Analysis
-
max time kernel
144s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2023, 20:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.b95c0d535e440205481b71edd3987030.exe
Resource
win7-20231025-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b95c0d535e440205481b71edd3987030.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
NEAS.b95c0d535e440205481b71edd3987030.exe
-
Size
80KB
-
MD5
b95c0d535e440205481b71edd3987030
-
SHA1
d7d22ec7ac2331b80b2f8c4e5399f61ca19cebee
-
SHA256
2760715bfa46023b9e15767cd07c03edd74fe10bc9f3bc3ec53598ee0def2d8f
-
SHA512
0f05fd32fe7bab72b276d80165d4b1dcfbbb54152b17ea0a6cf2ca4bc27c55d2f7dbf81bf5d5599886e99c977b68cf970a802acfb178c22552395f4d9cc0976a
-
SSDEEP
1536:h74o0qsYGwOIyG8XKffjJ8uxOoJ6yniR0Q8B2LWS5DUHRbPa9b6i+sIk:Wo/BGwVyxXKfLqIOoJ6yniR0UWS5DSCR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lagepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebimqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjpkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbbimih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjemkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Holfhfij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emenhcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feoomd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afelal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdjbcnjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjocgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpboida.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmdkbok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiiiml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaabci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Himqjpme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnlpgibd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmegkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fclmkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmgji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akipdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goccbhae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imkbglei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chiigadc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmodg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccednl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kggjghkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjjjghg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdphgmlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgnekcei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ankdbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnapnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalndaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjgmdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlogfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jopiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfgnka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddodfhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjeaph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjgneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abipfifn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjafoapj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldccjno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Higjkehf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akniofoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnojad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciaddaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlafhkfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdglfqjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmplbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhiphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peahpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichkpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhplnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlkmfkli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idceim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpcajflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmomga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijnqld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekmhnpfl.exe -
Executes dropped EXE 64 IoCs
pid Process 2848 Aaohcj32.exe 312 Akglloai.exe 3968 Bdpaeehj.exe 1940 Bkjiao32.exe 2604 Badanigc.exe 3028 Bnkbcj32.exe 4592 Bhpfqcln.exe 3604 Bnmoijje.exe 3716 Bnoknihb.exe 4548 Cnahdi32.exe 2708 Chglab32.exe 2180 Chiigadc.exe 2908 Chnbbqpn.exe 3456 Cbfgkffn.exe 4644 Dkokcl32.exe 3392 Ddgplado.exe 4732 Dbkqfe32.exe 812 Dheibpje.exe 552 Dbnmke32.exe 1348 Dmcain32.exe 3164 Dbpjaeoc.exe 1784 Dodjjimm.exe 2872 Dfnbgc32.exe 3600 Emhkdmlg.exe 1628 Efpomccg.exe 1208 Ekmhejao.exe 2088 Glipgf32.exe 3744 Hedafk32.exe 3080 Holfoqcm.exe 3184 Hplbickp.exe 3248 Iidphgcn.exe 4824 Joahqn32.exe 3224 Jmbhoeid.exe 380 Pmnbfhal.exe 3832 Pdhkcb32.exe 2312 Pnmopk32.exe 3544 Palklf32.exe 4924 Pfiddm32.exe 1844 Nmcpoedn.exe 1652 Ncmhko32.exe 3528 Nfldgk32.exe 1112 Nijqcf32.exe 1448 Nqaiecjd.exe 2672 Ncpeaoih.exe 440 Nmhijd32.exe 4864 Pmhbqbae.exe 1128 Pjlcjf32.exe 4932 Pbhgoh32.exe 1320 Piapkbeg.exe 4296 Pcgdhkem.exe 3064 Pidlqb32.exe 1884 Nehjmnei.exe 4224 Ohdbkh32.exe 3800 Oamgcm32.exe 868 Okeklcen.exe 4840 Pdnpeh32.exe 744 Pocdba32.exe 2904 Pdpmkhjl.exe 3964 Pnhacn32.exe 4108 Phneqf32.exe 3564 Pnknim32.exe 4328 Pkonbamc.exe 3556 Qhekaejj.exe 3456 Akhaipei.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kbedaand.exe Kofheeoq.exe File opened for modification C:\Windows\SysWOW64\Gldgflba.exe Gejoib32.exe File opened for modification C:\Windows\SysWOW64\Hfacai32.exe Hbldkllm.exe File opened for modification C:\Windows\SysWOW64\Bkobfdao.exe Bhpfjh32.exe File created C:\Windows\SysWOW64\Ehkllbpl.dll Ackiqpce.exe File opened for modification C:\Windows\SysWOW64\Ofcale32.exe Oafido32.exe File created C:\Windows\SysWOW64\Ongbqjjf.dll Dheibpje.exe File created C:\Windows\SysWOW64\Lmfodn32.exe Ljhchc32.exe File created C:\Windows\SysWOW64\Inmmfl32.dll Ekqcfpmj.exe File created C:\Windows\SysWOW64\Dpknhfoq.exe Dfcqjg32.exe File created C:\Windows\SysWOW64\Qdphgmlj.exe Qaalkamf.exe File created C:\Windows\SysWOW64\Fpbfem32.exe Fbnflihq.exe File created C:\Windows\SysWOW64\Jpqedfne.exe Jekqgnno.exe File opened for modification C:\Windows\SysWOW64\Dbpjaeoc.exe Dmcain32.exe File created C:\Windows\SysWOW64\Lgokfblh.dll Dhmgfm32.exe File created C:\Windows\SysWOW64\Kcbkpj32.exe Kmhccpci.exe File created C:\Windows\SysWOW64\Gdglfqjd.exe Gplpfb32.exe File created C:\Windows\SysWOW64\Fkgeph32.dll Nalgbi32.exe File created C:\Windows\SysWOW64\Lajfbmmi.exe Lgdbedmc.exe File opened for modification C:\Windows\SysWOW64\Fbecgned.exe Fpggkbfq.exe File created C:\Windows\SysWOW64\Bbemdb32.exe Blkdgheg.exe File created C:\Windows\SysWOW64\Hedafk32.exe Glipgf32.exe File created C:\Windows\SysWOW64\Leffdi32.dll Akjgdjoj.exe File opened for modification C:\Windows\SysWOW64\Mkepgp32.exe Mdkhkflh.exe File created C:\Windows\SysWOW64\Adblnh32.dll Ekoddodi.exe File opened for modification C:\Windows\SysWOW64\Ciogobcm.exe Bbeobhlp.exe File created C:\Windows\SysWOW64\Kbedaand.exe Kofheeoq.exe File created C:\Windows\SysWOW64\Igmgji32.exe Ipcomo32.exe File created C:\Windows\SysWOW64\Lqmmgb32.exe Lnnakg32.exe File opened for modification C:\Windows\SysWOW64\Kcphpdil.exe Jhjcbljf.exe File created C:\Windows\SysWOW64\Ganikk32.dll Dkljka32.exe File created C:\Windows\SysWOW64\Qaalkamf.exe Qldccjno.exe File created C:\Windows\SysWOW64\Dcaefo32.exe Dkjmea32.exe File created C:\Windows\SysWOW64\Oioldk32.dll Fdgdpdgj.exe File created C:\Windows\SysWOW64\Afboah32.exe Afpbkicl.exe File opened for modification C:\Windows\SysWOW64\Kpilekqj.exe Kiodha32.exe File created C:\Windows\SysWOW64\Fijbhpbc.dll Anjpeelk.exe File created C:\Windows\SysWOW64\Oaigckee.dll Doanno32.exe File opened for modification C:\Windows\SysWOW64\Mqhmbqlh.exe Mfchehla.exe File created C:\Windows\SysWOW64\Ljhchc32.exe Lmdbooik.exe File created C:\Windows\SysWOW64\Nnmbaadg.dll Mdkhkflh.exe File created C:\Windows\SysWOW64\Fjfegl32.exe Ffjignde.exe File created C:\Windows\SysWOW64\Fmamgp32.dll Hlcjaq32.exe File opened for modification C:\Windows\SysWOW64\Mjeaph32.exe Mggecl32.exe File created C:\Windows\SysWOW64\Cqpclm32.dll Gmdcpoid.exe File created C:\Windows\SysWOW64\Himqjpme.exe Hoglmg32.exe File created C:\Windows\SysWOW64\Plogne32.dll Bnbmqjjo.exe File created C:\Windows\SysWOW64\Necjpgbn.dll Lpghfi32.exe File opened for modification C:\Windows\SysWOW64\Nqaipgal.exe Mkepgp32.exe File created C:\Windows\SysWOW64\Holfhfij.exe Hlnjlkjf.exe File created C:\Windows\SysWOW64\Jcmdkbok.exe Jpnhof32.exe File created C:\Windows\SysWOW64\Mqdcga32.exe Mfnojh32.exe File opened for modification C:\Windows\SysWOW64\Anjpeelk.exe Aklciimh.exe File created C:\Windows\SysWOW64\Chkhbh32.exe Bjbnndgl.exe File created C:\Windows\SysWOW64\Dhnbkfek.exe Dfpfokfg.exe File opened for modification C:\Windows\SysWOW64\Ccednl32.exe Cjmpeffh.exe File created C:\Windows\SysWOW64\Fmikoggm.exe Fimonh32.exe File created C:\Windows\SysWOW64\Bncllqhm.exe Bkeppeii.exe File opened for modification C:\Windows\SysWOW64\Lckicnei.exe Lqmmgb32.exe File created C:\Windows\SysWOW64\Dmcnoekk.dll Iidphgcn.exe File created C:\Windows\SysWOW64\Lhcjbfag.exe Lmneemaq.exe File opened for modification C:\Windows\SysWOW64\Kpagbk32.exe Kkdnjd32.exe File opened for modification C:\Windows\SysWOW64\Fimonh32.exe Ffobbmpp.exe File created C:\Windows\SysWOW64\Jkjhoebc.dll Kfgpblda.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bihancje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfchehla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jobfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hojibgkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imkbglei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll" Palklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbhgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhpd32.dll" Gpbplkhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbjonepq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppnnac.dll" Jmopmalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooiokonl.dll" Ekemap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hefneq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehofbhf.dll" Hefneq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcmdkbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbjdgmg.dll" Dfnbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfpenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpghfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdjbcnjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll" Hedafk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efnieaef.dll" Aqilaplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpjqaldi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emenhcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpqel32.dll" Mggecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkqde32.dll" Gcfjfqah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icoail32.dll" Cknnjcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbllj32.dll" Ipflcnln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnnjgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhij32.dll" Mpmodg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcplp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmfodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agcdnjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dboiaoff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpkblqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjhhfnd.dll" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gohoibbd.dll" Hpaqqdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacnkkem.dll" Jopiom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcejnpck.dll" Gfedfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmbkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgoaln32.dll" Hdmohnhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcgdhkem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kplijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbjoe32.dll" Dndnjllg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebimqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgacaopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mggecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gheodg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giqlbqcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfeidbm.dll" Fealcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adqeaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edcfml32.dll" Eldbbjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpghfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfikaqme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkimnea.dll" Jofaeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafido32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjpkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moeedb32.dll" Bjpaheio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndakp32.dll" Cdiohhbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmedcqge.dll" Amodnenk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdokg32.dll" Aonokdce.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2560 wrote to memory of 2848 2560 NEAS.b95c0d535e440205481b71edd3987030.exe 89 PID 2560 wrote to memory of 2848 2560 NEAS.b95c0d535e440205481b71edd3987030.exe 89 PID 2560 wrote to memory of 2848 2560 NEAS.b95c0d535e440205481b71edd3987030.exe 89 PID 2848 wrote to memory of 312 2848 Aaohcj32.exe 90 PID 2848 wrote to memory of 312 2848 Aaohcj32.exe 90 PID 2848 wrote to memory of 312 2848 Aaohcj32.exe 90 PID 312 wrote to memory of 3968 312 Akglloai.exe 91 PID 312 wrote to memory of 3968 312 Akglloai.exe 91 PID 312 wrote to memory of 3968 312 Akglloai.exe 91 PID 3968 wrote to memory of 1940 3968 Bdpaeehj.exe 92 PID 3968 wrote to memory of 1940 3968 Bdpaeehj.exe 92 PID 3968 wrote to memory of 1940 3968 Bdpaeehj.exe 92 PID 1940 wrote to memory of 2604 1940 Bkjiao32.exe 93 PID 1940 wrote to memory of 2604 1940 Bkjiao32.exe 93 PID 1940 wrote to memory of 2604 1940 Bkjiao32.exe 93 PID 2604 wrote to memory of 3028 2604 Badanigc.exe 94 PID 2604 wrote to memory of 3028 2604 Badanigc.exe 94 PID 2604 wrote to memory of 3028 2604 Badanigc.exe 94 PID 3028 wrote to memory of 4592 3028 Bnkbcj32.exe 95 PID 3028 wrote to memory of 4592 3028 Bnkbcj32.exe 95 PID 3028 wrote to memory of 4592 3028 Bnkbcj32.exe 95 PID 4592 wrote to memory of 3604 4592 Bhpfqcln.exe 96 PID 4592 wrote to memory of 3604 4592 Bhpfqcln.exe 96 PID 4592 wrote to memory of 3604 4592 Bhpfqcln.exe 96 PID 3604 wrote to memory of 3716 3604 Bnmoijje.exe 97 PID 3604 wrote to memory of 3716 3604 Bnmoijje.exe 97 PID 3604 wrote to memory of 3716 3604 Bnmoijje.exe 97 PID 3716 wrote to memory of 4548 3716 Bnoknihb.exe 98 PID 3716 wrote to memory of 4548 3716 Bnoknihb.exe 98 PID 3716 wrote to memory of 4548 3716 Bnoknihb.exe 98 PID 4548 wrote to memory of 2708 4548 Cnahdi32.exe 99 PID 4548 wrote to memory of 2708 4548 Cnahdi32.exe 99 PID 4548 wrote to memory of 2708 4548 Cnahdi32.exe 99 PID 2708 wrote to memory of 2180 2708 Chglab32.exe 100 PID 2708 wrote to memory of 2180 2708 Chglab32.exe 100 PID 2708 wrote to memory of 2180 2708 Chglab32.exe 100 PID 2180 wrote to memory of 2908 2180 Chiigadc.exe 101 PID 2180 wrote to memory of 2908 2180 Chiigadc.exe 101 PID 2180 wrote to memory of 2908 2180 Chiigadc.exe 101 PID 2908 wrote to memory of 3456 2908 Chnbbqpn.exe 102 PID 2908 wrote to memory of 3456 2908 Chnbbqpn.exe 102 PID 2908 wrote to memory of 3456 2908 Chnbbqpn.exe 102 PID 3456 wrote to memory of 4644 3456 Cbfgkffn.exe 103 PID 3456 wrote to memory of 4644 3456 Cbfgkffn.exe 103 PID 3456 wrote to memory of 4644 3456 Cbfgkffn.exe 103 PID 4644 wrote to memory of 3392 4644 Dkokcl32.exe 104 PID 4644 wrote to memory of 3392 4644 Dkokcl32.exe 104 PID 4644 wrote to memory of 3392 4644 Dkokcl32.exe 104 PID 3392 wrote to memory of 4732 3392 Ddgplado.exe 105 PID 3392 wrote to memory of 4732 3392 Ddgplado.exe 105 PID 3392 wrote to memory of 4732 3392 Ddgplado.exe 105 PID 4732 wrote to memory of 812 4732 Dbkqfe32.exe 106 PID 4732 wrote to memory of 812 4732 Dbkqfe32.exe 106 PID 4732 wrote to memory of 812 4732 Dbkqfe32.exe 106 PID 812 wrote to memory of 552 812 Dheibpje.exe 107 PID 812 wrote to memory of 552 812 Dheibpje.exe 107 PID 812 wrote to memory of 552 812 Dheibpje.exe 107 PID 552 wrote to memory of 1348 552 Dbnmke32.exe 108 PID 552 wrote to memory of 1348 552 Dbnmke32.exe 108 PID 552 wrote to memory of 1348 552 Dbnmke32.exe 108 PID 1348 wrote to memory of 3164 1348 Dmcain32.exe 109 PID 1348 wrote to memory of 3164 1348 Dmcain32.exe 109 PID 1348 wrote to memory of 3164 1348 Dmcain32.exe 109 PID 3164 wrote to memory of 1784 3164 Dbpjaeoc.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b95c0d535e440205481b71edd3987030.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b95c0d535e440205481b71edd3987030.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Akglloai.exeC:\Windows\system32\Akglloai.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Badanigc.exeC:\Windows\system32\Badanigc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Bnoknihb.exeC:\Windows\system32\Bnoknihb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Cnahdi32.exeC:\Windows\system32\Cnahdi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Chiigadc.exeC:\Windows\system32\Chiigadc.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Chnbbqpn.exeC:\Windows\system32\Chnbbqpn.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Dmcain32.exeC:\Windows\system32\Dmcain32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe23⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Dfnbgc32.exeC:\Windows\system32\Dfnbgc32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe25⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Ekmhejao.exeC:\Windows\system32\Ekmhejao.exe27⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Glipgf32.exeC:\Windows\system32\Glipgf32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Holfoqcm.exeC:\Windows\system32\Holfoqcm.exe30⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe31⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Iidphgcn.exeC:\Windows\system32\Iidphgcn.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3248 -
C:\Windows\SysWOW64\Joahqn32.exeC:\Windows\system32\Joahqn32.exe33⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Jmbhoeid.exeC:\Windows\system32\Jmbhoeid.exe34⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe35⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe36⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Pnmopk32.exeC:\Windows\system32\Pnmopk32.exe37⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:3544 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe39⤵
- Executes dropped EXE
PID:4924 -
C:\Windows\SysWOW64\Nmcpoedn.exeC:\Windows\system32\Nmcpoedn.exe40⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ncmhko32.exeC:\Windows\system32\Ncmhko32.exe41⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Nfldgk32.exeC:\Windows\system32\Nfldgk32.exe42⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Nijqcf32.exeC:\Windows\system32\Nijqcf32.exe43⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Nqaiecjd.exeC:\Windows\system32\Nqaiecjd.exe44⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ncpeaoih.exeC:\Windows\system32\Ncpeaoih.exe45⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Nmhijd32.exeC:\Windows\system32\Nmhijd32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Pmhbqbae.exeC:\Windows\system32\Pmhbqbae.exe47⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Pjlcjf32.exeC:\Windows\system32\Pjlcjf32.exe48⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Pbhgoh32.exeC:\Windows\system32\Pbhgoh32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\Piapkbeg.exeC:\Windows\system32\Piapkbeg.exe50⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Pcgdhkem.exeC:\Windows\system32\Pcgdhkem.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4296 -
C:\Windows\SysWOW64\Pidlqb32.exeC:\Windows\system32\Pidlqb32.exe52⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe53⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ohdbkh32.exeC:\Windows\system32\Ohdbkh32.exe54⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Oamgcm32.exeC:\Windows\system32\Oamgcm32.exe55⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Okeklcen.exeC:\Windows\system32\Okeklcen.exe56⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Pdnpeh32.exeC:\Windows\system32\Pdnpeh32.exe57⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Pocdba32.exeC:\Windows\system32\Pocdba32.exe58⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe59⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe60⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Phneqf32.exeC:\Windows\system32\Phneqf32.exe61⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe62⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Pkonbamc.exeC:\Windows\system32\Pkonbamc.exe63⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Qhekaejj.exeC:\Windows\system32\Qhekaejj.exe64⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Akhaipei.exeC:\Windows\system32\Akhaipei.exe65⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Anfmeldl.exeC:\Windows\system32\Anfmeldl.exe66⤵PID:1556
-
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe67⤵
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Afpbkicl.exeC:\Windows\system32\Afpbkicl.exe68⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Afboah32.exeC:\Windows\system32\Afboah32.exe69⤵PID:3896
-
C:\Windows\SysWOW64\Aiqkmd32.exeC:\Windows\system32\Aiqkmd32.exe70⤵PID:1488
-
C:\Windows\SysWOW64\Abipfifn.exeC:\Windows\system32\Abipfifn.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Bkadoo32.exeC:\Windows\system32\Bkadoo32.exe72⤵PID:3448
-
C:\Windows\SysWOW64\Bbklli32.exeC:\Windows\system32\Bbklli32.exe73⤵PID:2392
-
C:\Windows\SysWOW64\Biedhclh.exeC:\Windows\system32\Biedhclh.exe74⤵PID:3692
-
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe75⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Bihancje.exeC:\Windows\system32\Bihancje.exe76⤵
- Modifies registry class
PID:4488 -
C:\Windows\SysWOW64\Bpaikm32.exeC:\Windows\system32\Bpaikm32.exe77⤵PID:444
-
C:\Windows\SysWOW64\Bflagg32.exeC:\Windows\system32\Bflagg32.exe78⤵PID:1640
-
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe79⤵PID:3240
-
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe80⤵PID:4008
-
C:\Windows\SysWOW64\Bgokdomj.exeC:\Windows\system32\Bgokdomj.exe81⤵PID:380
-
C:\Windows\SysWOW64\Bbeobhlp.exeC:\Windows\system32\Bbeobhlp.exe82⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Ciogobcm.exeC:\Windows\system32\Ciogobcm.exe83⤵PID:1980
-
C:\Windows\SysWOW64\Cnlpgibd.exeC:\Windows\system32\Cnlpgibd.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4792 -
C:\Windows\SysWOW64\Ciaddaaj.exeC:\Windows\system32\Ciaddaaj.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5000 -
C:\Windows\SysWOW64\Cbihmg32.exeC:\Windows\system32\Cbihmg32.exe86⤵PID:4600
-
C:\Windows\SysWOW64\Cicqja32.exeC:\Windows\system32\Cicqja32.exe87⤵PID:3932
-
C:\Windows\SysWOW64\Cpmifkgd.exeC:\Windows\system32\Cpmifkgd.exe88⤵PID:5024
-
C:\Windows\SysWOW64\Cejaobel.exeC:\Windows\system32\Cejaobel.exe89⤵PID:4292
-
C:\Windows\SysWOW64\Cldjkl32.exeC:\Windows\system32\Cldjkl32.exe90⤵PID:3880
-
C:\Windows\SysWOW64\Cbnbhfde.exeC:\Windows\system32\Cbnbhfde.exe91⤵PID:212
-
C:\Windows\SysWOW64\Chkjpm32.exeC:\Windows\system32\Chkjpm32.exe92⤵PID:3440
-
C:\Windows\SysWOW64\Cbqonf32.exeC:\Windows\system32\Cbqonf32.exe93⤵PID:3796
-
C:\Windows\SysWOW64\Dhmgfm32.exeC:\Windows\system32\Dhmgfm32.exe94⤵
- Drops file in System32 directory
PID:4996 -
C:\Windows\SysWOW64\Dbckcf32.exeC:\Windows\system32\Dbckcf32.exe95⤵PID:1056
-
C:\Windows\SysWOW64\Dlkplk32.exeC:\Windows\system32\Dlkplk32.exe96⤵PID:3968
-
C:\Windows\SysWOW64\Decdeama.exeC:\Windows\system32\Decdeama.exe97⤵PID:3016
-
C:\Windows\SysWOW64\Dpihbjmg.exeC:\Windows\system32\Dpihbjmg.exe98⤵PID:4032
-
C:\Windows\SysWOW64\Defajqko.exeC:\Windows\system32\Defajqko.exe99⤵PID:1508
-
C:\Windows\SysWOW64\Donecfao.exeC:\Windows\system32\Donecfao.exe100⤵PID:4644
-
C:\Windows\SysWOW64\Dpnbmi32.exeC:\Windows\system32\Dpnbmi32.exe101⤵PID:4616
-
C:\Windows\SysWOW64\Eldbbjof.exeC:\Windows\system32\Eldbbjof.exe102⤵
- Modifies registry class
PID:3184 -
C:\Windows\SysWOW64\Efjgpc32.exeC:\Windows\system32\Efjgpc32.exe103⤵PID:4532
-
C:\Windows\SysWOW64\Ehkcgkdj.exeC:\Windows\system32\Ehkcgkdj.exe104⤵PID:4432
-
C:\Windows\SysWOW64\Eflceb32.exeC:\Windows\system32\Eflceb32.exe105⤵PID:4656
-
C:\Windows\SysWOW64\Fhiphi32.exeC:\Windows\system32\Fhiphi32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3516 -
C:\Windows\SysWOW64\Fpqgjf32.exeC:\Windows\system32\Fpqgjf32.exe107⤵PID:420
-
C:\Windows\SysWOW64\Fgjpfqpi.exeC:\Windows\system32\Fgjpfqpi.exe108⤵PID:3504
-
C:\Windows\SysWOW64\Fpcdof32.exeC:\Windows\system32\Fpcdof32.exe109⤵PID:3480
-
C:\Windows\SysWOW64\Fgmllpng.exeC:\Windows\system32\Fgmllpng.exe110⤵PID:1516
-
C:\Windows\SysWOW64\Fpeaeedg.exeC:\Windows\system32\Fpeaeedg.exe111⤵PID:4456
-
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe112⤵PID:5128
-
C:\Windows\SysWOW64\Gllajf32.exeC:\Windows\system32\Gllajf32.exe113⤵PID:5168
-
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe114⤵
- Modifies registry class
PID:5208 -
C:\Windows\SysWOW64\Gipbck32.exeC:\Windows\system32\Gipbck32.exe115⤵PID:5252
-
C:\Windows\SysWOW64\Ggdbmoho.exeC:\Windows\system32\Ggdbmoho.exe116⤵PID:5292
-
C:\Windows\SysWOW64\Gheodg32.exeC:\Windows\system32\Gheodg32.exe117⤵
- Modifies registry class
PID:5348 -
C:\Windows\SysWOW64\Glchjedc.exeC:\Windows\system32\Glchjedc.exe118⤵PID:5392
-
C:\Windows\SysWOW64\Geklckkd.exeC:\Windows\system32\Geklckkd.exe119⤵PID:5436
-
C:\Windows\SysWOW64\Hpaqqdjj.exeC:\Windows\system32\Hpaqqdjj.exe120⤵
- Modifies registry class
PID:5480 -
C:\Windows\SysWOW64\Hgkimn32.exeC:\Windows\system32\Hgkimn32.exe121⤵PID:5524
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-