Analysis
-
max time kernel
164s -
max time network
200s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
22/10/2023, 17:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.9576f18033382a97d7ea3bdf955b5500.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.9576f18033382a97d7ea3bdf955b5500.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.9576f18033382a97d7ea3bdf955b5500.exe
-
Size
74KB
-
MD5
9576f18033382a97d7ea3bdf955b5500
-
SHA1
c6ee46908cc3a259928a7396310a79cef4243c62
-
SHA256
3016369a919d59ca002edb3cb8c149024cc2d86679ab6b4ea652ee787f64ea10
-
SHA512
bec85142145a5b9d7b4a1bd53175803c97126308423cfbc1473488fc9b82eb0757f0b14df2aeeba11949bcc4860a656ae83305df3b48f097481140e5923762b4
-
SSDEEP
768:jML/b/P+93I4EgNo9bIWOW9vkt2o04ADoN11y4EW0owMnbgK02+cZg7Jzk5n6GZ7:guVo9MWzwVWo9QaUK02I9DAuwP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ackbfioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjdma32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bogcqpdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deokhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcddlhgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flinddpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnnifggg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eonmkkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elbhde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfjlp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjkje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbgdef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knefnkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kknhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjmfmnhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliihipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pphlpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmbmefob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jialbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfdkeaap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppccemjk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihmcflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbddmejf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqpoja32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdkool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaophp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkpbegc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpeejfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfehoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kepdfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecphmfbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbocbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnojcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qagdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjebbfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eekjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omkdlhip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geeecogb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nofmndkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcccom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bocoqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmoapq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bicogo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeiddl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdnpon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnakld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidbab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhejij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mehcnlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nldhpeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gblbmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobign32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qphljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbgjlq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghgbe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcddjiel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heegjj32.exe -
Executes dropped EXE 64 IoCs
pid Process 4460 Ehkcgkdj.exe 3004 Eflceb32.exe 4428 Ellicihn.exe 1524 Efampahd.exe 4784 Ehbihj32.exe 2624 Epiaig32.exe 1148 Fhefmjlp.exe 1720 Fbjjkble.exe 1308 Fidbgm32.exe 4384 Fpnkdfko.exe 832 Flekihpc.exe 2408 Pdbbfadn.exe 988 Hikkdc32.exe 3780 Hedhoc32.exe 1124 Opcjno32.exe 2376 Ofmbkipk.exe 1920 Omgjhc32.exe 3828 Ofalfi32.exe 4712 Odelpm32.exe 1364 Omnqhbap.exe 1716 Offeahhp.exe 220 Pmpmnb32.exe 2296 Pignccea.exe 4068 Pboblika.exe 2088 Ppccemjk.exe 2124 Pljcjn32.exe 2968 Pcdlghgl.exe 532 Pphlpl32.exe 2316 Qciebg32.exe 4856 Qckbggad.exe 4220 Geeecogb.exe 4436 Lfkich32.exe 1352 Ppblkffp.exe 2876 Clhbhc32.exe 4900 Claenb32.exe 212 Dqomdppm.exe 2232 Djgbmffn.exe 1172 Dqajjp32.exe 1400 Dcdpakii.exe 4016 Dgbhgi32.exe 4624 Ejaecdnc.exe 4940 Eonmkkmj.exe 4572 Eopjakkg.exe 4552 Efjbne32.exe 3616 Ecnbgian.exe 3964 Fjldocde.exe 1164 Fnjmea32.exe 2068 Fgcang32.exe 2364 Fmpjfn32.exe 3844 Ffhnocfd.exe 1776 Fjfgealk.exe 1120 Fcnlng32.exe 1340 Gndpkp32.exe 1496 Gmimll32.exe 1336 Gnkflo32.exe 4724 Ghcjedcj.exe 3552 Gnmbao32.exe 4692 Hcjkje32.exe 4768 Hanlcjgh.exe 4312 Hfkdkqeo.exe 1884 Hmdlhk32.exe 4464 Hdodeedi.exe 3152 Hhjqec32.exe 1068 Hpeejfjm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Plqqme32.exe Pibdai32.exe File opened for modification C:\Windows\SysWOW64\Kaiocjae.exe Kfdkeaap.exe File created C:\Windows\SysWOW64\Bjhcad32.dll Jqfclgno.exe File created C:\Windows\SysWOW64\Njebknkf.dll Bfjlecdj.exe File opened for modification C:\Windows\SysWOW64\Gjqigg32.exe Gcfqjmka.exe File created C:\Windows\SysWOW64\Olijkhjb.dll NEAS.9576f18033382a97d7ea3bdf955b5500.exe File created C:\Windows\SysWOW64\Mpmqae32.dll Kklkej32.exe File opened for modification C:\Windows\SysWOW64\Knefnkla.exe Klfjbpmn.exe File opened for modification C:\Windows\SysWOW64\Gpnfak32.exe Glbjpmdd.exe File opened for modification C:\Windows\SysWOW64\Odelib32.exe Omkdlhip.exe File opened for modification C:\Windows\SysWOW64\Pdhiob32.exe Plqqme32.exe File created C:\Windows\SysWOW64\Eokkjn32.dll Pignccea.exe File created C:\Windows\SysWOW64\Ookmnk32.dll Pacahhib.exe File created C:\Windows\SysWOW64\Lojpiphc.dll Fgijdm32.exe File created C:\Windows\SysWOW64\Icbbbboe.exe Ifnbin32.exe File created C:\Windows\SysWOW64\Kakdhcgi.dll Kdjhde32.exe File created C:\Windows\SysWOW64\Mjddcf32.dll Apclep32.exe File created C:\Windows\SysWOW64\Jphigdll.dll Gcddjiel.exe File created C:\Windows\SysWOW64\Aaiiffjj.exe Akoqjl32.exe File created C:\Windows\SysWOW64\Ngmjnl32.dll Bliacj32.exe File opened for modification C:\Windows\SysWOW64\Mehapf32.exe Mgfabo32.exe File created C:\Windows\SysWOW64\Ijdlfdfj.dll Flbomn32.exe File opened for modification C:\Windows\SysWOW64\Pihmcflg.exe Paqebike.exe File opened for modification C:\Windows\SysWOW64\Qbljig32.exe Qmoapq32.exe File opened for modification C:\Windows\SysWOW64\Kkechjib.exe Kqpoja32.exe File opened for modification C:\Windows\SysWOW64\Dbqqeahl.exe Dpbdiehi.exe File created C:\Windows\SysWOW64\Jnkjpa32.exe Jgqbcg32.exe File created C:\Windows\SysWOW64\Fcmgjhop.exe Flbomn32.exe File created C:\Windows\SysWOW64\Hoadpgid.exe Googjgkg.exe File created C:\Windows\SysWOW64\Ipkneh32.exe Iiaein32.exe File created C:\Windows\SysWOW64\Kdehpnep.dll Ccednl32.exe File created C:\Windows\SysWOW64\Cmgmjbeo.dll Ifjdjbdd.exe File created C:\Windows\SysWOW64\Fpejjabq.dll Llofnh32.exe File opened for modification C:\Windows\SysWOW64\Ooqqmoac.exe Ohdlke32.exe File created C:\Windows\SysWOW64\Llbgoe32.dll Kknhjj32.exe File created C:\Windows\SysWOW64\Dmgbgf32.exe Dfmjjl32.exe File created C:\Windows\SysWOW64\Dffmogji.exe Daiegp32.exe File created C:\Windows\SysWOW64\Gmbmefob.exe Gdjilphb.exe File created C:\Windows\SysWOW64\Gedkkm32.dll Hikkdc32.exe File created C:\Windows\SysWOW64\Aoebjc32.dll Mbpoop32.exe File created C:\Windows\SysWOW64\Objelghl.dll Ibqndm32.exe File opened for modification C:\Windows\SysWOW64\Lhkkjl32.exe Lkgkqh32.exe File created C:\Windows\SysWOW64\Kolkip32.dll Gbgdef32.exe File created C:\Windows\SysWOW64\Djnfppqi.exe Dcdnce32.exe File created C:\Windows\SysWOW64\Mkckfk32.dll Dgpgplej.exe File opened for modification C:\Windows\SysWOW64\Peobeh32.exe Oemephgn.exe File opened for modification C:\Windows\SysWOW64\Jegobkeo.exe Jgcoigfe.exe File created C:\Windows\SysWOW64\Nnmile32.dll Omnqhbap.exe File created C:\Windows\SysWOW64\Odbemgba.dll Bocoqj32.exe File opened for modification C:\Windows\SysWOW64\Ieojqi32.exe Ibqndm32.exe File created C:\Windows\SysWOW64\Emphagjj.dll Hqagdpcc.exe File created C:\Windows\SysWOW64\Kpilnafg.exe Kmkpbegc.exe File opened for modification C:\Windows\SysWOW64\Kdmjmqjf.exe Jgiiclkl.exe File opened for modification C:\Windows\SysWOW64\Cmcoflhh.exe Cbnkhcha.exe File created C:\Windows\SysWOW64\Mabpdmlb.dll Kimglg32.exe File created C:\Windows\SysWOW64\Oacaqj32.dll Kpilnafg.exe File created C:\Windows\SysWOW64\Foqacehl.dll Gndpkp32.exe File created C:\Windows\SysWOW64\Gbjlbm32.exe Glpdecjb.exe File created C:\Windows\SysWOW64\Eqjolmea.dll Jedblkga.exe File opened for modification C:\Windows\SysWOW64\Jiagpikj.exe Jqfclgno.exe File created C:\Windows\SysWOW64\Agacalbb.dll Fhefmjlp.exe File created C:\Windows\SysWOW64\Omnqhbap.exe Odelpm32.exe File created C:\Windows\SysWOW64\Pemibn32.dll Kqpoja32.exe File opened for modification C:\Windows\SysWOW64\Gifjjacn.exe Gblbmg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apbghkhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgmelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcfcgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjpbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcldcd32.dll" Djnfppqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiclchd.dll" Eblpqono.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hedhoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odelpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djgbmffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifdgaond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmdogpmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illiee32.dll" Jdkadb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aakelfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blhpjnbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pggbpjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaopee32.dll" Gedflbfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnanadfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bogcqpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Babfgo32.dll" Alkdbllo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khcgpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkiccmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgioia32.dll" Qjmllgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgeabloo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljanf32.dll" Alcfoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbichjn.dll" Gifjjacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdjedblg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qphljb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnlmcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipkpk32.dll" Ffhnocfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmifcjif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmqekg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnjaic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qgohal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgiiclkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdjha32.dll" Boflfiai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcfjpfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eaolen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfpcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laplba32.dll" Mhgkfkhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjbobpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooddp32.dll" Nbkojo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfqkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqppbdk.dll" Lihpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfhae32.dll" Fibfkbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciokqqf.dll" Iodaikfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmmnm32.dll" Hnnlcpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphlil32.dll" Djegoanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdgeheg.dll" Pbocbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qindmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhbab32.dll" Qlmhfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gndima32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hioamgfi.dll" Hcgjajmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdjhde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhejij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmakgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eimegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmbpckog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eeiddl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gehbcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjhqddk.dll" Jajdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbeffcei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oojaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbfgkan.dll" Qgmbkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfmjjl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5072 wrote to memory of 4460 5072 NEAS.9576f18033382a97d7ea3bdf955b5500.exe 86 PID 5072 wrote to memory of 4460 5072 NEAS.9576f18033382a97d7ea3bdf955b5500.exe 86 PID 5072 wrote to memory of 4460 5072 NEAS.9576f18033382a97d7ea3bdf955b5500.exe 86 PID 4460 wrote to memory of 3004 4460 Ehkcgkdj.exe 87 PID 4460 wrote to memory of 3004 4460 Ehkcgkdj.exe 87 PID 4460 wrote to memory of 3004 4460 Ehkcgkdj.exe 87 PID 3004 wrote to memory of 4428 3004 Eflceb32.exe 88 PID 3004 wrote to memory of 4428 3004 Eflceb32.exe 88 PID 3004 wrote to memory of 4428 3004 Eflceb32.exe 88 PID 4428 wrote to memory of 1524 4428 Ellicihn.exe 89 PID 4428 wrote to memory of 1524 4428 Ellicihn.exe 89 PID 4428 wrote to memory of 1524 4428 Ellicihn.exe 89 PID 1524 wrote to memory of 4784 1524 Efampahd.exe 90 PID 1524 wrote to memory of 4784 1524 Efampahd.exe 90 PID 1524 wrote to memory of 4784 1524 Efampahd.exe 90 PID 4784 wrote to memory of 2624 4784 Ehbihj32.exe 91 PID 4784 wrote to memory of 2624 4784 Ehbihj32.exe 91 PID 4784 wrote to memory of 2624 4784 Ehbihj32.exe 91 PID 2624 wrote to memory of 1148 2624 Epiaig32.exe 92 PID 2624 wrote to memory of 1148 2624 Epiaig32.exe 92 PID 2624 wrote to memory of 1148 2624 Epiaig32.exe 92 PID 1148 wrote to memory of 1720 1148 Fhefmjlp.exe 93 PID 1148 wrote to memory of 1720 1148 Fhefmjlp.exe 93 PID 1148 wrote to memory of 1720 1148 Fhefmjlp.exe 93 PID 1720 wrote to memory of 1308 1720 Fbjjkble.exe 94 PID 1720 wrote to memory of 1308 1720 Fbjjkble.exe 94 PID 1720 wrote to memory of 1308 1720 Fbjjkble.exe 94 PID 1308 wrote to memory of 4384 1308 Fidbgm32.exe 95 PID 1308 wrote to memory of 4384 1308 Fidbgm32.exe 95 PID 1308 wrote to memory of 4384 1308 Fidbgm32.exe 95 PID 4384 wrote to memory of 832 4384 Fpnkdfko.exe 96 PID 4384 wrote to memory of 832 4384 Fpnkdfko.exe 96 PID 4384 wrote to memory of 832 4384 Fpnkdfko.exe 96 PID 832 wrote to memory of 2408 832 Flekihpc.exe 97 PID 832 wrote to memory of 2408 832 Flekihpc.exe 97 PID 832 wrote to memory of 2408 832 Flekihpc.exe 97 PID 2408 wrote to memory of 988 2408 Pdbbfadn.exe 98 PID 2408 wrote to memory of 988 2408 Pdbbfadn.exe 98 PID 2408 wrote to memory of 988 2408 Pdbbfadn.exe 98 PID 988 wrote to memory of 3780 988 Hikkdc32.exe 99 PID 988 wrote to memory of 3780 988 Hikkdc32.exe 99 PID 988 wrote to memory of 3780 988 Hikkdc32.exe 99 PID 3780 wrote to memory of 1124 3780 Hedhoc32.exe 100 PID 3780 wrote to memory of 1124 3780 Hedhoc32.exe 100 PID 3780 wrote to memory of 1124 3780 Hedhoc32.exe 100 PID 1124 wrote to memory of 2376 1124 Opcjno32.exe 101 PID 1124 wrote to memory of 2376 1124 Opcjno32.exe 101 PID 1124 wrote to memory of 2376 1124 Opcjno32.exe 101 PID 2376 wrote to memory of 1920 2376 Ofmbkipk.exe 102 PID 2376 wrote to memory of 1920 2376 Ofmbkipk.exe 102 PID 2376 wrote to memory of 1920 2376 Ofmbkipk.exe 102 PID 1920 wrote to memory of 3828 1920 Omgjhc32.exe 103 PID 1920 wrote to memory of 3828 1920 Omgjhc32.exe 103 PID 1920 wrote to memory of 3828 1920 Omgjhc32.exe 103 PID 3828 wrote to memory of 4712 3828 Ofalfi32.exe 104 PID 3828 wrote to memory of 4712 3828 Ofalfi32.exe 104 PID 3828 wrote to memory of 4712 3828 Ofalfi32.exe 104 PID 4712 wrote to memory of 1364 4712 Odelpm32.exe 105 PID 4712 wrote to memory of 1364 4712 Odelpm32.exe 105 PID 4712 wrote to memory of 1364 4712 Odelpm32.exe 105 PID 1364 wrote to memory of 1716 1364 Omnqhbap.exe 106 PID 1364 wrote to memory of 1716 1364 Omnqhbap.exe 106 PID 1364 wrote to memory of 1716 1364 Omnqhbap.exe 106 PID 1716 wrote to memory of 220 1716 Offeahhp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9576f18033382a97d7ea3bdf955b5500.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9576f18033382a97d7ea3bdf955b5500.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Ehkcgkdj.exeC:\Windows\system32\Ehkcgkdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Eflceb32.exeC:\Windows\system32\Eflceb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ellicihn.exeC:\Windows\system32\Ellicihn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\SysWOW64\Efampahd.exeC:\Windows\system32\Efampahd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Ehbihj32.exeC:\Windows\system32\Ehbihj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Epiaig32.exeC:\Windows\system32\Epiaig32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Fhefmjlp.exeC:\Windows\system32\Fhefmjlp.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Fbjjkble.exeC:\Windows\system32\Fbjjkble.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Fidbgm32.exeC:\Windows\system32\Fidbgm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Fpnkdfko.exeC:\Windows\system32\Fpnkdfko.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Flekihpc.exeC:\Windows\system32\Flekihpc.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Pdbbfadn.exeC:\Windows\system32\Pdbbfadn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Hikkdc32.exeC:\Windows\system32\Hikkdc32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Hedhoc32.exeC:\Windows\system32\Hedhoc32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Opcjno32.exeC:\Windows\system32\Opcjno32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Ofmbkipk.exeC:\Windows\system32\Ofmbkipk.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Omgjhc32.exeC:\Windows\system32\Omgjhc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Ofalfi32.exeC:\Windows\system32\Ofalfi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
C:\Windows\SysWOW64\Odelpm32.exeC:\Windows\system32\Odelpm32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Omnqhbap.exeC:\Windows\system32\Omnqhbap.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Offeahhp.exeC:\Windows\system32\Offeahhp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Pmpmnb32.exeC:\Windows\system32\Pmpmnb32.exe23⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Pignccea.exeC:\Windows\system32\Pignccea.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Pboblika.exeC:\Windows\system32\Pboblika.exe25⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Ppccemjk.exeC:\Windows\system32\Ppccemjk.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Pljcjn32.exeC:\Windows\system32\Pljcjn32.exe27⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Pcdlghgl.exeC:\Windows\system32\Pcdlghgl.exe28⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Pphlpl32.exeC:\Windows\system32\Pphlpl32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Qkmqne32.exeC:\Windows\system32\Qkmqne32.exe30⤵PID:3848
-
C:\Windows\SysWOW64\Qciebg32.exeC:\Windows\system32\Qciebg32.exe31⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Qckbggad.exeC:\Windows\system32\Qckbggad.exe32⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Geeecogb.exeC:\Windows\system32\Geeecogb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Lfkich32.exeC:\Windows\system32\Lfkich32.exe34⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Ppblkffp.exeC:\Windows\system32\Ppblkffp.exe35⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Clhbhc32.exeC:\Windows\system32\Clhbhc32.exe36⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Claenb32.exeC:\Windows\system32\Claenb32.exe37⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Dqomdppm.exeC:\Windows\system32\Dqomdppm.exe38⤵
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Djgbmffn.exeC:\Windows\system32\Djgbmffn.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Dqajjp32.exeC:\Windows\system32\Dqajjp32.exe40⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Dcdpakii.exeC:\Windows\system32\Dcdpakii.exe41⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Dgbhgi32.exeC:\Windows\system32\Dgbhgi32.exe42⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Ejaecdnc.exeC:\Windows\system32\Ejaecdnc.exe43⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Eonmkkmj.exeC:\Windows\system32\Eonmkkmj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Eopjakkg.exeC:\Windows\system32\Eopjakkg.exe45⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Efjbne32.exeC:\Windows\system32\Efjbne32.exe46⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Ecnbgian.exeC:\Windows\system32\Ecnbgian.exe47⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Fjldocde.exeC:\Windows\system32\Fjldocde.exe48⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Fnjmea32.exeC:\Windows\system32\Fnjmea32.exe49⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Fgcang32.exeC:\Windows\system32\Fgcang32.exe50⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Fmpjfn32.exeC:\Windows\system32\Fmpjfn32.exe51⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ffhnocfd.exeC:\Windows\system32\Ffhnocfd.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3844 -
C:\Windows\SysWOW64\Fjfgealk.exeC:\Windows\system32\Fjfgealk.exe53⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Fcnlng32.exeC:\Windows\system32\Fcnlng32.exe54⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Gndpkp32.exeC:\Windows\system32\Gndpkp32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Gmimll32.exeC:\Windows\system32\Gmimll32.exe56⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Gnkflo32.exeC:\Windows\system32\Gnkflo32.exe57⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Ghcjedcj.exeC:\Windows\system32\Ghcjedcj.exe58⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Gnmbao32.exeC:\Windows\system32\Gnmbao32.exe59⤵
- Executes dropped EXE
PID:3552 -
C:\Windows\SysWOW64\Hcjkje32.exeC:\Windows\system32\Hcjkje32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Hanlcjgh.exeC:\Windows\system32\Hanlcjgh.exe61⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Hfkdkqeo.exeC:\Windows\system32\Hfkdkqeo.exe62⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Hmdlhk32.exeC:\Windows\system32\Hmdlhk32.exe63⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Hdodeedi.exeC:\Windows\system32\Hdodeedi.exe64⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Hhjqec32.exeC:\Windows\system32\Hhjqec32.exe65⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Hpeejfjm.exeC:\Windows\system32\Hpeejfjm.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Hmifcjif.exeC:\Windows\system32\Hmifcjif.exe67⤵
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Hjmfmnhp.exeC:\Windows\system32\Hjmfmnhp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4468 -
C:\Windows\SysWOW64\Ifdgaond.exeC:\Windows\system32\Ifdgaond.exe69⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Iplkje32.exeC:\Windows\system32\Iplkje32.exe70⤵PID:1548
-
C:\Windows\SysWOW64\Ikbphn32.exeC:\Windows\system32\Ikbphn32.exe71⤵PID:2964
-
C:\Windows\SysWOW64\Iodaikfl.exeC:\Windows\system32\Iodaikfl.exe72⤵
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Jgpfmncg.exeC:\Windows\system32\Jgpfmncg.exe73⤵PID:1948
-
C:\Windows\SysWOW64\Jgdphm32.exeC:\Windows\system32\Jgdphm32.exe74⤵PID:696
-
C:\Windows\SysWOW64\Jajdff32.exeC:\Windows\system32\Jajdff32.exe75⤵PID:3556
-
C:\Windows\SysWOW64\Jmqekg32.exeC:\Windows\system32\Jmqekg32.exe76⤵
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\Jgiiclkl.exeC:\Windows\system32\Jgiiclkl.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Kdmjmqjf.exeC:\Windows\system32\Kdmjmqjf.exe78⤵PID:1492
-
C:\Windows\SysWOW64\Kobnji32.exeC:\Windows\system32\Kobnji32.exe79⤵PID:2924
-
C:\Windows\SysWOW64\Khkbcopl.exeC:\Windows\system32\Khkbcopl.exe80⤵PID:4192
-
C:\Windows\SysWOW64\Kdbchp32.exeC:\Windows\system32\Kdbchp32.exe81⤵PID:3084
-
C:\Windows\SysWOW64\Kklkej32.exeC:\Windows\system32\Kklkej32.exe82⤵
- Drops file in System32 directory
PID:4400 -
C:\Windows\SysWOW64\Kknhjj32.exeC:\Windows\system32\Kknhjj32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3948 -
C:\Windows\SysWOW64\Kahpgcch.exeC:\Windows\system32\Kahpgcch.exe84⤵PID:3168
-
C:\Windows\SysWOW64\Lpmmhpgp.exeC:\Windows\system32\Lpmmhpgp.exe85⤵PID:2396
-
C:\Windows\SysWOW64\Lnanadfi.exeC:\Windows\system32\Lnanadfi.exe86⤵
- Modifies registry class
PID:3512 -
C:\Windows\SysWOW64\Lhgbomfo.exeC:\Windows\system32\Lhgbomfo.exe87⤵PID:1944
-
C:\Windows\SysWOW64\Lkgkqh32.exeC:\Windows\system32\Lkgkqh32.exe88⤵
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Lhkkjl32.exeC:\Windows\system32\Lhkkjl32.exe89⤵PID:2112
-
C:\Windows\SysWOW64\Lnhdbc32.exeC:\Windows\system32\Lnhdbc32.exe90⤵PID:4860
-
C:\Windows\SysWOW64\Ldblon32.exeC:\Windows\system32\Ldblon32.exe91⤵PID:4296
-
C:\Windows\SysWOW64\Mnjqhcno.exeC:\Windows\system32\Mnjqhcno.exe92⤵PID:4816
-
C:\Windows\SysWOW64\Mqimdomb.exeC:\Windows\system32\Mqimdomb.exe93⤵PID:3140
-
C:\Windows\SysWOW64\Mojmbf32.exeC:\Windows\system32\Mojmbf32.exe94⤵PID:3052
-
C:\Windows\SysWOW64\Mnojcb32.exeC:\Windows\system32\Mnojcb32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Moofmeal.exeC:\Windows\system32\Moofmeal.exe96⤵PID:4972
-
C:\Windows\SysWOW64\Mhgkfkhl.exeC:\Windows\system32\Mhgkfkhl.exe97⤵
- Modifies registry class
PID:4256 -
C:\Windows\SysWOW64\Mbpoop32.exeC:\Windows\system32\Mbpoop32.exe98⤵
- Drops file in System32 directory
PID:4100 -
C:\Windows\SysWOW64\Mhihkjfj.exeC:\Windows\system32\Mhihkjfj.exe99⤵PID:3004
-
C:\Windows\SysWOW64\Nbbldp32.exeC:\Windows\system32\Nbbldp32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3204 -
C:\Windows\SysWOW64\Ndphpk32.exeC:\Windows\system32\Ndphpk32.exe101⤵PID:1308
-
C:\Windows\SysWOW64\Ngodlgka.exeC:\Windows\system32\Ngodlgka.exe102⤵PID:4596
-
C:\Windows\SysWOW64\Nofmndkd.exeC:\Windows\system32\Nofmndkd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4176 -
C:\Windows\SysWOW64\Nqgiel32.exeC:\Windows\system32\Nqgiel32.exe104⤵PID:2360
-
C:\Windows\SysWOW64\Ninafj32.exeC:\Windows\system32\Ninafj32.exe105⤵PID:3924
-
C:\Windows\SysWOW64\Nnkioq32.exeC:\Windows\system32\Nnkioq32.exe106⤵PID:3028
-
C:\Windows\SysWOW64\Ngcngfgl.exeC:\Windows\system32\Ngcngfgl.exe107⤵PID:4040
-
C:\Windows\SysWOW64\Nojfic32.exeC:\Windows\system32\Nojfic32.exe108⤵PID:4124
-
C:\Windows\SysWOW64\Negoaj32.exeC:\Windows\system32\Negoaj32.exe109⤵PID:4340
-
C:\Windows\SysWOW64\Nbkojo32.exeC:\Windows\system32\Nbkojo32.exe110⤵
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Nejkfj32.exeC:\Windows\system32\Nejkfj32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3940 -
C:\Windows\SysWOW64\Oghgbe32.exeC:\Windows\system32\Oghgbe32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4568 -
C:\Windows\SysWOW64\Onbpop32.exeC:\Windows\system32\Onbpop32.exe113⤵PID:2480
-
C:\Windows\SysWOW64\Oijqbh32.exeC:\Windows\system32\Oijqbh32.exe114⤵PID:4604
-
C:\Windows\SysWOW64\Pnbifmla.exeC:\Windows\system32\Pnbifmla.exe115⤵PID:2996
-
C:\Windows\SysWOW64\Paqebike.exeC:\Windows\system32\Paqebike.exe116⤵
- Drops file in System32 directory
PID:5136 -
C:\Windows\SysWOW64\Pihmcflg.exeC:\Windows\system32\Pihmcflg.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Ppbepp32.exeC:\Windows\system32\Ppbepp32.exe118⤵PID:5224
-
C:\Windows\SysWOW64\Pacahhib.exeC:\Windows\system32\Pacahhib.exe119⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Peonhg32.exeC:\Windows\system32\Peonhg32.exe120⤵PID:5308
-
C:\Windows\SysWOW64\Phmjdbpo.exeC:\Windows\system32\Phmjdbpo.exe121⤵PID:5352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-