Analysis
max time kernel: 156s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 16:51
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: NEAS.e797675948d7018863d017d65ecd9bf0.exe
  Resource: win7-20231023-en
  6 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.e797675948d7018863d017d65ecd9bf0.exe
  Resource: win10v2004-20231023-en
  5 signatures, 150 seconds
General
Target: NEAS.e797675948d7018863d017d65ecd9bf0.exe
Size: 128KB
MD5: e797675948d7018863d017d65ecd9bf0
SHA1: 5af0e8421f0334b0a1e20bfca459ea2f20d064c3
SHA256: 1625b7628c48c41dcbf5b0b9cf7b9528270988f009351642d77f25d51626ecc1
SHA512: eaabcf7061c8cc26e694257e6ab62216b88a166e86c166779725df873f80a1b7eae873e155b2e2dc45e39141aac667503b230c6120a36d5331e667550c9ebe91
SSDEEP: 3072:K0an6yajnxCJ6ez9pui6yYPaI7DehizrVtNq:Ny7ppui6yYPaIGcs
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dcdifdem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dphipidf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ghgbakhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fbhplnca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cofnba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Keceoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Flddoa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hadkib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbnpmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ckeigc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cjmgomjc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgkeep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bpfcelml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ljffccjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dqgjoenq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nbjhph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gbjegg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmofmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Iameid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fpggkbfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qjdpoacp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bjfoqhpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hakidd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dqdgop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fhjlkg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djlkhe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqdakjak.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekhncp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ehcfkhel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcphkhad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Knaldo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqhooh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iiokacgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dndlba32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iameid32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajqgbjoh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opqopj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilfehcnp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjgkjh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abflfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kbfjljhf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjeoablq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bglefdke.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nahgik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ahpmckpn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aoioeo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfqgjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pbgqdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Anijjkbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kcgekjgp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihicah32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbfjljhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pcijoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cfonin32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olbdacbp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odooqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hlkmlhea.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcmloa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlooef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ljcldo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Alpboida.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fghkdjdo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcicma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pphlpl32.exe
Executes dropped EXE (64 IoCs)
pid | Process
640 | Ajdbac32.exe
3068 | Bgdemb32.exe
1744 | Cmpjoloh.exe
396 | Ddfbgelh.exe
3140 | Ekimjn32.exe
1660 | Fnffhgon.exe
1180 | Gdnjfojj.exe
3972 | Jnpjlajn.exe
4636 | Keceoj32.exe
3904 | Kdmlkfjb.exe
3268 | Llngbabj.exe
2488 | Maaekg32.exe
2208 | Nkapelka.exe
3248 | Ncaklhdi.exe
2136 | Obfhmd32.exe
1808 | Ohcmpn32.exe
1516 | Ocmjhfjl.exe
2796 | Podkmgop.exe
4740 | Pbgqdb32.exe
4880 | Pfeijqqe.exe
1520 | Qckfid32.exe
1164 | Abcppq32.exe
444 | Amkabind.exe
1428 | Ammnhilb.exe
5076 | Apngjd32.exe
1780 | Bpgjpb32.exe
3740 | Cbjogmlf.exe
3600 | Dlcmgqdd.exe
840 | Eljchpnl.exe
3012 | Eibmlc32.exe
3368 | Fnqebaog.exe
948 | Fjgfgbek.exe
3352 | Fpfholhc.exe
4688 | Ggbmafnm.exe
468 | Gmfkjl32.exe
1372 | Hjlhipbc.exe
3460 | Hcifmdeo.exe
212 | Hdicggla.exe
4324 | Imdgljil.exe
404 | Infqklol.exe
3620 | Ijonfmbn.exe
3952 | Jegohe32.exe
4316 | Jmgmhgig.exe
3576 | Jglaepim.exe
5004 | Khonkogj.exe
2788 | Kmbmdeoj.exe
208 | Kfkamk32.exe
3288 | Leqkeajd.exe
516 | Pocdba32.exe
2572 | Poeahaib.exe
1632 | Qbkcek32.exe
1068 | Andqol32.exe
1152 | Anijjkbj.exe
2176 | Aeglbeea.exe
1572 | Bfieagka.exe
544 | Bfnnmg32.exe
2552 | Bpfcelml.exe
1132 | Clbmfm32.exe
1456 | Dngobghg.exe
1724 | Eldbbjof.exe
4660 | Eemgkpef.exe
716 | Eoladdeo.exe
4596 | Ghqeihbb.exe
4756 | Gjghdj32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dekioo32.dll | Cneknh32.exe
File opened for modification | C:\Windows\SysWOW64\Hobcgdjm.exe | Hldgkiki.exe
File created | C:\Windows\SysWOW64\Iphihnjk.exe | Icdhojka.exe
File opened for modification | C:\Windows\SysWOW64\Adhdcepc.exe | Amnlfk32.exe
File created | C:\Windows\SysWOW64\Fcpadd32.exe | Fdihmh32.exe
File created | C:\Windows\SysWOW64\Fiilmofe.exe | Fdlcehhn.exe
File created | C:\Windows\SysWOW64\Faecedlb.dll | Hljnkdnk.exe
File created | C:\Windows\SysWOW64\Aappdj32.exe | Qjmeaafi.exe
File opened for modification | C:\Windows\SysWOW64\Nhfpjghi.exe | Mlooef32.exe
File created | C:\Windows\SysWOW64\Aiifeg32.exe | Qmbepfoh.exe
File created | C:\Windows\SysWOW64\Cojaijla.dll | Pfeijqqe.exe
File created | C:\Windows\SysWOW64\Folkjnbc.exe | Eelpqi32.exe
File created | C:\Windows\SysWOW64\Jkggfeam.dll | Liofdigo.exe
File opened for modification | C:\Windows\SysWOW64\Ghohdk32.exe | Gmjcgb32.exe
File created | C:\Windows\SysWOW64\Iippne32.exe | Hadkib32.exe
File created | C:\Windows\SysWOW64\Hbflnl32.exe | Hkkgii32.exe
File opened for modification | C:\Windows\SysWOW64\Eldbbjof.exe | Dngobghg.exe
File opened for modification | C:\Windows\SysWOW64\Qdldgg32.exe | Qjdpoacp.exe
File created | C:\Windows\SysWOW64\Cmonmaem.dll | Ihmfmd32.exe
File opened for modification | C:\Windows\SysWOW64\Omjfij32.exe | Nbbefafp.exe
File created | C:\Windows\SysWOW64\Emihbp32.exe | Ehlpjikd.exe
File created | C:\Windows\SysWOW64\Pkaijl32.exe | Oqgkadod.exe
File created | C:\Windows\SysWOW64\Fengfmaj.dll | Jqgldb32.exe
File created | C:\Windows\SysWOW64\Oampdkbj.exe | Okbhgq32.exe
File opened for modification | C:\Windows\SysWOW64\Oldjlm32.exe | Ojdnbj32.exe
File created | C:\Windows\SysWOW64\Dfclmfhl.exe | Djlkhe32.exe
File created | C:\Windows\SysWOW64\Igmcbplc.dll | Iahgki32.exe
File created | C:\Windows\SysWOW64\Dffknpdm.dll | Binhgd32.exe
File created | C:\Windows\SysWOW64\Fhjlkg32.exe | Fiilmofe.exe
File opened for modification | C:\Windows\SysWOW64\Pkcannmj.exe | Pakleh32.exe
File created | C:\Windows\SysWOW64\Cpiofp32.dll | Qhinmb32.exe
File created | C:\Windows\SysWOW64\Dpnddg32.dll | Omjfij32.exe
File created | C:\Windows\SysWOW64\Ijonfmbn.exe | Infqklol.exe
File created | C:\Windows\SysWOW64\Ijngkf32.exe | Iiokacgp.exe
File opened for modification | C:\Windows\SysWOW64\Gdfhil32.exe | Ghohdk32.exe
File created | C:\Windows\SysWOW64\Bomknp32.exe | Bipcei32.exe
File created | C:\Windows\SysWOW64\Bammeebe.exe | Ppmleagi.exe
File created | C:\Windows\SysWOW64\Fbfdnp32.dll | Iippne32.exe
File created | C:\Windows\SysWOW64\Nghkcamn.dll | Mlnpdc32.exe
File created | C:\Windows\SysWOW64\Ghgbakhb.exe | Fhbifl32.exe
File created | C:\Windows\SysWOW64\Pbgqdb32.exe | Podkmgop.exe
File created | C:\Windows\SysWOW64\Iecbdhad.dll | Dndnjllg.exe
File created | C:\Windows\SysWOW64\Gffhbljh.exe | Fbhplnca.exe
File created | C:\Windows\SysWOW64\Fffcpnjo.dll | Hcifmdeo.exe
File created | C:\Windows\SysWOW64\Ehhpge32.exe | Dgaiffii.exe
File opened for modification | C:\Windows\SysWOW64\Dajlafon.exe | Chagiqhm.exe
File created | C:\Windows\SysWOW64\Fjgfgbek.exe | Fnqebaog.exe
File created | C:\Windows\SysWOW64\Imdgljil.exe | Hdicggla.exe
File opened for modification | C:\Windows\SysWOW64\Dkjbgooi.exe | Cjflblll.exe
File created | C:\Windows\SysWOW64\Ffggdmbi.exe | Fomohc32.exe
File created | C:\Windows\SysWOW64\Hbbdad32.exe | Hmcocn32.exe
File created | C:\Windows\SysWOW64\Pcmloa32.exe | Plagmh32.exe
File opened for modification | C:\Windows\SysWOW64\Dbkpokhf.exe | Ddgpfgil.exe
File opened for modification | C:\Windows\SysWOW64\Mledgm32.exe | Mbppjd32.exe
File created | C:\Windows\SysWOW64\Agecdgmk.dll | Cmpjoloh.exe
File created | C:\Windows\SysWOW64\Pmkopgep.exe | Pimfji32.exe
File created | C:\Windows\SysWOW64\Mchhamcl.exe | Mlnpdc32.exe
File created | C:\Windows\SysWOW64\Bioplm32.dll | Ilfehcnp.exe
File created | C:\Windows\SysWOW64\Jlanikqg.exe | Iniddhfc.exe
File created | C:\Windows\SysWOW64\Maaekg32.exe | Llngbabj.exe
File created | C:\Windows\SysWOW64\Agkmki32.dll | Nhheepbk.exe
File created | C:\Windows\SysWOW64\Kpbdjgcj.dll | Amnlfk32.exe
File opened for modification | C:\Windows\SysWOW64\Pehekgmp.exe | Pkcannmj.exe
File opened for modification | C:\Windows\SysWOW64\Jhbfgflc.exe | Jnjednnp.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbinda32.dll" | Khmoionj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfgaa32.dll" | Dhndil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffcpnjo.dll" | Hcifmdeo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pkcepl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjaendej.dll" | Jijhom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bqdbec32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Oldjlm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gegkilik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okndkohj.dll" | Iiokacgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlahp32.dll" | Emllbe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mbchkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjpkh32.dll" | Cponodge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaklja32.dll" | Pmkopgep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ocmjhfjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ppkopail.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hjcllilo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dceplm32.dll" | Ceaealoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kbbodj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gpfjfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bmbngd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ggcceagf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclpgc32.dll" | Eibmlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Enaaiifb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Phdngljk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnkcgj32.dll" | Ghohdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbnhma32.dll" | Abhqolee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbhgkfkg.dll" | Jnpjlajn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll" | Qckfid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkplho.dll" | Pidamcgd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dhndil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkcdoia.dll" | Clbmfm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fhjlkg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Idbonc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Anmfkane.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dkjbgooi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkjaaqb.dll" | Galfhpmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gkdjaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ogjmnomi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbjac32.dll" | Bjkhme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Omjfij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Hdicggla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hdicggla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jmgmhgig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cclhbcho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Amcmie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ffqhmf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fmejlcoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Mijofaje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phobaibg.dll" | Bipcei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfieepcf.dll" | Gqdbbelf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Iidiidgj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bmpcpjcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cbjogmlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Aqpika32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdoadlje.dll" | Fongpm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Emllbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efbnklil.dll" | Ajqgbjoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Obfhmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Lpelqj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qkjlpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bmpcpjcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanja32.dll" | Ealanc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpndo32.dll" | Fmjqjqao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pbgqdb32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2984 wrote to memory of 640 | 2984 | NEAS.e797675948d7018863d017d65ecd9bf0.exe | 90
PID 2984 wrote to memory of 640 | 2984 | NEAS.e797675948d7018863d017d65ecd9bf0.exe | 90
PID 2984 wrote to memory of 640 | 2984 | NEAS.e797675948d7018863d017d65ecd9bf0.exe | 90
PID 640 wrote to memory of 3068 | 640 | Ajdbac32.exe | 91
PID 640 wrote to memory of 3068 | 640 | Ajdbac32.exe | 91
PID 640 wrote to memory of 3068 | 640 | Ajdbac32.exe | 91
PID 3068 wrote to memory of 1744 | 3068 | Bgdemb32.exe | 92
PID 3068 wrote to memory of 1744 | 3068 | Bgdemb32.exe | 92
PID 3068 wrote to memory of 1744 | 3068 | Bgdemb32.exe | 92
PID 1744 wrote to memory of 396 | 1744 | Cmpjoloh.exe | 93
PID 1744 wrote to memory of 396 | 1744 | Cmpjoloh.exe | 93
PID 1744 wrote to memory of 396 | 1744 | Cmpjoloh.exe | 93
PID 396 wrote to memory of 3140 | 396 | Ddfbgelh.exe | 94
PID 396 wrote to memory of 3140 | 396 | Ddfbgelh.exe | 94
PID 396 wrote to memory of 3140 | 396 | Ddfbgelh.exe | 94
PID 3140 wrote to memory of 1660 | 3140 | Ekimjn32.exe | 95
PID 3140 wrote to memory of 1660 | 3140 | Ekimjn32.exe | 95
PID 3140 wrote to memory of 1660 | 3140 | Ekimjn32.exe | 95
PID 1660 wrote to memory of 1180 | 1660 | Fnffhgon.exe | 96
PID 1660 wrote to memory of 1180 | 1660 | Fnffhgon.exe | 96
PID 1660 wrote to memory of 1180 | 1660 | Fnffhgon.exe | 96
PID 1180 wrote to memory of 3972 | 1180 | Gdnjfojj.exe | 97
PID 1180 wrote to memory of 3972 | 1180 | Gdnjfojj.exe | 97
PID 1180 wrote to memory of 3972 | 1180 | Gdnjfojj.exe | 97
PID 3972 wrote to memory of 4636 | 3972 | Jnpjlajn.exe | 98
PID 3972 wrote to memory of 4636 | 3972 | Jnpjlajn.exe | 98
PID 3972 wrote to memory of 4636 | 3972 | Jnpjlajn.exe | 98
PID 4636 wrote to memory of 3904 | 4636 | Keceoj32.exe | 99
PID 4636 wrote to memory of 3904 | 4636 | Keceoj32.exe | 99
PID 4636 wrote to memory of 3904 | 4636 | Keceoj32.exe | 99
PID 3904 wrote to memory of 3268 | 3904 | Kdmlkfjb.exe | 100
PID 3904 wrote to memory of 3268 | 3904 | Kdmlkfjb.exe | 100
PID 3904 wrote to memory of 3268 | 3904 | Kdmlkfjb.exe | 100
PID 3268 wrote to memory of 2488 | 3268 | Llngbabj.exe | 101
PID 3268 wrote to memory of 2488 | 3268 | Llngbabj.exe | 101
PID 3268 wrote to memory of 2488 | 3268 | Llngbabj.exe | 101
PID 2488 wrote to memory of 2208 | 2488 | Maaekg32.exe | 102
PID 2488 wrote to memory of 2208 | 2488 | Maaekg32.exe | 102
PID 2488 wrote to memory of 2208 | 2488 | Maaekg32.exe | 102
PID 2208 wrote to memory of 3248 | 2208 | Nkapelka.exe | 103
PID 2208 wrote to memory of 3248 | 2208 | Nkapelka.exe | 103
PID 2208 wrote to memory of 3248 | 2208 | Nkapelka.exe | 103
PID 3248 wrote to memory of 2136 | 3248 | Ncaklhdi.exe | 104
PID 3248 wrote to memory of 2136 | 3248 | Ncaklhdi.exe | 104
PID 3248 wrote to memory of 2136 | 3248 | Ncaklhdi.exe | 104
PID 2136 wrote to memory of 1808 | 2136 | Obfhmd32.exe | 105
PID 2136 wrote to memory of 1808 | 2136 | Obfhmd32.exe | 105
PID 2136 wrote to memory of 1808 | 2136 | Obfhmd32.exe | 105
PID 1808 wrote to memory of 1516 | 1808 | Ohcmpn32.exe | 106
PID 1808 wrote to memory of 1516 | 1808 | Ohcmpn32.exe | 106
PID 1808 wrote to memory of 1516 | 1808 | Ohcmpn32.exe | 106
PID 1516 wrote to memory of 2796 | 1516 | Ocmjhfjl.exe | 107
PID 1516 wrote to memory of 2796 | 1516 | Ocmjhfjl.exe | 107
PID 1516 wrote to memory of 2796 | 1516 | Ocmjhfjl.exe | 107
PID 2796 wrote to memory of 4740 | 2796 | Podkmgop.exe | 108
PID 2796 wrote to memory of 4740 | 2796 | Podkmgop.exe | 108
PID 2796 wrote to memory of 4740 | 2796 | Podkmgop.exe | 108
PID 4740 wrote to memory of 4880 | 4740 | Pbgqdb32.exe | 109
PID 4740 wrote to memory of 4880 | 4740 | Pbgqdb32.exe | 109
PID 4740 wrote to memory of 4880 | 4740 | Pbgqdb32.exe | 109
PID 4880 wrote to memory of 1520 | 4880 | Pfeijqqe.exe | 110
PID 4880 wrote to memory of 1520 | 4880 | Pfeijqqe.exe | 110
PID 4880 wrote to memory of 1520 | 4880 | Pfeijqqe.exe | 110
PID 1520 wrote to memory of 1164 | 1520 | Qckfid32.exe | 111
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\NEAS.e797675948d7018863d017d65ecd9bf0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e797675948d7018863d017d65ecd9bf0.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2984
(level 2) C:\Windows\SysWOW64\Ajdbac32.exe
  command line: C:\Windows\system32\Ajdbac32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 640
(level 3) C:\Windows\SysWOW64\Bgdemb32.exe
  command line: C:\Windows\system32\Bgdemb32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3068
(level 4) C:\Windows\SysWOW64\Cmpjoloh.exe
  command line: C:\Windows\system32\Cmpjoloh.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1744
(level 5) C:\Windows\SysWOW64\Ddfbgelh.exe
  command line: C:\Windows\system32\Ddfbgelh.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 396
(level 6) C:\Windows\SysWOW64\Ekimjn32.exe
  command line: C:\Windows\system32\Ekimjn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3140
(level 7) C:\Windows\SysWOW64\Fnffhgon.exe
  command line: C:\Windows\system32\Fnffhgon.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1660
(level 8) C:\Windows\SysWOW64\Gdnjfojj.exe
  command line: C:\Windows\system32\Gdnjfojj.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1180
(level 9) C:\Windows\SysWOW64\Jnpjlajn.exe
  command line: C:\Windows\system32\Jnpjlajn.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3972
(level 10) C:\Windows\SysWOW64\Keceoj32.exe
  command line: C:\Windows\system32\Keceoj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4636
(level 11) C:\Windows\SysWOW64\Kdmlkfjb.exe
  command line: C:\Windows\system32\Kdmlkfjb.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3904
(level 12) C:\Windows\SysWOW64\Llngbabj.exe
  command line: C:\Windows\system32\Llngbabj.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3268
(level 13) C:\Windows\SysWOW64\Maaekg32.exe
  command line: C:\Windows\system32\Maaekg32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2488
(level 14) C:\Windows\SysWOW64\Nkapelka.exe
  command line: C:\Windows\system32\Nkapelka.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2208
(level 15) C:\Windows\SysWOW64\Ncaklhdi.exe
  command line: C:\Windows\system32\Ncaklhdi.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3248
(level 16) C:\Windows\SysWOW64\Obfhmd32.exe
  command line: C:\Windows\system32\Obfhmd32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2136
(level 17) C:\Windows\SysWOW64\Ohcmpn32.exe
  command line: C:\Windows\system32\Ohcmpn32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1808
(level 18) C:\Windows\SysWOW64\Ocmjhfjl.exe
  command line: C:\Windows\system32\Ocmjhfjl.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1516
(level 19) C:\Windows\SysWOW64\Podkmgop.exe
  command line: C:\Windows\system32\Podkmgop.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2796
(level 20) C:\Windows\SysWOW64\Pbgqdb32.exe
  command line: C:\Windows\system32\Pbgqdb32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4740
(level 21) C:\Windows\SysWOW64\Pfeijqqe.exe
  command line: C:\Windows\system32\Pfeijqqe.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Qckfid32.exeC:\Windows\system32\Qckfid32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Abcppq32.exeC:\Windows\system32\Abcppq32.exe23⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe24⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe25⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Apngjd32.exeC:\Windows\system32\Apngjd32.exe26⤵
- Executes dropped EXE
PID:5076 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe27⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Cbjogmlf.exeC:\Windows\system32\Cbjogmlf.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe29⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Eljchpnl.exeC:\Windows\system32\Eljchpnl.exe30⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3368 -
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe33⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe34⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe35⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe36⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe37⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Hcifmdeo.exeC:\Windows\system32\Hcifmdeo.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3460 -
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Imdgljil.exeC:\Windows\system32\Imdgljil.exe40⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Infqklol.exeC:\Windows\system32\Infqklol.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:404 -
C:\Windows\SysWOW64\Ijonfmbn.exeC:\Windows\system32\Ijonfmbn.exe42⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Jegohe32.exeC:\Windows\system32\Jegohe32.exe43⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\Jmgmhgig.exeC:\Windows\system32\Jmgmhgig.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Jglaepim.exeC:\Windows\system32\Jglaepim.exe45⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Khonkogj.exeC:\Windows\system32\Khonkogj.exe46⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Kmbmdeoj.exeC:\Windows\system32\Kmbmdeoj.exe47⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kfkamk32.exeC:\Windows\system32\Kfkamk32.exe48⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Leqkeajd.exeC:\Windows\system32\Leqkeajd.exe49⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe50⤵
- Executes dropped EXE
PID:516 -
C:\Windows\SysWOW64\Poeahaib.exeC:\Windows\system32\Poeahaib.exe51⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Qbkcek32.exeC:\Windows\system32\Qbkcek32.exe52⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Andqol32.exeC:\Windows\system32\Andqol32.exe53⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Anijjkbj.exeC:\Windows\system32\Anijjkbj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Aeglbeea.exeC:\Windows\system32\Aeglbeea.exe55⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Bfieagka.exeC:\Windows\system32\Bfieagka.exe56⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe57⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Bpfcelml.exeC:\Windows\system32\Bpfcelml.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Clbmfm32.exeC:\Windows\system32\Clbmfm32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Dngobghg.exeC:\Windows\system32\Dngobghg.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Eldbbjof.exeC:\Windows\system32\Eldbbjof.exe61⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Eemgkpef.exeC:\Windows\system32\Eemgkpef.exe62⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Eoladdeo.exeC:\Windows\system32\Eoladdeo.exe63⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Ghqeihbb.exeC:\Windows\system32\Ghqeihbb.exe64⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Gjghdj32.exeC:\Windows\system32\Gjghdj32.exe65⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Hcommoin.exeC:\Windows\system32\Hcommoin.exe66⤵PID:4844
-
C:\Windows\SysWOW64\Hfpenj32.exeC:\Windows\system32\Hfpenj32.exe67⤵PID:1476
-
C:\Windows\SysWOW64\Hljnkdnk.exeC:\Windows\system32\Hljnkdnk.exe68⤵
- Drops file in System32 directory
PID:4960 -
C:\Windows\SysWOW64\Homcbo32.exeC:\Windows\system32\Homcbo32.exe69⤵PID:4964
-
C:\Windows\SysWOW64\Hjbhph32.exeC:\Windows\system32\Hjbhph32.exe70⤵PID:3588
-
C:\Windows\SysWOW64\Iiokacgp.exeC:\Windows\system32\Iiokacgp.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Ijngkf32.exeC:\Windows\system32\Ijngkf32.exe72⤵PID:4360
-
C:\Windows\SysWOW64\Jihngboe.exeC:\Windows\system32\Jihngboe.exe73⤵PID:3912
-
C:\Windows\SysWOW64\Jcpojk32.exeC:\Windows\system32\Jcpojk32.exe74⤵PID:3108
-
C:\Windows\SysWOW64\Kgqdfi32.exeC:\Windows\system32\Kgqdfi32.exe75⤵PID:2128
-
C:\Windows\SysWOW64\Kmmmnp32.exeC:\Windows\system32\Kmmmnp32.exe76⤵PID:3580
-
C:\Windows\SysWOW64\Kcgekjgp.exeC:\Windows\system32\Kcgekjgp.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:996 -
C:\Windows\SysWOW64\Kanbjn32.exeC:\Windows\system32\Kanbjn32.exe78⤵PID:4312
-
C:\Windows\SysWOW64\Ljffccjh.exeC:\Windows\system32\Ljffccjh.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Lcnkli32.exeC:\Windows\system32\Lcnkli32.exe80⤵PID:4124
-
C:\Windows\SysWOW64\Lpelqj32.exeC:\Windows\system32\Lpelqj32.exe81⤵
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Pgpobmca.exeC:\Windows\system32\Pgpobmca.exe82⤵PID:4888
-
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe83⤵PID:4364
-
C:\Windows\SysWOW64\Qgehml32.exeC:\Windows\system32\Qgehml32.exe84⤵PID:5016
-
C:\Windows\SysWOW64\Qhddgofo.exeC:\Windows\system32\Qhddgofo.exe85⤵PID:3828
-
C:\Windows\SysWOW64\Qnamofdf.exeC:\Windows\system32\Qnamofdf.exe86⤵PID:5008
-
C:\Windows\SysWOW64\Aqpika32.exeC:\Windows\system32\Aqpika32.exe87⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Akgjnj32.exeC:\Windows\system32\Akgjnj32.exe88⤵PID:5088
-
C:\Windows\SysWOW64\Abflfc32.exeC:\Windows\system32\Abflfc32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148 -
C:\Windows\SysWOW64\Bjcmpepm.exeC:\Windows\system32\Bjcmpepm.exe90⤵PID:5188
-
C:\Windows\SysWOW64\Bqnemp32.exeC:\Windows\system32\Bqnemp32.exe91⤵PID:5236
-
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe92⤵PID:5288
-
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5332 -
C:\Windows\SysWOW64\Dijppjfd.exeC:\Windows\system32\Dijppjfd.exe94⤵PID:5404
-
C:\Windows\SysWOW64\Dgaiffii.exeC:\Windows\system32\Dgaiffii.exe95⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe96⤵PID:5496
-
C:\Windows\SysWOW64\Eelpqi32.exeC:\Windows\system32\Eelpqi32.exe97⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Folkjnbc.exeC:\Windows\system32\Folkjnbc.exe98⤵PID:5612
-
C:\Windows\SysWOW64\Fhdocc32.exeC:\Windows\system32\Fhdocc32.exe99⤵PID:5660
-
C:\Windows\SysWOW64\Fongpm32.exeC:\Windows\system32\Fongpm32.exe100⤵
- Modifies registry class
PID:5704 -
C:\Windows\SysWOW64\Flbhia32.exeC:\Windows\system32\Flbhia32.exe101⤵PID:5748
-
C:\Windows\SysWOW64\Flddoa32.exeC:\Windows\system32\Flddoa32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5792 -
C:\Windows\SysWOW64\Gkcdfl32.exeC:\Windows\system32\Gkcdfl32.exe103⤵PID:5844
-
C:\Windows\SysWOW64\Gkeakl32.exeC:\Windows\system32\Gkeakl32.exe104⤵PID:5888
-
C:\Windows\SysWOW64\Gekeie32.exeC:\Windows\system32\Gekeie32.exe105⤵PID:5924
-
C:\Windows\SysWOW64\Hkgnalep.exeC:\Windows\system32\Hkgnalep.exe106⤵PID:5996
-
C:\Windows\SysWOW64\Hahlnefd.exeC:\Windows\system32\Hahlnefd.exe107⤵PID:6040
-
C:\Windows\SysWOW64\Hakidd32.exeC:\Windows\system32\Hakidd32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6088 -
C:\Windows\SysWOW64\Iheaqolo.exeC:\Windows\system32\Iheaqolo.exe109⤵PID:6128
-
C:\Windows\SysWOW64\Iameid32.exeC:\Windows\system32\Iameid32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5144 -
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe111⤵PID:5228
-
C:\Windows\SysWOW64\Ieknpb32.exeC:\Windows\system32\Ieknpb32.exe112⤵PID:5268
-
C:\Windows\SysWOW64\Iocchhof.exeC:\Windows\system32\Iocchhof.exe113⤵PID:2984
-
C:\Windows\SysWOW64\Jhcmbm32.exeC:\Windows\system32\Jhcmbm32.exe114⤵PID:2828
-
C:\Windows\SysWOW64\Jflgfpkc.exeC:\Windows\system32\Jflgfpkc.exe115⤵PID:5460
-
C:\Windows\SysWOW64\Jkhpogij.exeC:\Windows\system32\Jkhpogij.exe116⤵PID:5548
-
C:\Windows\SysWOW64\Kfndlphp.exeC:\Windows\system32\Kfndlphp.exe117⤵PID:3992
-
C:\Windows\SysWOW64\Kbgafqla.exeC:\Windows\system32\Kbgafqla.exe118⤵PID:5596
-
C:\Windows\SysWOW64\Kmmedi32.exeC:\Windows\system32\Kmmedi32.exe119⤵PID:5668
-
C:\Windows\SysWOW64\Kkabefqp.exeC:\Windows\system32\Kkabefqp.exe120⤵PID:5820
-
C:\Windows\SysWOW64\Lcpqgbkj.exeC:\Windows\system32\Lcpqgbkj.exe121⤵PID:5872
-
C:\Windows\SysWOW64\Lmheph32.exeC:\Windows\system32\Lmheph32.exe122⤵PID:5952