Analysis
-
max time kernel
132s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2023, 03:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe
-
Size
2.6MB
-
MD5
e23af4ab28a5ebca7d0ed9cf7c02a980
-
SHA1
c2722114400b81d8c118408f77de401d91d00450
-
SHA256
039d8daa8b41d8c1962a581653882d86649bec5d9a0897d8ded3a6012b7bc3b1
-
SHA512
0563febcd08306d9b7c9fe79e8389a0b5d205087566231b5b1f9ca20d27e0ea60e6837c6ac8093920a3fe881237d4a0b090da8ee859b2e9001a431c605a9cba0
-
SSDEEP
49152:KCrkB9f0VwEIV0MVp5fbVvOB9f0eB9f0S/B9f0HdVi:KCrVG0uptJvli
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badipiae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lldfcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgigfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gmfilfep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcmingd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocqncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhojqcil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blkdgheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daaiml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhkjooqb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meadgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iffcgoka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcmopeae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbecgned.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opefdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hkobdeok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhipp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgalelin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafcjijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdodekhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dpehikja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkebekgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgimmkgp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbacq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ihhmgaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gqfohdjd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclaeocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdjfmjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlflog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdehep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkiobhac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibicgmhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnqbmadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcgndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jphkfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pijiif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbaiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgihppgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkflbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbikdbnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fggkifmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmfpgmil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfbcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmjcjad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpkdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obgccn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbikdbnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnadkmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Meepne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbapdfkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggnlhgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Biogieke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhmmchpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bhkmoifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhkkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elepei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfhqkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbpoge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqfmcge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daaiml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lnpopcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peobeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Naaqhlmg.exe -
Executes dropped EXE 64 IoCs
pid Process 4700 Elilmi32.exe 4572 Kcgekjgp.exe 4924 Lpelqj32.exe 416 Mankaked.exe 1388 Pkinmlnm.exe 2188 Abflfc32.exe 1928 Cnkilbni.exe 4120 Dlmegd32.exe 2024 Eelpqi32.exe 2092 Fhflhcfa.exe 4356 Hoefgj32.exe 4180 Iljpgl32.exe 5036 Kcphpdil.exe 2580 Lbenho32.exe 2232 Npgjbabk.exe 2960 Opefdo32.exe 2872 Ofdhlh32.exe 4516 Qkmqne32.exe 1584 Akipic32.exe 4520 Bknidbhi.exe 4100 Bldogjib.exe 4480 Cggpfa32.exe 3648 Ecafgo32.exe 1956 Gajibq32.exe 1652 Hmlicp32.exe 2772 Jnjednnp.exe 3676 Kklbop32.exe 3748 Kdgcne32.exe 3064 Lfnfhg32.exe 4872 Mfgiof32.exe 3028 Nkkggl32.exe 496 Obeikc32.exe 4808 Pfenga32.exe 2172 Pmfldkei.exe 1452 Pmiijjcf.exe 4304 Qednnm32.exe 2672 Aoalba32.exe 3960 Abodhpic.exe 4952 Apcead32.exe 2216 Aebjokda.exe 1832 Bgdcom32.exe 5048 Bekmei32.exe 1416 Cpjdiadb.exe 1216 Dofgklcb.exe 4044 Dnhgidka.exe 3396 Eopjakkg.exe 2464 Emdjjo32.exe 4332 Eodclj32.exe 912 Enfcjb32.exe 704 Fnhppa32.exe 3608 Ffcedd32.exe 3332 Fplimi32.exe 2844 Fmpjfn32.exe 4796 Fjcjpb32.exe 2792 Fggkifmg.exe 2676 Fcnlng32.exe 4140 Gmfpgmil.exe 2424 Gjkqpa32.exe 1952 Gpjfng32.exe 1124 Gcgndf32.exe 1636 Hhegjdag.exe 3688 Haphiiee.exe 3036 Hfonfp32.exe 3956 Hhojqcil.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pcffoben.exe Pgoejapi.exe File opened for modification C:\Windows\SysWOW64\Lqndahiq.exe Lcjchd32.exe File created C:\Windows\SysWOW64\Lpelqj32.exe Kcgekjgp.exe File created C:\Windows\SysWOW64\Ejqmmlpm.dll Lpelqj32.exe File opened for modification C:\Windows\SysWOW64\Kcphpdil.exe Iljpgl32.exe File created C:\Windows\SysWOW64\Ndjcpigg.dll Kknhjj32.exe File created C:\Windows\SysWOW64\Njlcdf32.exe Nlhbja32.exe File created C:\Windows\SysWOW64\Pbbnbkpe.exe Pijiif32.exe File opened for modification C:\Windows\SysWOW64\Dflmep32.exe Dpmknf32.exe File opened for modification C:\Windows\SysWOW64\Fkiobhac.exe Fobomglo.exe File opened for modification C:\Windows\SysWOW64\Oofacdaj.exe Oiihkncb.exe File opened for modification C:\Windows\SysWOW64\Cooolhin.exe Bcfabgel.exe File created C:\Windows\SysWOW64\Apeiij32.dll Eopjakkg.exe File opened for modification C:\Windows\SysWOW64\Gmfpgmil.exe Fcnlng32.exe File created C:\Windows\SysWOW64\Ppmleagi.exe Pbiklmhp.exe File created C:\Windows\SysWOW64\Kakfem32.dll Qaegcb32.exe File created C:\Windows\SysWOW64\Mgimmkgp.exe Mnpice32.exe File created C:\Windows\SysWOW64\Onohgh32.dll Cfnqdale.exe File created C:\Windows\SysWOW64\Jjgknf32.dll Bdndik32.exe File created C:\Windows\SysWOW64\Donklfgn.dll Pkinmlnm.exe File created C:\Windows\SysWOW64\Aogkhjii.exe Aacjofkp.exe File opened for modification C:\Windows\SysWOW64\Gnkajapa.exe Ggnlhgkg.exe File opened for modification C:\Windows\SysWOW64\Oiihkncb.exe Oiglen32.exe File created C:\Windows\SysWOW64\Pgcpdn32.exe Ojopki32.exe File created C:\Windows\SysWOW64\Eefhcimp.exe Ehbgjenf.exe File opened for modification C:\Windows\SysWOW64\Ceqngekl.exe Cndidlfb.exe File created C:\Windows\SysWOW64\Milinkgf.exe Mhmmchpd.exe File created C:\Windows\SysWOW64\Nijeoikf.exe Naaqhlmg.exe File opened for modification C:\Windows\SysWOW64\Diafkl32.exe Ccbanfko.exe File created C:\Windows\SysWOW64\Bgjoghhk.dll Gbjlbm32.exe File created C:\Windows\SysWOW64\Haphiiee.exe Hhegjdag.exe File created C:\Windows\SysWOW64\Neeppb32.dll Nneiikqe.exe File created C:\Windows\SysWOW64\Cellfm32.exe Cldgmgml.exe File created C:\Windows\SysWOW64\Fdjpgbba.dll Bijnnf32.exe File created C:\Windows\SysWOW64\Bcddlhgo.exe Bcahgh32.exe File created C:\Windows\SysWOW64\Cjakkgha.dll Aoalba32.exe File created C:\Windows\SysWOW64\Ilqfjc32.dll Gcgndf32.exe File created C:\Windows\SysWOW64\Jgbdfbob.dll Ofijifbj.exe File opened for modification C:\Windows\SysWOW64\Aoqegk32.exe Aiclodaj.exe File created C:\Windows\SysWOW64\Ckladcoa.exe Coepob32.exe File created C:\Windows\SysWOW64\Modejj32.dll Ejabgcdp.exe File created C:\Windows\SysWOW64\Mddbjg32.exe Mcdepd32.exe File created C:\Windows\SysWOW64\Gnckjbfj.exe Gonnhf32.exe File opened for modification C:\Windows\SysWOW64\Kbkaiddd.exe Fabqdl32.exe File created C:\Windows\SysWOW64\Pmjfjn32.dll Kaehepeg.exe File created C:\Windows\SysWOW64\Podcnh32.exe Oaqbdc32.exe File opened for modification C:\Windows\SysWOW64\Podcnh32.exe Oaqbdc32.exe File opened for modification C:\Windows\SysWOW64\Ahdpea32.exe Qnlkllcf.exe File created C:\Windows\SysWOW64\Kflono32.dll Mddbjg32.exe File opened for modification C:\Windows\SysWOW64\Ibnlbm32.exe Iomcqa32.exe File created C:\Windows\SysWOW64\Afboll32.exe Ahonbhig.exe File opened for modification C:\Windows\SysWOW64\Madjbg32.exe Mcqjhc32.exe File created C:\Windows\SysWOW64\Ofdgbn32.dll Mefmbbod.exe File created C:\Windows\SysWOW64\Kaehepeg.exe Kbpkdd32.exe File opened for modification C:\Windows\SysWOW64\Njkklk32.exe Nmenmgab.exe File created C:\Windows\SysWOW64\Gepmno32.dll Gjkqpa32.exe File created C:\Windows\SysWOW64\Hfonfp32.exe Haphiiee.exe File created C:\Windows\SysWOW64\Imkbooff.dll Jhmfba32.exe File opened for modification C:\Windows\SysWOW64\Mkpglqgj.exe Mahbck32.exe File created C:\Windows\SysWOW64\Amblenpq.dll Odaphl32.exe File created C:\Windows\SysWOW64\Dbghhd32.dll Dofgklcb.exe File created C:\Windows\SysWOW64\Hokeebcd.dll Jjklcf32.exe File created C:\Windows\SysWOW64\Oofacdaj.exe Oiihkncb.exe File opened for modification C:\Windows\SysWOW64\Phhhbi32.exe Poodicio.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obeikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcdepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pafcjijo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epgndedc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boffej32.dll" Lgccccec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kknhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppmleagi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nqklfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddbbngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkgjekai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mefmbbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqnoba32.dll" Phhhbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecakodpe.dll" Djfckenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplfmjhg.dll" Mhmmchpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aohpek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Elilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibqpio32.dll" Nqgiel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qpfokpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kiikkada.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blkdgheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbdfbob.dll" Ofijifbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiakllhf.dll" Cooolhin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Knlbipjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmenmgab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcgekjgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfenga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ijcecgnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehbgjenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjhemdpf.dll" Mlbbel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflono32.dll" Mddbjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kihdqkaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdoli32.dll" Eeagnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdgbn32.dll" Mefmbbod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmdach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjcpigg.dll" Kknhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gbenjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cnbmolhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iopghggd.dll" Mfejme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjjjhifm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhhchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnghh32.dll" Jkligd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndphpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmijliej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkolggfe.dll" Lihfmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afinbdon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhoildi.dll" Knlbipjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Podcnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kfhkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcfkkmeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljopo32.dll" Badipiae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjfjn32.dll" Kaehepeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkioojpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aaqgop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjagcndq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhfacp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oplkgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccpkblqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lfeaegdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bknidbhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlcde32.dll" Nqklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkqebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aclhkdmp.dll" Nbcjhobg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmlicp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3020 wrote to memory of 4700 3020 NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe 94 PID 3020 wrote to memory of 4700 3020 NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe 94 PID 3020 wrote to memory of 4700 3020 NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe 94 PID 4700 wrote to memory of 4572 4700 Elilmi32.exe 95 PID 4700 wrote to memory of 4572 4700 Elilmi32.exe 95 PID 4700 wrote to memory of 4572 4700 Elilmi32.exe 95 PID 4572 wrote to memory of 4924 4572 Kcgekjgp.exe 96 PID 4572 wrote to memory of 4924 4572 Kcgekjgp.exe 96 PID 4572 wrote to memory of 4924 4572 Kcgekjgp.exe 96 PID 4924 wrote to memory of 416 4924 Lpelqj32.exe 98 PID 4924 wrote to memory of 416 4924 Lpelqj32.exe 98 PID 4924 wrote to memory of 416 4924 Lpelqj32.exe 98 PID 416 wrote to memory of 1388 416 Mankaked.exe 99 PID 416 wrote to memory of 1388 416 Mankaked.exe 99 PID 416 wrote to memory of 1388 416 Mankaked.exe 99 PID 1388 wrote to memory of 2188 1388 Pkinmlnm.exe 100 PID 1388 wrote to memory of 2188 1388 Pkinmlnm.exe 100 PID 1388 wrote to memory of 2188 1388 Pkinmlnm.exe 100 PID 2188 wrote to memory of 1928 2188 Abflfc32.exe 101 PID 2188 wrote to memory of 1928 2188 Abflfc32.exe 101 PID 2188 wrote to memory of 1928 2188 Abflfc32.exe 101 PID 1928 wrote to memory of 4120 1928 Cnkilbni.exe 102 PID 1928 wrote to memory of 4120 1928 Cnkilbni.exe 102 PID 1928 wrote to memory of 4120 1928 Cnkilbni.exe 102 PID 4120 wrote to memory of 2024 4120 Dlmegd32.exe 103 PID 4120 wrote to memory of 2024 4120 Dlmegd32.exe 103 PID 4120 wrote to memory of 2024 4120 Dlmegd32.exe 103 PID 2024 wrote to memory of 2092 2024 Eelpqi32.exe 104 PID 2024 wrote to memory of 2092 2024 Eelpqi32.exe 104 PID 2024 wrote to memory of 2092 2024 Eelpqi32.exe 104 PID 2092 wrote to memory of 4356 2092 Fhflhcfa.exe 105 PID 2092 wrote to memory of 4356 2092 Fhflhcfa.exe 105 PID 2092 wrote to memory of 4356 2092 Fhflhcfa.exe 105 PID 4356 wrote to memory of 4180 4356 Hoefgj32.exe 106 PID 4356 wrote to memory of 4180 4356 Hoefgj32.exe 106 PID 4356 wrote to memory of 4180 4356 Hoefgj32.exe 106 PID 4180 wrote to memory of 5036 4180 Iljpgl32.exe 107 PID 4180 wrote to memory of 5036 4180 Iljpgl32.exe 107 PID 4180 wrote to memory of 5036 4180 Iljpgl32.exe 107 PID 5036 wrote to memory of 2580 5036 Kcphpdil.exe 108 PID 5036 wrote to memory of 2580 5036 Kcphpdil.exe 108 PID 5036 wrote to memory of 2580 5036 Kcphpdil.exe 108 PID 2580 wrote to memory of 2232 2580 Lbenho32.exe 109 PID 2580 wrote to memory of 2232 2580 Lbenho32.exe 109 PID 2580 wrote to memory of 2232 2580 Lbenho32.exe 109 PID 2232 wrote to memory of 2960 2232 Npgjbabk.exe 110 PID 2232 wrote to memory of 2960 2232 Npgjbabk.exe 110 PID 2232 wrote to memory of 2960 2232 Npgjbabk.exe 110 PID 2960 wrote to memory of 2872 2960 Opefdo32.exe 112 PID 2960 wrote to memory of 2872 2960 Opefdo32.exe 112 PID 2960 wrote to memory of 2872 2960 Opefdo32.exe 112 PID 2872 wrote to memory of 4516 2872 Ofdhlh32.exe 113 PID 2872 wrote to memory of 4516 2872 Ofdhlh32.exe 113 PID 2872 wrote to memory of 4516 2872 Ofdhlh32.exe 113 PID 4516 wrote to memory of 1584 4516 Qkmqne32.exe 114 PID 4516 wrote to memory of 1584 4516 Qkmqne32.exe 114 PID 4516 wrote to memory of 1584 4516 Qkmqne32.exe 114 PID 1584 wrote to memory of 4520 1584 Akipic32.exe 115 PID 1584 wrote to memory of 4520 1584 Akipic32.exe 115 PID 1584 wrote to memory of 4520 1584 Akipic32.exe 115 PID 4520 wrote to memory of 4100 4520 Bknidbhi.exe 116 PID 4520 wrote to memory of 4100 4520 Bknidbhi.exe 116 PID 4520 wrote to memory of 4100 4520 Bknidbhi.exe 116 PID 4100 wrote to memory of 4480 4100 Bldogjib.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e23af4ab28a5ebca7d0ed9cf7c02a980.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Elilmi32.exeC:\Windows\system32\Elilmi32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Kcgekjgp.exeC:\Windows\system32\Kcgekjgp.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Lpelqj32.exeC:\Windows\system32\Lpelqj32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Pkinmlnm.exeC:\Windows\system32\Pkinmlnm.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Abflfc32.exeC:\Windows\system32\Abflfc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Cnkilbni.exeC:\Windows\system32\Cnkilbni.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Dlmegd32.exeC:\Windows\system32\Dlmegd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\Eelpqi32.exeC:\Windows\system32\Eelpqi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Fhflhcfa.exeC:\Windows\system32\Fhflhcfa.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Hoefgj32.exeC:\Windows\system32\Hoefgj32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Iljpgl32.exeC:\Windows\system32\Iljpgl32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Kcphpdil.exeC:\Windows\system32\Kcphpdil.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Lbenho32.exeC:\Windows\system32\Lbenho32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Npgjbabk.exeC:\Windows\system32\Npgjbabk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Opefdo32.exeC:\Windows\system32\Opefdo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ofdhlh32.exeC:\Windows\system32\Ofdhlh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Qkmqne32.exeC:\Windows\system32\Qkmqne32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Akipic32.exeC:\Windows\system32\Akipic32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Bknidbhi.exeC:\Windows\system32\Bknidbhi.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Bldogjib.exeC:\Windows\system32\Bldogjib.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Cggpfa32.exeC:\Windows\system32\Cggpfa32.exe23⤵
- Executes dropped EXE
PID:4480 -
C:\Windows\SysWOW64\Ecafgo32.exeC:\Windows\system32\Ecafgo32.exe24⤵
- Executes dropped EXE
PID:3648 -
C:\Windows\SysWOW64\Gajibq32.exeC:\Windows\system32\Gajibq32.exe25⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hmlicp32.exeC:\Windows\system32\Hmlicp32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Jnjednnp.exeC:\Windows\system32\Jnjednnp.exe27⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Kklbop32.exeC:\Windows\system32\Kklbop32.exe28⤵
- Executes dropped EXE
PID:3676 -
C:\Windows\SysWOW64\Kdgcne32.exeC:\Windows\system32\Kdgcne32.exe29⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Lfnfhg32.exeC:\Windows\system32\Lfnfhg32.exe30⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Mfgiof32.exeC:\Windows\system32\Mfgiof32.exe31⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Nkkggl32.exeC:\Windows\system32\Nkkggl32.exe32⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Obeikc32.exeC:\Windows\system32\Obeikc32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:496 -
C:\Windows\SysWOW64\Pfenga32.exeC:\Windows\system32\Pfenga32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Pmfldkei.exeC:\Windows\system32\Pmfldkei.exe35⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Pmiijjcf.exeC:\Windows\system32\Pmiijjcf.exe36⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Qednnm32.exeC:\Windows\system32\Qednnm32.exe37⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Aoalba32.exeC:\Windows\system32\Aoalba32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Abodhpic.exeC:\Windows\system32\Abodhpic.exe39⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Apcead32.exeC:\Windows\system32\Apcead32.exe40⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Aebjokda.exeC:\Windows\system32\Aebjokda.exe41⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Bgdcom32.exeC:\Windows\system32\Bgdcom32.exe42⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Bekmei32.exeC:\Windows\system32\Bekmei32.exe43⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Cokgonmp.exeC:\Windows\system32\Cokgonmp.exe44⤵PID:3440
-
C:\Windows\SysWOW64\Cpjdiadb.exeC:\Windows\system32\Cpjdiadb.exe45⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Dofgklcb.exeC:\Windows\system32\Dofgklcb.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Dnhgidka.exeC:\Windows\system32\Dnhgidka.exe47⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\SysWOW64\Eopjakkg.exeC:\Windows\system32\Eopjakkg.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\Emdjjo32.exeC:\Windows\system32\Emdjjo32.exe49⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Eodclj32.exeC:\Windows\system32\Eodclj32.exe50⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Enfcjb32.exeC:\Windows\system32\Enfcjb32.exe51⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Fnhppa32.exeC:\Windows\system32\Fnhppa32.exe52⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Ffcedd32.exeC:\Windows\system32\Ffcedd32.exe53⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Fplimi32.exeC:\Windows\system32\Fplimi32.exe54⤵
- Executes dropped EXE
PID:3332 -
C:\Windows\SysWOW64\Fmpjfn32.exeC:\Windows\system32\Fmpjfn32.exe55⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Fjcjpb32.exeC:\Windows\system32\Fjcjpb32.exe56⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Fggkifmg.exeC:\Windows\system32\Fggkifmg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Fcnlng32.exeC:\Windows\system32\Fcnlng32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Gmfpgmil.exeC:\Windows\system32\Gmfpgmil.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Gjkqpa32.exeC:\Windows\system32\Gjkqpa32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Gpjfng32.exeC:\Windows\system32\Gpjfng32.exe61⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Gcgndf32.exeC:\Windows\system32\Gcgndf32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Hhegjdag.exeC:\Windows\system32\Hhegjdag.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Haphiiee.exeC:\Windows\system32\Haphiiee.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3688 -
C:\Windows\SysWOW64\Hfonfp32.exeC:\Windows\system32\Hfonfp32.exe65⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Hhojqcil.exeC:\Windows\system32\Hhojqcil.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Hagnihom.exeC:\Windows\system32\Hagnihom.exe67⤵PID:3492
-
C:\Windows\SysWOW64\Ijpcbn32.exeC:\Windows\system32\Ijpcbn32.exe68⤵PID:3560
-
C:\Windows\SysWOW64\Iffcgoka.exeC:\Windows\system32\Iffcgoka.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4636 -
C:\Windows\SysWOW64\Ifipmo32.exeC:\Windows\system32\Ifipmo32.exe70⤵PID:2976
-
C:\Windows\SysWOW64\Ihhmgaqb.exeC:\Windows\system32\Ihhmgaqb.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1100 -
C:\Windows\SysWOW64\Ipcakd32.exeC:\Windows\system32\Ipcakd32.exe72⤵PID:5156
-
C:\Windows\SysWOW64\Iodaikfl.exeC:\Windows\system32\Iodaikfl.exe73⤵PID:5196
-
C:\Windows\SysWOW64\Jhmfba32.exeC:\Windows\system32\Jhmfba32.exe74⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Jphkfc32.exeC:\Windows\system32\Jphkfc32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5284 -
C:\Windows\SysWOW64\Joikdk32.exeC:\Windows\system32\Joikdk32.exe76⤵PID:5328
-
C:\Windows\SysWOW64\Jgdphm32.exeC:\Windows\system32\Jgdphm32.exe77⤵PID:5368
-
C:\Windows\SysWOW64\Jpmdabfb.exeC:\Windows\system32\Jpmdabfb.exe78⤵PID:5412
-
C:\Windows\SysWOW64\Kgkfil32.exeC:\Windows\system32\Kgkfil32.exe79⤵PID:5448
-
C:\Windows\SysWOW64\Kkioojpp.exeC:\Windows\system32\Kkioojpp.exe80⤵
- Modifies registry class
PID:5500 -
C:\Windows\SysWOW64\Kpfggang.exeC:\Windows\system32\Kpfggang.exe81⤵PID:5544
-
C:\Windows\SysWOW64\Knjhae32.exeC:\Windows\system32\Knjhae32.exe82⤵PID:5588
-
C:\Windows\SysWOW64\Kknhjj32.exeC:\Windows\system32\Kknhjj32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:5636 -
C:\Windows\SysWOW64\Lhkkjl32.exeC:\Windows\system32\Lhkkjl32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5684 -
C:\Windows\SysWOW64\Mnmmmbll.exeC:\Windows\system32\Mnmmmbll.exe85⤵PID:5728
-
C:\Windows\SysWOW64\Mqpcdn32.exeC:\Windows\system32\Mqpcdn32.exe86⤵PID:5772
-
C:\Windows\SysWOW64\Mbpoop32.exeC:\Windows\system32\Mbpoop32.exe87⤵PID:5812
-
C:\Windows\SysWOW64\Ndphpk32.exeC:\Windows\system32\Ndphpk32.exe88⤵
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Nqgiel32.exeC:\Windows\system32\Nqgiel32.exe89⤵
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Nqifkl32.exeC:\Windows\system32\Nqifkl32.exe90⤵PID:5960
-
C:\Windows\SysWOW64\Nicjaino.exeC:\Windows\system32\Nicjaino.exe91⤵PID:6004
-
C:\Windows\SysWOW64\Oapllk32.exeC:\Windows\system32\Oapllk32.exe92⤵PID:6044
-
C:\Windows\SysWOW64\Obphenpj.exeC:\Windows\system32\Obphenpj.exe93⤵PID:6084
-
C:\Windows\SysWOW64\Obbekn32.exeC:\Windows\system32\Obbekn32.exe94⤵PID:6124
-
C:\Windows\SysWOW64\Opfedb32.exeC:\Windows\system32\Opfedb32.exe95⤵PID:5140
-
C:\Windows\SysWOW64\Oiojmgcb.exeC:\Windows\system32\Oiojmgcb.exe96⤵PID:5188
-
C:\Windows\SysWOW64\Oiagcg32.exeC:\Windows\system32\Oiagcg32.exe97⤵PID:5272
-
C:\Windows\SysWOW64\Pbiklmhp.exeC:\Windows\system32\Pbiklmhp.exe98⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Ppmleagi.exeC:\Windows\system32\Ppmleagi.exe99⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Piepnfnj.exeC:\Windows\system32\Piepnfnj.exe100⤵PID:5472
-
C:\Windows\SysWOW64\Ppbepp32.exeC:\Windows\system32\Ppbepp32.exe101⤵PID:5540
-
C:\Windows\SysWOW64\Pijiif32.exeC:\Windows\system32\Pijiif32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5576 -
C:\Windows\SysWOW64\Pbbnbkpe.exeC:\Windows\system32\Pbbnbkpe.exe103⤵PID:3500
-
C:\Windows\SysWOW64\Qpfokpoo.exeC:\Windows\system32\Qpfokpoo.exe104⤵
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Qecgcfmf.exeC:\Windows\system32\Qecgcfmf.exe105⤵PID:5764
-
C:\Windows\SysWOW64\Qnlkllcf.exeC:\Windows\system32\Qnlkllcf.exe106⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Ahdpea32.exeC:\Windows\system32\Ahdpea32.exe107⤵PID:5876
-
C:\Windows\SysWOW64\Aiclodaj.exeC:\Windows\system32\Aiclodaj.exe108⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Aoqegk32.exeC:\Windows\system32\Aoqegk32.exe109⤵PID:5988
-
C:\Windows\SysWOW64\Aocamk32.exeC:\Windows\system32\Aocamk32.exe110⤵PID:6104
-
C:\Windows\SysWOW64\Ahkffqdo.exeC:\Windows\system32\Ahkffqdo.exe111⤵PID:3060
-
C:\Windows\SysWOW64\Aacjofkp.exeC:\Windows\system32\Aacjofkp.exe112⤵
- Drops file in System32 directory
PID:5248 -
C:\Windows\SysWOW64\Aogkhjii.exeC:\Windows\system32\Aogkhjii.exe113⤵PID:5360
-
C:\Windows\SysWOW64\Bpggbm32.exeC:\Windows\system32\Bpggbm32.exe114⤵PID:4300
-
C:\Windows\SysWOW64\Bpidhmoi.exeC:\Windows\system32\Bpidhmoi.exe115⤵PID:5552
-
C:\Windows\SysWOW64\Bplammmf.exeC:\Windows\system32\Bplammmf.exe116⤵PID:5680
-
C:\Windows\SysWOW64\Bhgeao32.exeC:\Windows\system32\Bhgeao32.exe117⤵PID:3020
-
C:\Windows\SysWOW64\Cbofdg32.exeC:\Windows\system32\Cbofdg32.exe118⤵PID:5784
-
C:\Windows\SysWOW64\Cadcfd32.exeC:\Windows\system32\Cadcfd32.exe119⤵PID:3136
-
C:\Windows\SysWOW64\Cohdoh32.exeC:\Windows\system32\Cohdoh32.exe120⤵PID:6072
-
C:\Windows\SysWOW64\Elepei32.exeC:\Windows\system32\Elepei32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-