Analysis
max time kernel: 165s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-11-2023 16:41
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: NEAS.1e0089fc5bce0215d973dbfd2d359390.exe
  Resource: win7-20231020-en (windows7-x64)
  7 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: NEAS.1e0089fc5bce0215d973dbfd2d359390.exe
  Resource: win10v2004-20231023-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
Target: NEAS.1e0089fc5bce0215d973dbfd2d359390.exe
Size: 90KB
MD5: 1e0089fc5bce0215d973dbfd2d359390
SHA1: 030ef327f9d8518c4e374beb58630052b13f71ec
SHA256: 73a77e113a05b9ea3e8ba63568e23c1b55bf56a4598c612fa3276750d5179907
SHA512: 1eaec99f36d5a2ec51286fa3e930efbc81ffb987411980840ff3e818e8e1e8e3a742f843ca28094bd991ca937c254f60f7fdeda81d85144345eeb5477e75e6ed
SSDEEP: 1536:OD/lQPNtgOBNi6yf8yzD4okTKE6bhQ8szupbERCdrohG/GIbu/Ub0VkVNK:2/UtjU6khveKphQ8fF8Cd84GIbu/Ub05
Score: 10/10
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Filailgl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jffodc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Khlaoeoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lacbiiik.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcnbnqdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bgicdc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fealcc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kaiocjae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iqmpfhfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aegbji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ponfdf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajpqhdkl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koodka32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbcnmogm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ognpilmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Naejcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Okpkaqmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iedjfodg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nqjbnjfi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bckpihef.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfhfmhkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Emhdeoel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clbhkfdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Clnopg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Agfpoqog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Adccnpqm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgeknfdb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lacbiiik.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcboan32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhipiihc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Khmjga32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inlibb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dqpffaib.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmnncb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqdbnhco.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aecika32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikjmcc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpoljg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbnhhp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcbkip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bpdmdhhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fbpcah32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gldpkfoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jlhlcnge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kgkfhngo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjfmda32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbgqnhpl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Locgagli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njcpok32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekoddodi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckbegmin.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehlhbn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ganlnmop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqabhecb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmbcik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bahkcn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmpoemef.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcdohbmc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nneboemj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nockfgao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jljiimeb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdiadecm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fchdio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lpbodpnl.exe
Executes dropped EXE 64 IoCs
pid | Process
2772 | Lmmokgne.exe
2516 | Ndliin32.exe
2056 | Opefdo32.exe
536 | Ofalfi32.exe
4528 | Plejoode.exe
4964 | Adohmidb.exe
4192 | Bgicdc32.exe
1684 | Debfpd32.exe
4272 | Eclmlpfl.exe
4684 | Febogbhg.exe
4912 | Gaglma32.exe
3152 | Haeino32.exe
4512 | Ikgpmc32.exe
4668 | Ikjmcc32.exe
1116 | Jlblcdpf.exe
4164 | Knhbflbp.exe
3712 | Lilbdcfe.exe
4716 | Megldcgd.exe
4772 | Nehekq32.exe
2000 | Oecego32.exe
2028 | Oianmm32.exe
4748 | Pmbcik32.exe
4460 | Algiaepd.exe
3188 | Bjgifhep.exe
2992 | Bgkipl32.exe
3444 | Egeemiml.exe
912 | Emhdeoel.exe
3560 | Fpnfbi32.exe
4436 | Gnkflo32.exe
3296 | Hpchdf32.exe
4048 | Idjdqc32.exe
2276 | Jajdff32.exe
2204 | Khmoionj.exe
1764 | Locgagli.exe
4344 | Mhpeelnd.exe
3204 | Cikkga32.exe
2140 | Ebnocpfp.exe
4212 | Fqcilgji.exe
4324 | Gbcaemdg.exe
4408 | Ipldpo32.exe
4396 | Kinefp32.exe
3740 | Mpoljg32.exe
1996 | Njcpok32.exe
1544 | Ocldhqgb.exe
2472 | Ojhijjll.exe
2548 | Pengna32.exe
4220 | Beefenie.exe
3500 | Cbcieqpd.exe
1960 | Dkedjbgg.exe
884 | Deoabj32.exe
1528 | Ecjhmm32.exe
5068 | Ekemap32.exe
1552 | Gcmnijkd.exe
5116 | Gohhik32.exe
4564 | Gkoinlbg.exe
3780 | Homadjin.exe
1644 | Hkdbik32.exe
2188 | Imjddmpl.exe
224 | Ifcimb32.exe
3428 | Jpdqlgdc.exe
2044 | Ldoadabi.exe
1820 | Mljficpd.exe
4908 | Nneboemj.exe
4792 | Ndokko32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Debfpd32.exe | Bgicdc32.exe
File opened for modification | C:\Windows\SysWOW64\Foocegea.exe | Fdiohnek.exe
File created | C:\Windows\SysWOW64\Bbmjjk32.exe | Bmpaad32.exe
File created | C:\Windows\SysWOW64\Lompka32.dll | Khlaoeoj.exe
File created | C:\Windows\SysWOW64\Jcnbnqdh.exe | Jjemek32.exe
File created | C:\Windows\SysWOW64\Jleddnfj.dll | Kfokplai.exe
File opened for modification | C:\Windows\SysWOW64\Kepdfo32.exe | Kkhpmigp.exe
File opened for modification | C:\Windows\SysWOW64\Fmdach32.exe | Fldeie32.exe
File opened for modification | C:\Windows\SysWOW64\Fpejec32.exe | Fmdach32.exe
File created | C:\Windows\SysWOW64\Nflkkf32.exe | Nqpccp32.exe
File opened for modification | C:\Windows\SysWOW64\Omldnfkj.exe | Nclida32.exe
File opened for modification | C:\Windows\SysWOW64\Aoioeo32.exe | Aabafkgh.exe
File created | C:\Windows\SysWOW64\Ojblpdbb.dll | Pmpoemef.exe
File opened for modification | C:\Windows\SysWOW64\Aibilf32.exe | Abhqolee.exe
File created | C:\Windows\SysWOW64\Lepfneal.dll | Lfpkapgb.exe
File created | C:\Windows\SysWOW64\Hgcccmnm.dll | Kinefp32.exe
File created | C:\Windows\SysWOW64\Ijlkqj32.exe | Halmaiog.exe
File opened for modification | C:\Windows\SysWOW64\Nlbkjf32.exe | Mbgjlq32.exe
File created | C:\Windows\SysWOW64\Ljcejhnh.exe | Lomqmoob.exe
File opened for modification | C:\Windows\SysWOW64\Fjicfhhf.exe | Fdmjnajo.exe
File opened for modification | C:\Windows\SysWOW64\Ijmajc32.exe | Iepial32.exe
File created | C:\Windows\SysWOW64\Hahcfi32.exe | Hphglf32.exe
File opened for modification | C:\Windows\SysWOW64\Dhdaao32.exe | Dnondf32.exe
File opened for modification | C:\Windows\SysWOW64\Fgenoj32.exe | Ekoniian.exe
File created | C:\Windows\SysWOW64\Fjeikh32.exe | Fckaoneo.exe
File created | C:\Windows\SysWOW64\Mhpeelnd.exe | Locgagli.exe
File created | C:\Windows\SysWOW64\Lmbjgocg.dll | Hpdlajfe.exe
File created | C:\Windows\SysWOW64\Leknan32.dll | Defhnldg.exe
File created | C:\Windows\SysWOW64\Mpbich32.dll | Lpeljp32.exe
File opened for modification | C:\Windows\SysWOW64\Qoboofnb.exe | Ponfdf32.exe
File created | C:\Windows\SysWOW64\Aampgb32.dll | Efeiahdo.exe
File opened for modification | C:\Windows\SysWOW64\Hlnjlkjf.exe | Hedaoa32.exe
File created | C:\Windows\SysWOW64\Ggfgegho.exe | Filailgl.exe
File opened for modification | C:\Windows\SysWOW64\Pmbcik32.exe | Oianmm32.exe
File opened for modification | C:\Windows\SysWOW64\Agqekeeb.exe | Qjjhla32.exe
File opened for modification | C:\Windows\SysWOW64\Kgenlldo.exe | Kbiede32.exe
File created | C:\Windows\SysWOW64\Kepdfo32.exe | Kkhpmigp.exe
File opened for modification | C:\Windows\SysWOW64\Dmifdjio.exe | Debncm32.exe
File opened for modification | C:\Windows\SysWOW64\Igmqpbab.exe | Ilepmjdo.exe
File opened for modification | C:\Windows\SysWOW64\Mfjfoidl.exe | Ljcejhnh.exe
File created | C:\Windows\SysWOW64\Fqdbnhco.exe | Fkgiea32.exe
File created | C:\Windows\SysWOW64\Cjnqoc32.dll | Mjfocf32.exe
File opened for modification | C:\Windows\SysWOW64\Cjfaon32.exe | Bmbpeiaa.exe
File opened for modification | C:\Windows\SysWOW64\Hnfafpfd.exe | Hbppaopp.exe
File created | C:\Windows\SysWOW64\Mbgjlq32.exe | Maealn32.exe
File created | C:\Windows\SysWOW64\Mkagaa32.dll | Oajcnkdl.exe
File created | C:\Windows\SysWOW64\Nbphqahb.exe | Nqjbnjfi.exe
File opened for modification | C:\Windows\SysWOW64\Eclmlpfl.exe | Debfpd32.exe
File created | C:\Windows\SysWOW64\Ocldhqgb.exe | Njcpok32.exe
File opened for modification | C:\Windows\SysWOW64\Ldoadabi.exe | Jpdqlgdc.exe
File created | C:\Windows\SysWOW64\Jkmllk32.dll | Cpmajdig.exe
File created | C:\Windows\SysWOW64\Bdkommof.dll | Jmamlgon.exe
File opened for modification | C:\Windows\SysWOW64\Mapgpqio.exe | Mjfocf32.exe
File created | C:\Windows\SysWOW64\Ecjhmm32.exe | Deoabj32.exe
File created | C:\Windows\SysWOW64\Bmngjj32.exe | Ajfhhp32.exe
File created | C:\Windows\SysWOW64\Odbblp32.dll | Knefnkla.exe
File created | C:\Windows\SysWOW64\Mijjfb32.dll | Jcllcgjf.exe
File created | C:\Windows\SysWOW64\Lmmokgne.exe | NEAS.1e0089fc5bce0215d973dbfd2d359390.exe
File opened for modification | C:\Windows\SysWOW64\Kfokplai.exe | Kqabhecb.exe
File opened for modification | C:\Windows\SysWOW64\Fcikcekm.exe | Eddnbhfe.exe
File created | C:\Windows\SysWOW64\Alenpcjn.dll | Memaelip.exe
File opened for modification | C:\Windows\SysWOW64\Imjddmpl.exe | Hkdbik32.exe
File opened for modification | C:\Windows\SysWOW64\Ealanc32.exe | Deokhc32.exe
File created | C:\Windows\SysWOW64\Efccfojn.exe | Ebejpp32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hnphio32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Engbehmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbjkabdh.dll" | Ellpgeag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fjicfhhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffcabnh.dll" | Infqdbdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlijc32.dll" | Hnodkjhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jqihjbod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgeqnlmk.dll" | Nabpiocm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fgenoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mopeilpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fgppgi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maojmg32.dll" | Npjelo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdmoe32.dll" | Capikhgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcipkpg.dll" | Nclida32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdoeqnjb.dll" | Fkfcjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jcnbnqdh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cbcieqpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cihcen32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cjgpoq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkomblep.dll" | Dmifdjio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nneboemj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejbhf32.dll" | Maealn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnfiapfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ckjbbbga.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hlnjlkjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kleajegi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkknpq32.dll" | Qanhkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dklhmlac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Adohmidb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ljhcbhnb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iqmpfhfj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhpeelnd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgkdkg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Blgiphni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Filailgl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bkkhlhlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ekgqnccj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jaiflm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Debfpd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iickdgpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gikdep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ijkloi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mijfqhaj.dll" | Gfemfhje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iilnej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jlblcdpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fijknbmk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ckbegmin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nbphqahb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mhdgqh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Maleohqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pengna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cjgpoq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qoboofnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnjee32.dll" | Ckbegmin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dgeegled.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Filailgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakdhcgi.dll" | Kmpphk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oejijiip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkgnqm32.dll" | Ffaogm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjminj32.dll" | Omldnfkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bddjijia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdqkap32.dll" | Headjael.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glndff32.dll" | Hlkmfkli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Llmhkd32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4704 wrote to memory of 2772 | 4704 | NEAS.1e0089fc5bce0215d973dbfd2d359390.exe | 91
PID 4704 wrote to memory of 2772 | 4704 | NEAS.1e0089fc5bce0215d973dbfd2d359390.exe | 91
PID 4704 wrote to memory of 2772 | 4704 | NEAS.1e0089fc5bce0215d973dbfd2d359390.exe | 91
PID 2772 wrote to memory of 2516 | 2772 | Lmmokgne.exe | 93
PID 2772 wrote to memory of 2516 | 2772 | Lmmokgne.exe | 93
PID 2772 wrote to memory of 2516 | 2772 | Lmmokgne.exe | 93
PID 2516 wrote to memory of 2056 | 2516 | Ndliin32.exe | 94
PID 2516 wrote to memory of 2056 | 2516 | Ndliin32.exe | 94
PID 2516 wrote to memory of 2056 | 2516 | Ndliin32.exe | 94
PID 2056 wrote to memory of 536 | 2056 | Opefdo32.exe | 95
PID 2056 wrote to memory of 536 | 2056 | Opefdo32.exe | 95
PID 2056 wrote to memory of 536 | 2056 | Opefdo32.exe | 95
PID 536 wrote to memory of 4528 | 536 | Ofalfi32.exe | 96
PID 536 wrote to memory of 4528 | 536 | Ofalfi32.exe | 96
PID 536 wrote to memory of 4528 | 536 | Ofalfi32.exe | 96
PID 4528 wrote to memory of 4964 | 4528 | Plejoode.exe | 97
PID 4528 wrote to memory of 4964 | 4528 | Plejoode.exe | 97
PID 4528 wrote to memory of 4964 | 4528 | Plejoode.exe | 97
PID 4964 wrote to memory of 4192 | 4964 | Adohmidb.exe | 98
PID 4964 wrote to memory of 4192 | 4964 | Adohmidb.exe | 98
PID 4964 wrote to memory of 4192 | 4964 | Adohmidb.exe | 98
PID 4192 wrote to memory of 1684 | 4192 | Bgicdc32.exe | 99
PID 4192 wrote to memory of 1684 | 4192 | Bgicdc32.exe | 99
PID 4192 wrote to memory of 1684 | 4192 | Bgicdc32.exe | 99
PID 1684 wrote to memory of 4272 | 1684 | Debfpd32.exe | 100
PID 1684 wrote to memory of 4272 | 1684 | Debfpd32.exe | 100
PID 1684 wrote to memory of 4272 | 1684 | Debfpd32.exe | 100
PID 4272 wrote to memory of 4684 | 4272 | Eclmlpfl.exe | 101
PID 4272 wrote to memory of 4684 | 4272 | Eclmlpfl.exe | 101
PID 4272 wrote to memory of 4684 | 4272 | Eclmlpfl.exe | 101
PID 4684 wrote to memory of 4912 | 4684 | Febogbhg.exe | 102
PID 4684 wrote to memory of 4912 | 4684 | Febogbhg.exe | 102
PID 4684 wrote to memory of 4912 | 4684 | Febogbhg.exe | 102
PID 4912 wrote to memory of 3152 | 4912 | Gaglma32.exe | 103
PID 4912 wrote to memory of 3152 | 4912 | Gaglma32.exe | 103
PID 4912 wrote to memory of 3152 | 4912 | Gaglma32.exe | 103
PID 3152 wrote to memory of 4512 | 3152 | Haeino32.exe | 104
PID 3152 wrote to memory of 4512 | 3152 | Haeino32.exe | 104
PID 3152 wrote to memory of 4512 | 3152 | Haeino32.exe | 104
PID 4512 wrote to memory of 4668 | 4512 | Ikgpmc32.exe | 106
PID 4512 wrote to memory of 4668 | 4512 | Ikgpmc32.exe | 106
PID 4512 wrote to memory of 4668 | 4512 | Ikgpmc32.exe | 106
PID 4668 wrote to memory of 1116 | 4668 | Ikjmcc32.exe | 107
PID 4668 wrote to memory of 1116 | 4668 | Ikjmcc32.exe | 107
PID 4668 wrote to memory of 1116 | 4668 | Ikjmcc32.exe | 107
PID 1116 wrote to memory of 4164 | 1116 | Jlblcdpf.exe | 108
PID 1116 wrote to memory of 4164 | 1116 | Jlblcdpf.exe | 108
PID 1116 wrote to memory of 4164 | 1116 | Jlblcdpf.exe | 108
PID 4164 wrote to memory of 3712 | 4164 | Knhbflbp.exe | 109
PID 4164 wrote to memory of 3712 | 4164 | Knhbflbp.exe | 109
PID 4164 wrote to memory of 3712 | 4164 | Knhbflbp.exe | 109
PID 3712 wrote to memory of 4716 | 3712 | Lilbdcfe.exe | 110
PID 3712 wrote to memory of 4716 | 3712 | Lilbdcfe.exe | 110
PID 3712 wrote to memory of 4716 | 3712 | Lilbdcfe.exe | 110
PID 4716 wrote to memory of 4772 | 4716 | Megldcgd.exe | 111
PID 4716 wrote to memory of 4772 | 4716 | Megldcgd.exe | 111
PID 4716 wrote to memory of 4772 | 4716 | Megldcgd.exe | 111
PID 4772 wrote to memory of 2000 | 4772 | Nehekq32.exe | 112
PID 4772 wrote to memory of 2000 | 4772 | Nehekq32.exe | 112
PID 4772 wrote to memory of 2000 | 4772 | Nehekq32.exe | 112
PID 2000 wrote to memory of 2028 | 2000 | Oecego32.exe | 113
PID 2000 wrote to memory of 2028 | 2000 | Oecego32.exe | 113
PID 2000 wrote to memory of 2028 | 2000 | Oecego32.exe | 113
PID 2028 wrote to memory of 4748 | 2028 | Oianmm32.exe | 114
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.1e0089fc5bce0215d973dbfd2d359390.exe (tree depth 1, PID 4704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1e0089fc5bce0215d973dbfd2d359390.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Lmmokgne.exe (tree depth 2, PID 2772)
  Command line: C:\Windows\system32\Lmmokgne.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ndliin32.exe (tree depth 3, PID 2516)
  Command line: C:\Windows\system32\Ndliin32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Opefdo32.exe (tree depth 4, PID 2056)
  Command line: C:\Windows\system32\Opefdo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ofalfi32.exe (tree depth 5, PID 536)
  Command line: C:\Windows\system32\Ofalfi32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Plejoode.exe (tree depth 6, PID 4528)
  Command line: C:\Windows\system32\Plejoode.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Adohmidb.exe (tree depth 7, PID 4964)
  Command line: C:\Windows\system32\Adohmidb.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bgicdc32.exe (tree depth 8, PID 4192)
  Command line: C:\Windows\system32\Bgicdc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Debfpd32.exe (tree depth 9, PID 1684)
  Command line: C:\Windows\system32\Debfpd32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Eclmlpfl.exe (tree depth 10, PID 4272)
  Command line: C:\Windows\system32\Eclmlpfl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Febogbhg.exe (tree depth 11, PID 4684)
  Command line: C:\Windows\system32\Febogbhg.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Gaglma32.exe (tree depth 12, PID 4912)
  Command line: C:\Windows\system32\Gaglma32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Haeino32.exe (tree depth 13, PID 3152)
  Command line: C:\Windows\system32\Haeino32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ikgpmc32.exeC:\Windows\system32\Ikgpmc32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Ikjmcc32.exeC:\Windows\system32\Ikjmcc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\SysWOW64\Jlblcdpf.exeC:\Windows\system32\Jlblcdpf.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Knhbflbp.exeC:\Windows\system32\Knhbflbp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Lilbdcfe.exeC:\Windows\system32\Lilbdcfe.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\Megldcgd.exeC:\Windows\system32\Megldcgd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Nehekq32.exeC:\Windows\system32\Nehekq32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Oecego32.exeC:\Windows\system32\Oecego32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Oianmm32.exeC:\Windows\system32\Oianmm32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Pmbcik32.exeC:\Windows\system32\Pmbcik32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Algiaepd.exeC:\Windows\system32\Algiaepd.exe24⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Bjgifhep.exeC:\Windows\system32\Bjgifhep.exe25⤵
- Executes dropped EXE
PID:3188 -
C:\Windows\SysWOW64\Bgkipl32.exeC:\Windows\system32\Bgkipl32.exe26⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Egeemiml.exeC:\Windows\system32\Egeemiml.exe27⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Emhdeoel.exeC:\Windows\system32\Emhdeoel.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Fpnfbi32.exeC:\Windows\system32\Fpnfbi32.exe29⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Gnkflo32.exeC:\Windows\system32\Gnkflo32.exe30⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Hpchdf32.exeC:\Windows\system32\Hpchdf32.exe31⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Idjdqc32.exeC:\Windows\system32\Idjdqc32.exe32⤵
- Executes dropped EXE
PID:4048 -
C:\Windows\SysWOW64\Jajdff32.exeC:\Windows\system32\Jajdff32.exe33⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Khmoionj.exeC:\Windows\system32\Khmoionj.exe34⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Locgagli.exeC:\Windows\system32\Locgagli.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Mhpeelnd.exeC:\Windows\system32\Mhpeelnd.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4344 -
C:\Windows\SysWOW64\Cikkga32.exeC:\Windows\system32\Cikkga32.exe37⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Ebnocpfp.exeC:\Windows\system32\Ebnocpfp.exe38⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Fqcilgji.exeC:\Windows\system32\Fqcilgji.exe39⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Gbcaemdg.exeC:\Windows\system32\Gbcaemdg.exe40⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Ipldpo32.exeC:\Windows\system32\Ipldpo32.exe41⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Kinefp32.exeC:\Windows\system32\Kinefp32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Mpoljg32.exeC:\Windows\system32\Mpoljg32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Njcpok32.exeC:\Windows\system32\Njcpok32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Ocldhqgb.exeC:\Windows\system32\Ocldhqgb.exe45⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ojhijjll.exeC:\Windows\system32\Ojhijjll.exe46⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Pengna32.exeC:\Windows\system32\Pengna32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Beefenie.exeC:\Windows\system32\Beefenie.exe48⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\Cbcieqpd.exeC:\Windows\system32\Cbcieqpd.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\Dkedjbgg.exeC:\Windows\system32\Dkedjbgg.exe50⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Deoabj32.exeC:\Windows\system32\Deoabj32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Ecjhmm32.exeC:\Windows\system32\Ecjhmm32.exe52⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ekemap32.exeC:\Windows\system32\Ekemap32.exe53⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Gcmnijkd.exeC:\Windows\system32\Gcmnijkd.exe54⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Gohhik32.exeC:\Windows\system32\Gohhik32.exe55⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Gkoinlbg.exeC:\Windows\system32\Gkoinlbg.exe56⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Homadjin.exeC:\Windows\system32\Homadjin.exe57⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Hkdbik32.exeC:\Windows\system32\Hkdbik32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Imjddmpl.exeC:\Windows\system32\Imjddmpl.exe59⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ifcimb32.exeC:\Windows\system32\Ifcimb32.exe60⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Jpdqlgdc.exeC:\Windows\system32\Jpdqlgdc.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Ldoadabi.exeC:\Windows\system32\Ldoadabi.exe62⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Mljficpd.exeC:\Windows\system32\Mljficpd.exe63⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Nneboemj.exeC:\Windows\system32\Nneboemj.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4908 -
C:\Windows\SysWOW64\Ndokko32.exeC:\Windows\system32\Ndokko32.exe65⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Ngbpbjoe.exeC:\Windows\system32\Ngbpbjoe.exe66⤵PID:3572
-
C:\Windows\SysWOW64\Npjelo32.exeC:\Windows\system32\Npjelo32.exe67⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Olaeqp32.exeC:\Windows\system32\Olaeqp32.exe68⤵PID:4708
-
C:\Windows\SysWOW64\Odkjgm32.exeC:\Windows\system32\Odkjgm32.exe69⤵PID:2232
-
C:\Windows\SysWOW64\Ojgbpd32.exeC:\Windows\system32\Ojgbpd32.exe70⤵PID:4604
-
C:\Windows\SysWOW64\Pmdkmnkd.exeC:\Windows\system32\Pmdkmnkd.exe71⤵PID:3152
-
C:\Windows\SysWOW64\Qjjhla32.exeC:\Windows\system32\Qjjhla32.exe72⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Agqekeeb.exeC:\Windows\system32\Agqekeeb.exe73⤵PID:4340
-
C:\Windows\SysWOW64\Ajanmqbc.exeC:\Windows\system32\Ajanmqbc.exe74⤵PID:4208
-
C:\Windows\SysWOW64\Aegbji32.exeC:\Windows\system32\Aegbji32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Ajfhhp32.exeC:\Windows\system32\Ajfhhp32.exe76⤵
- Drops file in System32 directory
PID:3668 -
C:\Windows\SysWOW64\Bmngjj32.exeC:\Windows\system32\Bmngjj32.exe77⤵PID:2896
-
C:\Windows\SysWOW64\Bjagcndq.exeC:\Windows\system32\Bjagcndq.exe78⤵PID:1408
-
C:\Windows\SysWOW64\Bcjlld32.exeC:\Windows\system32\Bcjlld32.exe79⤵PID:3036
-
C:\Windows\SysWOW64\Bmbpeiaa.exeC:\Windows\system32\Bmbpeiaa.exe80⤵
- Drops file in System32 directory
PID:4508 -
C:\Windows\SysWOW64\Cjfaon32.exeC:\Windows\system32\Cjfaon32.exe81⤵PID:4716
-
C:\Windows\SysWOW64\Capikhgh.exeC:\Windows\system32\Capikhgh.exe82⤵
- Modifies registry class
PID:820 -
C:\Windows\SysWOW64\Chokcakp.exeC:\Windows\system32\Chokcakp.exe83⤵PID:3340
-
C:\Windows\SysWOW64\Cdfkhb32.exeC:\Windows\system32\Cdfkhb32.exe84⤵PID:2528
-
C:\Windows\SysWOW64\Dkgjekai.exeC:\Windows\system32\Dkgjekai.exe85⤵PID:400
-
C:\Windows\SysWOW64\Delnbdao.exeC:\Windows\system32\Delnbdao.exe86⤵PID:2312
-
C:\Windows\SysWOW64\Deokhc32.exeC:\Windows\system32\Deokhc32.exe87⤵
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Ealanc32.exeC:\Windows\system32\Ealanc32.exe88⤵PID:3712
-
C:\Windows\SysWOW64\Ehifpm32.exeC:\Windows\system32\Ehifpm32.exe89⤵PID:4772
-
C:\Windows\SysWOW64\Fobomglo.exeC:\Windows\system32\Fobomglo.exe90⤵PID:4460
-
C:\Windows\SysWOW64\Foekbg32.exeC:\Windows\system32\Foekbg32.exe91⤵PID:3792
-
C:\Windows\SysWOW64\Fgppgi32.exeC:\Windows\system32\Fgppgi32.exe92⤵
- Modifies registry class
PID:4680 -
C:\Windows\SysWOW64\Fojenfeg.exeC:\Windows\system32\Fojenfeg.exe93⤵PID:4904
-
C:\Windows\SysWOW64\Gaadpqmp.exeC:\Windows\system32\Gaadpqmp.exe94⤵PID:4176
-
C:\Windows\SysWOW64\Gkjhif32.exeC:\Windows\system32\Gkjhif32.exe95⤵PID:4444
-
C:\Windows\SysWOW64\Hbppaopp.exeC:\Windows\system32\Hbppaopp.exe96⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Hnfafpfd.exeC:\Windows\system32\Hnfafpfd.exe97⤵PID:4800
-
C:\Windows\SysWOW64\Ihlechfj.exeC:\Windows\system32\Ihlechfj.exe98⤵PID:740
-
C:\Windows\SysWOW64\Idebniil.exeC:\Windows\system32\Idebniil.exe99⤵PID:3068
-
C:\Windows\SysWOW64\Iickdgpb.exeC:\Windows\system32\Iickdgpb.exe100⤵
- Modifies registry class
PID:4348 -
C:\Windows\SysWOW64\Jkhnab32.exeC:\Windows\system32\Jkhnab32.exe101⤵PID:2576
-
C:\Windows\SysWOW64\Jgonfcnb.exeC:\Windows\system32\Jgonfcnb.exe102⤵PID:832
-
C:\Windows\SysWOW64\Kehhjfif.exeC:\Windows\system32\Kehhjfif.exe103⤵PID:3172
-
C:\Windows\SysWOW64\Knefnkla.exeC:\Windows\system32\Knefnkla.exe104⤵
- Drops file in System32 directory
PID:4320 -
C:\Windows\SysWOW64\Khmjga32.exeC:\Windows\system32\Khmjga32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3296 -
C:\Windows\SysWOW64\Lblakh32.exeC:\Windows\system32\Lblakh32.exe106⤵PID:4612
-
C:\Windows\SysWOW64\Lppbdmig.exeC:\Windows\system32\Lppbdmig.exe107⤵PID:2168
-
C:\Windows\SysWOW64\Mefmbbod.exeC:\Windows\system32\Mefmbbod.exe108⤵PID:2476
-
C:\Windows\SysWOW64\Nekgna32.exeC:\Windows\system32\Nekgna32.exe109⤵PID:4572
-
C:\Windows\SysWOW64\Nockfgao.exeC:\Windows\system32\Nockfgao.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3816 -
C:\Windows\SysWOW64\Niipdpae.exeC:\Windows\system32\Niipdpae.exe111⤵PID:1768
-
C:\Windows\SysWOW64\Noehlgol.exeC:\Windows\system32\Noehlgol.exe112⤵PID:5172
-
C:\Windows\SysWOW64\Ogfccchd.exeC:\Windows\system32\Ogfccchd.exe113⤵PID:5216
-
C:\Windows\SysWOW64\Pjnbfmom.exeC:\Windows\system32\Pjnbfmom.exe114⤵PID:5252
-
C:\Windows\SysWOW64\Pokjnd32.exeC:\Windows\system32\Pokjnd32.exe115⤵PID:5300
-
C:\Windows\SysWOW64\Phcogice.exeC:\Windows\system32\Phcogice.exe116⤵PID:5348
-
C:\Windows\SysWOW64\Plagmh32.exeC:\Windows\system32\Plagmh32.exe117⤵PID:5400
-
C:\Windows\SysWOW64\Bcboan32.exeC:\Windows\system32\Bcboan32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5456 -
C:\Windows\SysWOW64\Cmfcfb32.exeC:\Windows\system32\Cmfcfb32.exe119⤵PID:5496
-
C:\Windows\SysWOW64\Cjjcof32.exeC:\Windows\system32\Cjjcof32.exe120⤵PID:5680
-
C:\Windows\SysWOW64\Dikpla32.exeC:\Windows\system32\Dikpla32.exe121⤵PID:5756
-
C:\Windows\SysWOW64\Fgdbgbof.exeC:\Windows\system32\Fgdbgbof.exe122⤵PID:5796