Analysis

max time kernel: 115s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2023, 14:23

The signatures and process tree below come from the behavioral2 run (win10v2004-20231023-en, x64).

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe
Resource: win7-20231020-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe
Resource: win10v2004-20231023-en
6 signatures, 150 seconds

General

Target: NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe
Size: 460KB
MD5: e75d63a1953dc1efea0eeec35a6d62a0
SHA1: ea591e86c7a5e5da038d6c243418a99e799ebecb
SHA256: 99d749eaecb5dd06a5d3b312554d207c08ff0fa560faf1abd10e316395c152c6
SHA512: 97fcf2e3d416ee9fbecab66e6c5433a5a48329294c9af6e83ce431f434f62a28d48208f011ce4d1da69dd035861f6d3b379e526f95a6505ad8a572c57e87647c
SSDEEP: 6144:23W5qSTYaT15f7o+STYaT15fKj+v3WTlcy6TR9Tb:JTYapJoTYapI2mTlQTfT
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup  (2 TTPs, 64 IoCs)

Every key in this table is \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the report spells it "Software" on the "Key created" rows; registry paths are case-insensitive). "Set value" rows write the value Web Event Logger under that key; "(key)" means the row only created the key.

description     | ioc                                                          | Process
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejiqom32.exe
Key created     | (key)                                                        | Idonlbff.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ongijo32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghohdk32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Loodqn32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqajjp32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhelddln.exe
Key created     | (key)                                                        | Egeemiml.exe
Key created     | (key)                                                        | Ldblon32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbenjm32.exe
Key created     | (key)                                                        | Ijfbhflj.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gahcgg32.exe
Key created     | (key)                                                        | Kkdoje32.exe
Key created     | (key)                                                        | Mjcljk32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acgacegg.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Falmabki.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Loqjlg32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opiidhoj.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ihcclb32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Igkmbn32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahkkhnpg.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bqokhi32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jklihbol.exe
Key created     | (key)                                                        | Lmhnea32.exe
Key created     | (key)                                                        | Lpmfnj32.exe
Key created     | (key)                                                        | Ceehcc32.exe
Key created     | (key)                                                        | Lipmoo32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioafchai.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kinefp32.exe
Key created     | (key)                                                        | Nqdeefpi.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pohilc32.exe
Key created     | (key)                                                        | Gfaaebnj.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbeeco32.exe
Key created     | (key)                                                        | Bbljoh32.exe
Key created     | (key)                                                        | Phkaqqoi.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obkiqi32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgliapic.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbokab32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmginjki.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndjcne32.exe
Key created     | (key)                                                        | Lhelddln.exe
Key created     | (key)                                                        | Nfpled32.exe
Key created     | (key)                                                        | Blkkaohc.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbljoh32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cqghcn32.exe
Key created     | (key)                                                        | Ofcaab32.exe
Key created     | (key)                                                        | Ahnclp32.exe
Key created     | (key)                                                        | Cjfclcpg.exe
Key created     | (key)                                                        | Djalnkbo.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdmojkjg.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfenga32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqdlpmce.exe
Key created     | (key)                                                        | Nldjnk32.exe
Key created     | (key)                                                        | Jiphebml.exe
Key created     | (key)                                                        | Onklkhnn.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcbded32.exe
Key created     | (key)                                                        | Lkflpe32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkmqne32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dilmeida.exe
Key created     | (key)                                                        | Lqdcio32.exe
Key created     | (key)                                                        | Ebnocpfp.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eegpkcbd.exe
Key created     | (key)                                                        | Ecafgo32.exe
Set value (str) | Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ialhdh32.exe
Executes dropped EXE  (64 IoCs; pid and image, in the order the report lists them)

5036 Bbniai32.exe, 4596 Bflagg32.exe, 3556 Bgokdomj.exe, 2596 Ciogobcm.exe,
4540 Ceehcc32.exe, 3952 Cejaobel.exe, 384 Cpbbak32.exe, 1356 Dhmgfm32.exe,
4416 Ginenk32.exe, 1188 Glnnofhi.exe, 2468 Gckcap32.exe, 4260 Gcmpgpkp.exe,
1544 Hcaibo32.exe, 4012 Hfbbdj32.exe, 2140 Hqjcgbbo.exe, 3644 Ijedehgm.exe,
2244 Ifleji32.exe, 4500 Iqaiga32.exe, 1592 Imhjlb32.exe, 4856 Ijlkfg32.exe,
3452 Jfehpg32.exe, 3196 Jfgefg32.exe, 560 Jopiom32.exe, 3736 Jqofippg.exe,
3796 Jjjggede.exe, 3880 Kgqdfi32.exe, 3388 Kgemahmg.exe, 4532 Lapopm32.exe,
3848 Ljjpnb32.exe, 4008 Lfcmhc32.exe, 1272 Mdjjgggk.exe, 1084 Mankaked.exe,
2060 Mabdlk32.exe, 1236 Mmiealgc.exe, 4476 Najjmjkg.exe, 2068 Nkboeobh.exe,
5116 Ndjcne32.exe, 4868 Nmbhgjoi.exe, 2828 Nmedmj32.exe, 2252 Ogmiepcf.exe,
1824 Okkalnjm.exe, 1608 Ohobebig.exe, 3876 Okpkgm32.exe, 3096 Oggllnkl.exe,
4892 Phfhfa32.exe, 2320 Paomog32.exe, 4192 Pkgaglpp.exe, 4144 Phkaqqoi.exe,
2000 Pacfjfej.exe, 3620 Pklkbl32.exe, 4068 Phpklp32.exe, 4916 Pnlcdg32.exe,
1308 Qkqdnkge.exe, 872 Qpmmfbfl.exe, 3020 Aamipe32.exe, 3336 Agiahlkf.exe,
3720 Aaofedkl.exe, 3872 Aglnnkid.exe, 4944 Ahkkhnpg.exe, 4136 Abdoqd32.exe,
2204 Anjpeelk.exe, 3488 Ahpdcn32.exe, 4884 Bdgehobe.exe, 2428 Bkamdi32.exe
Drops file in System32 directory  (64 IoCs)

description                | ioc                                | Process
File created               | C:\Windows\SysWOW64\Kmmedi32.exe   | Koiejemn.exe
File created               | C:\Windows\SysWOW64\Dedpelma.dll   | Aocamk32.exe
File created               | C:\Windows\SysWOW64\Ebnocpfp.exe   | Ehekjk32.exe
File created               | C:\Windows\SysWOW64\Jkjikd32.dll   | Eflhiolf.exe
File opened for modification | C:\Windows\SysWOW64\Linojbdc.exe | Lbdgmh32.exe
File created               | C:\Windows\SysWOW64\Qpoaai32.dll   | Mfgiof32.exe
File created               | C:\Windows\SysWOW64\Pmfiba32.dll   | Fcfocb32.exe
File created               | C:\Windows\SysWOW64\Clmicmbn.dll   | Jkcpia32.exe
File created               | C:\Windows\SysWOW64\Caakehij.dll   | Gfaaebnj.exe
File created               | C:\Windows\SysWOW64\Maicgdbl.dll   | Fmjjqhpn.exe
File created               | C:\Windows\SysWOW64\Mjhqcmjo.exe   | Mgidgakk.exe
File created               | C:\Windows\SysWOW64\Qckbggad.exe   | Qnniopcm.exe
File created               | C:\Windows\SysWOW64\Ofocia32.dll   | Qbeaba32.exe
File created               | C:\Windows\SysWOW64\Moqknklp.dll   | Jhhgmlli.exe
File created               | C:\Windows\SysWOW64\Pnoope32.dll   | Ijlkfg32.exe
File opened for modification | C:\Windows\SysWOW64\Cpedckdl.exe | Cpbgnlfo.exe
File opened for modification | C:\Windows\SysWOW64\Idinej32.exe | Hmlicp32.exe
File created               | C:\Windows\SysWOW64\Lbbjhini.exe   | Lkhbko32.exe
File created               | C:\Windows\SysWOW64\Cpbbak32.exe   | Cejaobel.exe
File opened for modification | C:\Windows\SysWOW64\Lmhnea32.exe | Lbbjhini.exe
File created               | C:\Windows\SysWOW64\Ahkkhnpg.exe   | Aglnnkid.exe
File opened for modification | C:\Windows\SysWOW64\Hdmojkjg.exe | Ghfnej32.exe
File created               | C:\Windows\SysWOW64\Ipaeedpp.exe   | Iophnl32.exe
File created               | C:\Windows\SysWOW64\Ekakgcih.dll   | Ioafchai.exe
File created               | C:\Windows\SysWOW64\Opmmoa32.dll   | Nacboi32.exe
File opened for modification | C:\Windows\SysWOW64\Dobnpm32.exe | Cckmklac.exe
File opened for modification | C:\Windows\SysWOW64\Eflhiolf.exe | Ehhgpj32.exe
File created               | C:\Windows\SysWOW64\Dglpfmji.dll   | Eljknl32.exe
File created               | C:\Windows\SysWOW64\Jkpqce32.dll   | Ncpelbap.exe
File created               | C:\Windows\SysWOW64\Pnqlfh32.dll   | Nkqpcnig.exe
File opened for modification | C:\Windows\SysWOW64\Mmcnap32.exe | Mfiedfmd.exe
File opened for modification | C:\Windows\SysWOW64\Mgidgakk.exe | Mallojmd.exe
File created               | C:\Windows\SysWOW64\Bjhpqn32.exe   | Bgicdc32.exe
File created               | C:\Windows\SysWOW64\Jgdphm32.exe   | Jhocgqjj.exe
File created               | C:\Windows\SysWOW64\Plfipakk.exe   | Pnbifmla.exe
File created               | C:\Windows\SysWOW64\Ellliaek.dll   | Dllmoj32.exe
File created               | C:\Windows\SysWOW64\Egnkjb32.dll   | Dbphcpog.exe
File created               | C:\Windows\SysWOW64\Nceonmdp.dll   | Lmqggncn.exe
File created               | C:\Windows\SysWOW64\Oammna32.dll   | Impeib32.exe
File opened for modification | C:\Windows\SysWOW64\Ipihkobl.exe | Hpenpp32.exe
File created               | C:\Windows\SysWOW64\Ionbcb32.exe   | Idinej32.exe
File created               | C:\Windows\SysWOW64\Ngaabfio.exe   | Nqgiel32.exe
File opened for modification | C:\Windows\SysWOW64\Flbhia32.exe | Fehplggn.exe
File opened for modification | C:\Windows\SysWOW64\Dgmpkg32.exe | Dbphcpog.exe
File created               | C:\Windows\SysWOW64\Kiifdfig.dll   | Mnndhi32.exe
File created               | C:\Windows\SysWOW64\Enomic32.exe   | Egeemiml.exe
File created               | C:\Windows\SysWOW64\Anjpeelk.exe   | Abdoqd32.exe
File created               | C:\Windows\SysWOW64\Idhciojn.dll   | Kicfijal.exe
File opened for modification | C:\Windows\SysWOW64\Gaglma32.exe | Ghohdk32.exe
File created               | C:\Windows\SysWOW64\Fhmfcc32.dll   | Opdpih32.exe
File created               | C:\Windows\SysWOW64\Eomjgpen.dll   | Clnanlhn.exe
File opened for modification | C:\Windows\SysWOW64\Nmbhgjoi.exe | Ndjcne32.exe
File created               | C:\Windows\SysWOW64\Ahpdcn32.exe   | Anjpeelk.exe
File created               | C:\Windows\SysWOW64\Hnfjkbji.dll   | Hmlicp32.exe
File created               | C:\Windows\SysWOW64\Gflapl32.exe   | Gqohge32.exe
File created               | C:\Windows\SysWOW64\Nkboeobh.exe   | Najjmjkg.exe
File opened for modification | C:\Windows\SysWOW64\Lbenho32.exe | Lmheph32.exe
File created               | C:\Windows\SysWOW64\Pbokab32.exe   | Pldcdhpi.exe
File created               | C:\Windows\SysWOW64\Jpfbco32.dll   | Qipjokik.exe
File created               | C:\Windows\SysWOW64\Fncjigbo.dll   | Dhmgfm32.exe
File created               | C:\Windows\SysWOW64\Lmnjan32.exe   | Lcifde32.exe
File created               | C:\Windows\SysWOW64\Bbokjkfp.dll   | Kinefp32.exe
File opened for modification | C:\Windows\SysWOW64\Olkqnjhd.exe | Oeahap32.exe
File created               | C:\Windows\SysWOW64\Bgpmgi32.dll   | Nkjqme32.exe
Program crash  (1 IoC)

pid 6060 (WerFault.exe), pid_target 5484, procid_target 631
Modifies registry class  (64 IoCs)

Every key in this table is \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the in-process server registration for the CLSID named in the ShellServiceObjectDelayLoad table above. "(Default)" is the key's unnamed default value, which holds the DLL path COM will load; "(key)" means the row only created the key. The report writes the paths with doubled backslashes; they are shown unescaped here.

description     | ioc                                              | Process
Key created     | (key)                                            | Komoed32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Hhndme32.dll"   | Kdpmmf32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Dnojon32.dll"   | Dilmeida.exe
Set value (str) | ThreadingModel = "Apartment"                     | Dnfanjqp.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Melibq32.dll"   | Ejhanj32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Dalion32.dll"   | Lqdcio32.exe
Key created     | (key)                                            | Fkbkoo32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Amagqp32.dll"   | Dnfanjqp.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Dmjnkn32.dll"   | Dcgcaq32.exe
Key created     | (key)                                            | Haaocp32.exe
Key created     | (key)                                            | Dlegokbe.exe
Key created     | (key)                                            | Jpojml32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Fclohg32.exe
Key created     | (key)                                            | Bbniai32.exe
Key created     | (key)                                            | Gpgihh32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Ppdbfpaa.exe
Key created     | (key)                                            | Ogjmnomi.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Mdlajf32.dll"   | Ikifhm32.exe
Key created     | (key)                                            | Bgokdomj.exe
Set value (str) | ThreadingModel = "Apartment"                     | Qciebg32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Fnkdpgnh.exe
Key created     | (key)                                            | Meepoc32.exe
Key created     | (key)                                            | Fomohc32.exe
Key created     | (key)                                            | Mankaked.exe
Key created     | (key)                                            | Aaofedkl.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Egnkjb32.dll"   | Dbphcpog.exe
Key created     | (key)                                            | Jknfnbmi.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Khcjhnoh.dll"   | Pmfldkei.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ifnbhc32.dll"   | Ialhdh32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Bkhceh32.exe
Key created     | (key)                                            | Obkiqi32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Pjjlchnk.dll"   | Bkbcpb32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Lkhbko32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Bkjpkg32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ecfjkdhk.dll"   | Dnhncjom.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ldibcl32.dll"   | Loqjlg32.exe
Key created     | (key)                                            | Pkgaglpp.exe
Set value (str) | ThreadingModel = "Apartment"                     | Hkggfe32.exe
Key created     | (key)                                            | Lmhnea32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Olfgcj32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Qipjokik.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Bhnako32.dll"   | Mbfmha32.exe
Key created     | (key)                                            | Ogmiepcf.exe
Set value (str) | ThreadingModel = "Apartment"                     | Lnhdbc32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Abkkdddh.dll"   | Gbenjm32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Lfidij32.dll"   | Bpkbmi32.exe
Set value (str) | ThreadingModel = "Apartment"                     | Mfgiof32.exe
Key created     | (key)                                            | Pmfldkei.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Hfmadipo.dll"   | Lgnleiid.exe
Key created     | (key)                                            | Dilmeida.exe
Key created     | (key)                                            | Cmdhnhkp.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Dahogoog.dll"   | Fnacfp32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ehlhpmmi.dll"   | Gmkibl32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Lccigdih.dll"   | Qpmmfbfl.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Abflab32.dll"   | Ckfofe32.exe
Key created     | (key)                                            | Liofdigo.exe
Key created     | (key)                                            | Qnniopcm.exe
Key created     | (key)                                            | Jdiglgbg.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Foieod32.dll"   | Neeifa32.exe
Key created     | (key)                                            | Ncpelbap.exe
Set value (str) | ThreadingModel = "Apartment"                     | Ginenk32.exe
Key created     | (key)                                            | Jamhflqq.exe
Set value (str) | ThreadingModel = "Apartment"                     | Jdnqgg32.exe
Set value (str) | (Default) = "C:\Windows\SysWow64\Ojqnlp32.dll"   | Nbjhph32.exe
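The two registry tables above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") describe one mechanism. The sample registers a COM class under CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} whose InProcServer32 default value points at a dropped DLL in SysWow64, then lists that CLSID under ShellServiceObjectDelayLoad as "Web Event Logger"; at the next logon explorer.exe instantiates the object and so loads the DLL in-process. The script below is an added example, not the sample's code and not a feature of the sandbox: it folds the report's rows (a subset, copied from the tables) into a registry snapshot, follows SSODL to CLSID to InProcServer32 to the DLL that would actually load, and flags entries whose CLSID is outside a baseline or whose InProcServer32 default was rewritten repeatedly, as it is here, where each generation re-points it at its own freshly dropped DLL. The WebCheck CLSID used as the baseline is an assumption taken from a stock Windows 10 image; capture your own from a known-good host. read_live() reads the same keys from a real machine with winreg and should be called with both KEY_WOW64_32KEY and KEY_WOW64_64KEY: a 32-bit writer like this sample lands in the WOW6432Node view, and whether the 64-bit explorer.exe honours an entry there is something to verify on the host rather than assume from the report.

```python
"""Resolve the SSODL -> CLSID -> InProcServer32 persistence chain recorded in
the report.  Added example: the rows are copied from the report's tables, the
code is illustrative and is neither the sample's nor the sandbox's."""
from collections import defaultdict

HKLM = r"\REGISTRY\MACHINE"
SSODL = HKLM + r"\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_ROOT = HKLM + r"\SOFTWARE\Classes\WOW6432Node\CLSID"
GUID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
SERVER = f"{CLSID_ROOT}\\{GUID}\\InProcServer32"

# Constructed from the report, in table order: (key, value name, data, writing process).
# "" is the key's default value; a value name of None marks a "Key created" row.
REPORT_ROWS = [
    (SSODL, "Web Event Logger", GUID, "Ejiqom32.exe"),
    (SSODL, None, None, "Idonlbff.exe"),
    (SSODL, "Web Event Logger", GUID, "Ongijo32.exe"),
    (SERVER, None, None, "Komoed32.exe"),
    (SERVER, "", r"C:\Windows\SysWow64\Hhndme32.dll", "Kdpmmf32.exe"),
    (SERVER, "", r"C:\Windows\SysWow64\Dnojon32.dll", "Dilmeida.exe"),
    (SERVER, "ThreadingModel", "Apartment", "Dnfanjqp.exe"),
    (SERVER, "", r"C:\Windows\SysWow64\Melibq32.dll", "Ejhanj32.exe"),
    (SERVER, "", r"C:\Windows\SysWow64\Dalion32.dll", "Lqdcio32.exe"),
]

# Assumed clean-host baseline for HKLM SSODL (WebCheck on a stock Windows 10 image);
# capture your own from a known-good machine instead of trusting this constant.
BASELINE_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}


def build_snapshot(rows):
    """Fold the writes into the final registry state ({key: {value: data}}) and
    keep the per-value write history, so churn (many processes re-pointing the
    same value) stays visible.  Last write wins, which is what Explorer sees."""
    final = defaultdict(dict)
    history = defaultdict(list)
    for key, name, data, proc in rows:
        if name is None:                 # "Key created": key exists, no values yet
            final.setdefault(key, {})
            continue
        final[key][name] = data
        history[(key, name)].append((data, proc))
    return final, history


def resolve_ssodl(final, ssodl=SSODL, clsid_root=CLSID_ROOT):
    """For every SSODL entry, follow its CLSID to InProcServer32 and return the
    DLL that would be loaded in-process into explorer.exe."""
    resolved = []
    for name, clsid in final.get(ssodl, {}).items():
        server = final.get(f"{clsid_root}\\{clsid}\\InProcServer32", {})
        resolved.append({"name": name, "clsid": clsid,
                         "dll": server.get(""), "threading": server.get("ThreadingModel")})
    return resolved


def flag(entry, history, clsid_root=CLSID_ROOT):
    """Reasons this SSODL entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    if entry["clsid"].upper() not in BASELINE_CLSIDS:
        reasons.append("CLSID not in baseline")
    if not entry["dll"]:
        reasons.append("InProcServer32 has no default value")
    writers = history.get((f"{clsid_root}\\{entry['clsid']}\\InProcServer32", ""), [])
    distinct = {data for data, _ in writers}
    if len(distinct) > 1:
        reasons.append(f"InProcServer32 re-pointed {len(writers)} times to {len(distinct)} different DLLs")
    return reasons


def read_live(view):
    """Windows only: read the same two keys from the local registry.  view is
    winreg.KEY_WOW64_32KEY or winreg.KEY_WOW64_64KEY; run it with both."""
    import winreg
    final = {SSODL: {}}
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_READ | view) as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:              # no more values
                break
            final[SSODL][name] = data
            i += 1
    for clsid in final[SSODL].values():
        sub = rf"SOFTWARE\Classes\CLSID\{clsid}\InProcServer32"
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub, 0, winreg.KEY_READ | view) as k:
                final[f"{CLSID_ROOT}\\{clsid}\\InProcServer32"] = {"": winreg.QueryValueEx(k, "")[0]}
        except OSError:                  # CLSID listed but never registered
            pass
    return final


if __name__ == "__main__":
    snapshot, writes = build_snapshot(REPORT_ROWS)
    for entry in resolve_ssodl(snapshot):
        print(entry["name"], "->", entry["clsid"], "->", entry["dll"], flag(entry, writes))
```

On the report's rows the resolved entry is Web Event Logger -> {79FEACFF-...} -> C:\Windows\SysWow64\Dalion32.dll (the last write in the subset), flagged both for the unknown CLSID and for the InProcServer32 default having been re-pointed four times. The snapshot keys returned by read_live() reuse the WOW6432Node spelling as labels even for the 64-bit view; only the view flag determines which hive branch is actually read.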
Suspicious use of WriteProcessMemory  (64 IoCs)

The sandbox logs three WriteProcessMemory calls for each process the chain starts; they are collapsed here into one row per parent/child pair, with the number of logged calls in the last column. The table is cut off at 64 rows, which is why the final pair shows only one of its three calls.

pid  | wrote to memory of | Process (image of pid)                     | procid_target | calls
4032 | 5036               | NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe  | 84            | 3
5036 | 4596               | Bbniai32.exe                               | 85            | 3
4596 | 3556               | Bflagg32.exe                               | 86            | 3
3556 | 2596               | Bgokdomj.exe                               | 87            | 3
2596 | 4540               | Ciogobcm.exe                               | 88            | 3
4540 | 3952               | Ceehcc32.exe                               | 90            | 3
3952 | 384                | Cejaobel.exe                               | 91            | 3
384  | 1356               | Cpbbak32.exe                               | 92            | 3
1356 | 4416               | Dhmgfm32.exe                               | 93            | 3
4416 | 1188               | Ginenk32.exe                               | 94            | 3
1188 | 2468               | Glnnofhi.exe                               | 96            | 3
2468 | 4260               | Gckcap32.exe                               | 97            | 3
4260 | 1544               | Gcmpgpkp.exe                               | 98            | 3
1544 | 4012               | Hcaibo32.exe                               | 100           | 3
4012 | 2140               | Hfbbdj32.exe                               | 101           | 3
2140 | 3644               | Hqjcgbbo.exe                               | 102           | 3
3644 | 2244               | Ijedehgm.exe                               | 103           | 3
2244 | 4500               | Ifleji32.exe                               | 104           | 3
4500 | 1592               | Iqaiga32.exe                               | 105           | 3
1592 | 4856               | Imhjlb32.exe                               | 106           | 3
4856 | 3452               | Ijlkfg32.exe                               | 107           | 3
3452 | 3196               | Jfehpg32.exe                               | 108           | 1
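The WriteProcessMemory rows and the process tree below describe a strictly linear chain: every dropped EXE starts exactly one successor, and the sandbox records three WriteProcessMemory calls per CreateProcess. The report's own process indices run from 84 for the first child to 631 for the process that WerFault.exe caught crashing, so the chain is far longer than the 23 levels the tree shows. The tree also lists each image under C:\Windows\SysWOW64\ while the command line says C:\Windows\system32\; that is WOW64 file-system redirection for a 32-bit process, so searches of endpoint telemetry need both spellings. The script below is an added example, not the sandbox's or the sample's code. It parses the rows (constructed here from the report; the first parent/child pair is shown three times as logged, the rest once to keep the listing short), rebuilds the parent-to-child chain, checks it against the order of the "Executes dropped EXE" list, and applies a naming heuristic taken from this report, where every dropped name is eight characters: a capital letter, five lower-case letters, then either "32" or two more letters, with the first letter of successive generations advancing through the alphabet. Treat that pattern as a triage heuristic for this sample, not a family signature.

```python
"""Rebuild the process chain from the report's WriteProcessMemory rows and
check it against the "Executes dropped EXE" order and the dropped-file naming
pattern.  Added example; the data is copied from the report, the code is not
the sample's or the sandbox's."""
import re
from collections import Counter, defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" table.  The report
# repeats every row three times; only the first pair is kept in triplicate here.
WPM_ROWS = """\
PID 4032 wrote to memory of 5036 4032 NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe 84
PID 4032 wrote to memory of 5036 4032 NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe 84
PID 4032 wrote to memory of 5036 4032 NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe 84
PID 5036 wrote to memory of 4596 5036 Bbniai32.exe 85
PID 4596 wrote to memory of 3556 4596 Bflagg32.exe 86
PID 3556 wrote to memory of 2596 3556 Bgokdomj.exe 87
PID 2596 wrote to memory of 4540 2596 Ciogobcm.exe 88
PID 4540 wrote to memory of 3952 4540 Ceehcc32.exe 90
PID 3952 wrote to memory of 384 3952 Cejaobel.exe 91
PID 384 wrote to memory of 1356 384 Cpbbak32.exe 92
PID 1356 wrote to memory of 4416 1356 Dhmgfm32.exe 93
PID 4416 wrote to memory of 1188 4416 Ginenk32.exe 94
PID 1188 wrote to memory of 2468 1188 Glnnofhi.exe 96
PID 2468 wrote to memory of 4260 2468 Gckcap32.exe 97
PID 4260 wrote to memory of 1544 4260 Gcmpgpkp.exe 98
PID 1544 wrote to memory of 4012 1544 Hcaibo32.exe 100
PID 4012 wrote to memory of 2140 4012 Hfbbdj32.exe 101
PID 2140 wrote to memory of 3644 2140 Hqjcgbbo.exe 102
PID 3644 wrote to memory of 2244 3644 Ijedehgm.exe 103
PID 2244 wrote to memory of 4500 2244 Ifleji32.exe 104
PID 4500 wrote to memory of 1592 4500 Iqaiga32.exe 105
PID 1592 wrote to memory of 4856 1592 Imhjlb32.exe 106
PID 4856 wrote to memory of 3452 4856 Ijlkfg32.exe 107
PID 3452 wrote to memory of 3196 3452 Jfehpg32.exe 108
"""

# First entries of the report's "Executes dropped EXE" list, in order.
DROPPED_PIDS = [5036, 4596, 3556, 2596, 4540, 3952, 384, 1356, 4416, 1188, 2468, 4260,
                1544, 4012, 2140, 3644, 2244, 4500, 1592, 4856, 3452, 3196, 560, 3736]

# "PID <src> wrote to memory of <dst> <src> <image of src> <procid of dst>"; the \1
# backreference enforces the report's layout so a garbled row is skipped, not misread.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
# Heuristic from this report: capital, five lower-case letters, then "32" or two letters.
NAME = re.compile(r"[A-Z][a-z]{5}(?:32|[a-z]{2})\.(?:exe|dll)")


def parse_rows(text):
    """Return ({(src_pid, dst_pid): logged calls}, {src_pid: image})."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst, image = int(m[1]), int(m[2]), m[3]
        edges[(src, dst)] += 1
        images[src] = image
    return edges, images


def build_chain(edges, root):
    """Follow parent -> child from root.  Returns the pid list and whether any
    parent had more than one child (this sample never branches)."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, pid, branched = [root], root, False
    while children.get(pid):
        kids = children[pid]
        branched |= len(kids) > 1
        pid = kids[0]
        if pid in chain:                 # defensive: a cycle would loop forever
            break
        chain.append(pid)
    return chain, branched


def name_matches(filename):
    return NAME.fullmatch(filename) is not None


def summarize(text, dropped_pids, root=4032):
    """Chain length, branching, agreement with the dropped-EXE order, images that
    fall outside the naming heuristic, and the distinct per-edge call counts seen."""
    edges, images = parse_rows(text)
    chain, branched = build_chain(edges, root)
    return {
        "chain_len": len(chain),
        "branched": branched,
        "matches_dropped_order": chain[1:] == dropped_pids[:len(chain) - 1],
        "off_pattern": [images[p] for p in chain if p in images and not name_matches(images[p])],
        "call_counts": sorted(set(edges.values())),
    }


if __name__ == "__main__":
    print(summarize(WPM_ROWS, DROPPED_PIDS))
```

On the constructed rows the chain is 23 processes long, never branches, and its 22 children are exactly the first 22 pids of the "Executes dropped EXE" list; the only image that fails the naming heuristic is the submitted sample itself.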
Processes

Each process below was started by the one above it; the leading number is its depth in the tree. The tree stops at depth 23, while the "Executes dropped EXE" table continues past that point, so the chain runs longer than shown here. The image path is the file as it lives on disk (SysWOW64); the command line is the path the parent used (system32), which WOW64 redirects for a 32-bit process.

1  C:\Users\Admin\AppData\Local\Temp\NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe  (PID 4032)
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e75d63a1953dc1efea0eeec35a6d62a0.exe"
   - Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Bbniai32.exe  (PID 5036)
   command line: C:\Windows\system32\Bbniai32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Bflagg32.exe  (PID 4596)
   command line: C:\Windows\system32\Bflagg32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Bgokdomj.exe  (PID 3556)
   command line: C:\Windows\system32\Bgokdomj.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Ciogobcm.exe  (PID 2596)
   command line: C:\Windows\system32\Ciogobcm.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Ceehcc32.exe  (PID 4540)
   command line: C:\Windows\system32\Ceehcc32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Cejaobel.exe  (PID 3952)
   command line: C:\Windows\system32\Cejaobel.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Cpbbak32.exe  (PID 384)
   command line: C:\Windows\system32\Cpbbak32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Dhmgfm32.exe  (PID 1356)
   command line: C:\Windows\system32\Dhmgfm32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
10 C:\Windows\SysWOW64\Ginenk32.exe  (PID 4416)
   command line: C:\Windows\system32\Ginenk32.exe
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11 C:\Windows\SysWOW64\Glnnofhi.exe  (PID 1188)
   command line: C:\Windows\system32\Glnnofhi.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
12 C:\Windows\SysWOW64\Gckcap32.exe  (PID 2468)
   command line: C:\Windows\system32\Gckcap32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
13 C:\Windows\SysWOW64\Gcmpgpkp.exe  (PID 4260)
   command line: C:\Windows\system32\Gcmpgpkp.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
14 C:\Windows\SysWOW64\Hcaibo32.exe  (PID 1544)
   command line: C:\Windows\system32\Hcaibo32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
15 C:\Windows\SysWOW64\Hfbbdj32.exe  (PID 4012)
   command line: C:\Windows\system32\Hfbbdj32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
16 C:\Windows\SysWOW64\Hqjcgbbo.exe  (PID 2140)
   command line: C:\Windows\system32\Hqjcgbbo.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
17 C:\Windows\SysWOW64\Ijedehgm.exe  (PID 3644)
   command line: C:\Windows\system32\Ijedehgm.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
18 C:\Windows\SysWOW64\Ifleji32.exe  (PID 2244)
   command line: C:\Windows\system32\Ifleji32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
19 C:\Windows\SysWOW64\Iqaiga32.exe  (PID 4500)
   command line: C:\Windows\system32\Iqaiga32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
20 C:\Windows\SysWOW64\Imhjlb32.exe  (PID 1592)
   command line: C:\Windows\system32\Imhjlb32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
21 C:\Windows\SysWOW64\Ijlkfg32.exe  (PID 4856)
   command line: C:\Windows\system32\Ijlkfg32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
22 C:\Windows\SysWOW64\Jfehpg32.exe  (PID 3452)
   command line: C:\Windows\system32\Jfehpg32.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
23 C:\Windows\SysWOW64\Jfgefg32.exe  (PID 3196)
   command line: C:\Windows\system32\Jfgefg32.exe
   - Executes dropped EXE
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe24⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Jqofippg.exeC:\Windows\system32\Jqofippg.exe25⤵
- Executes dropped EXE
PID:3736 -
C:\Windows\SysWOW64\Jjjggede.exeC:\Windows\system32\Jjjggede.exe26⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Kgqdfi32.exeC:\Windows\system32\Kgqdfi32.exe27⤵
- Executes dropped EXE
PID:3880 -
C:\Windows\SysWOW64\Kgemahmg.exeC:\Windows\system32\Kgemahmg.exe28⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Lapopm32.exeC:\Windows\system32\Lapopm32.exe29⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Ljjpnb32.exeC:\Windows\system32\Ljjpnb32.exe30⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Lipmoo32.exeC:\Windows\system32\Lipmoo32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4412 -
C:\Windows\SysWOW64\Lfcmhc32.exeC:\Windows\system32\Lfcmhc32.exe32⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Mdjjgggk.exeC:\Windows\system32\Mdjjgggk.exe33⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Mankaked.exeC:\Windows\system32\Mankaked.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Mabdlk32.exeC:\Windows\system32\Mabdlk32.exe35⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Mmiealgc.exeC:\Windows\system32\Mmiealgc.exe36⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Najjmjkg.exeC:\Windows\system32\Najjmjkg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4476 -
C:\Windows\SysWOW64\Nkboeobh.exeC:\Windows\system32\Nkboeobh.exe38⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe40⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Nmedmj32.exeC:\Windows\system32\Nmedmj32.exe41⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Ogmiepcf.exeC:\Windows\system32\Ogmiepcf.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Okkalnjm.exeC:\Windows\system32\Okkalnjm.exe43⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ohobebig.exeC:\Windows\system32\Ohobebig.exe44⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe45⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe46⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Phfhfa32.exeC:\Windows\system32\Phfhfa32.exe47⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Paomog32.exeC:\Windows\system32\Paomog32.exe48⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Pkgaglpp.exeC:\Windows\system32\Pkgaglpp.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4192 -
C:\Windows\SysWOW64\Phkaqqoi.exeC:\Windows\system32\Phkaqqoi.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Pacfjfej.exeC:\Windows\system32\Pacfjfej.exe51⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pklkbl32.exeC:\Windows\system32\Pklkbl32.exe52⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Phpklp32.exeC:\Windows\system32\Phpklp32.exe53⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Pnlcdg32.exeC:\Windows\system32\Pnlcdg32.exe54⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Qkqdnkge.exeC:\Windows\system32\Qkqdnkge.exe55⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Qpmmfbfl.exeC:\Windows\system32\Qpmmfbfl.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Aamipe32.exeC:\Windows\system32\Aamipe32.exe57⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Agiahlkf.exeC:\Windows\system32\Agiahlkf.exe58⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Aaofedkl.exeC:\Windows\system32\Aaofedkl.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3720 -
C:\Windows\SysWOW64\Aglnnkid.exeC:\Windows\system32\Aglnnkid.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3872 -
C:\Windows\SysWOW64\Ahkkhnpg.exeC:\Windows\system32\Ahkkhnpg.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Abdoqd32.exeC:\Windows\system32\Abdoqd32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4136 -
C:\Windows\SysWOW64\Anjpeelk.exeC:\Windows\system32\Anjpeelk.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Ahpdcn32.exeC:\Windows\system32\Ahpdcn32.exe64⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Bdgehobe.exeC:\Windows\system32\Bdgehobe.exe65⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Bkamdi32.exeC:\Windows\system32\Bkamdi32.exe66⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Bbkeacqo.exeC:\Windows\system32\Bbkeacqo.exe67⤵PID:2112
-
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe68⤵PID:4388
-
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe69⤵PID:3512
-
C:\Windows\SysWOW64\Bgjjoi32.exeC:\Windows\system32\Bgjjoi32.exe70⤵PID:3996
-
C:\Windows\SysWOW64\Bndblcdq.exeC:\Windows\system32\Bndblcdq.exe71⤵PID:4332
-
C:\Windows\SysWOW64\Bkhceh32.exeC:\Windows\system32\Bkhceh32.exe72⤵
- Modifies registry class
PID:4980 -
C:\Windows\SysWOW64\Bbbkbbkg.exeC:\Windows\system32\Bbbkbbkg.exe73⤵PID:4364
-
C:\Windows\SysWOW64\Bkjpkg32.exeC:\Windows\system32\Bkjpkg32.exe74⤵
- Modifies registry class
PID:3668 -
C:\Windows\SysWOW64\Cqghcn32.exeC:\Windows\system32\Cqghcn32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3544 -
C:\Windows\SysWOW64\Ckmmpg32.exeC:\Windows\system32\Ckmmpg32.exe76⤵PID:3716
-
C:\Windows\SysWOW64\Cbfema32.exeC:\Windows\system32\Cbfema32.exe77⤵PID:2336
-
C:\Windows\SysWOW64\Cbiabq32.exeC:\Windows\system32\Cbiabq32.exe78⤵PID:3132
-
C:\Windows\SysWOW64\Cbknhqbl.exeC:\Windows\system32\Cbknhqbl.exe79⤵PID:4300
-
C:\Windows\SysWOW64\Cjfclcpg.exeC:\Windows\system32\Cjfclcpg.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Ckfofe32.exeC:\Windows\system32\Ckfofe32.exe81⤵
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Dbphcpog.exeC:\Windows\system32\Dbphcpog.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3448 -
C:\Windows\SysWOW64\Dgmpkg32.exeC:\Windows\system32\Dgmpkg32.exe83⤵PID:2912
-
C:\Windows\SysWOW64\Dnghhqdk.exeC:\Windows\system32\Dnghhqdk.exe84⤵PID:4460
-
C:\Windows\SysWOW64\Dilmeida.exeC:\Windows\system32\Dilmeida.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Dbdano32.exeC:\Windows\system32\Dbdano32.exe86⤵PID:3964
-
C:\Windows\SysWOW64\Djpfbahm.exeC:\Windows\system32\Djpfbahm.exe87⤵PID:4316
-
C:\Windows\SysWOW64\Deejpjgc.exeC:\Windows\system32\Deejpjgc.exe88⤵PID:4328
-
C:\Windows\SysWOW64\Fefcgh32.exeC:\Windows\system32\Fefcgh32.exe89⤵PID:2392
-
C:\Windows\SysWOW64\Fkbkoo32.exeC:\Windows\system32\Fkbkoo32.exe90⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Fehplggn.exeC:\Windows\system32\Fehplggn.exe91⤵
- Drops file in System32 directory
PID:4400 -
C:\Windows\SysWOW64\Flbhia32.exeC:\Windows\system32\Flbhia32.exe92⤵PID:4440
-
C:\Windows\SysWOW64\Fifhbf32.exeC:\Windows\system32\Fifhbf32.exe93⤵PID:3664
-
C:\Windows\SysWOW64\Fbnmkk32.exeC:\Windows\system32\Fbnmkk32.exe94⤵PID:3232
-
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe95⤵PID:5128
-
C:\Windows\SysWOW64\Geabbfoc.exeC:\Windows\system32\Geabbfoc.exe96⤵PID:5172
-
C:\Windows\SysWOW64\Gknkkmmj.exeC:\Windows\system32\Gknkkmmj.exe97⤵PID:5216
-
C:\Windows\SysWOW64\Gahcgg32.exeC:\Windows\system32\Gahcgg32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe99⤵PID:5312
-
C:\Windows\SysWOW64\Gooqfkan.exeC:\Windows\system32\Gooqfkan.exe100⤵PID:5360
-
C:\Windows\SysWOW64\Giddddad.exeC:\Windows\system32\Giddddad.exe101⤵PID:5404
-
C:\Windows\SysWOW64\Gaoihfoo.exeC:\Windows\system32\Gaoihfoo.exe102⤵PID:5444
-
C:\Windows\SysWOW64\Hifaic32.exeC:\Windows\system32\Hifaic32.exe103⤵PID:5484
-
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe104⤵PID:5536
-
C:\Windows\SysWOW64\Hembndee.exeC:\Windows\system32\Hembndee.exe105⤵PID:5584
-
C:\Windows\SysWOW64\Hoefgj32.exeC:\Windows\system32\Hoefgj32.exe106⤵PID:5624
-
C:\Windows\SysWOW64\Hepoddcc.exeC:\Windows\system32\Hepoddcc.exe107⤵PID:5676
-
C:\Windows\SysWOW64\Hohcmjic.exeC:\Windows\system32\Hohcmjic.exe108⤵PID:5720
-
C:\Windows\SysWOW64\Hebkid32.exeC:\Windows\system32\Hebkid32.exe109⤵PID:5768
-
C:\Windows\SysWOW64\Hllcfnhm.exeC:\Windows\system32\Hllcfnhm.exe110⤵PID:5812
-
C:\Windows\SysWOW64\Hcflch32.exeC:\Windows\system32\Hcflch32.exe111⤵PID:5856
-
C:\Windows\SysWOW64\Hhbdko32.exeC:\Windows\system32\Hhbdko32.exe112⤵PID:5904
-
C:\Windows\SysWOW64\Hchihhng.exeC:\Windows\system32\Hchihhng.exe113⤵PID:5948
-
C:\Windows\SysWOW64\Iibaeb32.exeC:\Windows\system32\Iibaeb32.exe114⤵PID:5992
-
C:\Windows\SysWOW64\Iooimi32.exeC:\Windows\system32\Iooimi32.exe115⤵PID:6040
-
C:\Windows\SysWOW64\Ieiajckh.exeC:\Windows\system32\Ieiajckh.exe116⤵PID:6084
-
C:\Windows\SysWOW64\Ioafchai.exeC:\Windows\system32\Ioafchai.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6128 -
C:\Windows\SysWOW64\Ijgjpaao.exeC:\Windows\system32\Ijgjpaao.exe118⤵PID:5140
-
C:\Windows\SysWOW64\Ikhghi32.exeC:\Windows\system32\Ikhghi32.exe119⤵PID:5224
-
C:\Windows\SysWOW64\Ifnkeb32.exeC:\Windows\system32\Ifnkeb32.exe120⤵PID:5300
-
C:\Windows\SysWOW64\Iofpnhmc.exeC:\Windows\system32\Iofpnhmc.exe121⤵PID:5356
-
C:\Windows\SysWOW64\Jfbdpabn.exeC:\Windows\system32\Jfbdpabn.exe122⤵PID:5420
-
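Added example, not part of the sandbox report: a small parser for the Processes tree above and for the "wrote to memory of" log that precedes it. It reconstructs the parent/child chain from the depth numbers, checks every recorded WriteProcessMemory call against that chain (the writer must be the direct parent of the target), and extracts the run of "Executes dropped EXE" children that run out of SysWOW64, which is the hunt list for the host. The embedded input is a constructed excerpt of the tree (depths 11 to 15, plus two entries from the tail where the PID is printed inline) and of the WriteProcessMemory log; the last log line (PID 1188 writing into 4012) is constructed and deliberately inconsistent with the tree so the cross-check has something to reject. Function names and the ok/unexpected verdict labels are this example's own.

```python
"""Reconstruct a dropper chain from a sandbox process tree and its
WriteProcessMemory log.  Added example; not part of the report."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the Processes tree above.  The depth-11 entry has no
# parent in this excerpt and depth 67 does not follow depth 15; both gaps must
# be tolerated rather than mis-linked.
TREE_EXCERPT = r"""
C:\Windows\SysWOW64\Glnnofhi.exeC:\Windows\system32\Glnnofhi.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Gckcap32.exeC:\Windows\system32\Gckcap32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Gcmpgpkp.exeC:\Windows\system32\Gcmpgpkp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\Hcaibo32.exeC:\Windows\system32\Hcaibo32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Hfbbdj32.exeC:\Windows\system32\Hfbbdj32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Bbkeacqo.exeC:\Windows\system32\Bbkeacqo.exe67⤵PID:2112
-
C:\Windows\SysWOW64\Bjfjee32.exeC:\Windows\system32\Bjfjee32.exe68⤵PID:4388
-
"""

# WriteProcessMemory entries for the same PIDs, run together as in the report
# (each call is logged three times).  The final entry (1188 -> 4012) is
# CONSTRUCTED and contradicts the tree; the cross-check must flag it.
WPM_LOG = (
    "PID 2468 wrote to memory of 4260 2468 Gckcap32.exe 97 "
    "PID 2468 wrote to memory of 4260 2468 Gckcap32.exe 97 "
    "PID 2468 wrote to memory of 4260 2468 Gckcap32.exe 97 "
    "PID 4260 wrote to memory of 1544 4260 Gcmpgpkp.exe 98 "
    "PID 4260 wrote to memory of 1544 4260 Gcmpgpkp.exe 98 "
    "PID 4260 wrote to memory of 1544 4260 Gcmpgpkp.exe 98 "
    "PID 1544 wrote to memory of 4012 1544 Hcaibo32.exe 100 "
    "PID 1544 wrote to memory of 4012 1544 Hcaibo32.exe 100 "
    "PID 1544 wrote to memory of 4012 1544 Hcaibo32.exe 100 "
    "PID 1188 wrote to memory of 4012 1188 Glnnofhi.exe 999"
)

# Tree entry: image path and command line are run together, followed by the
# depth and the arrow; newer tail entries carry the PID inline.
ENTRY_RE = re.compile(
    r'^(?P<image>.*?\.exe)(?P<cmdline>.*?)(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$',
    re.IGNORECASE)
SIG_RE = re.compile(r'^- (?P<sig>.+?)\s*$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')
# "PID <writer> wrote to memory of <target> <writer> <writer image> <seq>"
WPM_RE = re.compile(
    r'PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) '
    r'(?P=writer) (?P<image>\S+\.exe) (?P<seq>\d+)')
SYSTEM_DIRS = ('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\')


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent_pid: Optional[int] = None
    sigs: List[str] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Parse tree entries, then link parents: a node's parent is the nearest
    preceding node exactly one level up; any other gap leaves parent None."""
    procs: List[Proc] = []
    cur: Optional[Proc] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == '-':
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = Proc(m['image'], m['cmdline'], int(m['depth']),
                       int(m['pid']) if m['pid'] else None)
            procs.append(cur)
            continue
        m = SIG_RE.match(line)
        if m and cur is not None:
            cur.sigs.append(m['sig'])
            continue
        m = PID_RE.match(line)
        if m and cur is not None:
            cur.pid = int(m['pid'])
    stack: List[Proc] = []
    for p in procs:
        while stack and stack[-1].depth >= p.depth:
            stack.pop()
        if stack and stack[-1].depth == p.depth - 1:
            p.parent_pid = stack[-1].pid
        stack.append(p)
    return procs


def parse_wpm(log: str) -> Counter:
    """Count (writer, target, writer image) WriteProcessMemory events."""
    events: Counter = Counter()
    for m in WPM_RE.finditer(log):
        events[(int(m['writer']), int(m['target']), m['image'])] += 1
    return events


def cross_check(procs: List[Proc], events: Counter) -> Dict[Tuple[int, int], str]:
    """'ok' when the tree records target as a direct child of writer,
    'unexpected' otherwise (injection into a non-child, or a log/tree gap)."""
    parent_of = {p.pid: p.parent_pid for p in procs if p.pid is not None}
    return {(w, t): ('ok' if parent_of.get(t) == w else 'unexpected')
            for (w, t, _img) in events}


def is_dropped_system_exe(p: Proc) -> bool:
    return 'Executes dropped EXE' in p.sigs and p.image.lower().startswith(SYSTEM_DIRS)


def longest_drop_chain(procs: List[Proc]) -> List[str]:
    """Longest parent->child run of dropped EXEs under System32/SysWOW64,
    returned root-first as bare file names (the on-host hunt list)."""
    by_pid = {p.pid: p for p in procs if p.pid is not None}
    best: List[Proc] = []
    for p in procs:
        chain, cur = [], p
        while cur is not None and is_dropped_system_exe(cur):
            chain.append(cur)
            cur = by_pid.get(cur.parent_pid)
        if len(chain) > len(best):
            best = chain
    return [p.image.rsplit('\\', 1)[-1] for p in reversed(best)]


if __name__ == '__main__':
    procs = parse_tree(TREE_EXCERPT)
    events = parse_wpm(WPM_LOG)
    checks = cross_check(procs, events)
    for p in procs:
        print(f"depth {p.depth:>2} pid {p.pid} ppid {p.parent_pid} {p.image} {p.sigs}")
    for (w, t, img), n in events.items():
        print(f"WPM {w} -> {t} via {img} x{n}: {checks[(w, t)]}")
    print('dropped chain:', ' -> '.join(longest_drop_chain(procs)))
```

To run it over the whole report, replace `TREE_EXCERPT` with the full Processes block and `WPM_LOG` with the full "wrote to memory of" list; with the entire tree the chain is one unbroken line from the submitted sample down, and every recorded WriteProcessMemory call should come back `ok`. Any `unexpected` verdict on a real report means either injection into a process that is not the writer's child, or a tree/log mismatch worth a second look before the file names are turned into hunt queries.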