Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
07/11/2023, 14:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.2be5996ff6a977aa1135fdd96b968473.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.2be5996ff6a977aa1135fdd96b968473.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.2be5996ff6a977aa1135fdd96b968473.exe
-
Size
80KB
-
MD5
2be5996ff6a977aa1135fdd96b968473
-
SHA1
cb3754cb17bd5edb95409358f985789c80d0d4ae
-
SHA256
ad6061ab8216b9a9a8681c6f680272c0bb8ddd9ccff280cf55381daf50d494bd
-
SHA512
f92e705a1741ddc81bdf12b3f5bf72030abfe2261101fb250cfbf1a4a6d9663069fdb9a00141ab55778657ff8f2f219b150104ecefba4226c0b4f17c316171c3
-
SSDEEP
1536:cHaJWi0iesnNJ6oKcYdWIJ/O8ZbJ/9IK2LOCYrum8SPG2:cHFZidn76oKfwAOYJFIXOVT8SL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khohkamc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnfjiali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eocieq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkdlaplh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepjea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichmgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpgph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoecbheg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabicikf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hghillnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibipmiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qchmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gindjqnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dblhmoio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deakjjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cglfndaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmfnjnin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekhnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkkbjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anljck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apkgpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqolji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkdlaplh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibipmiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcoolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnhqll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emifeqid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indnnfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmihgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iplnpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhfgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fleihi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipomlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elndpnnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejdaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhjlioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdaid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlfma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekmjanpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npccpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmihgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdcllpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abdpngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqljdclg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpghfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johaalea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehonebqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eknpadcn.exe -
Executes dropped EXE 64 IoCs
pid Process 1728 Hanlnp32.exe 2232 Hmfjha32.exe 2740 Iccbqh32.exe 2620 Idcokkak.exe 2588 Iipgcaob.exe 2680 Igchlf32.exe 2968 Iheddndj.exe 1976 Ipllekdl.exe 2832 Iamimc32.exe 2852 Ihgainbg.exe 1324 Ifkacb32.exe 1916 Ihjnom32.exe 1260 Jnffgd32.exe 2792 Jbdonb32.exe 2036 Jgagfi32.exe 2364 Jqilooij.exe 1524 Jmplcp32.exe 2184 Kocbkk32.exe 1804 Kfmjgeaj.exe 2032 Kmgbdo32.exe 2936 Kfpgmdog.exe 1080 Kohkfj32.exe 1412 Kfbcbd32.exe 816 Knmhgf32.exe 976 Kgemplap.exe 1964 Kbkameaf.exe 1596 Llcefjgf.exe 2216 Lgjfkk32.exe 1052 Ljibgg32.exe 2592 Lpekon32.exe 2676 Lgmcqkkh.exe 2516 Linphc32.exe 2544 Lphhenhc.exe 2416 Ljmlbfhi.exe 2560 Llohjo32.exe 2828 Lfdmggnm.exe 2836 Libicbma.exe 2132 Mieeibkn.exe 1148 Mlcbenjb.exe 1044 Mbmjah32.exe 2808 Melfncqb.exe 2360 Mhjbjopf.exe 2916 Modkfi32.exe 2328 Mencccop.exe 1880 Mkklljmg.exe 1680 Mmihhelk.exe 1612 Moidahcn.exe 1068 Nlcnda32.exe 2932 Nigome32.exe 2156 Nenobfak.exe 1664 Npccpo32.exe 1588 Nofdklgl.exe 1704 Neplhf32.exe 2256 Nhohda32.exe 2728 Oohqqlei.exe 2652 Oagmmgdm.exe 2712 Oancnfoe.exe 2400 Hfbaql32.exe 764 Hhcmhdke.exe 1340 Hloiib32.exe 2144 Hjdfjo32.exe 1188 Ifjlcmmj.exe 692 Piicpk32.exe 668 Plgolf32.exe -
Loads dropped DLL 64 IoCs
pid Process 536 NEAS.2be5996ff6a977aa1135fdd96b968473.exe 536 NEAS.2be5996ff6a977aa1135fdd96b968473.exe 1728 Hanlnp32.exe 1728 Hanlnp32.exe 2232 Hmfjha32.exe 2232 Hmfjha32.exe 2740 Iccbqh32.exe 2740 Iccbqh32.exe 2620 Idcokkak.exe 2620 Idcokkak.exe 2588 Iipgcaob.exe 2588 Iipgcaob.exe 2680 Igchlf32.exe 2680 Igchlf32.exe 2968 Iheddndj.exe 2968 Iheddndj.exe 1976 Ipllekdl.exe 1976 Ipllekdl.exe 2832 Iamimc32.exe 2832 Iamimc32.exe 2852 Ihgainbg.exe 2852 Ihgainbg.exe 1324 Ifkacb32.exe 1324 Ifkacb32.exe 1916 Ihjnom32.exe 1916 Ihjnom32.exe 1260 Jnffgd32.exe 1260 Jnffgd32.exe 2792 Jbdonb32.exe 2792 Jbdonb32.exe 2036 Jgagfi32.exe 2036 Jgagfi32.exe 2364 Jqilooij.exe 2364 Jqilooij.exe 1524 Jmplcp32.exe 1524 Jmplcp32.exe 2184 Kocbkk32.exe 2184 Kocbkk32.exe 1804 Kfmjgeaj.exe 1804 Kfmjgeaj.exe 2032 Kmgbdo32.exe 2032 Kmgbdo32.exe 2936 Kfpgmdog.exe 2936 Kfpgmdog.exe 1080 Kohkfj32.exe 1080 Kohkfj32.exe 1412 Kfbcbd32.exe 1412 Kfbcbd32.exe 816 Knmhgf32.exe 816 Knmhgf32.exe 976 Kgemplap.exe 976 Kgemplap.exe 1964 Kbkameaf.exe 1964 Kbkameaf.exe 1596 Llcefjgf.exe 1596 Llcefjgf.exe 2216 Lgjfkk32.exe 2216 Lgjfkk32.exe 1052 Ljibgg32.exe 1052 Ljibgg32.exe 2592 Lpekon32.exe 2592 Lpekon32.exe 2676 Lgmcqkkh.exe 2676 Lgmcqkkh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ilgjmckn.dll Emkfmioh.exe File opened for modification C:\Windows\SysWOW64\Jgagfi32.exe Jbdonb32.exe File opened for modification C:\Windows\SysWOW64\Kgemplap.exe Knmhgf32.exe File created C:\Windows\SysWOW64\Ccqhkcib.dll Fepjea32.exe File created C:\Windows\SysWOW64\Dgnjqe32.exe Dadbdkld.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Djocbqpb.exe File created C:\Windows\SysWOW64\Eoldfbid.dll Iofhmi32.exe File created C:\Windows\SysWOW64\Dkhnmfle.exe Dhibakmb.exe File opened for modification C:\Windows\SysWOW64\Eoomai32.exe Elpqemll.exe File created C:\Windows\SysWOW64\Jmplcp32.exe Jqilooij.exe File created C:\Windows\SysWOW64\Ecnlcm32.dll Ggkibhjf.exe File created C:\Windows\SysWOW64\Gqcnln32.exe Gfnjne32.exe File opened for modification C:\Windows\SysWOW64\Anjnnk32.exe Aklabp32.exe File opened for modification C:\Windows\SysWOW64\Bnlgbnbp.exe Bknjfb32.exe File opened for modification C:\Windows\SysWOW64\Ckbpqe32.exe Cehhdkjf.exe File opened for modification C:\Windows\SysWOW64\Hipmoc32.exe Hfaqbh32.exe File opened for modification C:\Windows\SysWOW64\Bnkmakbb.exe Bklaepbn.exe File created C:\Windows\SysWOW64\Igmbgk32.exe Ieofkp32.exe File created C:\Windows\SysWOW64\Paifph32.dll Iigcobid.exe File opened for modification C:\Windows\SysWOW64\Jpqgkpcl.exe Jkdoci32.exe File opened for modification C:\Windows\SysWOW64\Qchmll32.exe Polakmbi.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Klhgfq32.exe File created C:\Windows\SysWOW64\Eajcmh32.dll Cglfndaa.exe File created C:\Windows\SysWOW64\Elookl32.dll Cgobcd32.exe File created C:\Windows\SysWOW64\Elqcnfdp.exe Ekofgnna.exe File created C:\Windows\SysWOW64\Ljiqml32.dll Bigohejb.exe File created C:\Windows\SysWOW64\Mkklljmg.exe Mencccop.exe File created C:\Windows\SysWOW64\Bfglkheo.dll Hnpdcf32.exe File created C:\Windows\SysWOW64\Kglbad32.dll Lnqjnhge.exe File created C:\Windows\SysWOW64\Cdoime32.dll Fppaej32.exe File opened for modification C:\Windows\SysWOW64\Cgobcd32.exe Cdqfgh32.exe File opened for modification C:\Windows\SysWOW64\Hfaqbh32.exe Hpghfn32.exe File opened for modification C:\Windows\SysWOW64\Ggapbcne.exe Gojhafnb.exe File created C:\Windows\SysWOW64\Noddcolo.dll Bbocak32.exe File opened for modification C:\Windows\SysWOW64\Lgjfkk32.exe Llcefjgf.exe File created C:\Windows\SysWOW64\Ecqgacgg.dll Igoomk32.exe File created C:\Windows\SysWOW64\Jamgla32.dll Ldahkaij.exe File created C:\Windows\SysWOW64\Odecjfnl.dll Alageg32.exe File opened for modification C:\Windows\SysWOW64\Cncmcm32.exe Bqolji32.exe File opened for modification C:\Windows\SysWOW64\Fglfgd32.exe Fdnjkh32.exe File created C:\Windows\SysWOW64\Fkocfa32.exe Fdekigip.exe File created C:\Windows\SysWOW64\Hhcmhdke.exe Hfbaql32.exe File opened for modification C:\Windows\SysWOW64\Fepjea32.exe Fnibcd32.exe File opened for modification C:\Windows\SysWOW64\Legaoehg.exe Lnqjnhge.exe File created C:\Windows\SysWOW64\Oajopl32.exe Ijopjhfh.exe File opened for modification C:\Windows\SysWOW64\Fikgda32.exe Ffmkhe32.exe File opened for modification C:\Windows\SysWOW64\Jbpfnh32.exe Jlfnangf.exe File created C:\Windows\SysWOW64\Adaiee32.exe Aacmij32.exe File created C:\Windows\SysWOW64\Hqmepa32.dll Afhbljko.exe File created C:\Windows\SysWOW64\Fleihi32.exe Fkdlaplh.exe File created C:\Windows\SysWOW64\Cpdcnhnl.dll Jqilooij.exe File created C:\Windows\SysWOW64\Fckhhgcf.exe Fibcoalf.exe File created C:\Windows\SysWOW64\Hkgioloi.dll Gqcnln32.exe File created C:\Windows\SysWOW64\Mhcmedli.exe Mgbaml32.exe File opened for modification C:\Windows\SysWOW64\Jljeeqfn.exe Jgmlmj32.exe File created C:\Windows\SysWOW64\Agloko32.exe Adncoc32.exe File created C:\Windows\SysWOW64\Clnhajlc.exe Cedpdpdf.exe File created C:\Windows\SysWOW64\Elpqemll.exe Elndpnnn.exe File opened for modification C:\Windows\SysWOW64\Ffmkhe32.exe Fcoolj32.exe File created C:\Windows\SysWOW64\Mffjmq32.dll Jpqgkpcl.exe File opened for modification C:\Windows\SysWOW64\Kfmjgeaj.exe Kocbkk32.exe File created C:\Windows\SysWOW64\Llmmpcfe.exe Lfbdci32.exe File created C:\Windows\SysWOW64\Iibigbjj.dll Adaiee32.exe File opened for modification C:\Windows\SysWOW64\Akjham32.exe Ahllda32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdaaokbn.dll" Bnhqll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlcjk32.dll" Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnfak32.dll" Ldmopa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcmamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfgdc32.dll" Bhonjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdqfgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npccpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fepjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljecbkfm.dll" Pbpoebgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keclgbfi.dll" Fimoiopk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkahgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahp32.dll" Ibipmiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjhfd32.dll" Fgeabi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkmakbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fchkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmnap32.dll" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjflmmn.dll" Dekeeonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edidqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjecidcb.dll" Ddpbfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afcklihm.dll" Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laqojfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdeok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbocak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egldgl32.dll" Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhdpd32.dll" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opqcibco.dll" Ckhbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokjjgme.dll" Baiingae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chlojnpb.dll" Kfibhjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofndb32.dll" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhibn32.dll" Amnanefa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fadagl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hanedg32.dll" Nhohda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjgehgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjfq32.dll" Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clnhajlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkhnmfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehlkfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgqhgjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihifg32.dll" Hjdfjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iockhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhbdleol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmiljb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnkmakbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghnfci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkeapk32.dll" Kfbcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokhie32.dll" Nqmnjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkklljmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckhhgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagcpm32.dll" Mgbaml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgfqf32.dll" Eimcjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gekfnoog.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 536 wrote to memory of 1728 536 NEAS.2be5996ff6a977aa1135fdd96b968473.exe 28 PID 536 wrote to memory of 1728 536 NEAS.2be5996ff6a977aa1135fdd96b968473.exe 28 PID 536 wrote to memory of 1728 536 NEAS.2be5996ff6a977aa1135fdd96b968473.exe 28 PID 536 wrote to memory of 1728 536 NEAS.2be5996ff6a977aa1135fdd96b968473.exe 28 PID 1728 wrote to memory of 2232 1728 Hanlnp32.exe 29 PID 1728 wrote to memory of 2232 1728 Hanlnp32.exe 29 PID 1728 wrote to memory of 2232 1728 Hanlnp32.exe 29 PID 1728 wrote to memory of 2232 1728 Hanlnp32.exe 29 PID 2232 wrote to memory of 2740 2232 Hmfjha32.exe 30 PID 2232 wrote to memory of 2740 2232 Hmfjha32.exe 30 PID 2232 wrote to memory of 2740 2232 Hmfjha32.exe 30 PID 2232 wrote to memory of 2740 2232 Hmfjha32.exe 30 PID 2740 wrote to memory of 2620 2740 Iccbqh32.exe 31 PID 2740 wrote to memory of 2620 2740 Iccbqh32.exe 31 PID 2740 wrote to memory of 2620 2740 Iccbqh32.exe 31 PID 2740 wrote to memory of 2620 2740 Iccbqh32.exe 31 PID 2620 wrote to memory of 2588 2620 Idcokkak.exe 32 PID 2620 wrote to memory of 2588 2620 Idcokkak.exe 32 PID 2620 wrote to memory of 2588 2620 Idcokkak.exe 32 PID 2620 wrote to memory of 2588 2620 Idcokkak.exe 32 PID 2588 wrote to memory of 2680 2588 Iipgcaob.exe 33 PID 2588 wrote to memory of 2680 2588 Iipgcaob.exe 33 PID 2588 wrote to memory of 2680 2588 Iipgcaob.exe 33 PID 2588 wrote to memory of 2680 2588 Iipgcaob.exe 33 PID 2680 wrote to memory of 2968 2680 Igchlf32.exe 34 PID 2680 wrote to memory of 2968 2680 Igchlf32.exe 34 PID 2680 wrote to memory of 2968 2680 Igchlf32.exe 34 PID 2680 wrote to memory of 2968 2680 Igchlf32.exe 34 PID 2968 wrote to memory of 1976 2968 Iheddndj.exe 35 PID 2968 wrote to memory of 1976 2968 Iheddndj.exe 35 PID 2968 wrote to memory of 1976 2968 Iheddndj.exe 35 PID 2968 wrote to memory of 1976 2968 Iheddndj.exe 35 PID 1976 wrote to memory of 2832 1976 Ipllekdl.exe 36 PID 1976 wrote to memory of 2832 1976 Ipllekdl.exe 36 PID 1976 wrote to memory of 2832 1976 Ipllekdl.exe 36 PID 1976 wrote to memory of 2832 1976 Ipllekdl.exe 36 PID 2832 wrote to memory of 2852 2832 Iamimc32.exe 37 PID 2832 wrote to memory of 2852 2832 Iamimc32.exe 37 PID 2832 wrote to memory of 2852 2832 Iamimc32.exe 37 PID 2832 wrote to memory of 2852 2832 Iamimc32.exe 37 PID 2852 wrote to memory of 1324 2852 Ihgainbg.exe 38 PID 2852 wrote to memory of 1324 2852 Ihgainbg.exe 38 PID 2852 wrote to memory of 1324 2852 Ihgainbg.exe 38 PID 2852 wrote to memory of 1324 2852 Ihgainbg.exe 38 PID 1324 wrote to memory of 1916 1324 Ifkacb32.exe 39 PID 1324 wrote to memory of 1916 1324 Ifkacb32.exe 39 PID 1324 wrote to memory of 1916 1324 Ifkacb32.exe 39 PID 1324 wrote to memory of 1916 1324 Ifkacb32.exe 39 PID 1916 wrote to memory of 1260 1916 Ihjnom32.exe 40 PID 1916 wrote to memory of 1260 1916 Ihjnom32.exe 40 PID 1916 wrote to memory of 1260 1916 Ihjnom32.exe 40 PID 1916 wrote to memory of 1260 1916 Ihjnom32.exe 40 PID 1260 wrote to memory of 2792 1260 Jnffgd32.exe 41 PID 1260 wrote to memory of 2792 1260 Jnffgd32.exe 41 PID 1260 wrote to memory of 2792 1260 Jnffgd32.exe 41 PID 1260 wrote to memory of 2792 1260 Jnffgd32.exe 41 PID 2792 wrote to memory of 2036 2792 Jbdonb32.exe 42 PID 2792 wrote to memory of 2036 2792 Jbdonb32.exe 42 PID 2792 wrote to memory of 2036 2792 Jbdonb32.exe 42 PID 2792 wrote to memory of 2036 2792 Jbdonb32.exe 42 PID 2036 wrote to memory of 2364 2036 Jgagfi32.exe 43 PID 2036 wrote to memory of 2364 2036 Jgagfi32.exe 43 PID 2036 wrote to memory of 2364 2036 Jgagfi32.exe 43 PID 2036 wrote to memory of 2364 2036 Jgagfi32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2be5996ff6a977aa1135fdd96b968473.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.2be5996ff6a977aa1135fdd96b968473.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Kfpgmdog.exeC:\Windows\system32\Kfpgmdog.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe33⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe34⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe35⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe36⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe37⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe38⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe39⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe40⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe41⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe42⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe43⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe44⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe47⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe48⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe49⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe50⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe51⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe53⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe54⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe56⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe57⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe58⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe60⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe61⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe63⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe65⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe66⤵PID:2548
-
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe67⤵PID:2840
-
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe68⤵PID:1336
-
C:\Windows\SysWOW64\Ehjqgjmp.exeC:\Windows\system32\Ehjqgjmp.exe69⤵PID:2900
-
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe70⤵PID:2152
-
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe71⤵PID:1420
-
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe73⤵PID:1292
-
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe74⤵PID:2512
-
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe75⤵PID:688
-
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe76⤵
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe77⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe78⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe79⤵PID:1960
-
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe80⤵PID:868
-
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe81⤵PID:2032
-
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe82⤵PID:2252
-
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe83⤵PID:2312
-
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe84⤵PID:1964
-
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe85⤵PID:2736
-
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe86⤵PID:2660
-
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe87⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe89⤵PID:2752
-
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe90⤵PID:2600
-
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe91⤵PID:296
-
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe92⤵PID:1880
-
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe93⤵PID:908
-
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe94⤵PID:2572
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe95⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe96⤵PID:2820
-
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe97⤵PID:1560
-
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe98⤵PID:2168
-
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe99⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe100⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe101⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe102⤵PID:2908
-
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe103⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe104⤵PID:840
-
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1220 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe106⤵PID:1064
-
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe107⤵PID:1976
-
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe108⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe109⤵
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe110⤵PID:2012
-
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1184 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe112⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe113⤵PID:1772
-
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe115⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe116⤵PID:2632
-
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe117⤵PID:2392
-
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe118⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe120⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe121⤵PID:2148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-