Analysis

max time kernel: 167s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 14:18

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: NEAS.bb5492bec8a7d49bcc93a1a08e302250.exe
  Resource: win7-20231025-en
  6 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: NEAS.bb5492bec8a7d49bcc93a1a08e302250.exe
  Resource: win10v2004-20231023-en
  5 signatures, 150 seconds

General

Target: NEAS.bb5492bec8a7d49bcc93a1a08e302250.exe
Size: 101KB
MD5: bb5492bec8a7d49bcc93a1a08e302250
SHA1: 1a5dbd4c215b8db8a7a7786266497f82f51fb557
SHA256: ec530314287837455a9c74dc760db17d0943fd9fffb2627df5087ff3171664ff
SHA512: ade1d30e434da24fd3bc85d2f352d4755a48833bfd05c7675d2e56d187d713ad85bfff8e043b337be6fd109cd7a30fd606dfaae1387da34a140c67426592e8a8
SSDEEP: 3072:aIpNtjNqnA4Em9Xio+5PE6D76Fa2T0se3Q3/zrB3g3k8p4qI4/HQCC:7NxNH2ensPBZs/HNC
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Level⤵ image path, command line (PID), followed by the behaviours matched for that process:

1⤵ C:\Users\Admin\AppData\Local\Temp\NEAS.bb5492bec8a7d49bcc93a1a08e302250.exe, command line "C:\Users\Admin\AppData\Local\Temp\NEAS.bb5492bec8a7d49bcc93a1a08e302250.exe" (PID 1536)
   - Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\Khcgfo32.exe, command line C:\Windows\system32\Khcgfo32.exe (PID 4820)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\Pfkpiled.exe, command line C:\Windows\system32\Pfkpiled.exe (PID 3316)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\Pdeffgff.exe, command line C:\Windows\system32\Pdeffgff.exe (PID 1968)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\Qbmpjkqk.exe, command line C:\Windows\system32\Qbmpjkqk.exe (PID 4128)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\Afnefieo.exe, command line C:\Windows\system32\Afnefieo.exe (PID 1360)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\Biedhclh.exe, command line C:\Windows\system32\Biedhclh.exe (PID 4200)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
8⤵ C:\Windows\SysWOW64\Cnpibh32.exe, command line C:\Windows\system32\Cnpibh32.exe (PID 4488)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\Dfngcdhi.exe, command line C:\Windows\system32\Dfngcdhi.exe (PID 1496)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10⤵ C:\Windows\SysWOW64\Eekjep32.exe, command line C:\Windows\system32\Eekjep32.exe (PID 4356)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\Foakpc32.exe, command line C:\Windows\system32\Foakpc32.exe (PID 2684)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12⤵ C:\Windows\SysWOW64\Gomkkagl.exe, command line C:\Windows\system32\Gomkkagl.exe (PID 3728)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\Hcommoin.exe, command line C:\Windows\system32\Hcommoin.exe (PID 872)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
14⤵ C:\Windows\SysWOW64\Igieoleg.exe, command line C:\Windows\system32\Igieoleg.exe (PID 2724)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\Kpilekqj.exe, command line C:\Windows\system32\Kpilekqj.exe (PID 2752)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16⤵ C:\Windows\SysWOW64\Lgjglg32.exe, command line C:\Windows\system32\Lgjglg32.exe (PID 2100)
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\Ljjpnb32.exe, command line C:\Windows\system32\Ljjpnb32.exe (PID 4968)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18⤵ C:\Windows\SysWOW64\Mjfoja32.exe, command line C:\Windows\system32\Mjfoja32.exe (PID 4184)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19⤵ C:\Windows\SysWOW64\Nplkhf32.exe, command line C:\Windows\system32\Nplkhf32.exe (PID 3944)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20⤵ C:\Windows\SysWOW64\Oknnanhj.exe, command line C:\Windows\system32\Oknnanhj.exe (PID 764)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21⤵ C:\Windows\SysWOW64\Pncanhaf.exe, command line C:\Windows\system32\Pncanhaf.exe (PID 4976)
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
22⤵ C:\Windows\SysWOW64\Qpmmfbfl.exe, command line C:\Windows\system32\Qpmmfbfl.exe (PID 3648)
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23⤵ C:\Windows\SysWOW64\Adpogp32.exe, command line C:\Windows\system32\Adpogp32.exe (PID 2912)
   - Executes dropped EXE
24⤵ C:\Windows\SysWOW64\Ahpdcn32.exe, command line C:\Windows\system32\Ahpdcn32.exe (PID 4040)
   - Executes dropped EXE
25⤵ C:\Windows\SysWOW64\Bjhgke32.exe, command line C:\Windows\system32\Bjhgke32.exe (PID 708)
   - Executes dropped EXE
   - Modifies registry class
26⤵ C:\Windows\SysWOW64\Bglgdi32.exe, command line C:\Windows\system32\Bglgdi32.exe (PID 1524)
   - Executes dropped EXE
27⤵ C:\Windows\SysWOW64\Dnkbcp32.exe, command line C:\Windows\system32\Dnkbcp32.exe (PID 2776)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
28⤵ C:\Windows\SysWOW64\Eelpqi32.exe, command line C:\Windows\system32\Eelpqi32.exe (PID 4700)
   - Executes dropped EXE
29⤵ C:\Windows\SysWOW64\Ficlmf32.exe, command line C:\Windows\system32\Ficlmf32.exe (PID 408)
   - Executes dropped EXE
30⤵ C:\Windows\SysWOW64\Hepoddcc.exe, command line C:\Windows\system32\Hepoddcc.exe (PID 1756)
   - Executes dropped EXE
31⤵ C:\Windows\SysWOW64\Iapbodql.exe, command line C:\Windows\system32\Iapbodql.exe (PID 4912)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
32⤵ C:\Windows\SysWOW64\Jhqqlmba.exe, command line C:\Windows\system32\Jhqqlmba.exe (PID 3756)
   - Executes dropped EXE
33⤵ C:\Windows\SysWOW64\Limioiia.exe, command line C:\Windows\system32\Limioiia.exe (PID 624)
   - Executes dropped EXE
   - Drops file in System32 directory
34⤵ C:\Windows\SysWOW64\Lcdjba32.exe, command line C:\Windows\system32\Lcdjba32.exe (PID 400)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
35⤵ C:\Windows\SysWOW64\Liabjh32.exe, command line C:\Windows\system32\Liabjh32.exe (PID 3884)
   - Executes dropped EXE
   - Modifies registry class
36⤵ C:\Windows\SysWOW64\Mimbfg32.exe, command line C:\Windows\system32\Mimbfg32.exe (PID 2184)
   - Executes dropped EXE
37⤵ C:\Windows\SysWOW64\Omnqhbap.exe, command line C:\Windows\system32\Omnqhbap.exe (PID 2336)
   - Executes dropped EXE
38⤵ C:\Windows\SysWOW64\Pphlpl32.exe, command line C:\Windows\system32\Pphlpl32.exe (PID 1028)
   - Executes dropped EXE
39⤵ C:\Windows\SysWOW64\Alcfpm32.exe, command line C:\Windows\system32\Alcfpm32.exe (PID 1880)
   - Executes dropped EXE
40⤵ C:\Windows\SysWOW64\Agndidce.exe, command line C:\Windows\system32\Agndidce.exe (PID 4324)
   - Executes dropped EXE
41⤵ C:\Windows\SysWOW64\Bdfnmhnj.exe, command line C:\Windows\system32\Bdfnmhnj.exe (PID 3208)
   - Executes dropped EXE
42⤵ C:\Windows\SysWOW64\Bjeckojo.exe, command line C:\Windows\system32\Bjeckojo.exe (PID 2344)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
43⤵ C:\Windows\SysWOW64\Cgpjebcp.exe, command line C:\Windows\system32\Cgpjebcp.exe (PID 1644)
   - Executes dropped EXE
44⤵ C:\Windows\SysWOW64\Ccldebeo.exe, command line C:\Windows\system32\Ccldebeo.exe (PID 1612)
   - Executes dropped EXE
45⤵ C:\Windows\SysWOW64\Dmfecgim.exe, command line C:\Windows\system32\Dmfecgim.exe (PID 1016)
   - Executes dropped EXE
46⤵ C:\Windows\SysWOW64\Djoohk32.exe, command line C:\Windows\system32\Djoohk32.exe (PID 1872)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
47⤵ C:\Windows\SysWOW64\Egjebn32.exe, command line C:\Windows\system32\Egjebn32.exe (PID 2976)
   - Executes dropped EXE
   - Modifies registry class
48⤵ C:\Windows\SysWOW64\Flmhclod.exe, command line C:\Windows\system32\Flmhclod.exe (PID 844)
   - Executes dropped EXE
49⤵ C:\Windows\SysWOW64\Fmejlcoj.exe, command line C:\Windows\system32\Fmejlcoj.exe (PID 4980)
   - Executes dropped EXE
50⤵ C:\Windows\SysWOW64\Geqlhp32.exe, command line C:\Windows\system32\Geqlhp32.exe (PID 548)
   - Executes dropped EXE
51⤵ C:\Windows\SysWOW64\Hhpaki32.exe, command line C:\Windows\system32\Hhpaki32.exe (PID 2404)
   - Executes dropped EXE
52⤵ C:\Windows\SysWOW64\Iolfmcbb.exe, command line C:\Windows\system32\Iolfmcbb.exe (PID 852)
   - Executes dropped EXE
53⤵ C:\Windows\SysWOW64\Jamhflqq.exe, command line C:\Windows\system32\Jamhflqq.exe (PID 3380)
   - Executes dropped EXE
   - Modifies registry class
54⤵ C:\Windows\SysWOW64\Knphfklg.exe, command line C:\Windows\system32\Knphfklg.exe (PID 3784)
   - Executes dropped EXE
   - Modifies registry class
55⤵ C:\Windows\SysWOW64\Lndaaj32.exe, command line C:\Windows\system32\Lndaaj32.exe (PID 3104)
   - Executes dropped EXE
56⤵ C:\Windows\SysWOW64\Lofjam32.exe, command line C:\Windows\system32\Lofjam32.exe (PID 348)
   - Executes dropped EXE
57⤵ C:\Windows\SysWOW64\Mkadam32.exe, command line C:\Windows\system32\Mkadam32.exe (PID 3352)
   - Executes dropped EXE
58⤵ C:\Windows\SysWOW64\Meobeb32.exe, command line C:\Windows\system32\Meobeb32.exe (PID 2804)
   - Executes dropped EXE
59⤵ C:\Windows\SysWOW64\Nnlqig32.exe, command line C:\Windows\system32\Nnlqig32.exe (PID 4764)
   - Drops file in System32 directory
60⤵ C:\Windows\SysWOW64\Npmjij32.exe, command line C:\Windows\system32\Npmjij32.exe (PID 3676)
   - Executes dropped EXE
61⤵ C:\Windows\SysWOW64\Omfcmm32.exe, command line C:\Windows\system32\Omfcmm32.exe (PID 5064)
   - Executes dropped EXE
   - Drops file in System32 directory
62⤵ C:\Windows\SysWOW64\Opiidhoj.exe, command line C:\Windows\system32\Opiidhoj.exe (PID 1316)
   - Executes dropped EXE
63⤵ C:\Windows\SysWOW64\Pbjbfclk.exe, command line C:\Windows\system32\Pbjbfclk.exe (PID 2460)
   - Executes dropped EXE
64⤵ C:\Windows\SysWOW64\Pifghmae.exe, command line C:\Windows\system32\Pifghmae.exe (PID 3816)
   - Executes dropped EXE
65⤵ C:\Windows\SysWOW64\Plgpjhnf.exe, command line C:\Windows\system32\Plgpjhnf.exe (PID 648)
   - Executes dropped EXE
66⤵ C:\Windows\SysWOW64\Aohbbqme.exe, command line C:\Windows\system32\Aohbbqme.exe (PID 2400)
   - Executes dropped EXE
   - Modifies registry class
67⤵ C:\Windows\SysWOW64\Bgkipl32.exe, command line C:\Windows\system32\Bgkipl32.exe (PID 1476)
68⤵ C:\Windows\SysWOW64\Claenb32.exe, command line C:\Windows\system32\Claenb32.exe (PID 3048)
69⤵ C:\Windows\SysWOW64\Dcmjpl32.exe, command line C:\Windows\system32\Dcmjpl32.exe (PID 3996)
   - Drops file in System32 directory
70⤵ C:\Windows\SysWOW64\Dncnnd32.exe, command line C:\Windows\system32\Dncnnd32.exe (PID 4232)
71⤵ C:\Windows\SysWOW64\Dodjemee.exe, command line C:\Windows\system32\Dodjemee.exe (PID 4620)
   - Adds autorun key to be loaded by Explorer.exe on startup
72⤵ C:\Windows\SysWOW64\Emfgpo32.exe, command line C:\Windows\system32\Emfgpo32.exe (PID 1580)
73⤵ C:\Windows\SysWOW64\Fgcang32.exe, command line C:\Windows\system32\Fgcang32.exe (PID 5056)
74⤵ C:\Windows\SysWOW64\Fmdcamko.exe, command line C:\Windows\system32\Fmdcamko.exe (PID 4400)
75⤵ C:\Windows\SysWOW64\Gmnfglcd.exe, command line C:\Windows\system32\Gmnfglcd.exe (PID 4832)
76⤵ C:\Windows\SysWOW64\Hhjqec32.exe, command line C:\Windows\system32\Hhjqec32.exe (PID 3492)
77⤵ C:\Windows\SysWOW64\Hoibmmpi.exe, command line C:\Windows\system32\Hoibmmpi.exe (PID 4340)
78⤵ C:\Windows\SysWOW64\Ipjoee32.exe, command line C:\Windows\system32\Ipjoee32.exe (PID 3408)
79⤵ C:\Windows\SysWOW64\Imnoni32.exe, command line C:\Windows\system32\Imnoni32.exe (PID 324)
80⤵ C:\Windows\SysWOW64\Ikbphn32.exe, command line C:\Windows\system32\Ikbphn32.exe (PID 3988)
81⤵ C:\Windows\SysWOW64\Imgbdh32.exe, command line C:\Windows\system32\Imgbdh32.exe (PID 1896)
   - Adds autorun key to be loaded by Explorer.exe on startup
82⤵ C:\Windows\SysWOW64\Jkplilgk.exe, command line C:\Windows\system32\Jkplilgk.exe (PID 4388)
   - Drops file in System32 directory
83⤵ C:\Windows\SysWOW64\Kaajfe32.exe, command line C:\Windows\system32\Kaajfe32.exe (PID 4540)
84⤵ C:\Windows\SysWOW64\Khkbcopl.exe, command line C:\Windows\system32\Khkbcopl.exe (PID 4820)
85⤵ C:\Windows\SysWOW64\Knhkkfod.exe, command line C:\Windows\system32\Knhkkfod.exe (PID 396)
86⤵ C:\Windows\SysWOW64\Kdbchp32.exe, command line C:\Windows\system32\Kdbchp32.exe (PID 1160)
87⤵ C:\Windows\SysWOW64\Koggehff.exe, command line C:\Windows\system32\Koggehff.exe (PID 1148)
   - Modifies registry class
88⤵ C:\Windows\SysWOW64\Khplnn32.exe, command line C:\Windows\system32\Khplnn32.exe (PID 1816)
89⤵ C:\Windows\SysWOW64\Knldfe32.exe, command line C:\Windows\system32\Knldfe32.exe (PID 1404)
90⤵ C:\Windows\SysWOW64\Kkqepi32.exe, command line C:\Windows\system32\Kkqepi32.exe (PID 3272)
91⤵ C:\Windows\SysWOW64\Lhgbomfo.exe, command line C:\Windows\system32\Lhgbomfo.exe (PID 1532)
92⤵ C:\Windows\SysWOW64\Lncjgddf.exe, command line C:\Windows\system32\Lncjgddf.exe (PID 2924)
   - Drops file in System32 directory
93⤵ C:\Windows\SysWOW64\Lhiodm32.exe, command line C:\Windows\system32\Lhiodm32.exe (PID 4680)
   - Adds autorun key to be loaded by Explorer.exe on startup
94⤵ C:\Windows\SysWOW64\Lkgkqh32.exe, command line C:\Windows\system32\Lkgkqh32.exe (PID 2692)
   - Adds autorun key to be loaded by Explorer.exe on startup
95⤵ C:\Windows\SysWOW64\Lqdcio32.exe, command line C:\Windows\system32\Lqdcio32.exe (PID 5160)
   - Adds autorun key to be loaded by Explorer.exe on startup
96⤵ C:\Windows\SysWOW64\Lgnleiid.exe, command line C:\Windows\system32\Lgnleiid.exe (PID 5192)
97⤵ C:\Windows\SysWOW64\Ldblon32.exe, command line C:\Windows\system32\Ldblon32.exe (PID 5236)
   - Modifies registry class
98⤵ C:\Windows\SysWOW64\Lkldlgok.exe, command line C:\Windows\system32\Lkldlgok.exe (PID 5288)
   - Adds autorun key to be loaded by Explorer.exe on startup
99⤵ C:\Windows\SysWOW64\Mbfmha32.exe, command line C:\Windows\system32\Mbfmha32.exe (PID 5336)
100⤵ C:\Windows\SysWOW64\Moljgeco.exe, command line C:\Windows\system32\Moljgeco.exe (PID 5380)
101⤵ C:\Windows\SysWOW64\Mndcnafd.exe, command line C:\Windows\system32\Mndcnafd.exe (PID 5424)
102⤵ C:\Windows\SysWOW64\Niqnli32.exe, command line C:\Windows\system32\Niqnli32.exe (PID 5460)
   - Drops file in System32 directory
103⤵ C:\Windows\SysWOW64\Nicjaino.exe, command line C:\Windows\system32\Nicjaino.exe (PID 5508)
104⤵ C:\Windows\SysWOW64\Oooodcci.exe, command line C:\Windows\system32\Oooodcci.exe (PID 5552)
   - Adds autorun key to be loaded by Explorer.exe on startup
105⤵ C:\Windows\SysWOW64\Obdbqm32.exe, command line C:\Windows\system32\Obdbqm32.exe (PID 5604)
106⤵ C:\Windows\SysWOW64\Pelacg32.exe, command line C:\Windows\system32\Pelacg32.exe (PID 5640)
107⤵ C:\Windows\SysWOW64\Pneelmjo.exe, command line C:\Windows\system32\Pneelmjo.exe (PID 5688)
   - Adds autorun key to be loaded by Explorer.exe on startup
108⤵ C:\Windows\SysWOW64\Aaoadg32.exe, command line C:\Windows\system32\Aaoadg32.exe (PID 5724)
109⤵ C:\Windows\SysWOW64\Aldeap32.exe, command line C:\Windows\system32\Aldeap32.exe (PID 5776)
110⤵ C:\Windows\SysWOW64\Apbngn32.exe, command line C:\Windows\system32\Apbngn32.exe (PID 5840)
   - Drops file in System32 directory
111⤵ C:\Windows\SysWOW64\Chebcmna.exe, command line C:\Windows\system32\Chebcmna.exe (PID 5884)
112⤵ C:\Windows\SysWOW64\Dcjfpfnh.exe, command line C:\Windows\system32\Dcjfpfnh.exe (PID 5928)
113⤵ C:\Windows\SysWOW64\Djihhoao.exe, command line C:\Windows\system32\Djihhoao.exe (PID 5972)
114⤵ C:\Windows\SysWOW64\Dfphmp32.exe, command line C:\Windows\system32\Dfphmp32.exe (PID 6036)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
115⤵ C:\Windows\SysWOW64\Dphipidf.exe, command line C:\Windows\system32\Dphipidf.exe (PID 6072)
   - Drops file in System32 directory
116⤵ C:\Windows\SysWOW64\Ecfeldcj.exe, command line C:\Windows\system32\Ecfeldcj.exe (PID 6124)
   - Adds autorun key to be loaded by Explorer.exe on startup
117⤵ C:\Windows\SysWOW64\Efikco32.exe, command line C:\Windows\system32\Efikco32.exe (PID 872)
   - Drops file in System32 directory
118⤵ C:\Windows\SysWOW64\Elccpife.exe, command line C:\Windows\system32\Elccpife.exe (PID 5168)
   - Adds autorun key to be loaded by Explorer.exe on startup
119⤵ C:\Windows\SysWOW64\Ejiqom32.exe, command line C:\Windows\system32\Ejiqom32.exe (PID 5216)
120⤵ C:\Windows\SysWOW64\Fcbehbim.exe, command line C:\Windows\system32\Fcbehbim.exe (PID 5256)
121⤵ C:\Windows\SysWOW64\Fmjjqhpn.exe, command line C:\Windows\system32\Fmjjqhpn.exe (PID 5316)
122⤵ C:\Windows\SysWOW64\Foifmcoa.exe, command line C:\Windows\system32\Foifmcoa.exe (PID 5412)
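The process list is one chain 122 levels deep: every dropped executable starts the next from C:\Windows\SysWOW64. Two details matter when turning it into detections. First, each command line names C:\Windows\system32 while the image that actually ran is the SysWOW64 copy; the sample is a 32-bit x86 binary, so WOW64 file-system redirection sends its writes and launches to SysWOW64, and that is the path to hunt on. Second, PIDs repeat within the run (4820 at levels 2 and 84, 872 at levels 13 and 117) because earlier processes had already exited, so lineage has to be rebuilt from nesting level and order, not from PID alone. The script below is an added example, not the sandbox's or any vendor's code: it parses a constructed excerpt of this list in the raw form the sandbox exports it (image path, command line, level and PID fused on one line), rebuilds parent links, reports reused PIDs, and extracts the SysWOW64 image names as an IoC list. The excerpt and the parsing rules are assumptions drawn from this page only.

```python
"""Rebuild the dropper chain from a sandbox process-tree export.

Added example for this report, not the sandbox's or any vendor's code. The input
is a constructed excerpt of this page's process list in the raw export form:
image path, command line, level ("N⤵") and sometimes the PID fused on one line,
then one "- <signature>" line per behaviour and a "PID:N -" line when not fused.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of four entries from the report. PID 4820 is present twice
# (levels 2 and 84): the first process had exited and Windows reused its PID, so
# lineage is keyed on position and level below, never on PID alone.
SAMPLE_EXPORT = r"""
C:\Users\Admin\AppData\Local\Temp\NEAS.bb5492bec8a7d49bcc93a1a08e302250.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bb5492bec8a7d49bcc93a1a08e302250.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Khcgfo32.exeC:\Windows\system32\Khcgfo32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Khkbcopl.exeC:\Windows\system32\Khkbcopl.exe84⤵PID:4820
-
C:\Windows\SysWOW64\Knhkkfod.exeC:\Windows\system32\Knhkkfod.exe85⤵PID:396
-
"""

# Image path ends at the first ".exe"; the command line (optionally quoted)
# follows directly, then the level, the arrow and, when fused, the PID.
HEADER = re.compile(r'^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmdline>"?[A-Za-z]:\\.*?\.exe"?)'
                    r'(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$')
PID_LINE = re.compile(r'^PID:(\d+)')


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_export(text: str) -> List[Proc]:
    """One Proc per process, in report order."""
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":                 # the export's list separators
            continue
        m = HEADER.match(line)
        if m:
            procs.append(Proc(int(m["depth"]), m["image"], m["cmdline"],
                              int(m["pid"]) if m["pid"] else None))
        elif PID_LINE.match(line):
            procs[-1].pid = int(PID_LINE.match(line)[1])
        elif line.startswith("- "):
            procs[-1].signatures.append(line[2:])
        else:
            raise ValueError(f"unrecognised export line: {line!r}")
    return procs


def build_lineage(procs: List[Proc]) -> List[Optional[int]]:
    """Parent index per process: nearest preceding entry exactly one level
    shallower; None when that level is absent from the export."""
    parents: List[Optional[int]] = []
    for i, p in enumerate(procs):
        parent = None
        for j in range(i - 1, -1, -1):
            if procs[j].depth < p.depth - 1:        # walked past the parent's level
                break
            if procs[j].depth == p.depth - 1:
                parent = j
                break
        parents.append(parent)
    return parents


def pid_reuse(procs: List[Proc]) -> Dict[int, List[str]]:
    """PIDs that name more than one image within the same run."""
    by_pid: Dict[int, List[str]] = defaultdict(list)
    for p in procs:
        if p.pid is not None:
            by_pid[p.pid].append(p.name)
    return {pid: names for pid, names in by_pid.items() if len(names) > 1}


def wow64_redirected(p: Proc) -> bool:
    """Command line names system32 but the image that ran is the SysWOW64 copy
    (32-bit redirection), so IoC lists must carry the SysWOW64 path."""
    return (p.image.lower().startswith("c:\\windows\\syswow64\\")
            and p.cmdline.strip('"').lower().startswith("c:\\windows\\system32\\"))


def dropped_iocs(procs: List[Proc]) -> List[str]:
    """Basenames of every executable the chain ran from SysWOW64."""
    return sorted({p.name for p in procs if wow64_redirected(p)})


if __name__ == "__main__":
    procs = parse_export(SAMPLE_EXPORT)
    for p, parent in zip(procs, build_lineage(procs)):
        print(p.depth, p.name, p.pid, "<-", procs[parent].name if parent is not None else "?", p.signatures)
    print("reused PIDs:", pid_reuse(procs), "| dropped:", dropped_iocs(procs))
```

Run against the full export, every level from 2 to 122 resolves to the entry directly above it; on the excerpt, level 84 has no parent because levels 3 to 83 are not embedded, which is exactly the situation a truncated EDR timeline produces. Keying `pid_reuse` on raw PID is the point: on a live host the same collision means a lookup by PID alone can attach a later dropper to an unrelated process, so correlate on (PID, creation time) or on the parent link, as the sandbox's nesting level does here.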