Analysis
-
max time kernel
133s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2024, 15:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c2fd08fadd2aa7a9e99f7e1f1ebf83a0_NEAS.exe
Resource
win7-20240220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
c2fd08fadd2aa7a9e99f7e1f1ebf83a0_NEAS.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
c2fd08fadd2aa7a9e99f7e1f1ebf83a0_NEAS.exe
-
Size
92KB
-
MD5
c2fd08fadd2aa7a9e99f7e1f1ebf83a0
-
SHA1
4ada58365f27293aa606e688e11cc9ef680b0ef5
-
SHA256
448ff12922b5a60096e81274d3c2dcc064381b3b3c6937ffca35f99eaf313bf5
-
SHA512
019fdd66c6ed9dfbd84f50fcaa4d4a3e6843a46a59b6febcaa8a1b606641922bd8e26602685405e56e0f8445e8a69fdbecce21565886eb4f1e5bc218b0459918
-
SSDEEP
1536:Pc2fnNlN0axMHWeHySm+EVwGLv0Ybr1hdJlRN5VB9pFxtZdJlRNMI8xAUocwEYM9:PZPWk82UcO6THsR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpheidp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Madjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqeqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihnkel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcmgfbhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhbmphjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncgkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inmpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efffmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfihkqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhhcomg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpgodhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdpmpdbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knflpoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omcjep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibfck32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aacckjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfnkkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfaigm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimekgff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajohjon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cknnpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbkdkpp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbnepe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pflibgil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olfobjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npchgdcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaamlecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhpqaiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhqjg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lilanioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqkpeopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pemomqcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeddggd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjdjoane.exe -
Executes dropped EXE 64 IoCs
pid Process 4976 Idacmfkj.exe 2224 Ijkljp32.exe 2192 Jaedgjjd.exe 2128 Jpgdbg32.exe 3568 Jjmhppqd.exe 2948 Jiphkm32.exe 4176 Jpjqhgol.exe 1492 Jjpeepnb.exe 3436 Jmnaakne.exe 4952 Jdhine32.exe 620 Jbkjjblm.exe 4216 Jidbflcj.exe 2936 Jpojcf32.exe 3000 Jbmfoa32.exe 4600 Jkdnpo32.exe 976 Jangmibi.exe 2080 Jbocea32.exe 364 Jiikak32.exe 1132 Kaqcbi32.exe 4680 Kbapjafe.exe 4520 Kkihknfg.exe 2316 Kmgdgjek.exe 2404 Kbdmpqcb.exe 4068 Kinemkko.exe 2056 Kphmie32.exe 3996 Kgbefoji.exe 2260 Kagichjo.exe 5112 Kdffocib.exe 3720 Kibnhjgj.exe 2424 Kajfig32.exe 4340 Kgfoan32.exe 744 Kkbkamnl.exe 4884 Lalcng32.exe 3500 Lcmofolg.exe 5104 Lgikfn32.exe 2400 Liggbi32.exe 1068 Lgkhlnbn.exe 4928 Lnepih32.exe 2692 Lpcmec32.exe 4500 Lgneampk.exe 4128 Lilanioo.exe 4692 Laciofpa.exe 1136 Ldaeka32.exe 1656 Lgpagm32.exe 3564 Ljnnch32.exe 4704 Laefdf32.exe 2512 Lphfpbdi.exe 2888 Lcgblncm.exe 3724 Mjqjih32.exe 2380 Mahbje32.exe 3136 Mdfofakp.exe 4392 Mkpgck32.exe 3064 Mjcgohig.exe 2468 Majopeii.exe 1712 Mcklgm32.exe 3328 Mjeddggd.exe 4156 Mamleegg.exe 2892 Mdkhapfj.exe 2776 Mgidml32.exe 2992 Mjhqjg32.exe 2456 Mncmjfmk.exe 892 Mdmegp32.exe 1268 Mkgmcjld.exe 64 Mjjmog32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Goaojagc.dll Nlmllkja.exe File created C:\Windows\SysWOW64\Bmngqdpj.exe Bcebhoii.exe File created C:\Windows\SysWOW64\Qeffca32.dll Idgojc32.exe File created C:\Windows\SysWOW64\Mnmdme32.exe Mjahlgpf.exe File created C:\Windows\SysWOW64\Hehkga32.dll Nabfjpak.exe File opened for modification C:\Windows\SysWOW64\Mfqlfb32.exe Process not Found File created C:\Windows\SysWOW64\Majopeii.exe Mjcgohig.exe File opened for modification C:\Windows\SysWOW64\Gbiaapdf.exe Gkoiefmj.exe File created C:\Windows\SysWOW64\Cmbgdl32.exe Process not Found File created C:\Windows\SysWOW64\Fclbolkk.dll Jgogbgei.exe File opened for modification C:\Windows\SysWOW64\Cgqlcg32.exe Process not Found File created C:\Windows\SysWOW64\Poomegpf.exe Polppg32.exe File created C:\Windows\SysWOW64\Qimkic32.dll Process not Found File created C:\Windows\SysWOW64\Foniaq32.dll Process not Found File created C:\Windows\SysWOW64\Eclbio32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nceonl32.exe Nacbfdao.exe File created C:\Windows\SysWOW64\Bgmakofh.dll Eleepoob.exe File opened for modification C:\Windows\SysWOW64\Kbddfmgl.exe Kjmmepfj.exe File created C:\Windows\SysWOW64\Glhimp32.exe Process not Found File created C:\Windows\SysWOW64\Lcfcfldc.dll Ajdbcano.exe File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe Cegdnopg.exe File created C:\Windows\SysWOW64\Mcelpggq.exe Process not Found File created C:\Windows\SysWOW64\Ajfmkfhq.dll Jknfcofa.exe File opened for modification C:\Windows\SysWOW64\Ojdnid32.exe Ohfami32.exe File opened for modification C:\Windows\SysWOW64\Nafokcol.exe Nnjbke32.exe File created C:\Windows\SysWOW64\Lfhdlh32.exe Lbmhlihl.exe File created C:\Windows\SysWOW64\Hqdkac32.dll Anclbkbp.exe File created C:\Windows\SysWOW64\Egcpgp32.dll Process not Found File created C:\Windows\SysWOW64\Bggnof32.exe Bmbiamhi.exe File created C:\Windows\SysWOW64\Ijadbdoj.exe Ihphkl32.exe File created C:\Windows\SysWOW64\Mmalnp32.dll Hdpiid32.exe File created C:\Windows\SysWOW64\Ocaegbjb.dll Idieem32.exe File created C:\Windows\SysWOW64\Idllbp32.dll Amjillkj.exe File created C:\Windows\SysWOW64\Eopjfnlo.dll Process not Found File created C:\Windows\SysWOW64\Edoencdm.exe Process not Found File created C:\Windows\SysWOW64\Ieqpbm32.exe Process not Found File created C:\Windows\SysWOW64\Hgfnoiid.dll Jddnfd32.exe File opened for modification C:\Windows\SysWOW64\Kjmfjj32.exe Kcbnnpka.exe File created C:\Windows\SysWOW64\Hkjafn32.exe Hdpiid32.exe File opened for modification C:\Windows\SysWOW64\Kjpijpdg.exe Kgamnded.exe File opened for modification C:\Windows\SysWOW64\Mablfnne.exe Process not Found File created C:\Windows\SysWOW64\Cpacqg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Enemaimp.exe Process not Found File created C:\Windows\SysWOW64\Aknmjgje.dll Process not Found File created C:\Windows\SysWOW64\Bpcbnd32.dll Kdffocib.exe File created C:\Windows\SysWOW64\Ojjolnaq.exe Ogkcpbam.exe File created C:\Windows\SysWOW64\Heomgj32.dll Fcfhof32.exe File created C:\Windows\SysWOW64\Himldi32.exe Hfnphn32.exe File created C:\Windows\SysWOW64\Leoghn32.exe Loeolc32.exe File created C:\Windows\SysWOW64\Jkdnhmdp.dll Ocamjm32.exe File created C:\Windows\SysWOW64\Efpgoecp.dll Hkpqkcpd.exe File created C:\Windows\SysWOW64\Ikjllm32.dll Process not Found File created C:\Windows\SysWOW64\Aldomc32.exe Acmflf32.exe File created C:\Windows\SysWOW64\Bgempgqo.dll Bjghpn32.exe File opened for modification C:\Windows\SysWOW64\Nnfgcd32.exe Ncabfkqo.exe File created C:\Windows\SysWOW64\Nfaemp32.exe Process not Found File created C:\Windows\SysWOW64\Piolkm32.exe Process not Found File created C:\Windows\SysWOW64\Ichhhi32.dll Jiikak32.exe File created C:\Windows\SysWOW64\Phadlp32.dll Ahmlgd32.exe File opened for modification C:\Windows\SysWOW64\Emlenj32.exe Dfamapjo.exe File created C:\Windows\SysWOW64\Akcipcnd.dll Mffjcopi.exe File opened for modification C:\Windows\SysWOW64\Oiihahme.exe Ocopdn32.exe File opened for modification C:\Windows\SysWOW64\Aonoao32.exe Ahdged32.exe File created C:\Windows\SysWOW64\Bnmqkjel.dll Fafkecel.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becbkfdh.dll" Colffknh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqncedbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll" Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmakofh.dll" Eleepoob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bakgoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjpeepnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbegho32.dll" Bemlmgnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cahfmgoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kagichjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nojjcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpnmg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqfoamfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jedeph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlmeco32.dll" Mifcejnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acpbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbaojpgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agnjelkm.dll" Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpklg32.dll" Cijpahho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmfmgnc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll" Glhonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeeobqbq.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damlpgkc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffmfchle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kibnhjgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cogmkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcbohigp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpeiioac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihjjl32.dll" Acnemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqpgdfnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ginnfgop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neafjdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkikinpo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhglla32.dll" Ecjhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll" Lbmhlihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgbdc32.dll" Gbofcghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkemhahj.dll" Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klplbbaq.dll" Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdljpcg.dll" Fdkpma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqnbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oifeab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neoogc32.dll" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbmoen32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3872 wrote to memory of 4976 3872 c2fd08fadd2aa7a9e99f7e1f1ebf83a0_NEAS.exe 85 PID 3872 wrote to memory of 4976 3872 c2fd08fadd2aa7a9e99f7e1f1ebf83a0_NEAS.exe 85 PID 3872 wrote to memory of 4976 3872 c2fd08fadd2aa7a9e99f7e1f1ebf83a0_NEAS.exe 85 PID 4976 wrote to memory of 2224 4976 Idacmfkj.exe 86 PID 4976 wrote to memory of 2224 4976 Idacmfkj.exe 86 PID 4976 wrote to memory of 2224 4976 Idacmfkj.exe 86 PID 2224 wrote to memory of 2192 2224 Ijkljp32.exe 87 PID 2224 wrote to memory of 2192 2224 Ijkljp32.exe 87 PID 2224 wrote to memory of 2192 2224 Ijkljp32.exe 87 PID 2192 wrote to memory of 2128 2192 Jaedgjjd.exe 88 PID 2192 wrote to memory of 2128 2192 Jaedgjjd.exe 88 PID 2192 wrote to memory of 2128 2192 Jaedgjjd.exe 88 PID 2128 wrote to memory of 3568 2128 Jpgdbg32.exe 89 PID 2128 wrote to memory of 3568 2128 Jpgdbg32.exe 89 PID 2128 wrote to memory of 3568 2128 Jpgdbg32.exe 89 PID 3568 wrote to memory of 2948 3568 Jjmhppqd.exe 90 PID 3568 wrote to memory of 2948 3568 Jjmhppqd.exe 90 PID 3568 wrote to memory of 2948 3568 Jjmhppqd.exe 90 PID 2948 wrote to memory of 4176 2948 Jiphkm32.exe 91 PID 2948 wrote to memory of 4176 2948 Jiphkm32.exe 91 PID 2948 wrote to memory of 4176 2948 Jiphkm32.exe 91 PID 4176 wrote to memory of 1492 4176 Jpjqhgol.exe 92 PID 4176 wrote to memory of 1492 4176 Jpjqhgol.exe 92 PID 4176 wrote to memory of 1492 4176 Jpjqhgol.exe 92 PID 1492 wrote to memory of 3436 1492 Jjpeepnb.exe 93 PID 1492 wrote to memory of 3436 1492 Jjpeepnb.exe 93 PID 1492 wrote to memory of 3436 1492 Jjpeepnb.exe 93 PID 3436 wrote to memory of 4952 3436 Jmnaakne.exe 94 PID 3436 wrote to memory of 4952 3436 Jmnaakne.exe 94 PID 3436 wrote to memory of 4952 3436 Jmnaakne.exe 94 PID 4952 wrote to memory of 620 4952 Jdhine32.exe 95 PID 4952 wrote to memory of 620 4952 Jdhine32.exe 95 PID 4952 wrote to memory of 620 4952 Jdhine32.exe 95 PID 620 wrote to memory of 4216 620 Jbkjjblm.exe 96 PID 620 wrote to memory of 4216 620 Jbkjjblm.exe 96 PID 620 wrote to memory of 4216 620 Jbkjjblm.exe 96 PID 4216 wrote to memory of 2936 4216 Jidbflcj.exe 97 PID 4216 wrote to memory of 2936 4216 Jidbflcj.exe 97 PID 4216 wrote to memory of 2936 4216 Jidbflcj.exe 97 PID 2936 wrote to memory of 3000 2936 Jpojcf32.exe 98 PID 2936 wrote to memory of 3000 2936 Jpojcf32.exe 98 PID 2936 wrote to memory of 3000 2936 Jpojcf32.exe 98 PID 3000 wrote to memory of 4600 3000 Jbmfoa32.exe 99 PID 3000 wrote to memory of 4600 3000 Jbmfoa32.exe 99 PID 3000 wrote to memory of 4600 3000 Jbmfoa32.exe 99 PID 4600 wrote to memory of 976 4600 Jkdnpo32.exe 100 PID 4600 wrote to memory of 976 4600 Jkdnpo32.exe 100 PID 4600 wrote to memory of 976 4600 Jkdnpo32.exe 100 PID 976 wrote to memory of 2080 976 Jangmibi.exe 101 PID 976 wrote to memory of 2080 976 Jangmibi.exe 101 PID 976 wrote to memory of 2080 976 Jangmibi.exe 101 PID 2080 wrote to memory of 364 2080 Jbocea32.exe 102 PID 2080 wrote to memory of 364 2080 Jbocea32.exe 102 PID 2080 wrote to memory of 364 2080 Jbocea32.exe 102 PID 364 wrote to memory of 1132 364 Jiikak32.exe 103 PID 364 wrote to memory of 1132 364 Jiikak32.exe 103 PID 364 wrote to memory of 1132 364 Jiikak32.exe 103 PID 1132 wrote to memory of 4680 1132 Kaqcbi32.exe 105 PID 1132 wrote to memory of 4680 1132 Kaqcbi32.exe 105 PID 1132 wrote to memory of 4680 1132 Kaqcbi32.exe 105 PID 4680 wrote to memory of 4520 4680 Kbapjafe.exe 106 PID 4680 wrote to memory of 4520 4680 Kbapjafe.exe 106 PID 4680 wrote to memory of 4520 4680 Kbapjafe.exe 106 PID 4520 wrote to memory of 2316 4520 Kkihknfg.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2fd08fadd2aa7a9e99f7e1f1ebf83a0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\c2fd08fadd2aa7a9e99f7e1f1ebf83a0_NEAS.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Jpjqhgol.exeC:\Windows\system32\Jpjqhgol.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Jbkjjblm.exeC:\Windows\system32\Jbkjjblm.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\Jpojcf32.exeC:\Windows\system32\Jpojcf32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe23⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe24⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe25⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe26⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe27⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5112 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:3720 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe31⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Kgfoan32.exeC:\Windows\system32\Kgfoan32.exe32⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe33⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe34⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe35⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe36⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe37⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe38⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe39⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe40⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe41⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe43⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe44⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe45⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe46⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe47⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe48⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe49⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe50⤵
- Executes dropped EXE
PID:3724 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe51⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe52⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe53⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe55⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe56⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Mamleegg.exeC:\Windows\system32\Mamleegg.exe58⤵
- Executes dropped EXE
PID:4156 -
C:\Windows\SysWOW64\Mdkhapfj.exeC:\Windows\system32\Mdkhapfj.exe59⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe60⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe62⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Mdmegp32.exeC:\Windows\system32\Mdmegp32.exe63⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe64⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe65⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe66⤵PID:1436
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe67⤵PID:3852
-
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe68⤵PID:3484
-
C:\Windows\SysWOW64\Nacbfdao.exeC:\Windows\system32\Nacbfdao.exe69⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe70⤵PID:3584
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe71⤵PID:2928
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe72⤵
- Drops file in System32 directory
PID:4552 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe73⤵PID:3416
-
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1852 -
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe75⤵PID:3188
-
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe76⤵PID:3084
-
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe77⤵PID:4236
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe78⤵PID:2444
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe79⤵PID:2784
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe80⤵PID:3120
-
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe81⤵PID:1228
-
C:\Windows\SysWOW64\Ncnadk32.exeC:\Windows\system32\Ncnadk32.exe82⤵PID:1076
-
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe83⤵PID:3464
-
C:\Windows\SysWOW64\Oqbamo32.exeC:\Windows\system32\Oqbamo32.exe84⤵PID:3204
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe85⤵PID:816
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe86⤵PID:1008
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe87⤵PID:5128
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe88⤵PID:5176
-
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe89⤵PID:5212
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe90⤵PID:5264
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe91⤵PID:5312
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe92⤵PID:5360
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe93⤵PID:5428
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe94⤵PID:5480
-
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe95⤵PID:5532
-
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe96⤵PID:5576
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe97⤵PID:5632
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe98⤵PID:5692
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe99⤵PID:5748
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe100⤵PID:5796
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe101⤵PID:5848
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe102⤵PID:5908
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe103⤵PID:5964
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe104⤵
- Drops file in System32 directory
PID:6032 -
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe105⤵PID:6092
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe106⤵PID:6132
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe107⤵
- Drops file in System32 directory
PID:5172 -
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe108⤵PID:5224
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe109⤵PID:5296
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe110⤵PID:5384
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe111⤵PID:5472
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe112⤵PID:5560
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe113⤵PID:5640
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe114⤵PID:5740
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe116⤵PID:5916
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe117⤵
- Drops file in System32 directory
PID:6028 -
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe118⤵PID:6124
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe119⤵PID:5140
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe120⤵PID:5284
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe121⤵PID:5444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-