Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06-05-2024 23:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2d9f252c4abe0650d262d03d7e912770_NEAS.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
2d9f252c4abe0650d262d03d7e912770_NEAS.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
2d9f252c4abe0650d262d03d7e912770_NEAS.exe
-
Size
552KB
-
MD5
2d9f252c4abe0650d262d03d7e912770
-
SHA1
1cd21fdc4ff7884e645497c5882646e4b932075d
-
SHA256
229157540b59f1980d0b3200f6a691132cac4ffdac3d656067379ff23f825ee0
-
SHA512
5f253217e221d8eac7825e0ad56719a27a77b0f36c42eda52ff8e2a470f3555650dab8c9879d9eced4c54ba7dc564177a6cac0377d37c0aca00e676a64e51a31
-
SSDEEP
6144:m1qJz/iiQ+D8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqX:m0Jz/l87g7/VycgE81lgxaa8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbfbgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjcbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfkpqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfqahgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joplbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnnooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onbgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgpjanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmgbdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplmop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Chpmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdlhjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfbcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pqjfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbggjfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dglpbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Joifam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nefpnhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhckpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ipjoplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjbjhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poapfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdipqbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Melfncqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdkgocpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpjlajk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdniqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfknbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpceidcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgilchkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Heihnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcenlceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qeohnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbomfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihjnom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjqcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhkbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnicmdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cghggc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhdcji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiihdlpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnicmdli.exe -
Executes dropped EXE 64 IoCs
pid Process 2096 Gonnhhln.exe 2684 Gegfdb32.exe 2628 Glaoalkh.exe 2780 Gopkmhjk.exe 2388 Gkgkbipp.exe 3052 Geolea32.exe 2480 Ggpimica.exe 2912 Hgilchkf.exe 1592 Hhjhkq32.exe 2932 Hodpgjha.exe 812 Henidd32.exe 332 Icbimi32.exe 1268 Ilknfn32.exe 2980 Iqmcpahh.exe 2868 Iggkllpe.exe 1616 Inqcif32.exe 2044 Igihbknb.exe 1304 Ikddbj32.exe 1644 Incpoe32.exe 1512 Iqalka32.exe 1776 Jqdipqbp.exe 904 Jfqahgpg.exe 1484 Joifam32.exe 1876 Jfcnngnd.exe 3008 Jiakjb32.exe 1944 Jkbcln32.exe 1812 Jgidao32.exe 2604 Joplbl32.exe 2416 Kkgmgmfd.exe 2468 Kbqecg32.exe 2436 Keoapb32.exe 320 Kgnnln32.exe 2732 Kkijmm32.exe 2812 Kngfih32.exe 1560 Keanebkb.exe 2664 Kgpjanje.exe 2956 Knjbnh32.exe 1648 Kahojc32.exe 1264 Kcfkfo32.exe 596 Kfegbj32.exe 1204 Kiccofna.exe 2040 Kaklpcoc.exe 1292 Kfgdhjmk.exe 3024 Kifpdelo.exe 1688 Lldlqakb.exe 2056 Lijjoe32.exe 2848 Lpdbloof.exe 2380 Lafndg32.exe 1696 Llkbap32.exe 2588 Ldfgebbe.exe 2620 Llnofpcg.exe 2408 Lmolnh32.exe 2712 Lefdpe32.exe 2508 Mhdplq32.exe 2768 Mkclhl32.exe 356 Mgimmm32.exe 2744 Mkeimlfm.exe 2076 Maoajf32.exe 1600 Mkgfckcj.exe 1288 Mpdnkb32.exe 2348 Mdpjlajk.exe 1060 Mmhodf32.exe 2164 Mlkopcge.exe 2000 Mgqcmlgl.exe -
Loads dropped DLL 64 IoCs
pid Process 996 2d9f252c4abe0650d262d03d7e912770_NEAS.exe 996 2d9f252c4abe0650d262d03d7e912770_NEAS.exe 2096 Gonnhhln.exe 2096 Gonnhhln.exe 2684 Gegfdb32.exe 2684 Gegfdb32.exe 2628 Glaoalkh.exe 2628 Glaoalkh.exe 2780 Gopkmhjk.exe 2780 Gopkmhjk.exe 2388 Gkgkbipp.exe 2388 Gkgkbipp.exe 3052 Geolea32.exe 3052 Geolea32.exe 2480 Ggpimica.exe 2480 Ggpimica.exe 2912 Hgilchkf.exe 2912 Hgilchkf.exe 1592 Hhjhkq32.exe 1592 Hhjhkq32.exe 2932 Hodpgjha.exe 2932 Hodpgjha.exe 812 Henidd32.exe 812 Henidd32.exe 332 Icbimi32.exe 332 Icbimi32.exe 1268 Ilknfn32.exe 1268 Ilknfn32.exe 2980 Iqmcpahh.exe 2980 Iqmcpahh.exe 2868 Iggkllpe.exe 2868 Iggkllpe.exe 1616 Inqcif32.exe 1616 Inqcif32.exe 2044 Igihbknb.exe 2044 Igihbknb.exe 1304 Ikddbj32.exe 1304 Ikddbj32.exe 1644 Incpoe32.exe 1644 Incpoe32.exe 1512 Iqalka32.exe 1512 Iqalka32.exe 1776 Jqdipqbp.exe 1776 Jqdipqbp.exe 904 Jfqahgpg.exe 904 Jfqahgpg.exe 1484 Joifam32.exe 1484 Joifam32.exe 1876 Jfcnngnd.exe 1876 Jfcnngnd.exe 3008 Jiakjb32.exe 3008 Jiakjb32.exe 1944 Jkbcln32.exe 1944 Jkbcln32.exe 1812 Jgidao32.exe 1812 Jgidao32.exe 2604 Joplbl32.exe 2604 Joplbl32.exe 2416 Kkgmgmfd.exe 2416 Kkgmgmfd.exe 2468 Kbqecg32.exe 2468 Kbqecg32.exe 2436 Keoapb32.exe 2436 Keoapb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iqalka32.exe Incpoe32.exe File opened for modification C:\Windows\SysWOW64\Mpdnkb32.exe Mkgfckcj.exe File created C:\Windows\SysWOW64\Bllbijej.dll Qedhdjnh.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Dcadac32.exe File created C:\Windows\SysWOW64\Npagjpcd.exe Nlekia32.exe File created C:\Windows\SysWOW64\Incpoe32.exe Ikddbj32.exe File created C:\Windows\SysWOW64\Bjidgghp.dll Dknekeef.exe File opened for modification C:\Windows\SysWOW64\Emnndlod.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Hanlnp32.exe Hmbpmapf.exe File opened for modification C:\Windows\SysWOW64\Ihjnom32.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Joaeeklp.exe Jnpinc32.exe File opened for modification C:\Windows\SysWOW64\Kcfkfo32.exe Kahojc32.exe File created C:\Windows\SysWOW64\Edekcace.dll Dcenlceh.exe File created C:\Windows\SysWOW64\Papnde32.dll Kaldcb32.exe File opened for modification C:\Windows\SysWOW64\Pcdipnqn.exe Pdaheq32.exe File created C:\Windows\SysWOW64\Bfbdiclb.dll Pdaheq32.exe File created C:\Windows\SysWOW64\Qngmgjeb.exe Qodlkm32.exe File opened for modification C:\Windows\SysWOW64\Ckiigmcd.exe Cpceidcn.exe File opened for modification C:\Windows\SysWOW64\Oobjaqaj.exe Okgnab32.exe File created C:\Windows\SysWOW64\Mdkjlm32.dll Nondgn32.exe File opened for modification C:\Windows\SysWOW64\Flehkhai.exe Figlolbf.exe File created C:\Windows\SysWOW64\Hanedg32.dll Nkmdpm32.exe File created C:\Windows\SysWOW64\Agpgbgpe.dll Kifpdelo.exe File created C:\Windows\SysWOW64\Nmgpon32.dll Ilncom32.exe File opened for modification C:\Windows\SysWOW64\Jkoplhip.exe Jchhkjhn.exe File created C:\Windows\SysWOW64\Hqalfl32.dll Kincipnk.exe File created C:\Windows\SysWOW64\Allepo32.dll Kicmdo32.exe File created C:\Windows\SysWOW64\Lhnffb32.dll Pkndaa32.exe File opened for modification C:\Windows\SysWOW64\Dgjclbdi.exe Ccngld32.exe File created C:\Windows\SysWOW64\Kijbioba.dll Dcadac32.exe File created C:\Windows\SysWOW64\Gohjaf32.exe Gpejeihi.exe File created C:\Windows\SysWOW64\Aohjlnjk.dll Ogkkfmml.exe File opened for modification C:\Windows\SysWOW64\Pgpeal32.exe Pcdipnqn.exe File created C:\Windows\SysWOW64\Okikfagn.exe Obafnlpn.exe File created C:\Windows\SysWOW64\Fbdjbaea.exe Fnhnbb32.exe File created C:\Windows\SysWOW64\Gbcfadgl.exe Gohjaf32.exe File opened for modification C:\Windows\SysWOW64\Kpjhkjde.exe Kgcpjmcb.exe File opened for modification C:\Windows\SysWOW64\Mmneda32.exe Legmbd32.exe File opened for modification C:\Windows\SysWOW64\Blbfjg32.exe Bidjnkdg.exe File created C:\Windows\SysWOW64\Jkfalhjp.dll Kbkameaf.exe File created C:\Windows\SysWOW64\Gioicn32.dll Apalea32.exe File created C:\Windows\SysWOW64\Ndmjqgdd.dll Baadng32.exe File opened for modification C:\Windows\SysWOW64\Keoapb32.exe Kbqecg32.exe File created C:\Windows\SysWOW64\Fddcahee.dll Oklkmnbp.exe File created C:\Windows\SysWOW64\Djdfhjik.dll Mapjmehi.exe File created C:\Windows\SysWOW64\Iqmcpahh.exe Ilknfn32.exe File created C:\Windows\SysWOW64\Aedeic32.dll Ioaifhid.exe File created C:\Windows\SysWOW64\Pfgngh32.exe Pcibkm32.exe File created C:\Windows\SysWOW64\Aaheie32.exe Abeemhkh.exe File opened for modification C:\Windows\SysWOW64\Anlfbi32.exe Akmjfn32.exe File opened for modification C:\Windows\SysWOW64\Bdkgocpm.exe Bhdgjb32.exe File opened for modification C:\Windows\SysWOW64\Dookgcij.exe Dkcofe32.exe File created C:\Windows\SysWOW64\Dfdjhndl.exe Dbhnhp32.exe File created C:\Windows\SysWOW64\Nqdgapkm.dll Jjpcbe32.exe File created C:\Windows\SysWOW64\Paenhpdh.dll Pomfkndo.exe File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Aamfnkai.exe File created C:\Windows\SysWOW64\Ohhkga32.dll Pjadmnic.exe File created C:\Windows\SysWOW64\Mpioaoic.dll Qjjgclai.exe File created C:\Windows\SysWOW64\Dggcffhg.exe Dhdcji32.exe File created C:\Windows\SysWOW64\Hbfbgd32.exe Hojgfemq.exe File opened for modification C:\Windows\SysWOW64\Hdlhjl32.exe Heihnoph.exe File created C:\Windows\SysWOW64\Mjbkcgmo.dll Jgagfi32.exe File created C:\Windows\SysWOW64\Ljhcccai.dll Aecaidjl.exe File created C:\Windows\SysWOW64\Npdjje32.exe Nglfapnl.exe -
Program crash 1 IoCs
pid pid_target Process 4740 4376 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kiccofna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abjebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll" Dndlim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fbdjbaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikfmfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agfgqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocdmaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 2d9f252c4abe0650d262d03d7e912770_NEAS.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fncdgcqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlhpnakf.dll" Gffoldhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkhofjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Modkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmphi32.dll" Nefpnhlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlkdkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dfdjhndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgimmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhefhd32.dll" Fpqdkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npccpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeegb32.dll" Mhdplq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pihgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll" Akmjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokfbfnk.dll" Naoniipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilbgbe32.dll" Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkng32.dll" Bkommo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" Melfncqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Acpdko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chpmpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Echfaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpknpme.dll" Jgidao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lmolnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacima32.dll" Mkeimlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnffb32.dll" Pkndaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohfbg32.dll" Illgimph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijdqna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbkameaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkglameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocimgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qjjgclai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhqbkhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmamaoln.dll" Hojgfemq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jqdipqbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Biicik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Coelaaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knklagmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkdneid.dll" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijdkh32.dll" Fmpkjkma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll" Lapnnafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkpmm32.dll" Mhbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ginnnooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcinmgng.dll" Kaklpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmjojo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 996 wrote to memory of 2096 996 2d9f252c4abe0650d262d03d7e912770_NEAS.exe 28 PID 996 wrote to memory of 2096 996 2d9f252c4abe0650d262d03d7e912770_NEAS.exe 28 PID 996 wrote to memory of 2096 996 2d9f252c4abe0650d262d03d7e912770_NEAS.exe 28 PID 996 wrote to memory of 2096 996 2d9f252c4abe0650d262d03d7e912770_NEAS.exe 28 PID 2096 wrote to memory of 2684 2096 Gonnhhln.exe 29 PID 2096 wrote to memory of 2684 2096 Gonnhhln.exe 29 PID 2096 wrote to memory of 2684 2096 Gonnhhln.exe 29 PID 2096 wrote to memory of 2684 2096 Gonnhhln.exe 29 PID 2684 wrote to memory of 2628 2684 Gegfdb32.exe 30 PID 2684 wrote to memory of 2628 2684 Gegfdb32.exe 30 PID 2684 wrote to memory of 2628 2684 Gegfdb32.exe 30 PID 2684 wrote to memory of 2628 2684 Gegfdb32.exe 30 PID 2628 wrote to memory of 2780 2628 Glaoalkh.exe 31 PID 2628 wrote to memory of 2780 2628 Glaoalkh.exe 31 PID 2628 wrote to memory of 2780 2628 Glaoalkh.exe 31 PID 2628 wrote to memory of 2780 2628 Glaoalkh.exe 31 PID 2780 wrote to memory of 2388 2780 Gopkmhjk.exe 32 PID 2780 wrote to memory of 2388 2780 Gopkmhjk.exe 32 PID 2780 wrote to memory of 2388 2780 Gopkmhjk.exe 32 PID 2780 wrote to memory of 2388 2780 Gopkmhjk.exe 32 PID 2388 wrote to memory of 3052 2388 Gkgkbipp.exe 33 PID 2388 wrote to memory of 3052 2388 Gkgkbipp.exe 33 PID 2388 wrote to memory of 3052 2388 Gkgkbipp.exe 33 PID 2388 wrote to memory of 3052 2388 Gkgkbipp.exe 33 PID 3052 wrote to memory of 2480 3052 Geolea32.exe 34 PID 3052 wrote to memory of 2480 3052 Geolea32.exe 34 PID 3052 wrote to memory of 2480 3052 Geolea32.exe 34 PID 3052 wrote to memory of 2480 3052 Geolea32.exe 34 PID 2480 wrote to memory of 2912 2480 Ggpimica.exe 35 PID 2480 wrote to memory of 2912 2480 Ggpimica.exe 35 PID 2480 wrote to memory of 2912 2480 Ggpimica.exe 35 PID 2480 wrote to memory of 2912 2480 Ggpimica.exe 35 PID 2912 wrote to memory of 1592 2912 Hgilchkf.exe 36 PID 2912 wrote to memory of 1592 2912 Hgilchkf.exe 36 PID 2912 wrote to memory of 1592 2912 Hgilchkf.exe 36 PID 2912 wrote to memory of 1592 2912 Hgilchkf.exe 36 PID 1592 wrote to memory of 2932 1592 Hhjhkq32.exe 37 PID 1592 wrote to memory of 2932 1592 Hhjhkq32.exe 37 PID 1592 wrote to memory of 2932 1592 Hhjhkq32.exe 37 PID 1592 wrote to memory of 2932 1592 Hhjhkq32.exe 37 PID 2932 wrote to memory of 812 2932 Hodpgjha.exe 38 PID 2932 wrote to memory of 812 2932 Hodpgjha.exe 38 PID 2932 wrote to memory of 812 2932 Hodpgjha.exe 38 PID 2932 wrote to memory of 812 2932 Hodpgjha.exe 38 PID 812 wrote to memory of 332 812 Henidd32.exe 39 PID 812 wrote to memory of 332 812 Henidd32.exe 39 PID 812 wrote to memory of 332 812 Henidd32.exe 39 PID 812 wrote to memory of 332 812 Henidd32.exe 39 PID 332 wrote to memory of 1268 332 Icbimi32.exe 40 PID 332 wrote to memory of 1268 332 Icbimi32.exe 40 PID 332 wrote to memory of 1268 332 Icbimi32.exe 40 PID 332 wrote to memory of 1268 332 Icbimi32.exe 40 PID 1268 wrote to memory of 2980 1268 Ilknfn32.exe 41 PID 1268 wrote to memory of 2980 1268 Ilknfn32.exe 41 PID 1268 wrote to memory of 2980 1268 Ilknfn32.exe 41 PID 1268 wrote to memory of 2980 1268 Ilknfn32.exe 41 PID 2980 wrote to memory of 2868 2980 Iqmcpahh.exe 42 PID 2980 wrote to memory of 2868 2980 Iqmcpahh.exe 42 PID 2980 wrote to memory of 2868 2980 Iqmcpahh.exe 42 PID 2980 wrote to memory of 2868 2980 Iqmcpahh.exe 42 PID 2868 wrote to memory of 1616 2868 Iggkllpe.exe 43 PID 2868 wrote to memory of 1616 2868 Iggkllpe.exe 43 PID 2868 wrote to memory of 1616 2868 Iggkllpe.exe 43 PID 2868 wrote to memory of 1616 2868 Iggkllpe.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d9f252c4abe0650d262d03d7e912770_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\2d9f252c4abe0650d262d03d7e912770_NEAS.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Henidd32.exeC:\Windows\system32\Henidd32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Jgidao32.exeC:\Windows\system32\Jgidao32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Joplbl32.exeC:\Windows\system32\Joplbl32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe33⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe34⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe35⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe36⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe38⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe40⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe44⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe46⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe48⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe49⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe50⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe51⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe52⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe54⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Mhdplq32.exeC:\Windows\system32\Mhdplq32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe56⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:356 -
C:\Windows\SysWOW64\Mkeimlfm.exeC:\Windows\system32\Mkeimlfm.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe59⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mkgfckcj.exeC:\Windows\system32\Mkgfckcj.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe61⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Mdpjlajk.exeC:\Windows\system32\Mdpjlajk.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe63⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe65⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe66⤵
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe67⤵PID:1640
-
C:\Windows\SysWOW64\Nefpnhlc.exeC:\Windows\system32\Nefpnhlc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe69⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe70⤵PID:2740
-
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe71⤵PID:2960
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe72⤵PID:2344
-
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe73⤵
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe74⤵PID:2864
-
C:\Windows\SysWOW64\Nglfapnl.exeC:\Windows\system32\Nglfapnl.exe75⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe76⤵PID:1176
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2464 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe78⤵PID:2052
-
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe79⤵PID:980
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe80⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe81⤵PID:2532
-
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe82⤵PID:2608
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe83⤵
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Ohfeog32.exeC:\Windows\system32\Ohfeog32.exe84⤵PID:1036
-
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe85⤵PID:2456
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe87⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe88⤵PID:836
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe89⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe90⤵PID:3048
-
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe91⤵PID:1012
-
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe92⤵PID:2676
-
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe93⤵PID:2132
-
C:\Windows\SysWOW64\Pedleg32.exeC:\Windows\system32\Pedleg32.exe94⤵PID:2036
-
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe96⤵
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe97⤵PID:2940
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe98⤵PID:1736
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe99⤵
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe100⤵PID:1748
-
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe101⤵PID:1148
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe102⤵PID:2816
-
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe103⤵PID:1412
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe104⤵PID:2028
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe105⤵PID:1340
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe106⤵
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe108⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe109⤵PID:2612
-
C:\Windows\SysWOW64\Qedhdjnh.exeC:\Windows\system32\Qedhdjnh.exe110⤵
- Drops file in System32 directory
PID:384 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe111⤵PID:2284
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe112⤵PID:1572
-
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe113⤵PID:2264
-
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe114⤵PID:2080
-
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe115⤵
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe116⤵PID:2252
-
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe117⤵
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe118⤵PID:2944
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe119⤵PID:284
-
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe120⤵PID:2792
-
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe121⤵PID:2244
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-