Analysis
-
max time kernel
69s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2023 03:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.79c75f3ecc50341c536dd58d01f45840.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.79c75f3ecc50341c536dd58d01f45840.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.79c75f3ecc50341c536dd58d01f45840.exe
-
Size
442KB
-
MD5
79c75f3ecc50341c536dd58d01f45840
-
SHA1
7381302cc9e44356753ae9aa2b34f792220a7710
-
SHA256
5524e589a7a1c5ca2eb12e5a74fda5f6bfb7a5ba0d500c733fd2f56d58b4c1de
-
SHA512
d0023494971ed72954f6b75f19e97c6ce710892c5543db1836411b7540a58c087fad4e0fc754e9aea965a884f9a09c13a3e483dc7f40c31baa31b6a2b791f3e7
-
SSDEEP
6144:Z6YgjZhjTVqmWdrK86S1oikXXjZhjTVqmWdS+l/G49eMOwCHZ:Z6K/G49eMOwEZ
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbpdblmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnmfclj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghghb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocmjhfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbkkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lokdnjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiblk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlopc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekaapi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkbnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkdpbpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflkbanj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmlla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjcmbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feimadoe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgopidgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmofagfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omegjomb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhmofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paelfmaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmphaaln.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqdechnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcepgmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affikdfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlfhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jddiegbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpcila32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaedanal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aadghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napameoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lldopb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pplhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnehdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidehpea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fboecfii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekdffee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Manmoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggjog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enllgbcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oakbehfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acppddig.exe -
Executes dropped EXE 64 IoCs
pid Process 3964 Hacbhb32.exe 392 Iafonaao.exe 1084 Ihphkl32.exe 4520 Inmpcc32.exe 3856 Ihbdplfi.exe 4840 Idieem32.exe 4908 Jkaicd32.exe 4868 Kjhcjq32.exe 2092 Kaehljpj.exe 3096 Kgopidgf.exe 2184 Kageaj32.exe 1444 Kjpijpdg.exe 3192 Lgcjdd32.exe 4496 Lbinam32.exe 840 Lgffic32.exe 4748 Lbkkgl32.exe 2640 Lieccf32.exe 3216 Lldopb32.exe 3956 Lbngllob.exe 3220 Lihpif32.exe 3208 Llflea32.exe 1636 Lbpdblmo.exe 2028 Lijlof32.exe 4796 Ljkifn32.exe 1820 Meamcg32.exe 1352 Mlkepaam.exe 4832 Mbenmk32.exe 1908 Mnnkgl32.exe 4672 Mehcdfch.exe 2528 Mhfppabl.exe 1784 Mblcnj32.exe 1460 Nobdbkhf.exe 1644 Naaqofgj.exe 2844 Nlfelogp.exe 4348 Noeahkfc.exe 4716 Nacmdf32.exe 2924 Nhmeapmd.exe 4644 Nbcjnilj.exe 4744 Neafjdkn.exe 848 Nhpbfpka.exe 2276 Nojjcj32.exe 1304 Nkqkhk32.exe 3388 Nbgcih32.exe 1524 Nefped32.exe 784 Oondnini.exe 5112 Oifeab32.exe 536 Bmofagfp.exe 1376 Cfldelik.exe 3164 Ckilmcgb.exe 4656 Cjjlkk32.exe 704 Cofecami.exe 2836 Cfqmpl32.exe 1804 Coiaiakf.exe 2824 Cjnffjkl.exe 5028 Cmmbbejp.exe 1544 Ccgjopal.exe 5000 Dfefkkqp.exe 2492 Dkbocbog.exe 2112 Difpmfna.exe 2068 Dpphjp32.exe 2060 Dfjpfj32.exe 1580 Dmdhcddh.exe 2940 Dpbdopck.exe 2292 Djhimica.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Idhdlmdd.dll Logicn32.exe File created C:\Windows\SysWOW64\Gckjlf32.exe Gqmnpk32.exe File created C:\Windows\SysWOW64\Inkjfk32.exe Process not Found File created C:\Windows\SysWOW64\Mbenmk32.exe Mlkepaam.exe File created C:\Windows\SysWOW64\Bnoknihb.exe Blnoga32.exe File created C:\Windows\SysWOW64\Edommp32.dll Dfnbgc32.exe File created C:\Windows\SysWOW64\Lpiaimfg.dll Ibqnkh32.exe File opened for modification C:\Windows\SysWOW64\Lgdidgjg.exe Lomqcjie.exe File created C:\Windows\SysWOW64\Mfhbga32.exe Mcifkf32.exe File opened for modification C:\Windows\SysWOW64\Ckebcg32.exe Cdkifmjq.exe File opened for modification C:\Windows\SysWOW64\Ilfennic.exe Hihibbjo.exe File created C:\Windows\SysWOW64\Jjdejk32.dll Hcmbee32.exe File opened for modification C:\Windows\SysWOW64\Nclikl32.exe Manmoq32.exe File created C:\Windows\SysWOW64\Aehgnied.exe Akccap32.exe File created C:\Windows\SysWOW64\Jenmcggo.exe Jcoaglhk.exe File opened for modification C:\Windows\SysWOW64\Jahqiaeb.exe Jojdlfeo.exe File created C:\Windows\SysWOW64\Aeopfl32.exe Process not Found File created C:\Windows\SysWOW64\Ggicbe32.exe Gdkffi32.exe File created C:\Windows\SysWOW64\Hgbfhc32.exe Hcembe32.exe File created C:\Windows\SysWOW64\Dpglbfpm.dll Mjahlgpf.exe File opened for modification C:\Windows\SysWOW64\Ckidcpjl.exe Cdolgfbp.exe File created C:\Windows\SysWOW64\Kjmole32.dll Pbddobla.exe File created C:\Windows\SysWOW64\Qhjgfkpf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aogiap32.exe Qdbdcg32.exe File opened for modification C:\Windows\SysWOW64\Opclldhj.exe Ojfcdnjc.exe File created C:\Windows\SysWOW64\Lamgof32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jjnaaa32.exe Jddiegbm.exe File opened for modification C:\Windows\SysWOW64\Blnjecfl.exe Bfabmmhe.exe File created C:\Windows\SysWOW64\Fdogjk32.exe Process not Found File created C:\Windows\SysWOW64\Ngifef32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jdmgfedl.exe Jncoikmp.exe File created C:\Windows\SysWOW64\Bjjhhfnd.dll Blnoga32.exe File opened for modification C:\Windows\SysWOW64\Emmdom32.exe Dfnbgc32.exe File created C:\Windows\SysWOW64\Jakjcj32.dll Hnbnjc32.exe File created C:\Windows\SysWOW64\Finnef32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jhgiim32.exe Iamamcop.exe File opened for modification C:\Windows\SysWOW64\Pmmlla32.exe Pfccogfc.exe File created C:\Windows\SysWOW64\Nnoefe32.dll Egkddo32.exe File opened for modification C:\Windows\SysWOW64\Lldopb32.exe Lieccf32.exe File opened for modification C:\Windows\SysWOW64\Iljpij32.exe Hildmn32.exe File opened for modification C:\Windows\SysWOW64\Jgpmmp32.exe Jpfepf32.exe File created C:\Windows\SysWOW64\Cggkemhh.dll Qobhkjdi.exe File created C:\Windows\SysWOW64\Ialjan32.dll Ebimgcfi.exe File created C:\Windows\SysWOW64\Ebggoi32.dll Bmeandma.exe File opened for modification C:\Windows\SysWOW64\Giljfddl.exe Dabhomea.exe File created C:\Windows\SysWOW64\Dbeojn32.dll Jncoikmp.exe File created C:\Windows\SysWOW64\Jnlkedai.exe Jcfggkac.exe File created C:\Windows\SysWOW64\Cpacqg32.exe Cigkdmel.exe File created C:\Windows\SysWOW64\Dcffnbee.exe Daeifj32.exe File created C:\Windows\SysWOW64\Nneilmna.dll Gjcmngnj.exe File opened for modification C:\Windows\SysWOW64\Jlobkg32.exe Jcgnbaeo.exe File created C:\Windows\SysWOW64\Jbecoe32.dll Qlgpod32.exe File created C:\Windows\SysWOW64\Glbjggof.exe Fnnjmbpm.exe File created C:\Windows\SysWOW64\Cdkifmjq.exe Cdimqm32.exe File created C:\Windows\SysWOW64\Kdmqmc32.exe Knchpiom.exe File created C:\Windows\SysWOW64\Agecdgmk.dll Dcffnbee.exe File created C:\Windows\SysWOW64\Fachkklb.dll Fbdnne32.exe File created C:\Windows\SysWOW64\Hpigao32.dll Hjlhipbc.exe File created C:\Windows\SysWOW64\Gaeaha32.dll Lgcjdd32.exe File opened for modification C:\Windows\SysWOW64\Aalmimfd.exe Aidehpea.exe File opened for modification C:\Windows\SysWOW64\Cmmgof32.exe Blnjecfl.exe File created C:\Windows\SysWOW64\Hmmppdij.dll Process not Found File created C:\Windows\SysWOW64\Dgpamjnb.dll Gijmad32.exe File created C:\Windows\SysWOW64\Kcjjhdjb.exe Kplmliko.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnnljj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddjehneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcjfjoi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmepam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcbfcigf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmjdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll" Gbkdod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohhfknjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mehcdfch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flbfjl32.dll" Ocjoadei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmknd32.dll" Jifecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll" Epdime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepkipc.dll" Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpcnkaj.dll" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dahmfpap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knalji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgnlkfal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipdndloi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gojgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcigfeaf.dll" Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffpcbchm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clomci32.dll" Idieem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkqdnkge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnibokbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjali32.dll" Iamamcop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll" Hebcao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnmlhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlkepaam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgmeiqa.dll" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anobgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll" Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepglifa.dll" Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecbjkngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmmbfem.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gckjlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockkandf.dll" Qdphngfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabcflhd.dll" Lebijnak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Oblhcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacmpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enbjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ochamg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgipm32.dll" Epjhcnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lokldg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdplc32.dll" Lgccinoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcnfohmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5040 wrote to memory of 3964 5040 NEAS.79c75f3ecc50341c536dd58d01f45840.exe 86 PID 5040 wrote to memory of 3964 5040 NEAS.79c75f3ecc50341c536dd58d01f45840.exe 86 PID 5040 wrote to memory of 3964 5040 NEAS.79c75f3ecc50341c536dd58d01f45840.exe 86 PID 3964 wrote to memory of 392 3964 Hacbhb32.exe 87 PID 3964 wrote to memory of 392 3964 Hacbhb32.exe 87 PID 3964 wrote to memory of 392 3964 Hacbhb32.exe 87 PID 392 wrote to memory of 1084 392 Iafonaao.exe 88 PID 392 wrote to memory of 1084 392 Iafonaao.exe 88 PID 392 wrote to memory of 1084 392 Iafonaao.exe 88 PID 1084 wrote to memory of 4520 1084 Ihphkl32.exe 89 PID 1084 wrote to memory of 4520 1084 Ihphkl32.exe 89 PID 1084 wrote to memory of 4520 1084 Ihphkl32.exe 89 PID 4520 wrote to memory of 3856 4520 Inmpcc32.exe 90 PID 4520 wrote to memory of 3856 4520 Inmpcc32.exe 90 PID 4520 wrote to memory of 3856 4520 Inmpcc32.exe 90 PID 3856 wrote to memory of 4840 3856 Ihbdplfi.exe 92 PID 3856 wrote to memory of 4840 3856 Ihbdplfi.exe 92 PID 3856 wrote to memory of 4840 3856 Ihbdplfi.exe 92 PID 4840 wrote to memory of 4908 4840 Idieem32.exe 93 PID 4840 wrote to memory of 4908 4840 Idieem32.exe 93 PID 4840 wrote to memory of 4908 4840 Idieem32.exe 93 PID 4908 wrote to memory of 4868 4908 Jkaicd32.exe 94 PID 4908 wrote to memory of 4868 4908 Jkaicd32.exe 94 PID 4908 wrote to memory of 4868 4908 Jkaicd32.exe 94 PID 4868 wrote to memory of 2092 4868 Kjhcjq32.exe 95 PID 4868 wrote to memory of 2092 4868 Kjhcjq32.exe 95 PID 4868 wrote to memory of 2092 4868 Kjhcjq32.exe 95 PID 2092 wrote to memory of 3096 2092 Kaehljpj.exe 133 PID 2092 wrote to memory of 3096 2092 Kaehljpj.exe 133 PID 2092 wrote to memory of 3096 2092 Kaehljpj.exe 133 PID 3096 wrote to memory of 2184 3096 Kgopidgf.exe 132 PID 3096 wrote to memory of 2184 3096 Kgopidgf.exe 132 PID 3096 wrote to memory of 2184 3096 Kgopidgf.exe 132 PID 2184 wrote to memory of 1444 2184 Kageaj32.exe 97 PID 2184 wrote to memory of 1444 2184 Kageaj32.exe 97 PID 2184 wrote to memory of 1444 2184 Kageaj32.exe 97 PID 1444 wrote to memory of 3192 1444 Kjpijpdg.exe 131 PID 1444 wrote to memory of 3192 1444 Kjpijpdg.exe 131 PID 1444 wrote to memory of 3192 1444 Kjpijpdg.exe 131 PID 3192 wrote to memory of 4496 3192 Lgcjdd32.exe 130 PID 3192 wrote to memory of 4496 3192 Lgcjdd32.exe 130 PID 3192 wrote to memory of 4496 3192 Lgcjdd32.exe 130 PID 4496 wrote to memory of 840 4496 Lbinam32.exe 98 PID 4496 wrote to memory of 840 4496 Lbinam32.exe 98 PID 4496 wrote to memory of 840 4496 Lbinam32.exe 98 PID 840 wrote to memory of 4748 840 Lgffic32.exe 129 PID 840 wrote to memory of 4748 840 Lgffic32.exe 129 PID 840 wrote to memory of 4748 840 Lgffic32.exe 129 PID 4748 wrote to memory of 2640 4748 Lbkkgl32.exe 99 PID 4748 wrote to memory of 2640 4748 Lbkkgl32.exe 99 PID 4748 wrote to memory of 2640 4748 Lbkkgl32.exe 99 PID 2640 wrote to memory of 3216 2640 Lieccf32.exe 100 PID 2640 wrote to memory of 3216 2640 Lieccf32.exe 100 PID 2640 wrote to memory of 3216 2640 Lieccf32.exe 100 PID 3216 wrote to memory of 3956 3216 Lldopb32.exe 101 PID 3216 wrote to memory of 3956 3216 Lldopb32.exe 101 PID 3216 wrote to memory of 3956 3216 Lldopb32.exe 101 PID 3956 wrote to memory of 3220 3956 Lbngllob.exe 102 PID 3956 wrote to memory of 3220 3956 Lbngllob.exe 102 PID 3956 wrote to memory of 3220 3956 Lbngllob.exe 102 PID 3220 wrote to memory of 3208 3220 Lihpif32.exe 128 PID 3220 wrote to memory of 3208 3220 Lihpif32.exe 128 PID 3220 wrote to memory of 3208 3220 Lihpif32.exe 128 PID 3208 wrote to memory of 1636 3208 Llflea32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.79c75f3ecc50341c536dd58d01f45840.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.79c75f3ecc50341c536dd58d01f45840.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096
-
-
-
-
-
-
C:\Windows\SysWOW64\Oqhoeb32.exeC:\Windows\system32\Oqhoeb32.exe7⤵PID:11292
-
C:\Windows\SysWOW64\Oqklkbbi.exeC:\Windows\system32\Oqklkbbi.exe8⤵PID:11372
-
C:\Windows\SysWOW64\Oblhcj32.exeC:\Windows\system32\Oblhcj32.exe9⤵
- Modifies registry class
PID:11380 -
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe10⤵PID:11544
-
C:\Windows\SysWOW64\Omalpc32.exeC:\Windows\system32\Omalpc32.exe11⤵PID:11560
-
C:\Windows\SysWOW64\Oophlo32.exeC:\Windows\system32\Oophlo32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:11688 -
C:\Windows\SysWOW64\Oihmedma.exeC:\Windows\system32\Oihmedma.exe13⤵PID:11704
-
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe14⤵PID:11808
-
C:\Windows\SysWOW64\Oikjkc32.exeC:\Windows\system32\Oikjkc32.exe15⤵
- Modifies registry class
PID:11924 -
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe16⤵PID:12076
-
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe17⤵PID:3648
-
C:\Windows\SysWOW64\Pjjfdfbb.exeC:\Windows\system32\Pjjfdfbb.exe18⤵PID:4540
-
C:\Windows\SysWOW64\Pmhbqbae.exeC:\Windows\system32\Pmhbqbae.exe19⤵PID:2224
-
C:\Windows\SysWOW64\Ppgomnai.exeC:\Windows\system32\Ppgomnai.exe20⤵PID:3584
-
C:\Windows\SysWOW64\Pbekii32.exeC:\Windows\system32\Pbekii32.exe21⤵PID:12212
-
C:\Windows\SysWOW64\Pjlcjf32.exeC:\Windows\system32\Pjlcjf32.exe22⤵PID:1648
-
C:\Windows\SysWOW64\Pafkgphl.exeC:\Windows\system32\Pafkgphl.exe23⤵PID:12220
-
C:\Windows\SysWOW64\Pcegclgp.exeC:\Windows\system32\Pcegclgp.exe24⤵PID:3952
-
C:\Windows\SysWOW64\Pfccogfc.exeC:\Windows\system32\Pfccogfc.exe25⤵
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Pmmlla32.exeC:\Windows\system32\Pmmlla32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4224 -
C:\Windows\SysWOW64\Pplhhm32.exeC:\Windows\system32\Pplhhm32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:11524 -
C:\Windows\SysWOW64\Pbjddh32.exeC:\Windows\system32\Pbjddh32.exe28⤵PID:1464
-
C:\Windows\SysWOW64\Pjaleemj.exeC:\Windows\system32\Pjaleemj.exe29⤵PID:4908
-
C:\Windows\SysWOW64\Pmphaaln.exeC:\Windows\system32\Pmphaaln.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Pciqnk32.exeC:\Windows\system32\Pciqnk32.exe31⤵PID:3488
-
C:\Windows\SysWOW64\Qfjjpf32.exeC:\Windows\system32\Qfjjpf32.exe32⤵PID:4532
-
C:\Windows\SysWOW64\Qiiflaoo.exeC:\Windows\system32\Qiiflaoo.exe33⤵PID:1072
-
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe34⤵PID:11280
-
C:\Windows\SysWOW64\Qfmfefni.exeC:\Windows\system32\Qfmfefni.exe35⤵PID:4504
-
C:\Windows\SysWOW64\Qikbaaml.exeC:\Windows\system32\Qikbaaml.exe36⤵PID:11444
-
C:\Windows\SysWOW64\Apeknk32.exeC:\Windows\system32\Apeknk32.exe37⤵PID:1212
-
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe38⤵PID:2276
-
C:\Windows\SysWOW64\Aadghn32.exeC:\Windows\system32\Aadghn32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:11820 -
C:\Windows\SysWOW64\Abfdpfaj.exeC:\Windows\system32\Abfdpfaj.exe40⤵PID:11940
-
C:\Windows\SysWOW64\Aiplmq32.exeC:\Windows\system32\Aiplmq32.exe41⤵PID:2148
-
C:\Windows\SysWOW64\Aagdnn32.exeC:\Windows\system32\Aagdnn32.exe42⤵PID:3192
-
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe43⤵PID:2800
-
C:\Windows\SysWOW64\Ajohfcpj.exeC:\Windows\system32\Ajohfcpj.exe44⤵PID:11304
-
C:\Windows\SysWOW64\Aaiqcnhg.exeC:\Windows\system32\Aaiqcnhg.exe45⤵PID:3056
-
C:\Windows\SysWOW64\Affikdfn.exeC:\Windows\system32\Affikdfn.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3228 -
C:\Windows\SysWOW64\Aidehpea.exeC:\Windows\system32\Aidehpea.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Aalmimfd.exeC:\Windows\system32\Aalmimfd.exe48⤵PID:3096
-
C:\Windows\SysWOW64\Abmjqe32.exeC:\Windows\system32\Abmjqe32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Bmbnnn32.exeC:\Windows\system32\Bmbnnn32.exe50⤵PID:4348
-
C:\Windows\SysWOW64\Bpqjjjjl.exeC:\Windows\system32\Bpqjjjjl.exe51⤵PID:11708
-
C:\Windows\SysWOW64\Bjfogbjb.exeC:\Windows\system32\Bjfogbjb.exe52⤵PID:11912
-
C:\Windows\SysWOW64\Bmdkcnie.exeC:\Windows\system32\Bmdkcnie.exe53⤵PID:1444
-
C:\Windows\SysWOW64\Bdocph32.exeC:\Windows\system32\Bdocph32.exe54⤵PID:11332
-
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe55⤵PID:1984
-
C:\Windows\SysWOW64\Biklho32.exeC:\Windows\system32\Biklho32.exe56⤵PID:12068
-
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe57⤵PID:4716
-
C:\Windows\SysWOW64\Bbdpad32.exeC:\Windows\system32\Bbdpad32.exe58⤵PID:1148
-
C:\Windows\SysWOW64\Bkkhbb32.exeC:\Windows\system32\Bkkhbb32.exe59⤵PID:3560
-
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe60⤵PID:1084
-
C:\Windows\SysWOW64\Bdcmkgmm.exeC:\Windows\system32\Bdcmkgmm.exe61⤵PID:732
-
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe62⤵PID:12304
-
C:\Windows\SysWOW64\Cmpjoloh.exeC:\Windows\system32\Cmpjoloh.exe63⤵PID:12344
-
C:\Windows\SysWOW64\Cigkdmel.exeC:\Windows\system32\Cigkdmel.exe64⤵
- Drops file in System32 directory
PID:12384 -
C:\Windows\SysWOW64\Cpacqg32.exeC:\Windows\system32\Cpacqg32.exe65⤵PID:12424
-
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe66⤵PID:12476
-
C:\Windows\SysWOW64\Ckggnp32.exeC:\Windows\system32\Ckggnp32.exe67⤵PID:12512
-
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe68⤵PID:12556
-
C:\Windows\SysWOW64\Cdolgfbp.exeC:\Windows\system32\Cdolgfbp.exe69⤵
- Drops file in System32 directory
PID:12604 -
C:\Windows\SysWOW64\Ckidcpjl.exeC:\Windows\system32\Ckidcpjl.exe70⤵PID:12652
-
C:\Windows\SysWOW64\Cacmpj32.exeC:\Windows\system32\Cacmpj32.exe71⤵
- Modifies registry class
PID:12696 -
C:\Windows\SysWOW64\Dgpeha32.exeC:\Windows\system32\Dgpeha32.exe72⤵PID:12736
-
C:\Windows\SysWOW64\Daeifj32.exeC:\Windows\system32\Daeifj32.exe73⤵
- Drops file in System32 directory
PID:12784 -
C:\Windows\SysWOW64\Dcffnbee.exeC:\Windows\system32\Dcffnbee.exe74⤵
- Drops file in System32 directory
PID:12860 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe75⤵PID:12900
-
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe76⤵PID:12952
-
C:\Windows\SysWOW64\Dpmcmf32.exeC:\Windows\system32\Dpmcmf32.exe77⤵PID:12996
-
C:\Windows\SysWOW64\Dggkipii.exeC:\Windows\system32\Dggkipii.exe78⤵PID:13040
-
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe79⤵PID:13084
-
C:\Windows\SysWOW64\Dcnlnaom.exeC:\Windows\system32\Dcnlnaom.exe80⤵PID:13124
-
C:\Windows\SysWOW64\Dpalgenf.exeC:\Windows\system32\Dpalgenf.exe81⤵PID:13176
-
C:\Windows\SysWOW64\Egkddo32.exeC:\Windows\system32\Egkddo32.exe82⤵
- Drops file in System32 directory
PID:13216 -
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe83⤵
- Modifies registry class
PID:13268 -
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe84⤵PID:3552
-
C:\Windows\SysWOW64\Ejccgi32.exeC:\Windows\system32\Ejccgi32.exe85⤵PID:12356
-
C:\Windows\SysWOW64\Eajlhg32.exeC:\Windows\system32\Eajlhg32.exe86⤵PID:12416
-
C:\Windows\SysWOW64\Fkcpql32.exeC:\Windows\system32\Fkcpql32.exe87⤵PID:12472
-
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe88⤵PID:12552
-
C:\Windows\SysWOW64\Fqphic32.exeC:\Windows\system32\Fqphic32.exe89⤵PID:12576
-
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe90⤵PID:1520
-
C:\Windows\SysWOW64\Fjhmbihg.exeC:\Windows\system32\Fjhmbihg.exe91⤵PID:12692
-
C:\Windows\SysWOW64\Fboecfii.exeC:\Windows\system32\Fboecfii.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:536 -
C:\Windows\SysWOW64\Fdmaoahm.exeC:\Windows\system32\Fdmaoahm.exe93⤵PID:12776
-
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe94⤵PID:12852
-
C:\Windows\SysWOW64\Fjjjgh32.exeC:\Windows\system32\Fjjjgh32.exe95⤵PID:12884
-
C:\Windows\SysWOW64\Fbaahf32.exeC:\Windows\system32\Fbaahf32.exe96⤵PID:4332
-
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe97⤵PID:12984
-
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe98⤵PID:13028
-
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe99⤵
- Drops file in System32 directory
PID:13068 -
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe100⤵PID:1576
-
C:\Windows\SysWOW64\Fklcgk32.exeC:\Windows\system32\Fklcgk32.exe101⤵PID:13172
-
C:\Windows\SysWOW64\Fnjocf32.exeC:\Windows\system32\Fnjocf32.exe102⤵PID:13236
-
C:\Windows\SysWOW64\Fqikob32.exeC:\Windows\system32\Fqikob32.exe103⤵PID:4140
-
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe104⤵PID:13296
-
C:\Windows\SysWOW64\Gkoplk32.exeC:\Windows\system32\Gkoplk32.exe105⤵PID:12300
-
C:\Windows\SysWOW64\Gnmlhf32.exeC:\Windows\system32\Gnmlhf32.exe106⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Gqkhda32.exeC:\Windows\system32\Gqkhda32.exe107⤵PID:1372
-
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe108⤵PID:9008
-
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe109⤵
- Drops file in System32 directory
PID:12444 -
C:\Windows\SysWOW64\Gbkdod32.exeC:\Windows\system32\Gbkdod32.exe110⤵
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\Gdiakp32.exeC:\Windows\system32\Gdiakp32.exe111⤵PID:4856
-
C:\Windows\SysWOW64\Gkcigjel.exeC:\Windows\system32\Gkcigjel.exe112⤵PID:12720
-
C:\Windows\SysWOW64\Gnaecedp.exeC:\Windows\system32\Gnaecedp.exe113⤵PID:12800
-
C:\Windows\SysWOW64\Gdknpp32.exeC:\Windows\system32\Gdknpp32.exe114⤵PID:12820
-
C:\Windows\SysWOW64\Ggjjlk32.exeC:\Windows\system32\Ggjjlk32.exe115⤵PID:12880
-
C:\Windows\SysWOW64\Gjhfif32.exeC:\Windows\system32\Gjhfif32.exe116⤵PID:12992
-
C:\Windows\SysWOW64\Gcqjal32.exeC:\Windows\system32\Gcqjal32.exe117⤵PID:13020
-
C:\Windows\SysWOW64\Hjmodffo.exeC:\Windows\system32\Hjmodffo.exe118⤵PID:13120
-
C:\Windows\SysWOW64\Hebcao32.exeC:\Windows\system32\Hebcao32.exe119⤵
- Modifies registry class
PID:13108 -
C:\Windows\SysWOW64\Hjolie32.exeC:\Windows\system32\Hjolie32.exe120⤵PID:13164
-
C:\Windows\SysWOW64\Heepfn32.exeC:\Windows\system32\Heepfn32.exe121⤵PID:13244
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-