Analysis
-
max time kernel
147s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07/05/2024, 03:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5f83d5ccc6c035561575650107f11e50_NEAS.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
5f83d5ccc6c035561575650107f11e50_NEAS.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
5f83d5ccc6c035561575650107f11e50_NEAS.exe
-
Size
435KB
-
MD5
5f83d5ccc6c035561575650107f11e50
-
SHA1
f4015ed5ec19444efa455599d5afc73a9db0ef52
-
SHA256
7220843dcfb334707635c15b45860eb4875a7ff2a0bfa6bf1aab593a5cb00282
-
SHA512
fdf29c537de55a298eec91490c73f32b67b6a7f144cf332624e9a25c864cbea14768767ce08f944a5f8d5121c0cc65c6101d0d130442726b93be55e057b6498a
-
SSDEEP
12288:t3Ar2B0HbWGRdA6sQhPbWGRdA6sQvjpxN:twLHvZbN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaklpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naajoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onphoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqfffqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokphdld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldidkbpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdjhndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfjdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piblek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifnechbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnomcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjilieka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fddmgjpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnpmipql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nolhan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmekoalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amejeljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balijo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeddafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqopea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffkcbgek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emhlfmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohqbqhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdikkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edpmjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlelaeqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmibdlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojficpfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noqamn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcadac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkpdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbqhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafecmlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckccgane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjgkjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehgppi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hellne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaeiieeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaeoang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacmcfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obojhlbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnoomqbg.exe -
Executes dropped EXE 64 IoCs
pid Process 2540 Laplei32.exe 3036 Lfmdnp32.exe 2608 Lodlom32.exe 3044 Lmiipi32.exe 2628 Lbfahp32.exe 2500 Lmkfei32.exe 2004 Llnfaffc.exe 2936 Lplogdmj.exe 1828 Mcjkcplm.exe 1824 Mpolmdkg.exe 2440 Migpeiag.exe 2804 Mlelaeqk.exe 1064 Mlgigdoh.exe 2052 Mofecpnl.exe 1008 Mhnjle32.exe 1868 Mdejaf32.exe 472 Mgcgmb32.exe 2400 Njbcim32.exe 1784 Nnnojlpa.exe 1880 Naikkk32.exe 1748 Nfkpdn32.exe 2296 Njgldmdc.exe 2392 Nleiqhcg.exe 880 Nocemcbj.exe 1696 Ngkmnacm.exe 1620 Nqcagfim.exe 2664 Nofabc32.exe 2112 Nbdnoo32.exe 2096 Nkmbgdfl.exe 2616 Nbfjdn32.exe 2740 Ofbfdmeb.exe 2844 Ohqbqhde.exe 2456 Okoomd32.exe 2692 Onmkio32.exe 2180 Okalbc32.exe 1156 Oomhcbjp.exe 1528 Onphoo32.exe 1652 Oqndkj32.exe 1680 Oiellh32.exe 1068 Ojficpfn.exe 1732 Obnqem32.exe 1672 Oelmai32.exe 2100 Ocomlemo.exe 1252 Okfencna.exe 2404 Ojieip32.exe 1092 Omgaek32.exe 2904 Oenifh32.exe 3016 Ocajbekl.exe 2300 Ojkboo32.exe 2640 Ongnonkb.exe 2964 Pminkk32.exe 3060 Pphjgfqq.exe 2852 Pccfge32.exe 2148 Pjmodopf.exe 2832 Pmlkpjpj.exe 1996 Paggai32.exe 2472 Pcfcmd32.exe 2816 Pfdpip32.exe 2240 Piblek32.exe 1668 Pmnhfjmg.exe 2876 Plahag32.exe 2812 Pchpbded.exe 384 Pfflopdh.exe 2284 Peiljl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2976 5f83d5ccc6c035561575650107f11e50_NEAS.exe 2976 5f83d5ccc6c035561575650107f11e50_NEAS.exe 2540 Laplei32.exe 2540 Laplei32.exe 3036 Lfmdnp32.exe 3036 Lfmdnp32.exe 2608 Lodlom32.exe 2608 Lodlom32.exe 3044 Lmiipi32.exe 3044 Lmiipi32.exe 2628 Lbfahp32.exe 2628 Lbfahp32.exe 2500 Lmkfei32.exe 2500 Lmkfei32.exe 2004 Llnfaffc.exe 2004 Llnfaffc.exe 2936 Lplogdmj.exe 2936 Lplogdmj.exe 1828 Mcjkcplm.exe 1828 Mcjkcplm.exe 1824 Mpolmdkg.exe 1824 Mpolmdkg.exe 2440 Migpeiag.exe 2440 Migpeiag.exe 2804 Mlelaeqk.exe 2804 Mlelaeqk.exe 1064 Mlgigdoh.exe 1064 Mlgigdoh.exe 2052 Mofecpnl.exe 2052 Mofecpnl.exe 1008 Mhnjle32.exe 1008 Mhnjle32.exe 1868 Mdejaf32.exe 1868 Mdejaf32.exe 472 Mgcgmb32.exe 472 Mgcgmb32.exe 2400 Njbcim32.exe 2400 Njbcim32.exe 1784 Nnnojlpa.exe 1784 Nnnojlpa.exe 1880 Naikkk32.exe 1880 Naikkk32.exe 1748 Nfkpdn32.exe 1748 Nfkpdn32.exe 2296 Njgldmdc.exe 2296 Njgldmdc.exe 2392 Nleiqhcg.exe 2392 Nleiqhcg.exe 880 Nocemcbj.exe 880 Nocemcbj.exe 1696 Ngkmnacm.exe 1696 Ngkmnacm.exe 1620 Nqcagfim.exe 1620 Nqcagfim.exe 2664 Nofabc32.exe 2664 Nofabc32.exe 2112 Nbdnoo32.exe 2112 Nbdnoo32.exe 2096 Nkmbgdfl.exe 2096 Nkmbgdfl.exe 2616 Nbfjdn32.exe 2616 Nbfjdn32.exe 2740 Ofbfdmeb.exe 2740 Ofbfdmeb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pccfge32.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Cngcjo32.exe Ckignd32.exe File created C:\Windows\SysWOW64\Ahcocb32.dll Gelppaof.exe File created C:\Windows\SysWOW64\Jgnamk32.exe Jofiln32.exe File created C:\Windows\SysWOW64\Jicgpb32.exe Jfekcg32.exe File created C:\Windows\SysWOW64\Dkmcgmjk.dll Onmdoioa.exe File created C:\Windows\SysWOW64\Mhnjle32.exe Mofecpnl.exe File created C:\Windows\SysWOW64\Nleiqhcg.exe Njgldmdc.exe File created C:\Windows\SysWOW64\Cddaphkn.exe Cafecmlj.exe File created C:\Windows\SysWOW64\Cojema32.exe Cgcmlcja.exe File created C:\Windows\SysWOW64\Pfdpip32.exe Pcfcmd32.exe File created C:\Windows\SysWOW64\Mmqgncdn.dll Djefobmk.exe File opened for modification C:\Windows\SysWOW64\Fjilieka.exe Ffnphf32.exe File created C:\Windows\SysWOW64\Akodpalp.dll Kfbkmk32.exe File created C:\Windows\SysWOW64\Oacima32.dll Mgimmm32.exe File created C:\Windows\SysWOW64\Hdjlnm32.dll Cdgneh32.exe File created C:\Windows\SysWOW64\Njgldmdc.exe Nfkpdn32.exe File opened for modification C:\Windows\SysWOW64\Pccfge32.exe Pphjgfqq.exe File created C:\Windows\SysWOW64\Bbmfll32.dll Ldfgebbe.exe File opened for modification C:\Windows\SysWOW64\Ocgpappk.exe Oqideepg.exe File created C:\Windows\SysWOW64\Iefmgahq.dll Bemgilhh.exe File created C:\Windows\SysWOW64\Emcbkn32.exe Djefobmk.exe File created C:\Windows\SysWOW64\Nnplna32.dll Keoapb32.exe File created C:\Windows\SysWOW64\Egdnbg32.dll Eijcpoac.exe File opened for modification C:\Windows\SysWOW64\Kaklpcoc.exe Kfegbj32.exe File opened for modification C:\Windows\SysWOW64\Nbdnoo32.exe Nofabc32.exe File opened for modification C:\Windows\SysWOW64\Cngcjo32.exe Ckignd32.exe File opened for modification C:\Windows\SysWOW64\Dfgmhd32.exe Dmoipopd.exe File created C:\Windows\SysWOW64\Ebbjqa32.dll Penfelgm.exe File created C:\Windows\SysWOW64\Ilknfn32.exe Idceea32.exe File created C:\Windows\SysWOW64\Jbgbni32.exe Joifam32.exe File created C:\Windows\SysWOW64\Fpebfbaj.dll Nhkbkc32.exe File created C:\Windows\SysWOW64\Alpmfdcb.exe Ahdaee32.exe File created C:\Windows\SysWOW64\Omgaek32.exe Ojieip32.exe File opened for modification C:\Windows\SysWOW64\Ongnonkb.exe Ojkboo32.exe File opened for modification C:\Windows\SysWOW64\Icpigm32.exe Iqalka32.exe File created C:\Windows\SysWOW64\Nolhan32.exe Mlmlecec.exe File created C:\Windows\SysWOW64\Necfoajd.dll Oqmmpd32.exe File created C:\Windows\SysWOW64\Pefijfii.exe Pnlqnl32.exe File created C:\Windows\SysWOW64\Gjhfbach.dll Cgejac32.exe File opened for modification C:\Windows\SysWOW64\Ampqjm32.exe Aiedjneg.exe File created C:\Windows\SysWOW64\Qoflni32.dll Cciemedf.exe File created C:\Windows\SysWOW64\Cbkeib32.exe Cciemedf.exe File created C:\Windows\SysWOW64\Pnnclg32.dll Gbkgnfbd.exe File created C:\Windows\SysWOW64\Phoccb32.dll Jbjochdi.exe File created C:\Windows\SysWOW64\Gemaaoaf.dll Kjljhjkl.exe File created C:\Windows\SysWOW64\Jonpde32.dll Pjcabmga.exe File created C:\Windows\SysWOW64\Ecfhengk.dll Ppbfpd32.exe File opened for modification C:\Windows\SysWOW64\Mlelaeqk.exe Migpeiag.exe File created C:\Windows\SysWOW64\Jkjecnop.dll Bloqah32.exe File created C:\Windows\SysWOW64\Haloha32.dll Bekkcljk.exe File opened for modification C:\Windows\SysWOW64\Enkece32.exe Elmigj32.exe File created C:\Windows\SysWOW64\Qahefm32.dll Ghfbqn32.exe File created C:\Windows\SysWOW64\Pggbla32.exe Pamiog32.exe File created C:\Windows\SysWOW64\Aaaoij32.exe Anccmo32.exe File opened for modification C:\Windows\SysWOW64\Cddaphkn.exe Cafecmlj.exe File created C:\Windows\SysWOW64\Aabagnfc.dll Ejhlgaeh.exe File opened for modification C:\Windows\SysWOW64\Lmiipi32.exe Lodlom32.exe File created C:\Windows\SysWOW64\Ohqbqhde.exe Ofbfdmeb.exe File created C:\Windows\SysWOW64\Cgpgce32.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Mcbndm32.dll Cndbcc32.exe File created C:\Windows\SysWOW64\Ikddbj32.exe Igihbknb.exe File created C:\Windows\SysWOW64\Jmgogg32.dll Mhgmapfi.exe File opened for modification C:\Windows\SysWOW64\Dfdjhndl.exe Dbhnhp32.exe -
Program crash 1 IoCs
pid pid_target Process 5596 5556 WerFault.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndejjf32.dll" Amndem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpapln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepgqikf.dll" Iqmcpahh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmpfjke.dll" Kcfkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjaonpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpeofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll" Hmlnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpapln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolpjf32.dll" Pkndaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdikkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdacap32.dll" Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppamme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjndop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfcnngnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmmfkafa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" Albjlcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Medfkpfc.dll" Pccfge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iblpjdpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgiaak32.dll" Jofiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpmlkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhigphio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqdajkkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdehna32.dll" Nofabc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlhnbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcfdgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhmepp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Monhhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miooigfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papfegmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endhhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiellh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdoneabg.dll" Bnpmipql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggpimica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omdneebf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmicohqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlelaeqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonghnnp.dll" Namqci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfmjjgm.dll" Anojbobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bekkcljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cddaphkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hckcmjep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijqnib32.dll" Lajhofao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" Mgqcmlgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqhhknjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmekoalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oomhcbjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajbdna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aepojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceclqan.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2976 wrote to memory of 2540 2976 5f83d5ccc6c035561575650107f11e50_NEAS.exe 28 PID 2976 wrote to memory of 2540 2976 5f83d5ccc6c035561575650107f11e50_NEAS.exe 28 PID 2976 wrote to memory of 2540 2976 5f83d5ccc6c035561575650107f11e50_NEAS.exe 28 PID 2976 wrote to memory of 2540 2976 5f83d5ccc6c035561575650107f11e50_NEAS.exe 28 PID 2540 wrote to memory of 3036 2540 Laplei32.exe 29 PID 2540 wrote to memory of 3036 2540 Laplei32.exe 29 PID 2540 wrote to memory of 3036 2540 Laplei32.exe 29 PID 2540 wrote to memory of 3036 2540 Laplei32.exe 29 PID 3036 wrote to memory of 2608 3036 Lfmdnp32.exe 30 PID 3036 wrote to memory of 2608 3036 Lfmdnp32.exe 30 PID 3036 wrote to memory of 2608 3036 Lfmdnp32.exe 30 PID 3036 wrote to memory of 2608 3036 Lfmdnp32.exe 30 PID 2608 wrote to memory of 3044 2608 Lodlom32.exe 31 PID 2608 wrote to memory of 3044 2608 Lodlom32.exe 31 PID 2608 wrote to memory of 3044 2608 Lodlom32.exe 31 PID 2608 wrote to memory of 3044 2608 Lodlom32.exe 31 PID 3044 wrote to memory of 2628 3044 Lmiipi32.exe 32 PID 3044 wrote to memory of 2628 3044 Lmiipi32.exe 32 PID 3044 wrote to memory of 2628 3044 Lmiipi32.exe 32 PID 3044 wrote to memory of 2628 3044 Lmiipi32.exe 32 PID 2628 wrote to memory of 2500 2628 Lbfahp32.exe 33 PID 2628 wrote to memory of 2500 2628 Lbfahp32.exe 33 PID 2628 wrote to memory of 2500 2628 Lbfahp32.exe 33 PID 2628 wrote to memory of 2500 2628 Lbfahp32.exe 33 PID 2500 wrote to memory of 2004 2500 Lmkfei32.exe 34 PID 2500 wrote to memory of 2004 2500 Lmkfei32.exe 34 PID 2500 wrote to memory of 2004 2500 Lmkfei32.exe 34 PID 2500 wrote to memory of 2004 2500 Lmkfei32.exe 34 PID 2004 wrote to memory of 2936 2004 Llnfaffc.exe 35 PID 2004 wrote to memory of 2936 2004 Llnfaffc.exe 35 PID 2004 wrote to memory of 2936 2004 Llnfaffc.exe 35 PID 2004 wrote to memory of 2936 2004 Llnfaffc.exe 35 PID 2936 wrote to memory of 1828 2936 Lplogdmj.exe 36 PID 2936 wrote to memory of 1828 2936 Lplogdmj.exe 36 PID 2936 wrote to memory of 1828 2936 Lplogdmj.exe 36 PID 2936 wrote to memory of 1828 2936 Lplogdmj.exe 36 PID 1828 wrote to memory of 1824 1828 Mcjkcplm.exe 37 PID 1828 wrote to memory of 1824 1828 Mcjkcplm.exe 37 PID 1828 wrote to memory of 1824 1828 Mcjkcplm.exe 37 PID 1828 wrote to memory of 1824 1828 Mcjkcplm.exe 37 PID 1824 wrote to memory of 2440 1824 Mpolmdkg.exe 38 PID 1824 wrote to memory of 2440 1824 Mpolmdkg.exe 38 PID 1824 wrote to memory of 2440 1824 Mpolmdkg.exe 38 PID 1824 wrote to memory of 2440 1824 Mpolmdkg.exe 38 PID 2440 wrote to memory of 2804 2440 Migpeiag.exe 39 PID 2440 wrote to memory of 2804 2440 Migpeiag.exe 39 PID 2440 wrote to memory of 2804 2440 Migpeiag.exe 39 PID 2440 wrote to memory of 2804 2440 Migpeiag.exe 39 PID 2804 wrote to memory of 1064 2804 Mlelaeqk.exe 40 PID 2804 wrote to memory of 1064 2804 Mlelaeqk.exe 40 PID 2804 wrote to memory of 1064 2804 Mlelaeqk.exe 40 PID 2804 wrote to memory of 1064 2804 Mlelaeqk.exe 40 PID 1064 wrote to memory of 2052 1064 Mlgigdoh.exe 41 PID 1064 wrote to memory of 2052 1064 Mlgigdoh.exe 41 PID 1064 wrote to memory of 2052 1064 Mlgigdoh.exe 41 PID 1064 wrote to memory of 2052 1064 Mlgigdoh.exe 41 PID 2052 wrote to memory of 1008 2052 Mofecpnl.exe 42 PID 2052 wrote to memory of 1008 2052 Mofecpnl.exe 42 PID 2052 wrote to memory of 1008 2052 Mofecpnl.exe 42 PID 2052 wrote to memory of 1008 2052 Mofecpnl.exe 42 PID 1008 wrote to memory of 1868 1008 Mhnjle32.exe 43 PID 1008 wrote to memory of 1868 1008 Mhnjle32.exe 43 PID 1008 wrote to memory of 1868 1008 Mhnjle32.exe 43 PID 1008 wrote to memory of 1868 1008 Mhnjle32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f83d5ccc6c035561575650107f11e50_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\5f83d5ccc6c035561575650107f11e50_NEAS.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Nfkpdn32.exeC:\Windows\system32\Nfkpdn32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1748 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe34⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe35⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe36⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe39⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe42⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe43⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe44⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe45⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe47⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe49⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe52⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe55⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe56⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe57⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe59⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe61⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe62⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe63⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe64⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe65⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe66⤵PID:1552
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe67⤵PID:1404
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe68⤵PID:2704
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe69⤵PID:2324
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe70⤵PID:876
-
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe71⤵
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe72⤵
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe73⤵PID:2020
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe74⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe75⤵PID:1428
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe76⤵PID:2268
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe77⤵PID:2460
-
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe78⤵PID:1536
-
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe79⤵PID:2060
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe80⤵PID:1152
-
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe81⤵PID:2228
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe82⤵PID:2264
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe84⤵PID:2064
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe85⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe86⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Ampqjm32.exeC:\Windows\system32\Ampqjm32.exe87⤵PID:2256
-
C:\Windows\SysWOW64\Abmibdlh.exeC:\Windows\system32\Abmibdlh.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe89⤵PID:2708
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe90⤵PID:1356
-
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe91⤵PID:1540
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe93⤵PID:1400
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe94⤵PID:992
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe95⤵PID:1832
-
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe96⤵
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe97⤵PID:1648
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe98⤵PID:2328
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe99⤵PID:1712
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe100⤵PID:1728
-
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe101⤵PID:2040
-
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe102⤵PID:2756
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe104⤵PID:2076
-
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe105⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe108⤵PID:952
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe109⤵PID:1932
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe110⤵PID:1192
-
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe111⤵PID:2056
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe112⤵PID:572
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe113⤵PID:2312
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe114⤵PID:2584
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe115⤵PID:2652
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe116⤵PID:2344
-
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe117⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Cngcjo32.exeC:\Windows\system32\Cngcjo32.exe118⤵PID:2736
-
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe119⤵PID:2504
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe120⤵
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe121⤵
- Drops file in System32 directory
PID:852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-