Analysis
max time kernel: 171s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2023, 20:36

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: NEAS.b6bcc766e4968d3bd2a60a2055a4c620.exe
  Resource: win7-20230831-en
  6 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.b6bcc766e4968d3bd2a60a2055a4c620.exe
  Resource: win10v2004-20230915-en
  5 signatures, 150 seconds
General
Target: NEAS.b6bcc766e4968d3bd2a60a2055a4c620.exe
Size: 98KB
MD5: b6bcc766e4968d3bd2a60a2055a4c620
SHA1: 66b9d6ad89206cf0cf0e3f7b38141a66f2ede08e
SHA256: 21b4c896fa8d4392d4150a17a7b7632fff637f012a681ed2db9cb47970d9fc9c
SHA512: e2e3fa325b032d8b04bf1e496496f8013be01ce052644bcfb6993447f1a42cafa3f884bad00688a9fad5282db4b4bf70fdd833970ffb10e405231769cba0cdc2
SSDEEP: 3072:H28R6lqgN6Loqwu4RLdtzp6VbHP5Eh5eFKPD375lHzpa1P:H2HsLoqwuidtzp+NELeYr75lHzpaF
Score: 10/10

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pphjbgfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Majjgmco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iffcgoka.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbjlpo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phodlm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ildibc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fcepbooa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkiclepa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajfobfaj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejchbmna.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paelpcgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddjmkg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahfmka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mciokcgg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgdcom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gkjhif32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jeilne32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfimmhkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djipbbne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aceijg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ebnocpfp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebagdddp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhgoimlo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efeiahdo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Famhmfkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Knphfklg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbellhbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfaaddlo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjambg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dldlbgbb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cphgca32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icdmqg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mccofn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epndddnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdjqienq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlnbhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iehfno32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emeffcid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogjdheqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fqjolfda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lcpledob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jaljbmkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndidna32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbiphhhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Headjael.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jldbpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bmbnnn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndkjik32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afjlgafe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Icoodj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjodff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lojfin32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pldcdhpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kifcnjpi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llgjcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ildibc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocmjhfjl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkbmih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gempqo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmddihfj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpmmfbfl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Neeifa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kdcbic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fclmkb32.exe
Executes dropped EXE (64 IoCs)
pid | Process
3540 | Fgjhpcmo.exe
3932 | Ieccbbkn.exe
4992 | Jldbpl32.exe
4532 | Kpccmhdg.exe
400 | Laiipofp.exe
2152 | Mljmhflh.exe
2684 | Mjpjgj32.exe
3796 | Ncpeaoih.exe
868 | Objkmkjj.exe
2172 | Pmkofa32.exe
4108 | Pbjddh32.exe
1520 | Aimogakj.exe
4320 | Apnndj32.exe
1468 | Bmbnnn32.exe
392 | Bpjmph32.exe
5100 | Cdmoafdb.exe
4248 | Ccblbb32.exe
2280 | Dggkipii.exe
1284 | Enlcahgh.exe
3088 | Famhmfkl.exe
1088 | Fgiaemic.exe
4768 | Fqikob32.exe
4740 | Gcnnllcg.exe
4136 | Hqdkkp32.exe
4368 | Hnmeodjc.exe
1524 | Ihceigec.exe
832 | Jaljbmkd.exe
4112 | Jeolckne.exe
2136 | Jddiegbm.exe
3876 | Kongmo32.exe
640 | Lojfin32.exe
2340 | Moefdljc.exe
1196 | Ndidna32.exe
3892 | Nlcidopb.exe
2412 | Obkahddl.exe
4256 | Ocmjhfjl.exe
1324 | Pmmeak32.exe
776 | Abpcja32.exe
1040 | Afceko32.exe
492 | Bmddihfj.exe
5020 | Blknpdho.exe
4128 | Cleqfb32.exe
3396 | Cmgjee32.exe
4552 | Dpjompqc.exe
4064 | Egknji32.exe
3416 | Emeffcid.exe
1364 | Eebgqe32.exe
4540 | Iepihf32.exe
2248 | Jeilne32.exe
1932 | Kmlgcf32.exe
4840 | Kceoppmo.exe
4940 | Lelajb32.exe
1944 | Lkbmih32.exe
4348 | Mobbdf32.exe
4584 | Necqbo32.exe
4924 | Ndkjik32.exe
1764 | Nkebee32.exe
2260 | Ohnljine.exe
1668 | Onjebpml.exe
1760 | Oggbfdog.exe
3328 | Pohnnqgo.exe
4640 | Pbifol32.exe
4180 | Aeeomegd.exe
4068 | Ebagdddp.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Gcddjiel.exe | Gmjlmo32.exe
File opened for modification | C:\Windows\SysWOW64\Hoglmg32.exe | Gikdep32.exe
File created | C:\Windows\SysWOW64\Hoglmg32.exe | Gikdep32.exe
File opened for modification | C:\Windows\SysWOW64\Kdgapp32.exe | Kjambg32.exe
File opened for modification | C:\Windows\SysWOW64\Fmpaqd32.exe | Fjbddh32.exe
File created | C:\Windows\SysWOW64\Knipik32.exe | Kblidkhp.exe
File opened for modification | C:\Windows\SysWOW64\Codhgg32.exe | Cjgpoq32.exe
File created | C:\Windows\SysWOW64\Fmancbji.exe | Epmmjnkp.exe
File created | C:\Windows\SysWOW64\Aceijg32.exe | Qmkanmel.exe
File created | C:\Windows\SysWOW64\Ioeicajh.exe | Ionbcb32.exe
File created | C:\Windows\SysWOW64\Ifqikhho.dll | Pgpmdh32.exe
File opened for modification | C:\Windows\SysWOW64\Ibegpmah.exe | Iimcgg32.exe
File created | C:\Windows\SysWOW64\Necqbo32.exe | Mobbdf32.exe
File created | C:\Windows\SysWOW64\Aqjpod32.exe | Ajqgbjoh.exe
File created | C:\Windows\SysWOW64\Mcappaqj.dll | Ikijenab.exe
File created | C:\Windows\SysWOW64\Fdjmci32.dll | Fclmkb32.exe
File opened for modification | C:\Windows\SysWOW64\Iepihf32.exe | Eebgqe32.exe
File opened for modification | C:\Windows\SysWOW64\Jkmgladi.exe | Idgocigi.exe
File opened for modification | C:\Windows\SysWOW64\Aqjpod32.exe | Ajqgbjoh.exe
File created | C:\Windows\SysWOW64\Ahgobbpl.dll | Knhbflbp.exe
File created | C:\Windows\SysWOW64\Fcepbooa.exe | Eepbabjj.exe
File opened for modification | C:\Windows\SysWOW64\Gngnjk32.exe | Ggnenagl.exe
File created | C:\Windows\SysWOW64\Gohoibbd.dll | Ggoiap32.exe
File created | C:\Windows\SysWOW64\Odljbmgj.dll | Kdfjej32.exe
File created | C:\Windows\SysWOW64\Nljopa32.exe | Ndokko32.exe
File created | C:\Windows\SysWOW64\Mliejcjo.dll | Ejmild32.exe
File created | C:\Windows\SysWOW64\Gihqbc32.dll | Doiabgqc.exe
File opened for modification | C:\Windows\SysWOW64\Hpofbobf.exe | Hienee32.exe
File opened for modification | C:\Windows\SysWOW64\Coldbl32.exe | Chblebll.exe
File opened for modification | C:\Windows\SysWOW64\Idebniil.exe | Hocqkc32.exe
File opened for modification | C:\Windows\SysWOW64\Nfeepdbg.exe | Nlpabkba.exe
File created | C:\Windows\SysWOW64\Bcqhfmhe.dll | Agbkfood.exe
File created | C:\Windows\SysWOW64\Hanolipa.dll | Ejchbmna.exe
File created | C:\Windows\SysWOW64\Okcncdkp.dll | Nkebee32.exe
File opened for modification | C:\Windows\SysWOW64\Bhblfpng.exe | Bahdje32.exe
File opened for modification | C:\Windows\SysWOW64\Iioicn32.exe | Ibeqgdpf.exe
File created | C:\Windows\SysWOW64\Mjodff32.exe | Mcdlil32.exe
File created | C:\Windows\SysWOW64\Genobp32.exe | Fdobhm32.exe
File created | C:\Windows\SysWOW64\Hfqgoo32.dll | Pmmeak32.exe
File opened for modification | C:\Windows\SysWOW64\Ggoiap32.exe | Fefjanml.exe
File created | C:\Windows\SysWOW64\Kifcnjpi.exe | Kbedaand.exe
File created | C:\Windows\SysWOW64\Haajpgna.dll | Cphgca32.exe
File created | C:\Windows\SysWOW64\Gkjhif32.exe | Gempqo32.exe
File opened for modification | C:\Windows\SysWOW64\Cgnogmkl.exe | Cpdgjc32.exe
File created | C:\Windows\SysWOW64\Eobdnbdn.dll | Obkahddl.exe
File opened for modification | C:\Windows\SysWOW64\Lejgln32.exe | Legjgn32.exe
File created | C:\Windows\SysWOW64\Odkaac32.exe | Nacboi32.exe
File created | C:\Windows\SysWOW64\Jodlof32.exe | Jhejgl32.exe
File created | C:\Windows\SysWOW64\Oenfbj32.dll | Lmmokgne.exe
File opened for modification | C:\Windows\SysWOW64\Chibfa32.exe | Cggifn32.exe
File created | C:\Windows\SysWOW64\Gmeadk32.dll | Emeffcid.exe
File created | C:\Windows\SysWOW64\Hfaaddlo.exe | Hpgigj32.exe
File opened for modification | C:\Windows\SysWOW64\Kklkej32.exe | Kdbchp32.exe
File created | C:\Windows\SysWOW64\Ndjldo32.exe | Nmpdgdmp.exe
File opened for modification | C:\Windows\SysWOW64\Mbmbiqqp.exe | Lnfgmc32.exe
File created | C:\Windows\SysWOW64\Qeoeaq32.dll | Naaejj32.exe
File created | C:\Windows\SysWOW64\Mkhepqnd.dll | Ajqgbjoh.exe
File created | C:\Windows\SysWOW64\Coldbl32.exe | Chblebll.exe
File created | C:\Windows\SysWOW64\Dpjgoabj.dll | Ieojqi32.exe
File opened for modification | C:\Windows\SysWOW64\Pohnnqgo.exe | Oggbfdog.exe
File created | C:\Windows\SysWOW64\Klhnij32.dll | Gajibq32.exe
File created | C:\Windows\SysWOW64\Gmjlmo32.exe | Gfpcpefb.exe
File created | C:\Windows\SysWOW64\Njanjn32.dll | Ebagdddp.exe
File opened for modification | C:\Windows\SysWOW64\Qfhdnb32.exe | Qpolahdj.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hgmebnpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobocab.dll" | Mbbcofpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bkmmkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdafekm.dll" | Ddjmkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cocjbkna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eebgqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gpqjaanf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ihceigec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qfhdnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Efeiahdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pmpfcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Amibklml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qqamieno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pkoldl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oioojh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kkpbbdil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilomqok.dll" | Ipihiaqa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddmqp32.dll" | Mobbdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkqjp32.dll" | Nlcidopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihclm32.dll" | Ppeipfdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pcncjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cemdmlga.dll" | Npipnjmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgopofnb.dll" | Jfllca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hafpiehg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jalakeme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdmmlf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ohnljine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Odkaac32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hhfenc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aoenbkll.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aghdco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aelcooap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oggbfdog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Necqbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nfaijand.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pmiijjcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cphgca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iogoinka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lojfin32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdeqaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ilbnkiba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bhppap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Epkpdn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hkiclepa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haajpgna.dll" | Cphgca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ibeqgdpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fagjolao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dhdaao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Necqbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mdckpqod.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mingbhon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Imbhiial.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gfngke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lmncgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaigibm.dll" | Pncggqbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kdgapp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidmfhlj.dll" | Qahkch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgedkcjf.dll" | Headon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gbgibgpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanpok32.dll" | Pbifol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bgimjmfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ebejpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hphfac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genbjogo.dll" | Bmeagjbo.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3156 wrote to memory of 3540 | 3156 | NEAS.b6bcc766e4968d3bd2a60a2055a4c620.exe | 88
PID 3156 wrote to memory of 3540 | 3156 | NEAS.b6bcc766e4968d3bd2a60a2055a4c620.exe | 88
PID 3156 wrote to memory of 3540 | 3156 | NEAS.b6bcc766e4968d3bd2a60a2055a4c620.exe | 88
PID 3540 wrote to memory of 3932 | 3540 | Fgjhpcmo.exe | 89
PID 3540 wrote to memory of 3932 | 3540 | Fgjhpcmo.exe | 89
PID 3540 wrote to memory of 3932 | 3540 | Fgjhpcmo.exe | 89
PID 3932 wrote to memory of 4992 | 3932 | Ieccbbkn.exe | 90
PID 3932 wrote to memory of 4992 | 3932 | Ieccbbkn.exe | 90
PID 3932 wrote to memory of 4992 | 3932 | Ieccbbkn.exe | 90
PID 4992 wrote to memory of 4532 | 4992 | Jldbpl32.exe | 91
PID 4992 wrote to memory of 4532 | 4992 | Jldbpl32.exe | 91
PID 4992 wrote to memory of 4532 | 4992 | Jldbpl32.exe | 91
PID 4532 wrote to memory of 400 | 4532 | Kpccmhdg.exe | 92
PID 4532 wrote to memory of 400 | 4532 | Kpccmhdg.exe | 92
PID 4532 wrote to memory of 400 | 4532 | Kpccmhdg.exe | 92
PID 400 wrote to memory of 2152 | 400 | Laiipofp.exe | 93
PID 400 wrote to memory of 2152 | 400 | Laiipofp.exe | 93
PID 400 wrote to memory of 2152 | 400 | Laiipofp.exe | 93
PID 2152 wrote to memory of 2684 | 2152 | Mljmhflh.exe | 94
PID 2152 wrote to memory of 2684 | 2152 | Mljmhflh.exe | 94
PID 2152 wrote to memory of 2684 | 2152 | Mljmhflh.exe | 94
PID 2684 wrote to memory of 3796 | 2684 | Mjpjgj32.exe | 95
PID 2684 wrote to memory of 3796 | 2684 | Mjpjgj32.exe | 95
PID 2684 wrote to memory of 3796 | 2684 | Mjpjgj32.exe | 95
PID 3796 wrote to memory of 868 | 3796 | Ncpeaoih.exe | 96
PID 3796 wrote to memory of 868 | 3796 | Ncpeaoih.exe | 96
PID 3796 wrote to memory of 868 | 3796 | Ncpeaoih.exe | 96
PID 868 wrote to memory of 2172 | 868 | Objkmkjj.exe | 97
PID 868 wrote to memory of 2172 | 868 | Objkmkjj.exe | 97
PID 868 wrote to memory of 2172 | 868 | Objkmkjj.exe | 97
PID 2172 wrote to memory of 4108 | 2172 | Pmkofa32.exe | 98
PID 2172 wrote to memory of 4108 | 2172 | Pmkofa32.exe | 98
PID 2172 wrote to memory of 4108 | 2172 | Pmkofa32.exe | 98
PID 4108 wrote to memory of 1520 | 4108 | Pbjddh32.exe | 99
PID 4108 wrote to memory of 1520 | 4108 | Pbjddh32.exe | 99
PID 4108 wrote to memory of 1520 | 4108 | Pbjddh32.exe | 99
PID 1520 wrote to memory of 4320 | 1520 | Aimogakj.exe | 100
PID 1520 wrote to memory of 4320 | 1520 | Aimogakj.exe | 100
PID 1520 wrote to memory of 4320 | 1520 | Aimogakj.exe | 100
PID 4320 wrote to memory of 1468 | 4320 | Apnndj32.exe | 101
PID 4320 wrote to memory of 1468 | 4320 | Apnndj32.exe | 101
PID 4320 wrote to memory of 1468 | 4320 | Apnndj32.exe | 101
PID 1468 wrote to memory of 392 | 1468 | Bmbnnn32.exe | 102
PID 1468 wrote to memory of 392 | 1468 | Bmbnnn32.exe | 102
PID 1468 wrote to memory of 392 | 1468 | Bmbnnn32.exe | 102
PID 392 wrote to memory of 5100 | 392 | Bpjmph32.exe | 103
PID 392 wrote to memory of 5100 | 392 | Bpjmph32.exe | 103
PID 392 wrote to memory of 5100 | 392 | Bpjmph32.exe | 103
PID 5100 wrote to memory of 4248 | 5100 | Cdmoafdb.exe | 104
PID 5100 wrote to memory of 4248 | 5100 | Cdmoafdb.exe | 104
PID 5100 wrote to memory of 4248 | 5100 | Cdmoafdb.exe | 104
PID 4248 wrote to memory of 2280 | 4248 | Ccblbb32.exe | 105
PID 4248 wrote to memory of 2280 | 4248 | Ccblbb32.exe | 105
PID 4248 wrote to memory of 2280 | 4248 | Ccblbb32.exe | 105
PID 2280 wrote to memory of 1284 | 2280 | Dggkipii.exe | 106
PID 2280 wrote to memory of 1284 | 2280 | Dggkipii.exe | 106
PID 2280 wrote to memory of 1284 | 2280 | Dggkipii.exe | 106
PID 1284 wrote to memory of 3088 | 1284 | Enlcahgh.exe | 107
PID 1284 wrote to memory of 3088 | 1284 | Enlcahgh.exe | 107
PID 1284 wrote to memory of 3088 | 1284 | Enlcahgh.exe | 107
PID 3088 wrote to memory of 1088 | 3088 | Famhmfkl.exe | 108
PID 3088 wrote to memory of 1088 | 3088 | Famhmfkl.exe | 108
PID 3088 wrote to memory of 1088 | 3088 | Famhmfkl.exe | 108
PID 1088 wrote to memory of 4768 | 1088 | Fgiaemic.exe | 109
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\NEAS.b6bcc766e4968d3bd2a60a2055a4c620.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.b6bcc766e4968d3bd2a60a2055a4c620.exe"), PID 3156
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Fgjhpcmo.exe (C:\Windows\system32\Fgjhpcmo.exe), PID 3540
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ieccbbkn.exe (C:\Windows\system32\Ieccbbkn.exe), PID 3932
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Jldbpl32.exe (C:\Windows\system32\Jldbpl32.exe), PID 4992
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Kpccmhdg.exe (C:\Windows\system32\Kpccmhdg.exe), PID 4532
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Laiipofp.exe (C:\Windows\system32\Laiipofp.exe), PID 400
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mljmhflh.exe (C:\Windows\system32\Mljmhflh.exe), PID 2152
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mjpjgj32.exe (C:\Windows\system32\Mjpjgj32.exe), PID 2684
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Ncpeaoih.exe (C:\Windows\system32\Ncpeaoih.exe), PID 3796
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Objkmkjj.exe (C:\Windows\system32\Objkmkjj.exe), PID 868
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pmkofa32.exe (C:\Windows\system32\Pmkofa32.exe), PID 2172
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Pbjddh32.exe (C:\Windows\system32\Pbjddh32.exe), PID 4108
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Aimogakj.exe (C:\Windows\system32\Aimogakj.exe), PID 1520
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Apnndj32.exe (C:\Windows\system32\Apnndj32.exe), PID 4320
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bmbnnn32.exe (C:\Windows\system32\Bmbnnn32.exe), PID 1468
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bpjmph32.exe (C:\Windows\system32\Bpjmph32.exe), PID 392
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Cdmoafdb.exe (C:\Windows\system32\Cdmoafdb.exe), PID 5100
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Ccblbb32.exe (C:\Windows\system32\Ccblbb32.exe), PID 4248
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Dggkipii.exe (C:\Windows\system32\Dggkipii.exe), PID 2280
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Enlcahgh.exe (C:\Windows\system32\Enlcahgh.exe), PID 1284
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Famhmfkl.exe (C:\Windows\system32\Famhmfkl.exe), PID 3088
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Fgiaemic.exe (C:\Windows\system32\Fgiaemic.exe), PID 1088
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Fqikob32.exe (C:\Windows\system32\Fqikob32.exe), PID 4768
   - Executes dropped EXE
24. C:\Windows\SysWOW64\Gcnnllcg.exe (C:\Windows\system32\Gcnnllcg.exe), PID 4740
   - Executes dropped EXE
25. C:\Windows\SysWOW64\Hqdkkp32.exe (C:\Windows\system32\Hqdkkp32.exe), PID 4136
   - Executes dropped EXE
26. C:\Windows\SysWOW64\Hnmeodjc.exe (C:\Windows\system32\Hnmeodjc.exe), PID 4368
   - Executes dropped EXE
27. C:\Windows\SysWOW64\Ihceigec.exe (C:\Windows\system32\Ihceigec.exe), PID 1524
   - Executes dropped EXE
   - Modifies registry class
28. C:\Windows\SysWOW64\Jaljbmkd.exe (C:\Windows\system32\Jaljbmkd.exe), PID 832
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
29. C:\Windows\SysWOW64\Janghmia.exe (C:\Windows\system32\Janghmia.exe), PID 1788
30. C:\Windows\SysWOW64\Jeolckne.exe (C:\Windows\system32\Jeolckne.exe), PID 4112
   - Executes dropped EXE
31. C:\Windows\SysWOW64\Jddiegbm.exe (C:\Windows\system32\Jddiegbm.exe), PID 2136
   - Executes dropped EXE
32. C:\Windows\SysWOW64\Kongmo32.exe (C:\Windows\system32\Kongmo32.exe), PID 3876
   - Executes dropped EXE
33. C:\Windows\SysWOW64\Lojfin32.exe (C:\Windows\system32\Lojfin32.exe), PID 640
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
34. C:\Windows\SysWOW64\Moefdljc.exe (C:\Windows\system32\Moefdljc.exe), PID 2340
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Ndidna32.exe (C:\Windows\system32\Ndidna32.exe), PID 1196
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Nlcidopb.exe (C:\Windows\system32\Nlcidopb.exe), PID 3892
   - Executes dropped EXE
   - Modifies registry class
37. C:\Windows\SysWOW64\Obkahddl.exe (C:\Windows\system32\Obkahddl.exe), PID 2412
   - Executes dropped EXE
   - Drops file in System32 directory
38. C:\Windows\SysWOW64\Ocmjhfjl.exe (C:\Windows\system32\Ocmjhfjl.exe), PID 4256
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Pmmeak32.exe (C:\Windows\system32\Pmmeak32.exe), PID 1324
   - Executes dropped EXE
   - Drops file in System32 directory
40. C:\Windows\SysWOW64\Abpcja32.exe (C:\Windows\system32\Abpcja32.exe), PID 776
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Afceko32.exe (C:\Windows\system32\Afceko32.exe), PID 1040
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Bmddihfj.exe (C:\Windows\system32\Bmddihfj.exe), PID 492
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Blknpdho.exe (C:\Windows\system32\Blknpdho.exe), PID 5020
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Cleqfb32.exe (C:\Windows\system32\Cleqfb32.exe), PID 4128
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Cmgjee32.exe (C:\Windows\system32\Cmgjee32.exe), PID 3396
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Dpjompqc.exe (C:\Windows\system32\Dpjompqc.exe), PID 4552
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Egknji32.exe (C:\Windows\system32\Egknji32.exe), PID 4064
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Emeffcid.exe (C:\Windows\system32\Emeffcid.exe), PID 3416
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
49. C:\Windows\SysWOW64\Eebgqe32.exe (C:\Windows\system32\Eebgqe32.exe), PID 1364
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
50. C:\Windows\SysWOW64\Iepihf32.exe (C:\Windows\system32\Iepihf32.exe), PID 4540
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Jeilne32.exe (C:\Windows\system32\Jeilne32.exe), PID 2248
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Kmlgcf32.exe (C:\Windows\system32\Kmlgcf32.exe), PID 1932
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Kceoppmo.exe (C:\Windows\system32\Kceoppmo.exe), PID 4840
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Lelajb32.exe (C:\Windows\system32\Lelajb32.exe), PID 4940
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Lkbmih32.exe (C:\Windows\system32\Lkbmih32.exe), PID 1944
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Mobbdf32.exe (C:\Windows\system32\Mobbdf32.exe), PID 4348
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
57. C:\Windows\SysWOW64\Necqbo32.exe (C:\Windows\system32\Necqbo32.exe), PID 4584
   - Executes dropped EXE
   - Modifies registry class
58. C:\Windows\SysWOW64\Ndkjik32.exe (C:\Windows\system32\Ndkjik32.exe), PID 4924
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Nkebee32.exe (C:\Windows\system32\Nkebee32.exe), PID 1764
   - Executes dropped EXE
   - Drops file in System32 directory
60. C:\Windows\SysWOW64\Ohnljine.exe (C:\Windows\system32\Ohnljine.exe), PID 2260
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Onjebpml.exe (C:\Windows\system32\Onjebpml.exe), PID 1668
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Oggbfdog.exe (C:\Windows\system32\Oggbfdog.exe), PID 1760
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
63. C:\Windows\SysWOW64\Pohnnqgo.exe (C:\Windows\system32\Pohnnqgo.exe), PID 3328
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Pbifol32.exe (C:\Windows\system32\Pbifol32.exe), PID 4640
   - Executes dropped EXE
   - Modifies registry class
65. C:\Windows\SysWOW64\Aeeomegd.exe (C:\Windows\system32\Aeeomegd.exe), PID 4180
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Ebagdddp.exe (C:\Windows\system32\Ebagdddp.exe), PID 4068
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
67. C:\Windows\SysWOW64\Ehnpmkbg.exe (C:\Windows\system32\Ehnpmkbg.exe), PID 3424
68. C:\Windows\SysWOW64\Fefjanml.exe (C:\Windows\system32\Fefjanml.exe), PID 656
   - Drops file in System32 directory
69. C:\Windows\SysWOW64\Ggoiap32.exe (C:\Windows\system32\Ggoiap32.exe), PID 3012
   - Drops file in System32 directory
70. C:\Windows\SysWOW64\Hgkimn32.exe (C:\Windows\system32\Hgkimn32.exe), PID 4880
71. C:\Windows\SysWOW64\Hgmebnpd.exe (C:\Windows\system32\Hgmebnpd.exe), PID 4952
   - Modifies registry class
72. C:\Windows\SysWOW64\Hpejlc32.exe (C:\Windows\system32\Hpejlc32.exe), PID 216
73. C:\Windows\SysWOW64\Hjnndime.exe (C:\Windows\system32\Hjnndime.exe), PID 3532
74. C:\Windows\SysWOW64\Hphfac32.exe (C:\Windows\system32\Hphfac32.exe), PID 4276
   - Modifies registry class
75. C:\Windows\SysWOW64\Icminm32.exe (C:\Windows\system32\Icminm32.exe), PID 3456
76. C:\Windows\SysWOW64\Kgngqico.exe (C:\Windows\system32\Kgngqico.exe), PID 4512
77. C:\Windows\SysWOW64\Mjafoapj.exe (C:\Windows\system32\Mjafoapj.exe), PID 2728
78. C:\Windows\SysWOW64\Nfaijand.exe (C:\Windows\system32\Nfaijand.exe), PID 4920
   - Modifies registry class
79. C:\Windows\SysWOW64\Omgabj32.exe (C:\Windows\system32\Omgabj32.exe), PID 468
80. C:\Windows\SysWOW64\Qpmmfbfl.exe (C:\Windows\system32\Qpmmfbfl.exe), PID 1844
   - Adds autorun key to be loaded by Explorer.exe on startup
81. C:\Windows\SysWOW64\Bkjpkg32.exe (C:\Windows\system32\Bkjpkg32.exe), PID 228
82. C:\Windows\SysWOW64\Djipbbne.exe (C:\Windows\system32\Djipbbne.exe), PID 3296
   - Adds autorun key to be loaded by Explorer.exe on startup
83. C:\Windows\SysWOW64\Djpfbahm.exe (C:\Windows\system32\Djpfbahm.exe), PID 4992
84. C:\Windows\SysWOW64\Enedio32.exe (C:\Windows\system32\Enedio32.exe), PID 2796
85. C:\Windows\SysWOW64\Flbhia32.exe (C:\Windows\system32\Flbhia32.exe), PID 1320
86. C:\Windows\SysWOW64\Fblpflfg.exe (C:\Windows\system32\Fblpflfg.exe), PID 2684
87. C:\Windows\SysWOW64\Feofmf32.exe (C:\Windows\system32\Feofmf32.exe), PID 856
88. C:\Windows\SysWOW64\Glinjqhb.exe (C:\Windows\system32\Glinjqhb.exe), PID 4724
89. C:\Windows\SysWOW64\Gajpmg32.exe (C:\Windows\system32\Gajpmg32.exe), PID 4528
90. C:\Windows\SysWOW64\Gooqfkan.exe (C:\Windows\system32\Gooqfkan.exe), PID 2820
91. C:\Windows\SysWOW64\Hafpiehg.exe (C:\Windows\system32\Hafpiehg.exe), PID 3280
   - Modifies registry class
92. C:\Windows\SysWOW64\Icdhdfcj.exe (C:\Windows\system32\Icdhdfcj.exe), PID 3460
93. C:\Windows\SysWOW64\Jhcmbm32.exe (C:\Windows\system32\Jhcmbm32.exe), PID 1256
94. C:\Windows\SysWOW64\Jhejgl32.exe (C:\Windows\system32\Jhejgl32.exe), PID 4728
   - Drops file in System32 directory
95. C:\Windows\SysWOW64\Jodlof32.exe (C:\Windows\system32\Jodlof32.exe), PID 1380
96. C:\Windows\SysWOW64\Kbedaand.exe (C:\Windows\system32\Kbedaand.exe), PID 4556
   - Drops file in System32 directory
97. C:\Windows\SysWOW64\Kifcnjpi.exe (C:\Windows\system32\Kifcnjpi.exe), PID 4304
   - Adds autorun key to be loaded by Explorer.exe on startup
98. C:\Windows\SysWOW64\Lcpqgbkj.exe (C:\Windows\system32\Lcpqgbkj.exe), PID 452
99. C:\Windows\SysWOW64\Lmmokgne.exe (C:\Windows\system32\Lmmokgne.exe), PID 4932
   - Drops file in System32 directory
100. C:\Windows\SysWOW64\Mcpjnp32.exe (C:\Windows\system32\Mcpjnp32.exe), PID 4460
101. C:\Windows\SysWOW64\Mimbfg32.exe (C:\Windows\system32\Mimbfg32.exe), PID 4652
102. C:\Windows\SysWOW64\Nmpdgdmp.exe (C:\Windows\system32\Nmpdgdmp.exe), PID 4768
   - Drops file in System32 directory
103. C:\Windows\SysWOW64\Ndjldo32.exe (C:\Windows\system32\Ndjldo32.exe), PID 4596
104. C:\Windows\SysWOW64\Okaabg32.exe (C:\Windows\system32\Okaabg32.exe), PID 2192
105. C:\Windows\SysWOW64\Ppepkmhi.exe (C:\Windows\system32\Ppepkmhi.exe), PID 412
106. C:\Windows\SysWOW64\Akbjidbf.exe (C:\Windows\system32\Akbjidbf.exe), PID 4712
107. C:\Windows\SysWOW64\Acbhhf32.exe (C:\Windows\system32\Acbhhf32.exe), PID 3116
108. C:\Windows\SysWOW64\Bjeckojo.exe (C:\Windows\system32\Bjeckojo.exe), PID 2664
109. C:\Windows\SysWOW64\Cknbkpif.exe (C:\Windows\system32\Cknbkpif.exe), PID 2892
110. C:\Windows\SysWOW64\Dkehlo32.exe (C:\Windows\system32\Dkehlo32.exe), PID 5104
111. C:\Windows\SysWOW64\Dcegkamd.exe (C:\Windows\system32\Dcegkamd.exe), PID 3804
112. C:\Windows\SysWOW64\Dedceddg.exe (C:\Windows\system32\Dedceddg.exe), PID 4072
113. C:\Windows\SysWOW64\Eakdje32.exe (C:\Windows\system32\Eakdje32.exe), PID 1816
114. C:\Windows\SysWOW64\Ekeacmel.exe (C:\Windows\system32\Ekeacmel.exe), PID 3112
115. C:\Windows\SysWOW64\Eabjkdcc.exe (C:\Windows\system32\Eabjkdcc.exe), PID 3656
116. C:\Windows\SysWOW64\Eglbhnkp.exe (C:\Windows\system32\Eglbhnkp.exe), PID 2412
117. C:\Windows\SysWOW64\Enfjdh32.exe (C:\Windows\system32\Enfjdh32.exe), PID 1124
118. C:\Windows\SysWOW64\Eepbabjj.exe (C:\Windows\system32\Eepbabjj.exe), PID 4412
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Fcepbooa.exe (C:\Windows\system32\Fcepbooa.exe), PID 4112
   - Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Faiplcmk.exe (C:\Windows\system32\Faiplcmk.exe), PID 1332
121. C:\Windows\SysWOW64\Fjbddh32.exe (C:\Windows\system32\Fjbddh32.exe), PID 4544
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Fmpaqd32.exe (C:\Windows\system32\Fmpaqd32.exe), PID 3088