Analysis
-
max time kernel
143s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 16:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
db9d52ae9902264da15e6f3506c733e0_NEAS.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
db9d52ae9902264da15e6f3506c733e0_NEAS.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
db9d52ae9902264da15e6f3506c733e0_NEAS.exe
-
Size
397KB
-
MD5
db9d52ae9902264da15e6f3506c733e0
-
SHA1
b56cd6a9744be5b33641d418782dc4d62c47bb5c
-
SHA256
8e440951ef7155caa97f2b91a3507f889c87960610babd40c09dd5297284ed04
-
SHA512
bc330c1bc24147c6c3391898ab352f6f68c0ec6c75d9a73fb793a795a312e71ba9dfef2b863b5279eaa1df29b36eff9bf5db2d3d31111b089df9dbd66224149d
-
SSDEEP
6144:TjGrIWv9UhPfaPFM6234lKm3mo8Yvi4KsLTFM6234lKm3pT11Tgkz1581hW:7W1UhPfQFB24lwR45FB24lzx1skz15L
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcedkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpnaca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbpdeogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbojmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hphidanj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bieopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieajkfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qgoapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmebnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dahifbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amfcikek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Edccch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmhmlbkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Blbfjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qndigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Objaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geeemeif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clooiddm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfeepelg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idicbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmopkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlqdei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpcnonob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmkncofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nibebfpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpfhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pkjphcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbplk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2780 Bebkpn32.exe 2980 Bhcdaibd.exe 2636 Bkdmcdoe.exe 2484 Bjijdadm.exe 2616 Cljcelan.exe 2512 Cfbhnaho.exe 1268 Cciemedf.exe 2552 Cdlnkmha.exe 1656 Dodonf32.exe 1032 Dkkpbgli.exe 332 Dqjepm32.exe 1824 Dfgmhd32.exe 2392 Eijcpoac.exe 2144 Ebbgid32.exe 596 Enkece32.exe 616 Ebinic32.exe 552 Fejgko32.exe 952 Fnbkddem.exe 2068 Ffnphf32.exe 996 Filldb32.exe 1016 Fbdqmghm.exe 312 Fjlhneio.exe 1264 Fiaeoang.exe 304 Globlmmj.exe 352 Gbijhg32.exe 2900 Ghfbqn32.exe 1584 Gangic32.exe 2884 Gbnccfpb.exe 2592 Gkihhhnm.exe 2656 Gmgdddmq.exe 1724 Gmjaic32.exe 2448 Gddifnbk.exe 2452 Hdfflm32.exe 1880 Hgdbhi32.exe 1536 Hggomh32.exe 1672 Hiekid32.exe 1704 Hhjhkq32.exe 2184 Hodpgjha.exe 1468 Hhmepp32.exe 636 Ieqeidnl.exe 1256 Ioijbj32.exe 2816 Inljnfkg.exe 796 Inngcfid.exe 1492 Idhopq32.exe 1896 Ijeghgoh.exe 2400 Iqopea32.exe 288 Icmlam32.exe 1904 Ikddbj32.exe 1992 Incpoe32.exe 2984 Icpigm32.exe 2380 Jqdipqbp.exe 1756 Jfqahgpg.exe 2660 Joifam32.exe 2560 Jfcnngnd.exe 2720 Jjojofgn.exe 2476 Jmmfkafa.exe 2492 Jehkodcm.exe 1848 Jkbcln32.exe 2776 Jbllihbf.exe 1512 Jfghif32.exe 1884 Jifdebic.exe 1660 Jkdpanhg.exe 892 Jbnhng32.exe 2140 Kjjmbj32.exe -
Loads dropped DLL 64 IoCs
pid Process 1984 db9d52ae9902264da15e6f3506c733e0_NEAS.exe 1984 db9d52ae9902264da15e6f3506c733e0_NEAS.exe 2780 Bebkpn32.exe 2780 Bebkpn32.exe 2980 Bhcdaibd.exe 2980 Bhcdaibd.exe 2636 Bkdmcdoe.exe 2636 Bkdmcdoe.exe 2484 Bjijdadm.exe 2484 Bjijdadm.exe 2616 Cljcelan.exe 2616 Cljcelan.exe 2512 Cfbhnaho.exe 2512 Cfbhnaho.exe 1268 Cciemedf.exe 1268 Cciemedf.exe 2552 Cdlnkmha.exe 2552 Cdlnkmha.exe 1656 Dodonf32.exe 1656 Dodonf32.exe 1032 Dkkpbgli.exe 1032 Dkkpbgli.exe 332 Dqjepm32.exe 332 Dqjepm32.exe 1824 Dfgmhd32.exe 1824 Dfgmhd32.exe 2392 Eijcpoac.exe 2392 Eijcpoac.exe 2144 Ebbgid32.exe 2144 Ebbgid32.exe 596 Enkece32.exe 596 Enkece32.exe 616 Ebinic32.exe 616 Ebinic32.exe 552 Fejgko32.exe 552 Fejgko32.exe 952 Fnbkddem.exe 952 Fnbkddem.exe 2068 Ffnphf32.exe 2068 Ffnphf32.exe 996 Filldb32.exe 996 Filldb32.exe 1016 Fbdqmghm.exe 1016 Fbdqmghm.exe 312 Fjlhneio.exe 312 Fjlhneio.exe 1264 Fiaeoang.exe 1264 Fiaeoang.exe 304 Globlmmj.exe 304 Globlmmj.exe 352 Gbijhg32.exe 352 Gbijhg32.exe 2900 Ghfbqn32.exe 2900 Ghfbqn32.exe 1584 Gangic32.exe 1584 Gangic32.exe 2884 Gbnccfpb.exe 2884 Gbnccfpb.exe 2592 Gkihhhnm.exe 2592 Gkihhhnm.exe 2656 Gmgdddmq.exe 2656 Gmgdddmq.exe 1724 Gmjaic32.exe 1724 Gmjaic32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pcpbik32.exe Process not Found File created C:\Windows\SysWOW64\Oomjlk32.exe Odhfob32.exe File opened for modification C:\Windows\SysWOW64\Hnbaif32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mhflcm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fbopgb32.exe Fmbhok32.exe File opened for modification C:\Windows\SysWOW64\Fchijone.exe Eolmip32.exe File created C:\Windows\SysWOW64\Fhohnoea.dll Process not Found File created C:\Windows\SysWOW64\Lkjmfjmi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hkbkpcpd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Haiccald.exe Hpgfki32.exe File created C:\Windows\SysWOW64\Eknmhk32.exe Eeaepd32.exe File created C:\Windows\SysWOW64\Dppllabf.dll Fjegog32.exe File created C:\Windows\SysWOW64\Kljdkpfl.exe Process not Found File created C:\Windows\SysWOW64\Nfiebi32.dll Process not Found File created C:\Windows\SysWOW64\Ijppackl.dll Ciohqa32.exe File opened for modification C:\Windows\SysWOW64\Liklhmom.exe Lbackc32.exe File created C:\Windows\SysWOW64\Ndlaqocp.dll Process not Found File created C:\Windows\SysWOW64\Icdepo32.dll Gakcimgf.exe File created C:\Windows\SysWOW64\Nefbga32.exe Noljjglk.exe File opened for modification C:\Windows\SysWOW64\Lfbdci32.exe Process not Found File created C:\Windows\SysWOW64\Mhcmedli.exe Process not Found File created C:\Windows\SysWOW64\Ejioln32.exe Process not Found File created C:\Windows\SysWOW64\Glhnji32.dll Fqajihle.exe File opened for modification C:\Windows\SysWOW64\Lonlkcho.exe Process not Found File created C:\Windows\SysWOW64\Gefmne32.dll Pdldnomh.exe File created C:\Windows\SysWOW64\Hgajal32.dll Jfhjbobc.exe File opened for modification C:\Windows\SysWOW64\Pkjphcff.exe Plgolf32.exe File opened for modification C:\Windows\SysWOW64\Fekpnn32.exe Fpngfgle.exe File created C:\Windows\SysWOW64\Egmpofck.dll Process not Found File created C:\Windows\SysWOW64\Jjjdhc32.exe Process not Found File created C:\Windows\SysWOW64\Dcdeed32.dll Process not Found File created C:\Windows\SysWOW64\Lalhgogb.exe Process not Found File created C:\Windows\SysWOW64\Ecfhengk.dll Papfegmk.exe File created C:\Windows\SysWOW64\Jpebhied.dll Boljgg32.exe File opened for modification C:\Windows\SysWOW64\Daacecfc.exe Djgkii32.exe File opened for modification C:\Windows\SysWOW64\Pfgngh32.exe Pomfkndo.exe File opened for modification C:\Windows\SysWOW64\Ddhpod32.exe Dnnhbjnk.exe File created C:\Windows\SysWOW64\Qphcohgi.dll Mfllkece.exe File opened for modification C:\Windows\SysWOW64\Nkhdkgnj.exe Nhiholof.exe File opened for modification C:\Windows\SysWOW64\Cblfdg32.exe Cehfkb32.exe File created C:\Windows\SysWOW64\Gbccnjjb.dll Gqlhkofn.exe File created C:\Windows\SysWOW64\Qjhjbhcg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dqjepm32.exe Dkkpbgli.exe File created C:\Windows\SysWOW64\Dnnhbjnk.exe Dkpkfooh.exe File created C:\Windows\SysWOW64\Fnipkkdl.exe Fkjdopeh.exe File opened for modification C:\Windows\SysWOW64\Ohcdhi32.exe Oeehln32.exe File opened for modification C:\Windows\SysWOW64\Nppofado.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bhpqcpkm.exe Process not Found File created C:\Windows\SysWOW64\Ccfcekqe.dll Jdbkjn32.exe File created C:\Windows\SysWOW64\Jcojdjpd.dll Naopaa32.exe File created C:\Windows\SysWOW64\Ojbapc32.dll Pdihiook.exe File created C:\Windows\SysWOW64\Canipj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Amjpgdik.exe Process not Found File created C:\Windows\SysWOW64\Egdlec32.exe Enlglnci.exe File created C:\Windows\SysWOW64\Hedocp32.exe Haiccald.exe File created C:\Windows\SysWOW64\Nfolbbmp.dll Blaopqpo.exe File opened for modification C:\Windows\SysWOW64\Enqdhj32.exe Egglkp32.exe File opened for modification C:\Windows\SysWOW64\Ecfldoph.exe Eniclh32.exe File created C:\Windows\SysWOW64\Hicapn32.dll Eeohkeoe.exe File created C:\Windows\SysWOW64\Pgicjg32.dll Emkaol32.exe File created C:\Windows\SysWOW64\Mhdqqjhl.dll Ohaeia32.exe File opened for modification C:\Windows\SysWOW64\Gfhgpg32.exe Gkbcbn32.exe File created C:\Windows\SysWOW64\Pfpgeall.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nlphkb32.exe Nialog32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 500 4016 Process not Found 266 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbhkj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmibbi32.dll" Befmfpbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bccjdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhngh32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll" Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hpbbdfik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhckf32.dll" Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhnipd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pckoam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkoncdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oohqqlei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohhkjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alegac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmphi32.dll" Nlphkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdamcl32.dll" Hafock32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnein32.dll" Cepfgdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcfkfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebjglbml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oiakgcnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icplghmh.dll" db9d52ae9902264da15e6f3506c733e0_NEAS.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bpjkiogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Findhdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Edccch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnielm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Heglio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kkaiqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbceme32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgodoah.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ioijbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Figmjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll" Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjboh32.dll" Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmladcej.dll" Lcfbdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eeohkeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlqmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hbiaemkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pmojocel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecomg32.dll" Diibag32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2780 1984 db9d52ae9902264da15e6f3506c733e0_NEAS.exe 28 PID 1984 wrote to memory of 2780 1984 db9d52ae9902264da15e6f3506c733e0_NEAS.exe 28 PID 1984 wrote to memory of 2780 1984 db9d52ae9902264da15e6f3506c733e0_NEAS.exe 28 PID 1984 wrote to memory of 2780 1984 db9d52ae9902264da15e6f3506c733e0_NEAS.exe 28 PID 2780 wrote to memory of 2980 2780 Bebkpn32.exe 29 PID 2780 wrote to memory of 2980 2780 Bebkpn32.exe 29 PID 2780 wrote to memory of 2980 2780 Bebkpn32.exe 29 PID 2780 wrote to memory of 2980 2780 Bebkpn32.exe 29 PID 2980 wrote to memory of 2636 2980 Bhcdaibd.exe 30 PID 2980 wrote to memory of 2636 2980 Bhcdaibd.exe 30 PID 2980 wrote to memory of 2636 2980 Bhcdaibd.exe 30 PID 2980 wrote to memory of 2636 2980 Bhcdaibd.exe 30 PID 2636 wrote to memory of 2484 2636 Bkdmcdoe.exe 31 PID 2636 wrote to memory of 2484 2636 Bkdmcdoe.exe 31 PID 2636 wrote to memory of 2484 2636 Bkdmcdoe.exe 31 PID 2636 wrote to memory of 2484 2636 Bkdmcdoe.exe 31 PID 2484 wrote to memory of 2616 2484 Bjijdadm.exe 32 PID 2484 wrote to memory of 2616 2484 Bjijdadm.exe 32 PID 2484 wrote to memory of 2616 2484 Bjijdadm.exe 32 PID 2484 wrote to memory of 2616 2484 Bjijdadm.exe 32 PID 2616 wrote to memory of 2512 2616 Cljcelan.exe 33 PID 2616 wrote to memory of 2512 2616 Cljcelan.exe 33 PID 2616 wrote to memory of 2512 2616 Cljcelan.exe 33 PID 2616 wrote to memory of 2512 2616 Cljcelan.exe 33 PID 2512 wrote to memory of 1268 2512 Cfbhnaho.exe 34 PID 2512 wrote to memory of 1268 2512 Cfbhnaho.exe 34 PID 2512 wrote to memory of 1268 2512 Cfbhnaho.exe 34 PID 2512 wrote to memory of 1268 2512 Cfbhnaho.exe 34 PID 1268 wrote to memory of 2552 1268 Cciemedf.exe 35 PID 1268 wrote to memory of 2552 1268 Cciemedf.exe 35 PID 1268 wrote to memory of 2552 1268 Cciemedf.exe 35 PID 1268 wrote to memory of 2552 1268 Cciemedf.exe 35 PID 2552 wrote to memory of 1656 2552 Cdlnkmha.exe 36 PID 2552 wrote to memory of 1656 2552 Cdlnkmha.exe 36 PID 2552 wrote to memory of 1656 2552 Cdlnkmha.exe 36 PID 2552 wrote to memory of 1656 2552 Cdlnkmha.exe 36 PID 1656 wrote to memory of 1032 1656 Dodonf32.exe 37 PID 1656 wrote to memory of 1032 1656 Dodonf32.exe 37 PID 1656 wrote to memory of 1032 1656 Dodonf32.exe 37 PID 1656 wrote to memory of 1032 1656 Dodonf32.exe 37 PID 1032 wrote to memory of 332 1032 Dkkpbgli.exe 38 PID 1032 wrote to memory of 332 1032 Dkkpbgli.exe 38 PID 1032 wrote to memory of 332 1032 Dkkpbgli.exe 38 PID 1032 wrote to memory of 332 1032 Dkkpbgli.exe 38 PID 332 wrote to memory of 1824 332 Dqjepm32.exe 39 PID 332 wrote to memory of 1824 332 Dqjepm32.exe 39 PID 332 wrote to memory of 1824 332 Dqjepm32.exe 39 PID 332 wrote to memory of 1824 332 Dqjepm32.exe 39 PID 1824 wrote to memory of 2392 1824 Dfgmhd32.exe 40 PID 1824 wrote to memory of 2392 1824 Dfgmhd32.exe 40 PID 1824 wrote to memory of 2392 1824 Dfgmhd32.exe 40 PID 1824 wrote to memory of 2392 1824 Dfgmhd32.exe 40 PID 2392 wrote to memory of 2144 2392 Eijcpoac.exe 41 PID 2392 wrote to memory of 2144 2392 Eijcpoac.exe 41 PID 2392 wrote to memory of 2144 2392 Eijcpoac.exe 41 PID 2392 wrote to memory of 2144 2392 Eijcpoac.exe 41 PID 2144 wrote to memory of 596 2144 Ebbgid32.exe 42 PID 2144 wrote to memory of 596 2144 Ebbgid32.exe 42 PID 2144 wrote to memory of 596 2144 Ebbgid32.exe 42 PID 2144 wrote to memory of 596 2144 Ebbgid32.exe 42 PID 596 wrote to memory of 616 596 Enkece32.exe 43 PID 596 wrote to memory of 616 596 Enkece32.exe 43 PID 596 wrote to memory of 616 596 Enkece32.exe 43 PID 596 wrote to memory of 616 596 Enkece32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\db9d52ae9902264da15e6f3506c733e0_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\db9d52ae9902264da15e6f3506c733e0_NEAS.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:616 -
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:312 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:352 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Gbnccfpb.exeC:\Windows\system32\Gbnccfpb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe33⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Hdfflm32.exeC:\Windows\system32\Hdfflm32.exe34⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hgdbhi32.exeC:\Windows\system32\Hgdbhi32.exe35⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Hggomh32.exeC:\Windows\system32\Hggomh32.exe36⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe37⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe38⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe39⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe40⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ieqeidnl.exeC:\Windows\system32\Ieqeidnl.exe41⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe43⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe44⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe45⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe46⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Iqopea32.exeC:\Windows\system32\Iqopea32.exe47⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe48⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe49⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe50⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe51⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe52⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe53⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe54⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe55⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe56⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Jmmfkafa.exeC:\Windows\system32\Jmmfkafa.exe57⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe58⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe59⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe60⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe61⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe62⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe63⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe64⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe65⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe66⤵PID:2548
-
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe67⤵PID:488
-
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe68⤵PID:660
-
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe69⤵
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Kcfkfo32.exeC:\Windows\system32\Kcfkfo32.exe70⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe71⤵PID:2508
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe72⤵PID:1720
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe73⤵PID:2316
-
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe74⤵PID:1596
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe75⤵PID:2600
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe76⤵PID:2736
-
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe77⤵PID:2620
-
C:\Windows\SysWOW64\Lliflp32.exeC:\Windows\system32\Lliflp32.exe78⤵PID:2880
-
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe79⤵PID:2488
-
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe80⤵PID:1864
-
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe81⤵PID:1328
-
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe82⤵PID:2824
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe83⤵PID:980
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe84⤵PID:1792
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe85⤵PID:2344
-
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe86⤵PID:1156
-
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe87⤵PID:2004
-
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe88⤵PID:2368
-
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe89⤵PID:2292
-
C:\Windows\SysWOW64\Mpbaebdd.exeC:\Windows\system32\Mpbaebdd.exe90⤵PID:2612
-
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe91⤵PID:2672
-
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe92⤵PID:2572
-
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe93⤵PID:1200
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe94⤵PID:2248
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe95⤵PID:1828
-
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe96⤵PID:1336
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe97⤵PID:2960
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe98⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe99⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe100⤵PID:1684
-
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe101⤵PID:1788
-
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe102⤵PID:1308
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe103⤵PID:920
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe104⤵PID:888
-
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe105⤵PID:872
-
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe106⤵PID:1588
-
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe107⤵PID:2640
-
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe108⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe109⤵PID:2240
-
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe110⤵PID:2236
-
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe111⤵PID:1744
-
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe112⤵PID:2272
-
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe113⤵PID:2108
-
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe114⤵PID:604
-
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe115⤵PID:1488
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe116⤵PID:1796
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe117⤵PID:2888
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe118⤵PID:1872
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe119⤵PID:1696
-
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe120⤵PID:2688
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe121⤵PID:2872
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-