Analysis
-
max time kernel
163s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system -
submitted
02/11/2023, 16:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.fd97af288e58ce076ce899a075ec3980.exe
Resource
win7-20231023-en
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.fd97af288e58ce076ce899a075ec3980.exe
Resource
win10v2004-20231023-en
5 signatures
150 seconds
General
-
Target
NEAS.fd97af288e58ce076ce899a075ec3980.exe
-
Size
92KB
-
MD5
fd97af288e58ce076ce899a075ec3980
-
SHA1
c2088c1d4646d64336d34dad693ded8a1f3fceff
-
SHA256
edb0a502fa5d6851cf1c954d97ff0c1c01cb1a9b193616c2d3fdce2bb7f2e74d
-
SHA512
bb27b7bb63228fed0168a85c85bc8b8df4bc6426d8e14cf6f448b69ab5e47bde3a55633273df402dd8c3282f7ca89d90591886af48c1183859db352170c0746b
-
SSDEEP
1536:hA8zMZqDNVRhAJAiG/ORfrBSacCwCjXq+66DFUABABOVLefE3:7zcqZbhA2afdSacCwCj6+JB8M3
Score
10/10
Malware Config (no extracted configuration or network indicators are shown on this page; the indicators below are host-based only)
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs (list capped at 64 entries). The key is HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, where the dropped processes set the value "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738}. That CLSID is registered under Classes\WOW6432Node\CLSID\...\InProcServer32 pointing at dropped DLLs in C:\Windows\SysWow64 (see "Modifies registry class" below), which is how explorer.exe ends up loading the DLL at startup. The WOW6432Node path shows the writers are 32-bit processes on the x64 guest. Remediation has to cover all three pieces together: the ShellServiceObjectDelayLoad value, the CLSID\InProcServer32 key, and the DLLs it points to. The value name and CLSID are constant across every writer, so they are the stable indicators; the process names are not.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofhlmbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkebekgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkckoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oceepj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgapfpjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncekjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohiefdhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpajdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiplff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cddemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpcnceab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijioijao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgfhddn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojqchnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jajmfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdiqkah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Filicodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljnddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdogcqhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clhbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddklnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 
Fnhlndqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcdlgnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nglhei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pacahhib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnefoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoecol32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnccmddi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmkehcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbnlbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgbidbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmifdjio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmodfqhf.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbibeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbkal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filicodb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkdcgpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncekjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjbfdakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijdcljo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ockdfceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkebekgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdenghpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlljglpc.exe Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbfdakf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhajq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbonci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohbcamn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpcmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balpph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbobnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacmnlkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkgmlko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldoape32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgjldfqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopmbomp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ippecbil.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcgoha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejiqom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbnflihq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cneknh32.exe -
Executes dropped EXE 64 IoCs (list capped at 64 entries; the other sections name further executables, e.g. Bqkifb32.exe and Qcobjk32.exe, so the real count is higher). Every dropped executable is an 8-letter pseudo-random name, many ending in "32", written to C:\Windows\SysWOW64 so that it sits next to genuine system binaries. Each one spawns the next (compare the process tree and the WriteProcessMemory section), so this is a chain of copies rather than a single payload. None of these names is a Windows binary; an allow-list of expected SysWOW64 executables, or simply alerting on new .exe/.dll creation under SysWOW64, would catch the whole chain.
pid Process 1540 Ieiajckh.exe 4108 Komoed32.exe 4328 Lijlii32.exe 1336 Njfafhjf.exe 4888 Pdjeklfj.exe 5012 Pindcboi.exe 1168 Apcllk32.exe 3476 Bknidbhi.exe 3556 Cggpfa32.exe 3292 Ddpjjd32.exe 1112 Egelgoah.exe 4496 Fagcfc32.exe 4748 Glhgojef.exe 3380 Hkggfe32.exe 5044 Ildpbfmf.exe 2436 Jnalem32.exe 4188 Loodqn32.exe 3988 Mmodfqhf.exe 1004 Nnlqig32.exe 1936 Nmommn32.exe 3932 Oflkqc32.exe 2592 Olpjii32.exe 1272 Plgpjhnf.exe 4472 Bpjkbcbe.exe 5080 Clhbhc32.exe 4840 Dgbhgi32.exe 3460 Eggbbhkj.exe 1620 Eglkmh32.exe 2984 Fcibchgq.exe 644 Gmkibl32.exe 1352 Hhhdpd32.exe 4296 Hndibn32.exe 4236 Hphbpehj.exe 4816 Iokocmnf.exe 1568 Ipaeedpp.exe 988 Imeeohoi.exe 3628 Jaekkfcm.exe 3224 Jpoagb32.exe 4272 Khplnn32.exe 1632 Locgagli.exe 3788 Mhpeelnd.exe 2400 Mqnfon32.exe 3316 Mndcnafd.exe 4800 Nqifkl32.exe 3968 Nbibeo32.exe 4124 Nejkfj32.exe 4616 Oendaipn.exe 4372 Plfipakk.exe 2800 Pacahhib.exe 1968 Ppdbfpaa.exe 1212 Apndloif.exe 2628 Aldeap32.exe 3520 Algbfo32.exe 3468 Aogkhjii.exe 1328 Blkkaohc.exe 1116 Bajqpe32.exe 4864 Cbofdg32.exe 4592 Cimhlakl.exe 3480 Ccfmef32.exe 3208 Damflb32.exe 4464 Dohmff32.exe 4060 Ecfeldcj.exe 820 Efgono32.exe 4336 Elagjihh.exe -
Drops file in System32 directory 64 IoCs (list capped at 64 entries). The recorded paths are C:\Windows\SysWOW64\, i.e. the 32-bit view of System32 that WoW64 presents to the 32-bit sample, and both .exe and .dll files are written: the .dll files are the COM in-process servers registered under the CLSID in "Modifies registry class", the .exe files are the next links in the process chain. Writing to this directory needs administrative rights, so the sandbox evidently ran the sample elevated (the launch path C:\Users\Admin\... is consistent with that); on a standard-user host these writes, and the persistence that depends on them, would be expected to fail.
description ioc Process File created C:\Windows\SysWOW64\Ifmfdg32.dll Bqkifb32.exe File created C:\Windows\SysWOW64\Blfnkb32.dll Qcobjk32.exe File created C:\Windows\SysWOW64\Clbhkfdl.exe Cfipol32.exe File created C:\Windows\SysWOW64\Pecknb32.dll Gpolld32.exe File created C:\Windows\SysWOW64\Pfacfmlb.dll Cimhlakl.exe File opened for modification C:\Windows\SysWOW64\Nigjifgc.exe Mdjapphl.exe File created C:\Windows\SysWOW64\Dflebj32.dll Ibkpmm32.exe File created C:\Windows\SysWOW64\Nfmjkpje.dll Epndddnk.exe File opened for modification C:\Windows\SysWOW64\Nchhooaa.exe Ncekjp32.exe File created C:\Windows\SysWOW64\Pacahhib.exe Plfipakk.exe File created C:\Windows\SysWOW64\Neljcnfo.dll Capikhgh.exe File created C:\Windows\SysWOW64\Nmpfmc32.dll Kicdke32.exe File created C:\Windows\SysWOW64\Caaikieh.dll Gfcebf32.exe File created C:\Windows\SysWOW64\Nnmmleja.exe Ncgiolkk.exe File opened for modification C:\Windows\SysWOW64\Ejiqom32.exe Eoapldei.exe File created C:\Windows\SysWOW64\Mlkldmjf.exe Meadgc32.exe File opened for modification C:\Windows\SysWOW64\Pplcnf32.exe Pjbkal32.exe File opened for modification C:\Windows\SysWOW64\Hhfplejl.exe Hnnlcpcl.exe File created C:\Windows\SysWOW64\Fjbopnqa.dll Damflb32.exe File created C:\Windows\SysWOW64\Eklmdakb.dll Lcggbd32.exe File created C:\Windows\SysWOW64\Fnnkplho.dll Njfafhjf.exe File created C:\Windows\SysWOW64\Akcjel32.exe Afgame32.exe File created C:\Windows\SysWOW64\Bfngmd32.exe Bfkkhdlk.exe File created C:\Windows\SysWOW64\Gjkadiif.dll Qemhlp32.exe File created C:\Windows\SysWOW64\Nhqmiipo.dll Fdfdmbpf.exe File created C:\Windows\SysWOW64\Fcmndncl.exe Flcegd32.exe File created C:\Windows\SysWOW64\Pbpdkf32.dll Kmncbl32.exe File created C:\Windows\SysWOW64\Ildpbfmf.exe Hkggfe32.exe File opened for modification C:\Windows\SysWOW64\Gmkibl32.exe Fcibchgq.exe File created C:\Windows\SysWOW64\Algbfo32.exe Aldeap32.exe File opened for modification C:\Windows\SysWOW64\Mlkldmjf.exe Meadgc32.exe File created 
C:\Windows\SysWOW64\Nhhlog32.exe Nophfa32.exe File created C:\Windows\SysWOW64\Lfgiejmq.dll Mccfnc32.exe File created C:\Windows\SysWOW64\Hfgjad32.exe Hmoehojj.exe File created C:\Windows\SysWOW64\Feimkjdb.exe Flaibd32.exe File opened for modification C:\Windows\SysWOW64\Elagjihh.exe Efgono32.exe File opened for modification C:\Windows\SysWOW64\Cjindm32.exe Capikhgh.exe File created C:\Windows\SysWOW64\Lgnpeenp.dll Qcpieamc.exe File created C:\Windows\SysWOW64\Hfodnd32.exe Gmfpeoga.exe File opened for modification C:\Windows\SysWOW64\Pihmojco.exe Ockdfceh.exe File created C:\Windows\SysWOW64\Ngdcjqhe.dll Gggmqa32.exe File created C:\Windows\SysWOW64\Lcdlci32.dll Daeioo32.exe File created C:\Windows\SysWOW64\Egknco32.exe Eigmjjhk.exe File created C:\Windows\SysWOW64\Pindcboi.exe Pdjeklfj.exe File created C:\Windows\SysWOW64\Qcpieamc.exe Qleahgff.exe File created C:\Windows\SysWOW64\Gildicea.dll Qleahgff.exe File created C:\Windows\SysWOW64\Cinbhb32.dll Gdglfqjd.exe File opened for modification C:\Windows\SysWOW64\Hlnjlkjf.exe Hfaaddlo.exe File created C:\Windows\SysWOW64\Ccmcaicm.exe Calfiq32.exe File created C:\Windows\SysWOW64\Mlkfcmki.dll Mjqjbn32.exe File opened for modification C:\Windows\SysWOW64\Ajoagadf.exe Adbiojfo.exe File created C:\Windows\SysWOW64\Fagjolao.exe Filicodb.exe File created C:\Windows\SysWOW64\Okkiocmc.dll Ljcejhnh.exe File opened for modification C:\Windows\SysWOW64\Bddcocff.exe Bogkgmho.exe File opened for modification C:\Windows\SysWOW64\Nnmmleja.exe Ncgiolkk.exe File opened for modification C:\Windows\SysWOW64\Fbaabk32.exe Fkgiea32.exe File created C:\Windows\SysWOW64\Lbienbef.dll Gjmffn32.exe File created C:\Windows\SysWOW64\Ckbiip32.dll Aldeap32.exe File created C:\Windows\SysWOW64\Nqfqfill.dll Mclhca32.exe File created C:\Windows\SysWOW64\Kallhjoc.exe Kjadlp32.exe File created C:\Windows\SysWOW64\Ibkpmm32.exe Hbbmgn32.exe File opened for modification C:\Windows\SysWOW64\Mflgff32.exe Lihfmb32.exe File opened for modification 
C:\Windows\SysWOW64\Mfaqafjl.exe Mlkldmjf.exe File created C:\Windows\SysWOW64\Mkjnop32.exe Mccfnc32.exe -
Modifies registry class 64 IoCs (list capped at 64 entries). These entries register CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\...\InProcServer32 with the default value pointing at a dropped DLL in C:\Windows\SysWow64 (a different DLL per writer, e.g. Kacpncqg.dll, Gakehk32.dll, Ddllcd32.dll) and ThreadingModel = "Apartment". Combined with the "Web Event Logger" ShellServiceObjectDelayLoad value above, this is an in-process COM loader: explorer.exe resolves the CLSID and loads whichever DLL was registered last. The CLSID is the one indicator that does not change across the chain, so it is the best hunting key in registry telemetry.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oendaipn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacpncqg.dll" Ghgbakhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbnflihq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abedil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gakehk32.dll" Neakpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddllcd32.dll" Ddhhldlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acemfcjn.dll" Iokocmnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafcjijo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pchljlpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajndbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbbdcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgmjfpco.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcdbh32.dll" Kbneij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddfikaeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhbfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acddjpmd.dll" Filicodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjcpbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cneknh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggepkadc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lennih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chblebll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enmjedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phhmilcf.dll" Idfmmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fegqejfe.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mabnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aldeap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifcfc32.dll" Bcahgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcmndncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfipakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flaibd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbjlflk.dll" Ndidgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbdbhepf.dll" Lomjbikf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkkhdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehejpnfb.dll" Efgono32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kflink32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npgmjl32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhojlfpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfemfhje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiifdfig.dll" Lnfngj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nimbdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibcjjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lahboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfkafq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ochjmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgmegi.dll" Fbomfokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcdlil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apmhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfjgpp32.dll" Hagodlge.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqolii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmhnidh.dll" Diqnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmnpojej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqdoob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odfljp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfaaddlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmenn32.dll" Memaelip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdmceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llmpco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfipakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkmbe32.dll" Acfhkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnkplho.dll" Njfafhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Mfndopfh.dll" Mjgneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllnhn32.dll" Adcjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhideka.dll" Enmjedpa.exe -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64 entries). Every write recorded here goes from a process to the child it has just spawned (the target PID is the next process in the tree), three writes per pair, which is consistent with the ordinary process-creation sequence rather than with injection into an unrelated process; read it as corroboration of the chain, not as separate injection evidence. One link is not evidenced: Loodqn32.exe (PID 4188) has no write recorded, and the parent of Lnfngj32.exe (PID 996) is not listed, so how PID 996 was started cannot be determined from this page.
description pid Process procid_target PID 4548 wrote to memory of 1540 4548 NEAS.fd97af288e58ce076ce899a075ec3980.exe 92 PID 4548 wrote to memory of 1540 4548 NEAS.fd97af288e58ce076ce899a075ec3980.exe 92 PID 4548 wrote to memory of 1540 4548 NEAS.fd97af288e58ce076ce899a075ec3980.exe 92 PID 1540 wrote to memory of 4108 1540 Ieiajckh.exe 94 PID 1540 wrote to memory of 4108 1540 Ieiajckh.exe 94 PID 1540 wrote to memory of 4108 1540 Ieiajckh.exe 94 PID 4108 wrote to memory of 4328 4108 Komoed32.exe 95 PID 4108 wrote to memory of 4328 4108 Komoed32.exe 95 PID 4108 wrote to memory of 4328 4108 Komoed32.exe 95 PID 4328 wrote to memory of 1336 4328 Lijlii32.exe 96 PID 4328 wrote to memory of 1336 4328 Lijlii32.exe 96 PID 4328 wrote to memory of 1336 4328 Lijlii32.exe 96 PID 1336 wrote to memory of 4888 1336 Njfafhjf.exe 97 PID 1336 wrote to memory of 4888 1336 Njfafhjf.exe 97 PID 1336 wrote to memory of 4888 1336 Njfafhjf.exe 97 PID 4888 wrote to memory of 5012 4888 Pdjeklfj.exe 98 PID 4888 wrote to memory of 5012 4888 Pdjeklfj.exe 98 PID 4888 wrote to memory of 5012 4888 Pdjeklfj.exe 98 PID 5012 wrote to memory of 1168 5012 Pindcboi.exe 99 PID 5012 wrote to memory of 1168 5012 Pindcboi.exe 99 PID 5012 wrote to memory of 1168 5012 Pindcboi.exe 99 PID 1168 wrote to memory of 3476 1168 Apcllk32.exe 100 PID 1168 wrote to memory of 3476 1168 Apcllk32.exe 100 PID 1168 wrote to memory of 3476 1168 Apcllk32.exe 100 PID 3476 wrote to memory of 3556 3476 Bknidbhi.exe 101 PID 3476 wrote to memory of 3556 3476 Bknidbhi.exe 101 PID 3476 wrote to memory of 3556 3476 Bknidbhi.exe 101 PID 3556 wrote to memory of 3292 3556 Cggpfa32.exe 102 PID 3556 wrote to memory of 3292 3556 Cggpfa32.exe 102 PID 3556 wrote to memory of 3292 3556 Cggpfa32.exe 102 PID 3292 wrote to memory of 1112 3292 Ddpjjd32.exe 103 PID 3292 wrote to memory of 1112 3292 Ddpjjd32.exe 103 PID 3292 wrote to memory of 1112 3292 Ddpjjd32.exe 103 PID 1112 wrote to memory of 4496 1112 Egelgoah.exe 104 PID 1112 wrote to memory 
of 4496 1112 Egelgoah.exe 104 PID 1112 wrote to memory of 4496 1112 Egelgoah.exe 104 PID 4496 wrote to memory of 4748 4496 Fagcfc32.exe 105 PID 4496 wrote to memory of 4748 4496 Fagcfc32.exe 105 PID 4496 wrote to memory of 4748 4496 Fagcfc32.exe 105 PID 4748 wrote to memory of 3380 4748 Glhgojef.exe 106 PID 4748 wrote to memory of 3380 4748 Glhgojef.exe 106 PID 4748 wrote to memory of 3380 4748 Glhgojef.exe 106 PID 3380 wrote to memory of 5044 3380 Hkggfe32.exe 107 PID 3380 wrote to memory of 5044 3380 Hkggfe32.exe 107 PID 3380 wrote to memory of 5044 3380 Hkggfe32.exe 107 PID 5044 wrote to memory of 2436 5044 Ildpbfmf.exe 108 PID 5044 wrote to memory of 2436 5044 Ildpbfmf.exe 108 PID 5044 wrote to memory of 2436 5044 Ildpbfmf.exe 108 PID 2436 wrote to memory of 4188 2436 Jnalem32.exe 109 PID 2436 wrote to memory of 4188 2436 Jnalem32.exe 109 PID 2436 wrote to memory of 4188 2436 Jnalem32.exe 109 PID 996 wrote to memory of 3988 996 Lnfngj32.exe 111 PID 996 wrote to memory of 3988 996 Lnfngj32.exe 111 PID 996 wrote to memory of 3988 996 Lnfngj32.exe 111 PID 3988 wrote to memory of 1004 3988 Mmodfqhf.exe 112 PID 3988 wrote to memory of 1004 3988 Mmodfqhf.exe 112 PID 3988 wrote to memory of 1004 3988 Mmodfqhf.exe 112 PID 1004 wrote to memory of 1936 1004 Nnlqig32.exe 114 PID 1004 wrote to memory of 1936 1004 Nnlqig32.exe 114 PID 1004 wrote to memory of 1936 1004 Nnlqig32.exe 114 PID 1936 wrote to memory of 3932 1936 Nmommn32.exe 115 PID 1936 wrote to memory of 3932 1936 Nmommn32.exe 115 PID 1936 wrote to memory of 3932 1936 Nmommn32.exe 115 PID 3932 wrote to memory of 2592 3932 Oflkqc32.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.fd97af288e58ce076ce899a075ec3980.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.fd97af288e58ce076ce899a075ec3980.exe"  1⤵
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Ieiajckh.exe  cmdline: C:\Windows\system32\Ieiajckh.exe  2⤵  (the command line names system32 but the image path is the SysWOW64 copy: WoW64 file-system redirection resolves the 32-bit process's system32 reference to SysWOW64, so the same pattern holds for every child below)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Komoed32.exe  cmdline: C:\Windows\system32\Komoed32.exe  3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\SysWOW64\Lijlii32.exe  cmdline: C:\Windows\system32\Lijlii32.exe  4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Njfafhjf.exe  cmdline: C:\Windows\system32\Njfafhjf.exe  5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Pdjeklfj.exe  cmdline: C:\Windows\system32\Pdjeklfj.exe  6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Pindcboi.exe  cmdline: C:\Windows\system32\Pindcboi.exe  7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Apcllk32.exe  cmdline: C:\Windows\system32\Apcllk32.exe  8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Bknidbhi.exeC:\Windows\system32\Bknidbhi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Cggpfa32.exeC:\Windows\system32\Cggpfa32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Ddpjjd32.exeC:\Windows\system32\Ddpjjd32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Egelgoah.exeC:\Windows\system32\Egelgoah.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Fagcfc32.exeC:\Windows\system32\Fagcfc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\Glhgojef.exeC:\Windows\system32\Glhgojef.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Hkggfe32.exeC:\Windows\system32\Hkggfe32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\SysWOW64\Ildpbfmf.exeC:\Windows\system32\Ildpbfmf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Jnalem32.exeC:\Windows\system32\Jnalem32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Loodqn32.exeC:\Windows\system32\Loodqn32.exe18⤵
- Executes dropped EXE
PID:4188 -
C:\Windows\SysWOW64\Lnfngj32.exeC:\Windows\system32\Lnfngj32.exe19⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Mmodfqhf.exeC:\Windows\system32\Mmodfqhf.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Nnlqig32.exeC:\Windows\system32\Nnlqig32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Nmommn32.exeC:\Windows\system32\Nmommn32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Oflkqc32.exeC:\Windows\system32\Oflkqc32.exe23⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Olpjii32.exeC:\Windows\system32\Olpjii32.exe24⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Plgpjhnf.exeC:\Windows\system32\Plgpjhnf.exe25⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Bpjkbcbe.exeC:\Windows\system32\Bpjkbcbe.exe26⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Clhbhc32.exeC:\Windows\system32\Clhbhc32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\Dgbhgi32.exeC:\Windows\system32\Dgbhgi32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4840 -
C:\Windows\SysWOW64\Eggbbhkj.exeC:\Windows\system32\Eggbbhkj.exe29⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Eglkmh32.exeC:\Windows\system32\Eglkmh32.exe30⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Fcibchgq.exeC:\Windows\system32\Fcibchgq.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Gmkibl32.exeC:\Windows\system32\Gmkibl32.exe32⤵
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Hhhdpd32.exeC:\Windows\system32\Hhhdpd32.exe33⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Hndibn32.exeC:\Windows\system32\Hndibn32.exe34⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Hphbpehj.exeC:\Windows\system32\Hphbpehj.exe35⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Iokocmnf.exeC:\Windows\system32\Iokocmnf.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Ipaeedpp.exeC:\Windows\system32\Ipaeedpp.exe37⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Imeeohoi.exeC:\Windows\system32\Imeeohoi.exe38⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Jaekkfcm.exeC:\Windows\system32\Jaekkfcm.exe39⤵
- Executes dropped EXE
PID:3628 -
C:\Windows\SysWOW64\Jpoagb32.exeC:\Windows\system32\Jpoagb32.exe40⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Khplnn32.exeC:\Windows\system32\Khplnn32.exe41⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Locgagli.exeC:\Windows\system32\Locgagli.exe42⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Mhpeelnd.exeC:\Windows\system32\Mhpeelnd.exe43⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Mqnfon32.exeC:\Windows\system32\Mqnfon32.exe44⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Mndcnafd.exeC:\Windows\system32\Mndcnafd.exe45⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Nqifkl32.exeC:\Windows\system32\Nqifkl32.exe46⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Nbibeo32.exeC:\Windows\system32\Nbibeo32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Nejkfj32.exeC:\Windows\system32\Nejkfj32.exe48⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Oendaipn.exeC:\Windows\system32\Oendaipn.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Plfipakk.exeC:\Windows\system32\Plfipakk.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4372 -
C:\Windows\SysWOW64\Pacahhib.exeC:\Windows\system32\Pacahhib.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ppdbfpaa.exeC:\Windows\system32\Ppdbfpaa.exe52⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Apndloif.exeC:\Windows\system32\Apndloif.exe53⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Aldeap32.exeC:\Windows\system32\Aldeap32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Algbfo32.exeC:\Windows\system32\Algbfo32.exe55⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\Aogkhjii.exeC:\Windows\system32\Aogkhjii.exe56⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Blkkaohc.exeC:\Windows\system32\Blkkaohc.exe57⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Bajqpe32.exeC:\Windows\system32\Bajqpe32.exe58⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Cbofdg32.exeC:\Windows\system32\Cbofdg32.exe59⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Cimhlakl.exeC:\Windows\system32\Cimhlakl.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4592 -
C:\Windows\SysWOW64\Ccfmef32.exeC:\Windows\system32\Ccfmef32.exe61⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Damflb32.exeC:\Windows\system32\Damflb32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3208 -
C:\Windows\SysWOW64\Dohmff32.exeC:\Windows\system32\Dohmff32.exe63⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Ecfeldcj.exeC:\Windows\system32\Ecfeldcj.exe64⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Efgono32.exeC:\Windows\system32\Efgono32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Elagjihh.exeC:\Windows\system32\Elagjihh.exe66⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Eoapldei.exeC:\Windows\system32\Eoapldei.exe67⤵
- Drops file in System32 directory
PID:3092 -
C:\Windows\SysWOW64\Ejiqom32.exeC:\Windows\system32\Ejiqom32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5164 -
C:\Windows\SysWOW64\Ffbnin32.exeC:\Windows\system32\Ffbnin32.exe69⤵PID:5224
-
C:\Windows\SysWOW64\Gbqeonfj.exeC:\Windows\system32\Gbqeonfj.exe70⤵PID:5272
-
C:\Windows\SysWOW64\Gjocaj32.exeC:\Windows\system32\Gjocaj32.exe71⤵PID:5332
-
C:\Windows\SysWOW64\Ipckqnja.exeC:\Windows\system32\Ipckqnja.exe72⤵PID:5372
-
C:\Windows\SysWOW64\Jdembk32.exeC:\Windows\system32\Jdembk32.exe73⤵PID:5420
-
C:\Windows\SysWOW64\Kapclned.exeC:\Windows\system32\Kapclned.exe74⤵PID:5472
-
C:\Windows\SysWOW64\Mjqjbn32.exeC:\Windows\system32\Mjqjbn32.exe75⤵
- Drops file in System32 directory
PID:5512 -
C:\Windows\SysWOW64\Ndpafe32.exeC:\Windows\system32\Ndpafe32.exe76⤵PID:5604
-
C:\Windows\SysWOW64\Pcgdcome.exeC:\Windows\system32\Pcgdcome.exe77⤵PID:5680
-
C:\Windows\SysWOW64\Pkebekgo.exeC:\Windows\system32\Pkebekgo.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Bejoqm32.exeC:\Windows\system32\Bejoqm32.exe79⤵PID:5780
-
C:\Windows\SysWOW64\Cddemi32.exeC:\Windows\system32\Cddemi32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5820 -
C:\Windows\SysWOW64\Coijja32.exeC:\Windows\system32\Coijja32.exe81⤵PID:5860
-
C:\Windows\SysWOW64\Cdfbbhdp.exeC:\Windows\system32\Cdfbbhdp.exe82⤵PID:5900
-
C:\Windows\SysWOW64\Colfpace.exeC:\Windows\system32\Colfpace.exe83⤵PID:5940
-
C:\Windows\SysWOW64\Cdiohhbm.exeC:\Windows\system32\Cdiohhbm.exe84⤵PID:5988
-
C:\Windows\SysWOW64\Dbjofp32.exeC:\Windows\system32\Dbjofp32.exe85⤵PID:6036
-
C:\Windows\SysWOW64\Ddklnh32.exeC:\Windows\system32\Ddklnh32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6140 -
C:\Windows\SysWOW64\Dhnnoe32.exeC:\Windows\system32\Dhnnoe32.exe87⤵PID:4528
-
C:\Windows\SysWOW64\Elbmebbj.exeC:\Windows\system32\Elbmebbj.exe88⤵PID:1656
-
C:\Windows\SysWOW64\Fkjfloeo.exeC:\Windows\system32\Fkjfloeo.exe89⤵PID:4208
-
C:\Windows\SysWOW64\Fdegkdim.exeC:\Windows\system32\Fdegkdim.exe90⤵PID:4400
-
C:\Windows\SysWOW64\Gohhik32.exeC:\Windows\system32\Gohhik32.exe91⤵PID:5252
-
C:\Windows\SysWOW64\Giqlbqcc.exeC:\Windows\system32\Giqlbqcc.exe92⤵PID:5340
-
C:\Windows\SysWOW64\Hfemkdbm.exeC:\Windows\system32\Hfemkdbm.exe93⤵PID:5212
-
C:\Windows\SysWOW64\Hmoehojj.exeC:\Windows\system32\Hmoehojj.exe94⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Hfgjad32.exeC:\Windows\system32\Hfgjad32.exe95⤵PID:5564
-
C:\Windows\SysWOW64\Hoonjjgk.exeC:\Windows\system32\Hoonjjgk.exe96⤵PID:4588
-
C:\Windows\SysWOW64\Hfiffd32.exeC:\Windows\system32\Hfiffd32.exe97⤵PID:5704
-
C:\Windows\SysWOW64\Hkfookmo.exeC:\Windows\system32\Hkfookmo.exe98⤵PID:4808
-
C:\Windows\SysWOW64\Iioicn32.exeC:\Windows\system32\Iioicn32.exe99⤵PID:5012
-
C:\Windows\SysWOW64\Iehfno32.exeC:\Windows\system32\Iehfno32.exe100⤵PID:5816
-
C:\Windows\SysWOW64\Iciflfcd.exeC:\Windows\system32\Iciflfcd.exe101⤵PID:5892
-
C:\Windows\SysWOW64\Ildkpiqo.exeC:\Windows\system32\Ildkpiqo.exe102⤵PID:5976
-
C:\Windows\SysWOW64\Iempingp.exeC:\Windows\system32\Iempingp.exe103⤵PID:6044
-
C:\Windows\SysWOW64\Ilfhfh32.exeC:\Windows\system32\Ilfhfh32.exe104⤵PID:6088
-
C:\Windows\SysWOW64\Jefbomoe.exeC:\Windows\system32\Jefbomoe.exe105⤵PID:5152
-
C:\Windows\SysWOW64\Jlpklg32.exeC:\Windows\system32\Jlpklg32.exe106⤵PID:968
-
C:\Windows\SysWOW64\Jfeoip32.exeC:\Windows\system32\Jfeoip32.exe107⤵PID:3768
-
C:\Windows\SysWOW64\Klbgag32.exeC:\Windows\system32\Klbgag32.exe108⤵PID:3240
-
C:\Windows\SysWOW64\Kfhkop32.exeC:\Windows\system32\Kfhkop32.exe109⤵PID:1028
-
C:\Windows\SysWOW64\Kppphe32.exeC:\Windows\system32\Kppphe32.exe110⤵PID:2056
-
C:\Windows\SysWOW64\Kihdqkaf.exeC:\Windows\system32\Kihdqkaf.exe111⤵PID:5428
-
C:\Windows\SysWOW64\Kpgfhddn.exeC:\Windows\system32\Kpgfhddn.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Kipkaj32.exeC:\Windows\system32\Kipkaj32.exe113⤵PID:4932
-
C:\Windows\SysWOW64\Libggiik.exeC:\Windows\system32\Libggiik.exe114⤵PID:468
-
C:\Windows\SysWOW64\Lpnlicne.exeC:\Windows\system32\Lpnlicne.exe115⤵PID:116
-
C:\Windows\SysWOW64\Lpcedbjp.exeC:\Windows\system32\Lpcedbjp.exe116⤵PID:5856
-
C:\Windows\SysWOW64\Mdckpqod.exeC:\Windows\system32\Mdckpqod.exe117⤵PID:5996
-
C:\Windows\SysWOW64\Midmcgif.exeC:\Windows\system32\Midmcgif.exe118⤵PID:4088
-
C:\Windows\SysWOW64\Mdjapphl.exeC:\Windows\system32\Mdjapphl.exe119⤵
- Drops file in System32 directory
PID:6080 -
C:\Windows\SysWOW64\Nigjifgc.exeC:\Windows\system32\Nigjifgc.exe120⤵PID:1900
-
C:\Windows\SysWOW64\Npabeq32.exeC:\Windows\system32\Npabeq32.exe121⤵PID:2292
-
C:\Windows\SysWOW64\Niifnf32.exeC:\Windows\system32\Niifnf32.exe122⤵PID:5284