Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
16/10/2023, 18:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe
Resource
win7-20230831-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe
-
Size
59KB
-
MD5
5aff17af101ab2965cb9c1f76dca48a0
-
SHA1
7249a55f12a0365b8025c741df2a86e4d8fa9fc2
-
SHA256
16df0153ecd9ad5f8249efa9df3a384699d99b6cb12fdad27e840e6e52459ea8
-
SHA512
b605db18d6df69aec08060bfb8327a55c4ee0e543ebe1f5f2d80fb860fda39870fa00210c726cb1e2c8307d6b98a3939101568d2277904607ad642233e9d7981
-
SSDEEP
1536:nlPvFu0hrhsTqAZVYKrrrrrrra5q2Lj+O:nlPdumhqfk3qO
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qabcjgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chbjffad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egiiapci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpicodoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helngnie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmanoifd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lndohedg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpjgifpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpkbdiqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jchhkjhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbqbaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdgjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfpoeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifaciae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdmcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiknhbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moanaiie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnbjlpom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdonb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghjel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckoam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnbjlpom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieidmbcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpnmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbhkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajomhbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeqabgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpiojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghjel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enqdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicdnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbpmapf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmdofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmkjedk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldmoepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihbqdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkmcfhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebgia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkbkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgegnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacbmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cejphiik.exe -
Executes dropped EXE 64 IoCs
pid Process 2612 Nhkbkc32.exe 2740 Olmhdf32.exe 2300 Ocgpappk.exe 2832 Olpdjf32.exe 2228 Ocimgp32.exe 3064 Ombapedi.exe 2836 Obojhlbq.exe 536 Oobjaqaj.exe 2312 Ooeggp32.exe 1996 Pimkpfeh.exe 1984 Pnjdhmdo.exe 816 Pgbhabjp.exe 1164 Pnlqnl32.exe 1944 Pgeefbhm.exe 284 Pmanoifd.exe 1440 Pfjbgnme.exe 2072 Ppbfpd32.exe 792 Qabcjgkh.exe 632 Qfokbnip.exe 1744 Qpgpkcpp.exe 1580 Aipddi32.exe 328 Aibajhdn.exe 1560 Aehboi32.exe 3068 Adnopfoj.exe 2956 Aaaoij32.exe 1184 Afohaa32.exe 1596 Bhndldcn.exe 2816 Bmkmdk32.exe 1712 Bdeeqehb.exe 2732 Biamilfj.exe 2736 Behnnm32.exe 2792 Bblogakg.exe 2564 Bhigphio.exe 2500 Bemgilhh.exe 2824 Ckjpacfp.exe 2380 Ccahbp32.exe 2508 Cdbdjhmp.exe 1392 Clilkfnb.exe 1916 Cnkicn32.exe 268 Ceaadk32.exe 2808 Cddaphkn.exe 1108 Ckoilb32.exe 2264 Cahail32.exe 1844 Cpkbdiqb.exe 1372 Chbjffad.exe 1720 Ckafbbph.exe 640 Cnobnmpl.exe 2096 Cpnojioo.exe 2420 Cclkfdnc.exe 2928 Cnaocmmi.exe 2200 Ccngld32.exe 1740 Djhphncm.exe 2240 Dglpbbbg.exe 2020 Dhnmij32.exe 2744 Dbfabp32.exe 3044 Dhpiojfb.exe 2724 Dojald32.exe 2684 Dfdjhndl.exe 2592 Dhbfdjdp.exe 1912 Dolnad32.exe 2876 Dfffnn32.exe 1968 Dggcffhg.exe 820 Enakbp32.exe 576 Ehgppi32.exe -
Loads dropped DLL 64 IoCs
pid Process 2812 NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe 2812 NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe 2612 Nhkbkc32.exe 2612 Nhkbkc32.exe 2740 Olmhdf32.exe 2740 Olmhdf32.exe 2300 Ocgpappk.exe 2300 Ocgpappk.exe 2832 Olpdjf32.exe 2832 Olpdjf32.exe 2228 Ocimgp32.exe 2228 Ocimgp32.exe 3064 Ombapedi.exe 3064 Ombapedi.exe 2836 Obojhlbq.exe 2836 Obojhlbq.exe 536 Oobjaqaj.exe 536 Oobjaqaj.exe 2312 Ooeggp32.exe 2312 Ooeggp32.exe 1996 Pimkpfeh.exe 1996 Pimkpfeh.exe 1984 Pnjdhmdo.exe 1984 Pnjdhmdo.exe 816 Pgbhabjp.exe 816 Pgbhabjp.exe 1164 Pnlqnl32.exe 1164 Pnlqnl32.exe 1944 Pgeefbhm.exe 1944 Pgeefbhm.exe 284 Pmanoifd.exe 284 Pmanoifd.exe 1440 Pfjbgnme.exe 1440 Pfjbgnme.exe 2072 Ppbfpd32.exe 2072 Ppbfpd32.exe 792 Qabcjgkh.exe 792 Qabcjgkh.exe 632 Qfokbnip.exe 632 Qfokbnip.exe 1744 Qpgpkcpp.exe 1744 Qpgpkcpp.exe 1580 Aipddi32.exe 1580 Aipddi32.exe 328 Aibajhdn.exe 328 Aibajhdn.exe 1560 Aehboi32.exe 1560 Aehboi32.exe 3068 Adnopfoj.exe 3068 Adnopfoj.exe 2956 Aaaoij32.exe 2956 Aaaoij32.exe 1184 Afohaa32.exe 1184 Afohaa32.exe 1596 Bhndldcn.exe 1596 Bhndldcn.exe 2816 Bmkmdk32.exe 2816 Bmkmdk32.exe 1712 Bdeeqehb.exe 1712 Bdeeqehb.exe 2732 Biamilfj.exe 2732 Biamilfj.exe 2736 Behnnm32.exe 2736 Behnnm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mholen32.exe Mkklljmg.exe File opened for modification C:\Windows\SysWOW64\Cinfhigl.exe Cbdnko32.exe File created C:\Windows\SysWOW64\Jnalbmkj.dll Iaelanmg.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Hakphqja.exe File created C:\Windows\SysWOW64\Eiiddiab.dll Jofbag32.exe File created C:\Windows\SysWOW64\Nqdgapkm.dll Jkmcfhkc.exe File created C:\Windows\SysWOW64\Opdnhdpo.dll Leljop32.exe File created C:\Windows\SysWOW64\Llohjo32.exe Liplnc32.exe File created C:\Windows\SysWOW64\Jfknbe32.exe Jcmafj32.exe File created C:\Windows\SysWOW64\Fpcqjacl.dll Kbbngf32.exe File opened for modification C:\Windows\SysWOW64\Balkchpi.exe Bjbcfn32.exe File created C:\Windows\SysWOW64\Ehjehh32.exe Ejgemkbm.exe File created C:\Windows\SysWOW64\Jemoqj32.dll Fqmpni32.exe File opened for modification C:\Windows\SysWOW64\Bmkmdk32.exe Bhndldcn.exe File opened for modification C:\Windows\SysWOW64\Dhkiid32.exe Delmmigh.exe File created C:\Windows\SysWOW64\Inoqpi32.dll Dhkiid32.exe File opened for modification C:\Windows\SysWOW64\Dlahng32.exe Djclbl32.exe File created C:\Windows\SysWOW64\Dnjjbl32.dll Hpkldg32.exe File created C:\Windows\SysWOW64\Cmeabq32.dll Oobjaqaj.exe File created C:\Windows\SysWOW64\Ligkin32.dll Bmkmdk32.exe File created C:\Windows\SysWOW64\Nmgpon32.dll Icfofg32.exe File created C:\Windows\SysWOW64\Fgnokb32.exe Fpffje32.exe File created C:\Windows\SysWOW64\Pkbeiaoi.dll Ecpjfq32.exe File created C:\Windows\SysWOW64\Helndmjp.dll Emkkdf32.exe File opened for modification C:\Windows\SysWOW64\Nhkbkc32.exe NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe File created C:\Windows\SysWOW64\Knklagmb.exe Kklpekno.exe File created C:\Windows\SysWOW64\Fbpljhnf.dll Mmldme32.exe File opened for modification C:\Windows\SysWOW64\Djqoll32.exe Dgbcpq32.exe File created C:\Windows\SysWOW64\Chbjffad.exe Cpkbdiqb.exe File opened for modification C:\Windows\SysWOW64\Ednpej32.exe Ejhlgaeh.exe File created C:\Windows\SysWOW64\Jkfalhjp.dll Kbkameaf.exe File created C:\Windows\SysWOW64\Bhdmagqq.dll Clmbddgp.exe File opened for modification C:\Windows\SysWOW64\Delmmigh.exe Chhldeho.exe File opened for modification C:\Windows\SysWOW64\Bajomhbl.exe Bphbeplm.exe File opened for modification C:\Windows\SysWOW64\Ehjehh32.exe Ejgemkbm.exe File created C:\Windows\SysWOW64\Maigcgee.dll Gbjlaplk.exe File opened for modification C:\Windows\SysWOW64\Igonafba.exe Hdqbekcm.exe File created C:\Windows\SysWOW64\Dddaaf32.dll Ipgbjl32.exe File created C:\Windows\SysWOW64\Jchhkjhn.exe Jkmcfhkc.exe File opened for modification C:\Windows\SysWOW64\Ljkomfjl.exe Lcagpl32.exe File created C:\Windows\SysWOW64\Mpmapm32.exe Libicbma.exe File opened for modification C:\Windows\SysWOW64\Bmeimhdj.exe Bkglameg.exe File created C:\Windows\SysWOW64\Ibnnbc32.dll Ecbfkpfk.exe File opened for modification C:\Windows\SysWOW64\Pimkpfeh.exe Ooeggp32.exe File created C:\Windows\SysWOW64\Ifkacb32.exe Icmegf32.exe File created C:\Windows\SysWOW64\Kiijnq32.exe Jfknbe32.exe File created C:\Windows\SysWOW64\Leljop32.exe Lnbbbffj.exe File created C:\Windows\SysWOW64\Haloha32.dll Bblogakg.exe File created C:\Windows\SysWOW64\Gjhfbach.dll Chbjffad.exe File created C:\Windows\SysWOW64\Hfjiem32.dll Lghjel32.exe File opened for modification C:\Windows\SysWOW64\Emkkdf32.exe Efqbglen.exe File created C:\Windows\SysWOW64\Ecdjal32.dll Dhnmij32.exe File created C:\Windows\SysWOW64\Akigbbni.dll Cnaocmmi.exe File opened for modification C:\Windows\SysWOW64\Dglpbbbg.exe Djhphncm.exe File created C:\Windows\SysWOW64\Bpebiecm.dll Ipjoplgo.exe File created C:\Windows\SysWOW64\Mkklljmg.exe Mencccop.exe File created C:\Windows\SysWOW64\Cpkbdiqb.exe Cahail32.exe File opened for modification C:\Windows\SysWOW64\Dolnad32.exe Dhbfdjdp.exe File opened for modification C:\Windows\SysWOW64\Fnhnbb32.exe Fiihdlpc.exe File created C:\Windows\SysWOW64\Gihniioc.exe Gaafhloq.exe File created C:\Windows\SysWOW64\Ihbqdh32.exe Iecdhm32.exe File created C:\Windows\SysWOW64\Bdeeqehb.exe Bmkmdk32.exe File opened for modification C:\Windows\SysWOW64\Iheddndj.exe Iefhhbef.exe File opened for modification C:\Windows\SysWOW64\Mabgcd32.exe Mkhofjoj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkiid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlffdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnjjbl32.dll" Hpkldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbqoqbho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgbhabjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndohedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moanaiie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll" Mkklljmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghelfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcil32.dll" Daejhjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnbbqbd.dll" Helngnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmhaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlljjjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ichllgfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkmcfhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicdaj32.dll" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" Dhbfdjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obojhlbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpkof32.dll" Pnjdhmdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpncej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbfpg32.dll" Pimkpfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmqjgdc.dll" Pmanoifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanedg32.dll" Nljddpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll" Cnaocmmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nookinfk.dll" Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebgclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amaipodm.dll" Ppbfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegbkc32.dll" Hdnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbejih32.dll" Fcpfedki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll" Cdoajb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clmbddgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffnbaojm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghkndf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hicqmmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqomci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgnokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclchm32.dll" Ghmkjedk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdlklmn.dll" Gpncej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cejphiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohdlpmi.dll" Ehmbng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkedenn.dll" Fgnokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjngmmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjdhmdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgjefg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boplllob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejgemkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioolqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pckoam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejodhmc.dll" Olpdjf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2812 wrote to memory of 2612 2812 NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe 28 PID 2812 wrote to memory of 2612 2812 NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe 28 PID 2812 wrote to memory of 2612 2812 NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe 28 PID 2812 wrote to memory of 2612 2812 NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe 28 PID 2612 wrote to memory of 2740 2612 Nhkbkc32.exe 29 PID 2612 wrote to memory of 2740 2612 Nhkbkc32.exe 29 PID 2612 wrote to memory of 2740 2612 Nhkbkc32.exe 29 PID 2612 wrote to memory of 2740 2612 Nhkbkc32.exe 29 PID 2740 wrote to memory of 2300 2740 Olmhdf32.exe 30 PID 2740 wrote to memory of 2300 2740 Olmhdf32.exe 30 PID 2740 wrote to memory of 2300 2740 Olmhdf32.exe 30 PID 2740 wrote to memory of 2300 2740 Olmhdf32.exe 30 PID 2300 wrote to memory of 2832 2300 Ocgpappk.exe 31 PID 2300 wrote to memory of 2832 2300 Ocgpappk.exe 31 PID 2300 wrote to memory of 2832 2300 Ocgpappk.exe 31 PID 2300 wrote to memory of 2832 2300 Ocgpappk.exe 31 PID 2832 wrote to memory of 2228 2832 Olpdjf32.exe 32 PID 2832 wrote to memory of 2228 2832 Olpdjf32.exe 32 PID 2832 wrote to memory of 2228 2832 Olpdjf32.exe 32 PID 2832 wrote to memory of 2228 2832 Olpdjf32.exe 32 PID 2228 wrote to memory of 3064 2228 Ocimgp32.exe 33 PID 2228 wrote to memory of 3064 2228 Ocimgp32.exe 33 PID 2228 wrote to memory of 3064 2228 Ocimgp32.exe 33 PID 2228 wrote to memory of 3064 2228 Ocimgp32.exe 33 PID 3064 wrote to memory of 2836 3064 Ombapedi.exe 34 PID 3064 wrote to memory of 2836 3064 Ombapedi.exe 34 PID 3064 wrote to memory of 2836 3064 Ombapedi.exe 34 PID 3064 wrote to memory of 2836 3064 Ombapedi.exe 34 PID 2836 wrote to memory of 536 2836 Obojhlbq.exe 35 PID 2836 wrote to memory of 536 2836 Obojhlbq.exe 35 PID 2836 wrote to memory of 536 2836 Obojhlbq.exe 35 PID 2836 wrote to memory of 536 2836 Obojhlbq.exe 35 PID 536 wrote to memory of 2312 536 Oobjaqaj.exe 36 PID 536 wrote to memory of 2312 536 Oobjaqaj.exe 36 PID 536 wrote to memory of 2312 536 Oobjaqaj.exe 36 PID 536 wrote to memory of 2312 536 Oobjaqaj.exe 36 PID 2312 wrote to memory of 1996 2312 Ooeggp32.exe 37 PID 2312 wrote to memory of 1996 2312 Ooeggp32.exe 37 PID 2312 wrote to memory of 1996 2312 Ooeggp32.exe 37 PID 2312 wrote to memory of 1996 2312 Ooeggp32.exe 37 PID 1996 wrote to memory of 1984 1996 Pimkpfeh.exe 38 PID 1996 wrote to memory of 1984 1996 Pimkpfeh.exe 38 PID 1996 wrote to memory of 1984 1996 Pimkpfeh.exe 38 PID 1996 wrote to memory of 1984 1996 Pimkpfeh.exe 38 PID 1984 wrote to memory of 816 1984 Pnjdhmdo.exe 39 PID 1984 wrote to memory of 816 1984 Pnjdhmdo.exe 39 PID 1984 wrote to memory of 816 1984 Pnjdhmdo.exe 39 PID 1984 wrote to memory of 816 1984 Pnjdhmdo.exe 39 PID 816 wrote to memory of 1164 816 Pgbhabjp.exe 40 PID 816 wrote to memory of 1164 816 Pgbhabjp.exe 40 PID 816 wrote to memory of 1164 816 Pgbhabjp.exe 40 PID 816 wrote to memory of 1164 816 Pgbhabjp.exe 40 PID 1164 wrote to memory of 1944 1164 Pnlqnl32.exe 41 PID 1164 wrote to memory of 1944 1164 Pnlqnl32.exe 41 PID 1164 wrote to memory of 1944 1164 Pnlqnl32.exe 41 PID 1164 wrote to memory of 1944 1164 Pnlqnl32.exe 41 PID 1944 wrote to memory of 284 1944 Pgeefbhm.exe 42 PID 1944 wrote to memory of 284 1944 Pgeefbhm.exe 42 PID 1944 wrote to memory of 284 1944 Pgeefbhm.exe 42 PID 1944 wrote to memory of 284 1944 Pgeefbhm.exe 42 PID 284 wrote to memory of 1440 284 Pmanoifd.exe 43 PID 284 wrote to memory of 1440 284 Pmanoifd.exe 43 PID 284 wrote to memory of 1440 284 Pmanoifd.exe 43 PID 284 wrote to memory of 1440 284 Pmanoifd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.5aff17af101ab2965cb9c1f76dca48a0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Pimkpfeh.exeC:\Windows\system32\Pimkpfeh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Pmanoifd.exeC:\Windows\system32\Pmanoifd.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Windows\SysWOW64\Pfjbgnme.exeC:\Windows\system32\Pfjbgnme.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Behnnm32.exeC:\Windows\system32\Behnnm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe34⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe35⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Ckjpacfp.exeC:\Windows\system32\Ckjpacfp.exe36⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe37⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe38⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe39⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe40⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe41⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe42⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe43⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Ckafbbph.exeC:\Windows\system32\Ckafbbph.exe47⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe49⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe50⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe54⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe56⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe58⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe59⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe61⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe62⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe63⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe65⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe66⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe67⤵PID:1400
-
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe68⤵PID:1652
-
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe69⤵
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe70⤵PID:2308
-
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe71⤵PID:848
-
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe72⤵PID:2348
-
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe73⤵PID:1320
-
C:\Windows\SysWOW64\Gpncej32.exeC:\Windows\system32\Gpncej32.exe74⤵
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe75⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe76⤵PID:1700
-
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe77⤵PID:2936
-
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe78⤵
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe79⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe80⤵PID:2800
-
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe81⤵PID:2692
-
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe82⤵PID:2540
-
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe83⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe84⤵PID:1224
-
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe85⤵PID:1356
-
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe87⤵PID:1332
-
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe88⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe90⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe92⤵
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe93⤵PID:2364
-
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe94⤵PID:968
-
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe95⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe97⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe98⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe100⤵PID:2628
-
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe101⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe103⤵PID:1656
-
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe105⤵PID:596
-
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe106⤵PID:1948
-
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe107⤵PID:280
-
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe108⤵PID:2108
-
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe109⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1060 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe111⤵PID:1748
-
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:812 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe114⤵PID:2100
-
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe115⤵PID:2704
-
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe117⤵PID:2516
-
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe118⤵PID:2780
-
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe119⤵
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe120⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:528
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-