Analysis
-
max time kernel
172s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 14:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe
-
Size
99KB
-
MD5
2d44aafdf315f3ded4db84f6caf7ffc0
-
SHA1
4288dbb046239e43c94991a0307a7809f3dfd45e
-
SHA256
de7bcfd37a109c6e51cb770be459e16d3996a23da5058aea8ab1464fb3380408
-
SHA512
fef0c9ef40a60eac5f5c67d7cdd3bcc4afa0c74d4f91a7cd9167f9f5f1aea1aa034ffe06bcf3e2f5ae1910c7fb94c1bd12f565893dd97de2962cd18e29465bc5
-
SSDEEP
3072:3Yct3wofDvJp1PTuY1HeytpwoTRBmDRGGurhUI:3hJ7vpP6G+Dm7UI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngipjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Haphiiee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgebfhcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhlipla.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqoidmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opbean32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbkml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdigkjpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggjjlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkncno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Laqhao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdhndlno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oajccgmd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimonh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnqafgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lklbnb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhokeolc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcfidb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ielfgmnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgclja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qldccjno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlakjig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glenpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmpjfdcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdhndlno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ojgjhicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddcebe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekljpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdpagc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeakakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phfjmlhh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmodajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ooibkpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgqpkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Liifnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkioq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbgbione.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plkpmlfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llngbabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgngqico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgqdfi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innfgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eahobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kjopbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmhim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lfmghdpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqdkkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Heepfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odjmdocp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbhgjoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihkgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hmfbcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpggkbfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Coadgacp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dagfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbfmgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmnnlk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eobffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmfalimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjahfl32.exe -
Executes dropped EXE 64 IoCs
pid Process 1008 Kpccmhdg.exe 3572 Lpepbgbd.exe 1536 Lhqefjpo.exe 872 Lcfidb32.exe 5088 Llnnmhfe.exe 2628 Legben32.exe 2828 Lplfcf32.exe 4084 Lhgkgijg.exe 3908 Lcmodajm.exe 4316 Mhjhmhhd.exe 4492 Mcoljagj.exe 912 Mofmobmo.exe 1504 Mfpell32.exe 2880 Mohidbkl.exe 556 Mhanngbl.exe 2832 Mcfbkpab.exe 1816 Mjpjgj32.exe 1992 Nblolm32.exe 3824 Nqmojd32.exe 3776 Nfihbk32.exe 3424 Ncmhko32.exe 4940 Nijqcf32.exe 2204 Ncpeaoih.exe 328 Nimmifgo.exe 2784 Nfqnbjfi.exe 4312 Ooibkpmi.exe 5056 Ommceclc.exe 2116 Ocgkan32.exe 4756 Omopjcjp.exe 2548 Ofgdcipq.exe 1788 Oihmedma.exe 2276 Opbean32.exe 3500 Omfekbdh.exe 1464 Pcpnhl32.exe 2436 Pcbkml32.exe 3624 Pcgdhkem.exe 400 Pjaleemj.exe 1600 Pblajhje.exe 2776 Qbonoghb.exe 1260 Qbajeg32.exe 1700 Qikbaaml.exe 648 Abcgjg32.exe 388 Aimogakj.exe 4872 Abfdpfaj.exe 4300 Amkhmoap.exe 4144 Abhqefpg.exe 4732 Aibibp32.exe 3556 Aaiqcnhg.exe 4680 Adgmoigj.exe 828 Affikdfn.exe 2996 Ampaho32.exe 1576 Abmjqe32.exe 2960 Ajdbac32.exe 3684 Banjnm32.exe 4508 Bboffejp.exe 3844 Bpcgpihi.exe 3164 Bfmolc32.exe 3716 Bmggingc.exe 1168 Bdapehop.exe 2220 Bphqji32.exe 2652 Bbfmgd32.exe 1608 Bagmdllg.exe 3704 Bbhildae.exe 1352 Calfpk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bnmobopb.exe Bllbkg32.exe File created C:\Windows\SysWOW64\Omopjcjp.exe Ocgkan32.exe File opened for modification C:\Windows\SysWOW64\Maaekg32.exe Mkgmoncl.exe File opened for modification C:\Windows\SysWOW64\Cmiffhkj.exe Amdddkma.exe File created C:\Windows\SysWOW64\Cpggemjp.dll Cpdgjc32.exe File created C:\Windows\SysWOW64\Dajbaika.exe Dgdncplk.exe File opened for modification C:\Windows\SysWOW64\Gjaphgpl.exe Gcghkm32.exe File created C:\Windows\SysWOW64\Adeimibe.dll Nhafcd32.exe File created C:\Windows\SysWOW64\Bifblbad.exe Boanniao.exe File created C:\Windows\SysWOW64\Innfgb32.exe Ikpjkf32.exe File created C:\Windows\SysWOW64\Maicmgoc.exe Mjokpm32.exe File opened for modification C:\Windows\SysWOW64\Nqmojd32.exe Nblolm32.exe File created C:\Windows\SysWOW64\Giialc32.dll Cdicdi32.exe File created C:\Windows\SysWOW64\Affikdfn.exe Adgmoigj.exe File created C:\Windows\SysWOW64\Gadeee32.dll Fncibg32.exe File created C:\Windows\SysWOW64\Gbmigm32.exe Gmpqof32.exe File created C:\Windows\SysWOW64\Hdclbopg.exe Hlldaape.exe File created C:\Windows\SysWOW64\Ndjcne32.exe Nmpkakak.exe File created C:\Windows\SysWOW64\Llnado32.dll Gjadck32.exe File created C:\Windows\SysWOW64\Kenmbb32.dll Menimfnd.exe File created C:\Windows\SysWOW64\Pencqe32.dll Pcbkml32.exe File created C:\Windows\SysWOW64\Nngihj32.dll Mkjjdmaj.exe File created C:\Windows\SysWOW64\Hbfhni32.dll Llngbabj.exe File created C:\Windows\SysWOW64\Dnjhjpin.dll Kclnfi32.exe File created C:\Windows\SysWOW64\Cpiing32.dll Hhpaki32.exe File opened for modification C:\Windows\SysWOW64\Bfmolc32.exe Bpcgpihi.exe File created C:\Windows\SysWOW64\Dcjdilmf.dll Cgiohbfi.exe File created C:\Windows\SysWOW64\Qhomgchl.dll Jhkljfok.exe File opened for modification C:\Windows\SysWOW64\Oagpne32.exe Ojmhaklf.exe File opened for modification C:\Windows\SysWOW64\Nnkioq32.exe Nbbldp32.exe File created C:\Windows\SysWOW64\Olqnjime.dll Gbmigm32.exe File opened for modification C:\Windows\SysWOW64\Idceim32.exe Ijnqld32.exe File created C:\Windows\SysWOW64\Lfmghdpl.exe Lgjglg32.exe File opened for modification C:\Windows\SysWOW64\Odjmdocp.exe Okailj32.exe File created C:\Windows\SysWOW64\Paenokbf.dll Aaiqcnhg.exe File created C:\Windows\SysWOW64\Lcjldk32.exe Llpchaqg.exe File opened for modification C:\Windows\SysWOW64\Madjbg32.exe Mjkbemll.exe File created C:\Windows\SysWOW64\Gehhom32.dll Nagngjmj.exe File created C:\Windows\SysWOW64\Gmpqof32.exe Gjadck32.exe File created C:\Windows\SysWOW64\Jjeflc32.exe Jggjpgmc.exe File created C:\Windows\SysWOW64\Gggmgk32.exe Gdiakp32.exe File created C:\Windows\SysWOW64\Gfkbnk32.exe Gpqjaanf.exe File opened for modification C:\Windows\SysWOW64\Qikbaaml.exe Qbajeg32.exe File created C:\Windows\SysWOW64\Abhqefpg.exe Amkhmoap.exe File created C:\Windows\SysWOW64\Icembg32.dll Ecbeip32.exe File created C:\Windows\SysWOW64\Bijnai32.dll Lihpbl32.exe File opened for modification C:\Windows\SysWOW64\Iciaji32.exe Iloimopp.exe File created C:\Windows\SysWOW64\Ohhnln32.exe Oejbpb32.exe File opened for modification C:\Windows\SysWOW64\Ajdbac32.exe Abmjqe32.exe File opened for modification C:\Windows\SysWOW64\Lmdbooik.exe Liifnp32.exe File opened for modification C:\Windows\SysWOW64\Nblolm32.exe Mjpjgj32.exe File created C:\Windows\SysWOW64\Gpcffalc.exe Gmdjjemp.exe File opened for modification C:\Windows\SysWOW64\Lgibjj32.exe Haphiiee.exe File created C:\Windows\SysWOW64\Pmheflog.dll Boenam32.exe File created C:\Windows\SysWOW64\Chgnfq32.dll Lpepbgbd.exe File opened for modification C:\Windows\SysWOW64\Ifcpgiji.exe Iafgob32.exe File created C:\Windows\SysWOW64\Fegbnohh.dll Lhgkgijg.exe File created C:\Windows\SysWOW64\Popbqhhf.dll Gbdgpfni.exe File created C:\Windows\SysWOW64\Mjankb32.dll Hkbmjhdo.exe File created C:\Windows\SysWOW64\Bhdhng32.dll Iciaji32.exe File created C:\Windows\SysWOW64\Nanmhf32.exe Nnpalk32.exe File created C:\Windows\SysWOW64\Hejjanpm.exe Hbknebqi.exe File created C:\Windows\SysWOW64\Labkempb.exe Likcdpop.exe File created C:\Windows\SysWOW64\Bgqppbdk.dll Mhjpnibf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ljmfdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohpjh32.dll" Hkohchko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikpjkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fbgbione.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjkofh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljmfdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anmfkane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdbkja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kajfdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ndhgie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nndjgjhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mofmobmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nfpghccm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgccccec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Clihcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qaoofaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgdeb32.dll" Llpchaqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdaaqg32.dll" Odjmdocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmgbngb.dll" Hcjmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfglafn.dll" Ohfafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domabi32.dll" Coohbbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdnmphag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll" Cgklmacf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll" Ecdbop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncpeaoih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojbamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaced32.dll" Phfjmlhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cpajdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lknjhokg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqqnqo32.dll" Peeakakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Delnbdao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jdhndlno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lklbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nblolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofacao32.dll" Ldoafodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llnnmhfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igpdph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lccdghmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llcoihmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kqphpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmgjbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Amkhmoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jjnaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpabho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leeigm32.dll" Qbajeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Higjkehf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hplimpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcfidmn.dll" Nhgmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adeimibe.dll" Nhafcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjjinp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hejjanpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldoafodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll" Kbeibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dckoia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neqoidmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhkfdcbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfjlecdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahpo32.dll" Calfpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll" Cmgqpkip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocgkan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmfalimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcqpalio.dll" Hbknebqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lehhqg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4776 wrote to memory of 1008 4776 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 89 PID 4776 wrote to memory of 1008 4776 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 89 PID 4776 wrote to memory of 1008 4776 NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe 89 PID 1008 wrote to memory of 3572 1008 Kpccmhdg.exe 90 PID 1008 wrote to memory of 3572 1008 Kpccmhdg.exe 90 PID 1008 wrote to memory of 3572 1008 Kpccmhdg.exe 90 PID 3572 wrote to memory of 1536 3572 Lpepbgbd.exe 91 PID 3572 wrote to memory of 1536 3572 Lpepbgbd.exe 91 PID 3572 wrote to memory of 1536 3572 Lpepbgbd.exe 91 PID 1536 wrote to memory of 872 1536 Lhqefjpo.exe 92 PID 1536 wrote to memory of 872 1536 Lhqefjpo.exe 92 PID 1536 wrote to memory of 872 1536 Lhqefjpo.exe 92 PID 872 wrote to memory of 5088 872 Lcfidb32.exe 93 PID 872 wrote to memory of 5088 872 Lcfidb32.exe 93 PID 872 wrote to memory of 5088 872 Lcfidb32.exe 93 PID 5088 wrote to memory of 2628 5088 Llnnmhfe.exe 94 PID 5088 wrote to memory of 2628 5088 Llnnmhfe.exe 94 PID 5088 wrote to memory of 2628 5088 Llnnmhfe.exe 94 PID 2628 wrote to memory of 2828 2628 Legben32.exe 95 PID 2628 wrote to memory of 2828 2628 Legben32.exe 95 PID 2628 wrote to memory of 2828 2628 Legben32.exe 95 PID 2828 wrote to memory of 4084 2828 Lplfcf32.exe 96 PID 2828 wrote to memory of 4084 2828 Lplfcf32.exe 96 PID 2828 wrote to memory of 4084 2828 Lplfcf32.exe 96 PID 4084 wrote to memory of 3908 4084 Lhgkgijg.exe 97 PID 4084 wrote to memory of 3908 4084 Lhgkgijg.exe 97 PID 4084 wrote to memory of 3908 4084 Lhgkgijg.exe 97 PID 3908 wrote to memory of 4316 3908 Lcmodajm.exe 98 PID 3908 wrote to memory of 4316 3908 Lcmodajm.exe 98 PID 3908 wrote to memory of 4316 3908 Lcmodajm.exe 98 PID 4316 wrote to memory of 4492 4316 Mhjhmhhd.exe 99 PID 4316 wrote to memory of 4492 4316 Mhjhmhhd.exe 99 PID 4316 wrote to memory of 4492 4316 Mhjhmhhd.exe 99 PID 4492 wrote to memory of 912 4492 Mcoljagj.exe 100 PID 4492 wrote to memory of 912 4492 Mcoljagj.exe 100 PID 4492 wrote to memory of 912 4492 Mcoljagj.exe 100 PID 912 wrote to memory of 1504 912 Mofmobmo.exe 101 PID 912 wrote to memory of 1504 912 Mofmobmo.exe 101 PID 912 wrote to memory of 1504 912 Mofmobmo.exe 101 PID 1504 wrote to memory of 2880 1504 Mfpell32.exe 102 PID 1504 wrote to memory of 2880 1504 Mfpell32.exe 102 PID 1504 wrote to memory of 2880 1504 Mfpell32.exe 102 PID 2880 wrote to memory of 556 2880 Mohidbkl.exe 103 PID 2880 wrote to memory of 556 2880 Mohidbkl.exe 103 PID 2880 wrote to memory of 556 2880 Mohidbkl.exe 103 PID 556 wrote to memory of 2832 556 Mhanngbl.exe 104 PID 556 wrote to memory of 2832 556 Mhanngbl.exe 104 PID 556 wrote to memory of 2832 556 Mhanngbl.exe 104 PID 2832 wrote to memory of 1816 2832 Mcfbkpab.exe 105 PID 2832 wrote to memory of 1816 2832 Mcfbkpab.exe 105 PID 2832 wrote to memory of 1816 2832 Mcfbkpab.exe 105 PID 1816 wrote to memory of 1992 1816 Mjpjgj32.exe 106 PID 1816 wrote to memory of 1992 1816 Mjpjgj32.exe 106 PID 1816 wrote to memory of 1992 1816 Mjpjgj32.exe 106 PID 1992 wrote to memory of 3824 1992 Nblolm32.exe 107 PID 1992 wrote to memory of 3824 1992 Nblolm32.exe 107 PID 1992 wrote to memory of 3824 1992 Nblolm32.exe 107 PID 3824 wrote to memory of 3776 3824 Nqmojd32.exe 108 PID 3824 wrote to memory of 3776 3824 Nqmojd32.exe 108 PID 3824 wrote to memory of 3776 3824 Nqmojd32.exe 108 PID 3776 wrote to memory of 3424 3776 Nfihbk32.exe 109 PID 3776 wrote to memory of 3424 3776 Nfihbk32.exe 109 PID 3776 wrote to memory of 3424 3776 Nfihbk32.exe 109 PID 3424 wrote to memory of 4940 3424 Ncmhko32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2d44aafdf315f3ded4db84f6caf7ffc0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Lhqefjpo.exeC:\Windows\system32\Lhqefjpo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Lcfidb32.exeC:\Windows\system32\Lcfidb32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Llnnmhfe.exeC:\Windows\system32\Llnnmhfe.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Legben32.exeC:\Windows\system32\Legben32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Lplfcf32.exeC:\Windows\system32\Lplfcf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Lhgkgijg.exeC:\Windows\system32\Lhgkgijg.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Lcmodajm.exeC:\Windows\system32\Lcmodajm.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\Mhjhmhhd.exeC:\Windows\system32\Mhjhmhhd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Mcoljagj.exeC:\Windows\system32\Mcoljagj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\Mofmobmo.exeC:\Windows\system32\Mofmobmo.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Mfpell32.exeC:\Windows\system32\Mfpell32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Mohidbkl.exeC:\Windows\system32\Mohidbkl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Mhanngbl.exeC:\Windows\system32\Mhanngbl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Mcfbkpab.exeC:\Windows\system32\Mcfbkpab.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Mjpjgj32.exeC:\Windows\system32\Mjpjgj32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Nblolm32.exeC:\Windows\system32\Nblolm32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Nqmojd32.exeC:\Windows\system32\Nqmojd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Nfihbk32.exeC:\Windows\system32\Nfihbk32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\Ncmhko32.exeC:\Windows\system32\Ncmhko32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Nijqcf32.exeC:\Windows\system32\Nijqcf32.exe23⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Ncpeaoih.exeC:\Windows\system32\Ncpeaoih.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Nimmifgo.exeC:\Windows\system32\Nimmifgo.exe25⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Nfqnbjfi.exeC:\Windows\system32\Nfqnbjfi.exe26⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Ooibkpmi.exeC:\Windows\system32\Ooibkpmi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Ommceclc.exeC:\Windows\system32\Ommceclc.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Ocgkan32.exeC:\Windows\system32\Ocgkan32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Omopjcjp.exeC:\Windows\system32\Omopjcjp.exe30⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Ofgdcipq.exeC:\Windows\system32\Ofgdcipq.exe31⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Oihmedma.exeC:\Windows\system32\Oihmedma.exe32⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Opbean32.exeC:\Windows\system32\Opbean32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Omfekbdh.exeC:\Windows\system32\Omfekbdh.exe34⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Pcpnhl32.exeC:\Windows\system32\Pcpnhl32.exe35⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Pcbkml32.exeC:\Windows\system32\Pcbkml32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Pcgdhkem.exeC:\Windows\system32\Pcgdhkem.exe37⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Pjaleemj.exeC:\Windows\system32\Pjaleemj.exe38⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Pblajhje.exeC:\Windows\system32\Pblajhje.exe39⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe40⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Qbajeg32.exeC:\Windows\system32\Qbajeg32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Qikbaaml.exeC:\Windows\system32\Qikbaaml.exe42⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe43⤵
- Executes dropped EXE
PID:648 -
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe44⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Abfdpfaj.exeC:\Windows\system32\Abfdpfaj.exe45⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Amkhmoap.exeC:\Windows\system32\Amkhmoap.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4300 -
C:\Windows\SysWOW64\Abhqefpg.exeC:\Windows\system32\Abhqefpg.exe47⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Aibibp32.exeC:\Windows\system32\Aibibp32.exe48⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Aaiqcnhg.exeC:\Windows\system32\Aaiqcnhg.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3556 -
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4680 -
C:\Windows\SysWOW64\Affikdfn.exeC:\Windows\system32\Affikdfn.exe51⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Ampaho32.exeC:\Windows\system32\Ampaho32.exe52⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Abmjqe32.exeC:\Windows\system32\Abmjqe32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe54⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Banjnm32.exeC:\Windows\system32\Banjnm32.exe55⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Bboffejp.exeC:\Windows\system32\Bboffejp.exe56⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Bpcgpihi.exeC:\Windows\system32\Bpcgpihi.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3844 -
C:\Windows\SysWOW64\Bfmolc32.exeC:\Windows\system32\Bfmolc32.exe58⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Bmggingc.exeC:\Windows\system32\Bmggingc.exe59⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Bdapehop.exeC:\Windows\system32\Bdapehop.exe60⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Bphqji32.exeC:\Windows\system32\Bphqji32.exe61⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bbfmgd32.exeC:\Windows\system32\Bbfmgd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Bagmdllg.exeC:\Windows\system32\Bagmdllg.exe63⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe64⤵
- Executes dropped EXE
PID:3704 -
C:\Windows\SysWOW64\Calfpk32.exeC:\Windows\system32\Calfpk32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Cgiohbfi.exeC:\Windows\system32\Cgiohbfi.exe66⤵
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Cmbgdl32.exeC:\Windows\system32\Cmbgdl32.exe67⤵PID:4512
-
C:\Windows\SysWOW64\Cdmoafdb.exeC:\Windows\system32\Cdmoafdb.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4168 -
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe69⤵
- Modifies registry class
PID:3944 -
C:\Windows\SysWOW64\Cmedjl32.exeC:\Windows\system32\Cmedjl32.exe70⤵PID:4068
-
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Cgmhcaac.exeC:\Windows\system32\Cgmhcaac.exe72⤵PID:808
-
C:\Windows\SysWOW64\Cmgqpkip.exeC:\Windows\system32\Cmgqpkip.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Cdaile32.exeC:\Windows\system32\Cdaile32.exe74⤵PID:4788
-
C:\Windows\SysWOW64\Dinael32.exeC:\Windows\system32\Dinael32.exe75⤵PID:3228
-
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe77⤵PID:4960
-
C:\Windows\SysWOW64\Dnljkk32.exeC:\Windows\system32\Dnljkk32.exe78⤵PID:3204
-
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe79⤵PID:4780
-
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe80⤵
- Drops file in System32 directory
PID:5128 -
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe81⤵PID:5172
-
C:\Windows\SysWOW64\Dckoia32.exeC:\Windows\system32\Dckoia32.exe82⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Dkbgjo32.exeC:\Windows\system32\Dkbgjo32.exe83⤵PID:5260
-
C:\Windows\SysWOW64\Dnqcfjae.exeC:\Windows\system32\Dnqcfjae.exe84⤵PID:5304
-
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe85⤵PID:5348
-
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe86⤵PID:5392
-
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe87⤵PID:5436
-
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe88⤵PID:5480
-
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe89⤵
- Drops file in System32 directory
PID:5520 -
C:\Windows\SysWOW64\Enhifi32.exeC:\Windows\system32\Enhifi32.exe90⤵PID:5564
-
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe91⤵PID:5608
-
C:\Windows\SysWOW64\Ecdbop32.exeC:\Windows\system32\Ecdbop32.exe92⤵
- Modifies registry class
PID:5652 -
C:\Windows\SysWOW64\Ekljpm32.exeC:\Windows\system32\Ekljpm32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Enjfli32.exeC:\Windows\system32\Enjfli32.exe94⤵PID:5740
-
C:\Windows\SysWOW64\Eddnic32.exeC:\Windows\system32\Eddnic32.exe95⤵PID:5800
-
C:\Windows\SysWOW64\Ekngemhd.exeC:\Windows\system32\Ekngemhd.exe96⤵PID:5844
-
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5888 -
C:\Windows\SysWOW64\Edfknb32.exeC:\Windows\system32\Edfknb32.exe98⤵PID:5940
-
C:\Windows\SysWOW64\Ekqckmfb.exeC:\Windows\system32\Ekqckmfb.exe99⤵PID:5992
-
C:\Windows\SysWOW64\Eajlhg32.exeC:\Windows\system32\Eajlhg32.exe100⤵PID:6060
-
C:\Windows\SysWOW64\Edihdb32.exeC:\Windows\system32\Edihdb32.exe101⤵PID:6120
-
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe102⤵PID:5168
-
C:\Windows\SysWOW64\Fjeplijj.exeC:\Windows\system32\Fjeplijj.exe103⤵PID:5252
-
C:\Windows\SysWOW64\Fqphic32.exeC:\Windows\system32\Fqphic32.exe104⤵PID:5360
-
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe105⤵PID:5460
-
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe106⤵
- Drops file in System32 directory
PID:5540 -
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe107⤵PID:5632
-
C:\Windows\SysWOW64\Fcpakn32.exeC:\Windows\system32\Fcpakn32.exe108⤵PID:5796
-
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe109⤵PID:5828
-
C:\Windows\SysWOW64\Fqdbdbna.exeC:\Windows\system32\Fqdbdbna.exe110⤵PID:5916
-
C:\Windows\SysWOW64\Fkjfakng.exeC:\Windows\system32\Fkjfakng.exe111⤵PID:3268
-
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe112⤵PID:6048
-
C:\Windows\SysWOW64\Fdbkja32.exeC:\Windows\system32\Fdbkja32.exe113⤵
- Modifies registry class
PID:4212 -
C:\Windows\SysWOW64\Fklcgk32.exeC:\Windows\system32\Fklcgk32.exe114⤵PID:5248
-
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe115⤵PID:5432
-
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe116⤵
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Gjaphgpl.exeC:\Windows\system32\Gjaphgpl.exe117⤵PID:5736
-
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe118⤵PID:5896
-
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe119⤵PID:5972
-
C:\Windows\SysWOW64\Gkalbj32.exeC:\Windows\system32\Gkalbj32.exe120⤵PID:6104
-
C:\Windows\SysWOW64\Gbkdod32.exeC:\Windows\system32\Gbkdod32.exe121⤵PID:5332
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-