Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 01-11-2023 20:35
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe
  Resource: win7-20231023-en (windows7-x64)
  6 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe
  Resource: win10v2004-20231023-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
Target: NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe
Size: 896KB
MD5: fb6755d584a095b303e05b994a5e8140
SHA1: 9e9c3d2cf7c823f42c2da58eabedecb9e5fb0793
SHA256: 84a6568198a0c9314c6bf76b31cb106d8b74fe01865032d4d30411eee9197dde
SHA512: 6298cf0e0aa38c7897a0d72a60328d403dcd710002a9727d9dd66922ddb3d044618e94a8ed2f484d2c9dd248d87561d58e2af9db08379c38de2b038ad5ba72b1
SSDEEP: 24576:ykeTRTGryZ5d9TRTGryaITRTGryZ5d9TRTGryeLTRTGryZ5d9TRTGryaITRTGryb:i9bD99wI9bD99e9bD99wI9bD99
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcmlfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkcndeen.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lckglc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opcjno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dakikoom.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejhkdc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkhdgfen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cqpbglno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbefolao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejhkdc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opdiobod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jianpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpbopfag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcmlfl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgjkag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmiccf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Degdgd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iickkbje.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjlgdc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnmdme32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkfcqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkibgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jngjch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jaemilci.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcddlhgo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcbkml32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdagbl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chebcmna.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndflak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obqanjdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khfkfedn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmaooihb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecpomiok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nifele32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmbcik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfkjef32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klgqmfpj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkkcqj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdagbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdeqaa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahchda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Najmjokc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Loiong32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfbobf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojdnid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jelonkph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbljoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eddhipdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egdqkk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcegclgp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lepnli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ceppfbef.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qdpmij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eecdcckf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Delnbdao.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emmkiclm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehpadhll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkfcqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pplhhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pppoeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Helfbqeb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aceijg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaekmdep.exe
Executes dropped EXE (64 IoCs)
pid | Process
3856 | Feapkk32.exe
4744 | Fnmepn32.exe
4040 | Fefjfked.exe
2748 | Fnckpmql.exe
1440 | Gempgj32.exe
2588 | Gnhdkl32.exe
4660 | Ghpendjj.exe
1780 | Gfdfgiid.exe
3084 | Gkaopp32.exe
1800 | Hbmcbime.exe
4752 | Hhlejcpm.exe
4868 | Hdbfodfa.exe
3400 | Idebdcdo.exe
3024 | Ibicnh32.exe
2896 | Iickkbje.exe
3628 | Ifgldfio.exe
1588 | Ioopml32.exe
1208 | Ieliebnf.exe
3432 | Indmnh32.exe
3984 | Jngjch32.exe
4264 | Jilnqqbj.exe
3192 | Lpbopfag.exe
4844 | Mfcmmp32.exe
4436 | Mplafeil.exe
4388 | Nhlpfgbb.exe
2932 | Nbadcpbh.exe
2152 | Nojanpej.exe
5024 | Nchjdo32.exe
4520 | Ooagno32.exe
400 | Ohjlgefb.exe
5096 | Oljaccjf.exe
4324 | Oebflhaf.exe
980 | Pgbbek32.exe
4008 | Pfgogh32.exe
4808 | Pckppl32.exe
1500 | Phhhhc32.exe
2344 | Pcmlfl32.exe
2872 | Podmkm32.exe
1860 | Pjjahe32.exe
3008 | Qcbfakec.exe
1660 | Qfbobf32.exe
5080 | Qqhcpo32.exe
5040 | Ahchda32.exe
2436 | Afghneoo.exe
4600 | Aqmlknnd.exe
5112 | Aobilkcl.exe
2724 | Aijnep32.exe
1796 | Ajjjocap.exe
4376 | Bjlgdc32.exe
4560 | Bcelmhen.exe
2424 | Bmmpfn32.exe
908 | Bfedoc32.exe
1704 | Bciehh32.exe
5020 | Bggnof32.exe
4312 | Cqpbglno.exe
992 | Cgjjdf32.exe
4864 | Cabomkll.exe
4732 | Cglgjeci.exe
3172 | Ccchof32.exe
380 | Cjmpkqqj.exe
4444 | Cpihcgoa.exe
652 | Cibmlmeb.exe
892 | Emmkiclm.exe
4468 | Idfaefkd.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Klambq32.dll | Figgdg32.exe
File created | C:\Windows\SysWOW64\Pcbkml32.exe | Pfojdh32.exe
File opened for modification | C:\Windows\SysWOW64\Jaemilci.exe | Jhmhpfmi.exe
File opened for modification | C:\Windows\SysWOW64\Efampahd.exe | Oggbfdog.exe
File created | C:\Windows\SysWOW64\Njfafhjf.exe | Ndliin32.exe
File created | C:\Windows\SysWOW64\Faanobla.dll | Njfafhjf.exe
File opened for modification | C:\Windows\SysWOW64\Nbbldp32.exe | Nkhdgfen.exe
File created | C:\Windows\SysWOW64\Oeffbpak.dll | Hdgmga32.exe
File opened for modification | C:\Windows\SysWOW64\Hkobdeok.exe | Gohaod32.exe
File created | C:\Windows\SysWOW64\Cqpbglno.exe | Bggnof32.exe
File created | C:\Windows\SysWOW64\Cbmjen32.dll | Gdeqaa32.exe
File created | C:\Windows\SysWOW64\Naecop32.exe | Ncabfkqo.exe
File created | C:\Windows\SysWOW64\Lechkaga.exe | Loiong32.exe
File created | C:\Windows\SysWOW64\Mobbdf32.exe | Mhhjhlqm.exe
File created | C:\Windows\SysWOW64\Kilphk32.exe | Jbpkfa32.exe
File created | C:\Windows\SysWOW64\Jbeinb32.exe | Jmhaek32.exe
File created | C:\Windows\SysWOW64\Cahijaij.dll | Kboldq32.exe
File opened for modification | C:\Windows\SysWOW64\Nnlhod32.exe | Ndcdfnpa.exe
File created | C:\Windows\SysWOW64\Kmonnmjm.dll | NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe
File opened for modification | C:\Windows\SysWOW64\Ioopml32.exe | Ifgldfio.exe
File created | C:\Windows\SysWOW64\Aobilkcl.exe | Aqmlknnd.exe
File created | C:\Windows\SysWOW64\Bggnof32.exe | Bciehh32.exe
File created | C:\Windows\SysWOW64\Ghbjikdh.dll | Oobfob32.exe
File created | C:\Windows\SysWOW64\Fbgdmb32.dll | Dqbcbkab.exe
File created | C:\Windows\SysWOW64\Oofial32.dll | Lbqinm32.exe
File opened for modification | C:\Windows\SysWOW64\Mfhpilbc.exe | Mcicma32.exe
File created | C:\Windows\SysWOW64\Imjddmpl.exe | Hpfdkiac.exe
File created | C:\Windows\SysWOW64\Cgeqej32.dll | Qmkanmel.exe
File created | C:\Windows\SysWOW64\Dmjhchjo.dll | Ifgldfio.exe
File opened for modification | C:\Windows\SysWOW64\Njfagf32.exe | Mmbanbmg.exe
File created | C:\Windows\SysWOW64\Ffahnd32.exe | Epgpajdp.exe
File created | C:\Windows\SysWOW64\Oendaipn.exe | Ooalibaf.exe
File created | C:\Windows\SysWOW64\Klgqmfpj.exe | Kboldq32.exe
File created | C:\Windows\SysWOW64\Bfoebq32.exe | Benijhla.exe
File created | C:\Windows\SysWOW64\Hggonfbm.exe | Hffbfn32.exe
File opened for modification | C:\Windows\SysWOW64\Jegohe32.exe | Ifcben32.exe
File created | C:\Windows\SysWOW64\Pblolb32.exe | Ollgiplp.exe
File created | C:\Windows\SysWOW64\Bmpdbd32.dll | Flgfqb32.exe
File created | C:\Windows\SysWOW64\Ldlghq32.dll | Gkaopp32.exe
File created | C:\Windows\SysWOW64\Aonhghjl.exe | Bdbnjdfg.exe
File opened for modification | C:\Windows\SysWOW64\Njokei32.exe | Ncecioib.exe
File created | C:\Windows\SysWOW64\Hpifoq32.dll | Klbgag32.exe
File opened for modification | C:\Windows\SysWOW64\Afghneoo.exe | Ahchda32.exe
File opened for modification | C:\Windows\SysWOW64\Dkhgod32.exe | Dqbcbkab.exe
File created | C:\Windows\SysWOW64\Eiekog32.exe | Ebkbbmqj.exe
File created | C:\Windows\SysWOW64\Nggjog32.exe | Nefmgogl.exe
File created | C:\Windows\SysWOW64\Npaphh32.dll | Ecpomiok.exe
File opened for modification | C:\Windows\SysWOW64\Ldeonbkd.exe | Kpgfhddn.exe
File created | C:\Windows\SysWOW64\Iipejo32.dll | Cabomkll.exe
File created | C:\Windows\SysWOW64\Hhbbmjne.exe | Hbhjqp32.exe
File opened for modification | C:\Windows\SysWOW64\Efamkepl.exe | Ppopcf32.exe
File created | C:\Windows\SysWOW64\Cjmpkqqj.exe | Ccchof32.exe
File created | C:\Windows\SysWOW64\Ckgofgjn.dll | Aajohjon.exe
File opened for modification | C:\Windows\SysWOW64\Eklajcmc.exe | Ehndnh32.exe
File opened for modification | C:\Windows\SysWOW64\Obqanjdb.exe | Omdieb32.exe
File created | C:\Windows\SysWOW64\Mdagbl32.exe | Mkicjgnn.exe
File created | C:\Windows\SysWOW64\Mfhpilbc.exe | Mcicma32.exe
File created | C:\Windows\SysWOW64\Mcmall32.exe | Mlciobhj.exe
File created | C:\Windows\SysWOW64\Pnbimd32.dll | Eddhipdd.exe
File created | C:\Windows\SysWOW64\Khoana32.dll | Naecop32.exe
File created | C:\Windows\SysWOW64\Nnckgmik.dll | Fkfcqb32.exe
File created | C:\Windows\SysWOW64\Ockdmmoj.exe | Oqmhqapg.exe
File created | C:\Windows\SysWOW64\Goconkah.exe | Gfkjef32.exe
File created | C:\Windows\SysWOW64\Jnlpff32.dll | Mcfkkmeo.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgfjla32.dll" | Iihkjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aknifq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kopcbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mibpng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikbgh32.dll" | Mdhdkp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eeeaibid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mholheco.dll" | Bcelmhen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdbil32.dll" | Mboqnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmppmh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcoioabf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kiajck32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oqmhqapg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jelonkph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll" | Jaemilci.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lndfchdj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Goconkah.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Niifnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbmcbime.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjmpkqqj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmobmfnn.dll" | Fddqpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oelfcdif.dll" | Acicefid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajckbp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nfqnbjfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipoje32.dll" | Ncecioib.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nkjqme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbmaog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlciobhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Foekbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oljaccjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bfedoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekpped32.dll" | Qeodhjmo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mobbdf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emhdeoel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oendaipn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malpdh32.dll" | Icdmqg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfoihalp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciagi32.dll" | Gfdfgiid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aijnep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacemc32.dll" | Pekkhn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Clihcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhkjooqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkiho32.dll" | Eggmqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lajhpbme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omgjhc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Maaoaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dagiba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmicbcff.dll" | Hbiakf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdemhoen.dll" | Lmppmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmgabcge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Knkcmild.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mfhpilbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Enlqdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bifblbad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ipkneh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiabl32.dll" | Mjkblhfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmbmpbk.dll" | Ohcegi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Keekjc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngemjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faanobla.dll" | Njfafhjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Olnkfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhobd32.dll" | Akepfpcl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdmlkfjb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bammeebe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlefebfg.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4980 wrote to memory of 3856 | 4980 | NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe | 87
PID 4980 wrote to memory of 3856 | 4980 | NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe | 87
PID 4980 wrote to memory of 3856 | 4980 | NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe | 87
PID 3856 wrote to memory of 4744 | 3856 | Feapkk32.exe | 89
PID 3856 wrote to memory of 4744 | 3856 | Feapkk32.exe | 89
PID 3856 wrote to memory of 4744 | 3856 | Feapkk32.exe | 89
PID 4744 wrote to memory of 4040 | 4744 | Fnmepn32.exe | 90
PID 4744 wrote to memory of 4040 | 4744 | Fnmepn32.exe | 90
PID 4744 wrote to memory of 4040 | 4744 | Fnmepn32.exe | 90
PID 4040 wrote to memory of 2748 | 4040 | Fefjfked.exe | 91
PID 4040 wrote to memory of 2748 | 4040 | Fefjfked.exe | 91
PID 4040 wrote to memory of 2748 | 4040 | Fefjfked.exe | 91
PID 2748 wrote to memory of 1440 | 2748 | Fnckpmql.exe | 93
PID 2748 wrote to memory of 1440 | 2748 | Fnckpmql.exe | 93
PID 2748 wrote to memory of 1440 | 2748 | Fnckpmql.exe | 93
PID 1440 wrote to memory of 2588 | 1440 | Gempgj32.exe | 94
PID 1440 wrote to memory of 2588 | 1440 | Gempgj32.exe | 94
PID 1440 wrote to memory of 2588 | 1440 | Gempgj32.exe | 94
PID 2588 wrote to memory of 4660 | 2588 | Gnhdkl32.exe | 95
PID 2588 wrote to memory of 4660 | 2588 | Gnhdkl32.exe | 95
PID 2588 wrote to memory of 4660 | 2588 | Gnhdkl32.exe | 95
PID 4660 wrote to memory of 1780 | 4660 | Ghpendjj.exe | 96
PID 4660 wrote to memory of 1780 | 4660 | Ghpendjj.exe | 96
PID 4660 wrote to memory of 1780 | 4660 | Ghpendjj.exe | 96
PID 1780 wrote to memory of 3084 | 1780 | Gfdfgiid.exe | 97
PID 1780 wrote to memory of 3084 | 1780 | Gfdfgiid.exe | 97
PID 1780 wrote to memory of 3084 | 1780 | Gfdfgiid.exe | 97
PID 3084 wrote to memory of 1800 | 3084 | Gkaopp32.exe | 98
PID 3084 wrote to memory of 1800 | 3084 | Gkaopp32.exe | 98
PID 3084 wrote to memory of 1800 | 3084 | Gkaopp32.exe | 98
PID 1800 wrote to memory of 4752 | 1800 | Hbmcbime.exe | 99
PID 1800 wrote to memory of 4752 | 1800 | Hbmcbime.exe | 99
PID 1800 wrote to memory of 4752 | 1800 | Hbmcbime.exe | 99
PID 4752 wrote to memory of 4868 | 4752 | Hhlejcpm.exe | 100
PID 4752 wrote to memory of 4868 | 4752 | Hhlejcpm.exe | 100
PID 4752 wrote to memory of 4868 | 4752 | Hhlejcpm.exe | 100
PID 4868 wrote to memory of 3400 | 4868 | Hdbfodfa.exe | 101
PID 4868 wrote to memory of 3400 | 4868 | Hdbfodfa.exe | 101
PID 4868 wrote to memory of 3400 | 4868 | Hdbfodfa.exe | 101
PID 3400 wrote to memory of 3024 | 3400 | Idebdcdo.exe | 102
PID 3400 wrote to memory of 3024 | 3400 | Idebdcdo.exe | 102
PID 3400 wrote to memory of 3024 | 3400 | Idebdcdo.exe | 102
PID 3024 wrote to memory of 2896 | 3024 | Ibicnh32.exe | 103
PID 3024 wrote to memory of 2896 | 3024 | Ibicnh32.exe | 103
PID 3024 wrote to memory of 2896 | 3024 | Ibicnh32.exe | 103
PID 2896 wrote to memory of 3628 | 2896 | Iickkbje.exe | 104
PID 2896 wrote to memory of 3628 | 2896 | Iickkbje.exe | 104
PID 2896 wrote to memory of 3628 | 2896 | Iickkbje.exe | 104
PID 3628 wrote to memory of 1588 | 3628 | Ifgldfio.exe | 105
PID 3628 wrote to memory of 1588 | 3628 | Ifgldfio.exe | 105
PID 3628 wrote to memory of 1588 | 3628 | Ifgldfio.exe | 105
PID 1588 wrote to memory of 1208 | 1588 | Ioopml32.exe | 106
PID 1588 wrote to memory of 1208 | 1588 | Ioopml32.exe | 106
PID 1588 wrote to memory of 1208 | 1588 | Ioopml32.exe | 106
PID 1208 wrote to memory of 3432 | 1208 | Ieliebnf.exe | 107
PID 1208 wrote to memory of 3432 | 1208 | Ieliebnf.exe | 107
PID 1208 wrote to memory of 3432 | 1208 | Ieliebnf.exe | 107
PID 3432 wrote to memory of 3984 | 3432 | Indmnh32.exe | 108
PID 3432 wrote to memory of 3984 | 3432 | Indmnh32.exe | 108
PID 3432 wrote to memory of 3984 | 3432 | Indmnh32.exe | 108
PID 3984 wrote to memory of 4264 | 3984 | Jngjch32.exe | 109
PID 3984 wrote to memory of 4264 | 3984 | Jngjch32.exe | 109
PID 3984 wrote to memory of 4264 | 3984 | Jngjch32.exe | 109
PID 4264 wrote to memory of 3192 | 4264 | Jilnqqbj.exe | 111
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.fb6755d584a095b303e05b994a5e8140_JC.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 4980
[depth 2] C:\Windows\SysWOW64\Feapkk32.exe
  Command line: C:\Windows\system32\Feapkk32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3856
[depth 3] C:\Windows\SysWOW64\Fnmepn32.exe
  Command line: C:\Windows\system32\Fnmepn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4744
[depth 4] C:\Windows\SysWOW64\Fefjfked.exe
  Command line: C:\Windows\system32\Fefjfked.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4040
[depth 5] C:\Windows\SysWOW64\Fnckpmql.exe
  Command line: C:\Windows\system32\Fnckpmql.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2748
[depth 6] C:\Windows\SysWOW64\Gempgj32.exe
  Command line: C:\Windows\system32\Gempgj32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1440
[depth 7] C:\Windows\SysWOW64\Gnhdkl32.exe
  Command line: C:\Windows\system32\Gnhdkl32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2588
[depth 8] C:\Windows\SysWOW64\Ghpendjj.exe
  Command line: C:\Windows\system32\Ghpendjj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4660
[depth 9] C:\Windows\SysWOW64\Gfdfgiid.exe
  Command line: C:\Windows\system32\Gfdfgiid.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1780
[depth 10] C:\Windows\SysWOW64\Gkaopp32.exe
  Command line: C:\Windows\system32\Gkaopp32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3084
[depth 11] C:\Windows\SysWOW64\Hbmcbime.exe
  Command line: C:\Windows\system32\Hbmcbime.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1800
[depth 12] C:\Windows\SysWOW64\Hhlejcpm.exe
  Command line: C:\Windows\system32\Hhlejcpm.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4752
[depth 13] C:\Windows\SysWOW64\Hdbfodfa.exe
  Command line: C:\Windows\system32\Hdbfodfa.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4868
[depth 14] C:\Windows\SysWOW64\Idebdcdo.exe
  Command line: C:\Windows\system32\Idebdcdo.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3400
[depth 15] C:\Windows\SysWOW64\Ibicnh32.exe
  Command line: C:\Windows\system32\Ibicnh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3024
[depth 16] C:\Windows\SysWOW64\Iickkbje.exe
  Command line: C:\Windows\system32\Iickkbje.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2896
[depth 17] C:\Windows\SysWOW64\Ifgldfio.exe
  Command line: C:\Windows\system32\Ifgldfio.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3628
[depth 18] C:\Windows\SysWOW64\Ioopml32.exe
  Command line: C:\Windows\system32\Ioopml32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1588
[depth 19] C:\Windows\SysWOW64\Ieliebnf.exe
  Command line: C:\Windows\system32\Ieliebnf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1208
[depth 20] C:\Windows\SysWOW64\Indmnh32.exe
  Command line: C:\Windows\system32\Indmnh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3432
[depth 21] C:\Windows\SysWOW64\Jngjch32.exe
  Command line: C:\Windows\system32\Jngjch32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3984
[depth 22] C:\Windows\SysWOW64\Jilnqqbj.exe
  Command line: C:\Windows\system32\Jilnqqbj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4264
[depth 23] C:\Windows\SysWOW64\Lpbopfag.exe
  Command line: C:\Windows\system32\Lpbopfag.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 3192
[depth 24] C:\Windows\SysWOW64\Mfcmmp32.exe
  Command line: C:\Windows\system32\Mfcmmp32.exe
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe25⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Nhlpfgbb.exeC:\Windows\system32\Nhlpfgbb.exe26⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Nbadcpbh.exeC:\Windows\system32\Nbadcpbh.exe27⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Nojanpej.exeC:\Windows\system32\Nojanpej.exe28⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe29⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe30⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe31⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe33⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Pgbbek32.exeC:\Windows\system32\Pgbbek32.exe34⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe35⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe36⤵
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe37⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe39⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe40⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe41⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe43⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5040 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe45⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Aqmlknnd.exeC:\Windows\system32\Aqmlknnd.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4600 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe47⤵
- Executes dropped EXE
PID:5112 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe49⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4560 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe52⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe57⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4864 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe59⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3172 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Cpihcgoa.exeC:\Windows\system32\Cpihcgoa.exe62⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe63⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe65⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe66⤵PID:2492
-
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe67⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe68⤵
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\Mminhceb.exeC:\Windows\system32\Mminhceb.exe69⤵PID:1124
-
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe70⤵PID:4036
-
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe71⤵PID:656
-
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe72⤵PID:1392
-
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3120 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe74⤵PID:1316
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe75⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe76⤵PID:1172
-
C:\Windows\SysWOW64\Ncabfkqo.exeC:\Windows\system32\Ncabfkqo.exe77⤵
- Drops file in System32 directory
PID:4160 -
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe78⤵
- Drops file in System32 directory
PID:5124 -
C:\Windows\SysWOW64\Nnicid32.exeC:\Windows\system32\Nnicid32.exe79⤵PID:5168
-
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5216 -
C:\Windows\SysWOW64\Najmjokc.exeC:\Windows\system32\Najmjokc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5256 -
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe82⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe83⤵PID:5340
-
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe84⤵PID:5380
-
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5424 -
C:\Windows\SysWOW64\Ohhnbhok.exeC:\Windows\system32\Ohhnbhok.exe86⤵PID:5480
-
C:\Windows\SysWOW64\Oobfob32.exeC:\Windows\system32\Oobfob32.exe87⤵
- Drops file in System32 directory
PID:5536 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe88⤵PID:5588
-
C:\Windows\SysWOW64\Ohkkhhmh.exeC:\Windows\system32\Ohkkhhmh.exe89⤵PID:5644
-
C:\Windows\SysWOW64\Oodcdb32.exeC:\Windows\system32\Oodcdb32.exe90⤵PID:5684
-
C:\Windows\SysWOW64\Ohmhmh32.exeC:\Windows\system32\Ohmhmh32.exe91⤵PID:5724
-
C:\Windows\SysWOW64\Pmlmkn32.exeC:\Windows\system32\Pmlmkn32.exe92⤵PID:5764
-
C:\Windows\SysWOW64\Ponfka32.exeC:\Windows\system32\Ponfka32.exe93⤵PID:5804
-
C:\Windows\SysWOW64\Phfjcf32.exeC:\Windows\system32\Phfjcf32.exe94⤵PID:5844
-
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe95⤵PID:5884
-
C:\Windows\SysWOW64\Phigif32.exeC:\Windows\system32\Phigif32.exe96⤵PID:5924
-
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe97⤵
- Modifies registry class
PID:5964 -
C:\Windows\SysWOW64\Amjillkj.exeC:\Windows\system32\Amjillkj.exe98⤵PID:6004
-
C:\Windows\SysWOW64\Aknifq32.exeC:\Windows\system32\Aknifq32.exe99⤵
- Modifies registry class
PID:6044 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe100⤵PID:6088
-
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe101⤵
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe102⤵PID:5176
-
C:\Windows\SysWOW64\Akepfpcl.exeC:\Windows\system32\Akepfpcl.exe103⤵
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe104⤵PID:5356
-
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe105⤵PID:5412
-
C:\Windows\SysWOW64\Baadiiif.exeC:\Windows\system32\Baadiiif.exe106⤵PID:5528
-
C:\Windows\SysWOW64\Bdbnjdfg.exeC:\Windows\system32\Bdbnjdfg.exe107⤵
- Drops file in System32 directory
PID:5672
C:\Windows\SysWOW64\Lmheph32.exeC:\Windows\system32\Lmheph32.exe22⤵PID:5756
-
C:\Windows\SysWOW64\Liofdigo.exeC:\Windows\system32\Liofdigo.exe23⤵PID:744
-
C:\Windows\SysWOW64\Mcggga32.exeC:\Windows\system32\Mcggga32.exe24⤵PID:2788
-
C:\Windows\SysWOW64\Mfeccm32.exeC:\Windows\system32\Mfeccm32.exe25⤵PID:5952
-
C:\Windows\SysWOW64\Mmokpglb.exeC:\Windows\system32\Mmokpglb.exe26⤵PID:1968
-
C:\Windows\SysWOW64\Mcicma32.exeC:\Windows\system32\Mcicma32.exe27⤵
- Drops file in System32 directory
PID:372 -
C:\Windows\SysWOW64\Mfhpilbc.exeC:\Windows\system32\Mfhpilbc.exe28⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Mmahff32.exeC:\Windows\system32\Mmahff32.exe29⤵PID:3568
-
C:\Windows\SysWOW64\Mboqnm32.exeC:\Windows\system32\Mboqnm32.exe30⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Mlgegcng.exeC:\Windows\system32\Mlgegcng.exe31⤵PID:4264
-
C:\Windows\SysWOW64\Mcnmhpoj.exeC:\Windows\system32\Mcnmhpoj.exe32⤵PID:6076
-
C:\Windows\SysWOW64\Mflidl32.exeC:\Windows\system32\Mflidl32.exe33⤵PID:1524
-
C:\Windows\SysWOW64\Mikepg32.exeC:\Windows\system32\Mikepg32.exe34⤵PID:2432
-
C:\Windows\SysWOW64\Mpenmadn.exeC:\Windows\system32\Mpenmadn.exe35⤵PID:3128
-
C:\Windows\SysWOW64\Mbcjimda.exeC:\Windows\system32\Mbcjimda.exe36⤵PID:5240
-
C:\Windows\SysWOW64\Mimbfg32.exeC:\Windows\system32\Mimbfg32.exe37⤵PID:1576
-
C:\Windows\SysWOW64\Nlknbb32.exeC:\Windows\system32\Nlknbb32.exe38⤵PID:5516
-
C:\Windows\SysWOW64\Nbefolao.exeC:\Windows\system32\Nbefolao.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5356 -
C:\Windows\SysWOW64\Njmopj32.exeC:\Windows\system32\Njmopj32.exe40⤵PID:5364
-
C:\Windows\SysWOW64\Nmkkle32.exeC:\Windows\system32\Nmkkle32.exe41⤵PID:5784
-
C:\Windows\SysWOW64\Ncecioib.exeC:\Windows\system32\Ncecioib.exe42⤵
- Drops file in System32 directory
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Njokei32.exeC:\Windows\system32\Njokei32.exe43⤵PID:5580
-
C:\Windows\SysWOW64\Nmmgae32.exeC:\Windows\system32\Nmmgae32.exe44⤵PID:1732
-
C:\Windows\SysWOW64\Nbjpjl32.exeC:\Windows\system32\Nbjpjl32.exe45⤵PID:3000
-
C:\Windows\SysWOW64\Njahki32.exeC:\Windows\system32\Njahki32.exe46⤵PID:1580
-
C:\Windows\SysWOW64\Nmpdgdmp.exeC:\Windows\system32\Nmpdgdmp.exe47⤵PID:3200
-
C:\Windows\SysWOW64\Ndjldo32.exeC:\Windows\system32\Ndjldo32.exe48⤵PID:4400
-
C:\Windows\SysWOW64\Njceqili.exeC:\Windows\system32\Njceqili.exe49⤵PID:6036
-
C:\Windows\SysWOW64\Nifele32.exeC:\Windows\system32\Nifele32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4316 -
C:\Windows\SysWOW64\Ndliin32.exeC:\Windows\system32\Ndliin32.exe51⤵
- Drops file in System32 directory
PID:4352 -
C:\Windows\SysWOW64\Njfafhjf.exeC:\Windows\system32\Njfafhjf.exe52⤵
- Drops file in System32 directory
- Modifies registry class
PID:4368 -
C:\Windows\SysWOW64\Omdnbd32.exeC:\Windows\system32\Omdnbd32.exe53⤵PID:1512
-
C:\Windows\SysWOW64\Opcjno32.exeC:\Windows\system32\Opcjno32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4588 -
C:\Windows\SysWOW64\Ofmbkipk.exeC:\Windows\system32\Ofmbkipk.exe55⤵PID:4328
-
C:\Windows\SysWOW64\Omgjhc32.exeC:\Windows\system32\Omgjhc32.exe56⤵
- Modifies registry class
PID:4120 -
C:\Windows\SysWOW64\Odqbdnod.exeC:\Windows\system32\Odqbdnod.exe57⤵PID:2752
-
C:\Windows\SysWOW64\Ojkkah32.exeC:\Windows\system32\Ojkkah32.exe58⤵PID:3172
-
C:\Windows\SysWOW64\Ollgiplp.exeC:\Windows\system32\Ollgiplp.exe59⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Pblolb32.exeC:\Windows\system32\Pblolb32.exe60⤵PID:1772
-
C:\Windows\SysWOW64\Pekkhn32.exeC:\Windows\system32\Pekkhn32.exe61⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Pmbcik32.exeC:\Windows\system32\Pmbcik32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Pppoeg32.exeC:\Windows\system32\Pppoeg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5220 -
C:\Windows\SysWOW64\Enlqdc32.exeC:\Windows\system32\Enlqdc32.exe64⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Eciilj32.exeC:\Windows\system32\Eciilj32.exe65⤵PID:5216
-
C:\Windows\SysWOW64\Enomic32.exeC:\Windows\system32\Enomic32.exe66⤵PID:492
-
C:\Windows\SysWOW64\Eckfaj32.exeC:\Windows\system32\Eckfaj32.exe67⤵PID:5252
-
C:\Windows\SysWOW64\Eqpfknbj.exeC:\Windows\system32\Eqpfknbj.exe68⤵PID:2648
-
C:\Windows\SysWOW64\Ecnbgian.exeC:\Windows\system32\Ecnbgian.exe69⤵PID:2024
-
C:\Windows\SysWOW64\Ejhkdc32.exeC:\Windows\system32\Ejhkdc32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4476 -
C:\Windows\SysWOW64\Emfgpo32.exeC:\Windows\system32\Emfgpo32.exe71⤵PID:4124
-
C:\Windows\SysWOW64\Ecpomiok.exeC:\Windows\system32\Ecpomiok.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5256 -
C:\Windows\SysWOW64\Efolidno.exeC:\Windows\system32\Efolidno.exe73⤵PID:4904
-
C:\Windows\SysWOW64\Emhdeoel.exeC:\Windows\system32\Emhdeoel.exe74⤵
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Epgpajdp.exeC:\Windows\system32\Epgpajdp.exe75⤵
- Drops file in System32 directory
PID:5044 -
C:\Windows\SysWOW64\Ffahnd32.exeC:\Windows\system32\Ffahnd32.exe76⤵PID:5840
-
C:\Windows\SysWOW64\Fmkqknci.exeC:\Windows\system32\Fmkqknci.exe77⤵PID:4520
-
C:\Windows\SysWOW64\Fpimgjbm.exeC:\Windows\system32\Fpimgjbm.exe78⤵PID:1536
-
C:\Windows\SysWOW64\Mgjkag32.exeC:\Windows\system32\Mgjkag32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4660 -
C:\Windows\SysWOW64\Mndcnafd.exeC:\Windows\system32\Mndcnafd.exe80⤵PID:6088
-
C:\Windows\SysWOW64\Mhihkjfj.exeC:\Windows\system32\Mhihkjfj.exe81⤵PID:4376
-
C:\Windows\SysWOW64\Nkhdgfen.exeC:\Windows\system32\Nkhdgfen.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Nbbldp32.exeC:\Windows\system32\Nbbldp32.exe83⤵PID:3160
-
C:\Windows\SysWOW64\Ndphpk32.exeC:\Windows\system32\Ndphpk32.exe84⤵PID:4812
-
C:\Windows\SysWOW64\Nkjqme32.exeC:\Windows\system32\Nkjqme32.exe85⤵
- Modifies registry class
PID:5228 -
C:\Windows\SysWOW64\Nkagndmc.exeC:\Windows\system32\Nkagndmc.exe86⤵PID:3600
-
C:\Windows\SysWOW64\Nqnofkkj.exeC:\Windows\system32\Nqnofkkj.exe87⤵PID:5648
-
C:\Windows\SysWOW64\Nieggill.exeC:\Windows\system32\Nieggill.exe88⤵PID:4652
-
C:\Windows\SysWOW64\Oooodcci.exeC:\Windows\system32\Oooodcci.exe89⤵PID:1220
-
C:\Windows\SysWOW64\Oigdmh32.exeC:\Windows\system32\Oigdmh32.exe90⤵PID:5224
-
C:\Windows\SysWOW64\Ooalibaf.exeC:\Windows\system32\Ooalibaf.exe91⤵
- Drops file in System32 directory
PID:5600 -
C:\Windows\SysWOW64\Oendaipn.exeC:\Windows\system32\Oendaipn.exe92⤵
- Modifies registry class
PID:1196 -
C:\Windows\SysWOW64\Ogmaneoa.exeC:\Windows\system32\Ogmaneoa.exe93⤵PID:3512
-
C:\Windows\SysWOW64\Opdiobod.exeC:\Windows\system32\Opdiobod.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Oaeegjeb.exeC:\Windows\system32\Oaeegjeb.exe95⤵PID:4816
-
C:\Windows\SysWOW64\Bammeebe.exeC:\Windows\system32\Bammeebe.exe96⤵
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Blbabnbk.exeC:\Windows\system32\Blbabnbk.exe97⤵PID:692
-
C:\Windows\SysWOW64\Bbljoh32.exeC:\Windows\system32\Bbljoh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4420 -
C:\Windows\SysWOW64\Bifblbad.exeC:\Windows\system32\Bifblbad.exe99⤵
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Bocjdiol.exeC:\Windows\system32\Bocjdiol.exe100⤵PID:5928
-
C:\Windows\SysWOW64\Cemcqcgi.exeC:\Windows\system32\Cemcqcgi.exe101⤵PID:5696
-
C:\Windows\SysWOW64\Chlomnfl.exeC:\Windows\system32\Chlomnfl.exe102⤵PID:5384
-
C:\Windows\SysWOW64\Ccacjgfb.exeC:\Windows\system32\Ccacjgfb.exe103⤵PID:6024
-
C:\Windows\SysWOW64\Ceppfbef.exeC:\Windows\system32\Ceppfbef.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4964 -
C:\Windows\SysWOW64\Clihcm32.exeC:\Windows\system32\Clihcm32.exe105⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Commjgga.exeC:\Windows\system32\Commjgga.exe106⤵PID:3224
-
C:\Windows\SysWOW64\Cakjfcfe.exeC:\Windows\system32\Cakjfcfe.exe107⤵PID:5524
-
C:\Windows\SysWOW64\Chebcmna.exeC:\Windows\system32\Chebcmna.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Coojpg32.exeC:\Windows\system32\Coojpg32.exe109⤵PID:804
-
C:\Windows\SysWOW64\Dabpgbpm.exeC:\Windows\system32\Dabpgbpm.exe110⤵PID:5732
-
C:\Windows\SysWOW64\Dhlhcl32.exeC:\Windows\system32\Dhlhcl32.exe111⤵PID:4844
-
C:\Windows\SysWOW64\Djkdnool.exeC:\Windows\system32\Djkdnool.exe112⤵PID:6008
-
C:\Windows\SysWOW64\Dagiba32.exeC:\Windows\system32\Dagiba32.exe113⤵
- Modifies registry class
PID:5584 -
C:\Windows\SysWOW64\Djnaco32.exeC:\Windows\system32\Djnaco32.exe114⤵PID:5172
-
C:\Windows\SysWOW64\Eokjke32.exeC:\Windows\system32\Eokjke32.exe115⤵PID:2664
-
C:\Windows\SysWOW64\Efdbhpbn.exeC:\Windows\system32\Efdbhpbn.exe116⤵PID:652
-
C:\Windows\SysWOW64\Bhdbaihi.exeC:\Windows\system32\Bhdbaihi.exe117⤵PID:5668
-
C:\Windows\SysWOW64\Edgkif32.exeC:\Windows\system32\Edgkif32.exe118⤵PID:5892
-
C:\Windows\SysWOW64\Eamhhjbd.exeC:\Windows\system32\Eamhhjbd.exe119⤵PID:5040
-
C:\Windows\SysWOW64\Ehgqed32.exeC:\Windows\system32\Ehgqed32.exe120⤵PID:5960
-
C:\Windows\SysWOW64\Eoaianan.exeC:\Windows\system32\Eoaianan.exe121⤵PID:788
-
C:\Windows\SysWOW64\Femndhgh.exeC:\Windows\system32\Femndhgh.exe122⤵PID:5344