Analysis
-
max time kernel
140s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2023 08:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
NEAS.199baa3fad8e3dd1f977e0e846bc3484_JC.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.199baa3fad8e3dd1f977e0e846bc3484_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.199baa3fad8e3dd1f977e0e846bc3484_JC.exe
-
Size
80KB
-
MD5
199baa3fad8e3dd1f977e0e846bc3484
-
SHA1
73a05e4624f9d406289ec42065ea5a2e52f625e8
-
SHA256
1c03373288fdca52b748ab6095c23050c224b171648b736df4e30bb4a69116a3
-
SHA512
48bc207152a7bf0bd2cb9421ea72e519853d9f51bc46fdb0d724892964a7790ca1a87c3b3cb83353a919bfd2f1833b6f48baced704884e02cbdad17b5da638d8
-
SSDEEP
1536:O+whVCvYnaz5J3gby/G7FuqTw5QkjeQA5YMkhohBE8VGh:OsAaz5J9/M8qTw5cQsUAEQGh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjaiac32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idpdfija.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoenbkll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgphje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpglqgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdhigk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkqpcnig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlqloo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmbmiag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddpjjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqpeaeel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjipmoai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmjkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojqcnhkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namnmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfoac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgdhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obfhmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdalkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmjkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gehice32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpljdjnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcopke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nomlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aocmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bichcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcqlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhjpceko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqalfgll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdjfmjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmegkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mglhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqimikfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdkfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhkjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffahnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaibhj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfldf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmbjcljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ligglo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgihh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaeegjeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdjeklfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnnnjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpljdjnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khkdad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpgoolbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljpgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgalc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejennd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfmhjb32.exe -
Executes dropped EXE 64 IoCs
pid Process 4652 Gbfldf32.exe 1304 Hmlpaoaj.exe 4984 Hlambk32.exe 2980 Hgfapd32.exe 3976 Hdjbiheb.exe 4836 Hlegnjbm.exe 2064 Hgkkkcbc.exe 2384 Icdheded.exe 3460 Injmcmej.exe 1984 Igbalblk.exe 4572 Iloidijb.exe 3204 Igdnabjh.exe 400 Innfnl32.exe 1592 Idhnkf32.exe 1852 Ilccoh32.exe 3124 Jkgpbp32.exe 2520 Jpdhkf32.exe 1576 Jlkipgpe.exe 4748 Jgpmmp32.exe 2324 Eiloco32.exe 4048 Efgemb32.exe 4552 Gnqfcbnj.exe 1380 Hmmfmhll.exe 2460 Hoobdp32.exe 2608 Hmpcbhji.exe 2368 Hoaojp32.exe 1432 Hifcgion.exe 4632 Hpqldc32.exe 2160 Hmdlmg32.exe 4244 Ibaeen32.exe 4592 Iikmbh32.exe 4176 Ibcaknbi.exe 2412 Imiehfao.exe 220 Ibfnqmpf.exe 912 Iipfmggc.exe 4436 Ipjoja32.exe 1364 Igdgglfl.exe 4812 Imnocf32.exe 2400 Ioolkncg.exe 2684 Kckqbj32.exe 1700 Kjeiodek.exe 1100 Kcmmhj32.exe 2392 Kjgeedch.exe 3636 Kodnmkap.exe 4776 Kjjbjd32.exe 4792 Kpcjgnhb.exe 3428 Kjlopc32.exe 3380 Lpfgmnfp.exe 3208 Lfjfecno.exe 3796 Lnangaoa.exe 812 Lgibpf32.exe 2808 Lncjlq32.exe 2404 Modgdicm.exe 3084 Mnegbp32.exe 3196 Mqdcnl32.exe 3040 Mjlhgaqp.exe 4768 Mcelpggq.exe 4212 Mjodla32.exe 3716 Mqimikfj.exe 2848 Mjaabq32.exe 4648 Mfhbga32.exe 1792 Nmbjcljl.exe 1228 Nggnadib.exe 4848 Njfkmphe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nkghqo32.exe Npadcfnl.exe File created C:\Windows\SysWOW64\Qbdclc32.dll Oaeegjeb.exe File opened for modification C:\Windows\SysWOW64\Ocbdni32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Odgqopeb.exe Obidcdfo.exe File created C:\Windows\SysWOW64\Hikkdc32.exe Hadcce32.exe File created C:\Windows\SysWOW64\Jqpiiffa.dll Hkggfe32.exe File opened for modification C:\Windows\SysWOW64\Inflio32.exe Ildpbfmf.exe File created C:\Windows\SysWOW64\Cmkehicj.exe Cjlilndf.exe File opened for modification C:\Windows\SysWOW64\Dllmoj32.exe Dfphmp32.exe File created C:\Windows\SysWOW64\Pacahhib.exe Plfipakk.exe File opened for modification C:\Windows\SysWOW64\Injmcmej.exe Icdheded.exe File created C:\Windows\SysWOW64\Ppgomnai.exe Pfojdh32.exe File created C:\Windows\SysWOW64\Odedipge.exe Obfhmd32.exe File created C:\Windows\SysWOW64\Bdnkhn32.exe Bndblcdq.exe File created C:\Windows\SysWOW64\Mbccpfai.dll Gaccbaeq.exe File created C:\Windows\SysWOW64\Cnkjaaqb.dll Gdkbdllj.exe File created C:\Windows\SysWOW64\Enomic32.exe Egeemiml.exe File opened for modification C:\Windows\SysWOW64\Qgalelin.exe Qagdia32.exe File created C:\Windows\SysWOW64\Bhaeli32.exe Process not Found File created C:\Windows\SysWOW64\Lmqiag32.dll Lacihleo.exe File created C:\Windows\SysWOW64\Lifqbi32.exe Process not Found File created C:\Windows\SysWOW64\Nmjfodne.exe Nfqnbjfi.exe File created C:\Windows\SysWOW64\Gdadcp32.dll Pblhalfm.exe File created C:\Windows\SysWOW64\Pkoldl32.exe Peddhb32.exe File created C:\Windows\SysWOW64\Lmchfocl.dll Process not Found File created C:\Windows\SysWOW64\Bqdlmo32.exe Bnfoac32.exe File created C:\Windows\SysWOW64\Ifdgaond.exe Hdaajd32.exe File created C:\Windows\SysWOW64\Aoenbkll.exe Ahkffqdo.exe File created C:\Windows\SysWOW64\Fghcqq32.exe Fbhnec32.exe File opened for modification C:\Windows\SysWOW64\Ieiajckh.exe Ikcmmjkb.exe File opened for modification C:\Windows\SysWOW64\Ofadlbhj.exe Opgloh32.exe File opened for modification C:\Windows\SysWOW64\Gmhogppb.exe Process not Found File created C:\Windows\SysWOW64\Eiaofa32.dll Ankgpk32.exe File created C:\Windows\SysWOW64\Ojcidelf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pmjhlklg.exe Pfppoa32.exe File opened for modification C:\Windows\SysWOW64\Cgnmpbec.exe Bdpqcg32.exe File created C:\Windows\SysWOW64\Lpmfnj32.exe Libnapmg.exe File created C:\Windows\SysWOW64\Lgiibc32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bagmpoco.exe Process not Found File created C:\Windows\SysWOW64\Hlambk32.exe Hmlpaoaj.exe File opened for modification C:\Windows\SysWOW64\Ikcmmjkb.exe Iefedcmk.exe File opened for modification C:\Windows\SysWOW64\Cikkga32.exe Cadcfd32.exe File opened for modification C:\Windows\SysWOW64\Mqdcnl32.exe Mnegbp32.exe File opened for modification C:\Windows\SysWOW64\Pbgqdb32.exe Poidhg32.exe File opened for modification C:\Windows\SysWOW64\Lnanadfi.exe Lggeej32.exe File opened for modification C:\Windows\SysWOW64\Pelacg32.exe Pbndgl32.exe File created C:\Windows\SysWOW64\Neebkkgi.exe Nnkioq32.exe File created C:\Windows\SysWOW64\Flekgd32.dll Nconfh32.exe File opened for modification C:\Windows\SysWOW64\Fhbbmc32.exe Ebejem32.exe File created C:\Windows\SysWOW64\Hodioegj.dll Bmhibi32.exe File created C:\Windows\SysWOW64\Plgpjhnf.exe Pihdnloc.exe File created C:\Windows\SysWOW64\Caakehij.dll Ggoaje32.exe File created C:\Windows\SysWOW64\Bepjbf32.dll Nfihbk32.exe File opened for modification C:\Windows\SysWOW64\Dkokbn32.exe Dqigee32.exe File opened for modification C:\Windows\SysWOW64\Nlcidopb.exe Ndlacapp.exe File created C:\Windows\SysWOW64\Agdghm32.dll Bblcfo32.exe File created C:\Windows\SysWOW64\Flgadake.exe Femigg32.exe File created C:\Windows\SysWOW64\Gdqgfbop.exe Process not Found File created C:\Windows\SysWOW64\Mkfoeejd.dll Oaplqh32.exe File created C:\Windows\SysWOW64\Fcldac32.dll Gajpmg32.exe File created C:\Windows\SysWOW64\Chebcmna.exe Cchikf32.exe File created C:\Windows\SysWOW64\Dafmjm32.dll Imiehfao.exe File opened for modification C:\Windows\SysWOW64\Mojopk32.exe Mhpgca32.exe File opened for modification C:\Windows\SysWOW64\Piikhc32.exe Pdlbpldg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11064 2596 Process not Found 1299 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendcmjg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmklqblp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idfilp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggapj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkhpogij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgeiokao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonnge32.dll" Flcndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biaebpbi.dll" Idmhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgpbknd.dll" Piepnfnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcccom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchlb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jginej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbghpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjinjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ponfed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajbegg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgibp32.dll" Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjofambd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eepbabjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmeikl32.dll" Fckhnaab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdfphnn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mojopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niadfpcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqfeag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqgjoenq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgnolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmjinjnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oagbljcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpcdof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cicjokll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfmhjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgeiokao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll" Khfkfedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieonn32.dll" Pmeoqlpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glmqjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbokab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgaifgon.dll" Bjhpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjjmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdhdbhl.dll" Obgeqcnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Offeahhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpikao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfedfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnemc32.dll" Mknjgajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhlkj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odbgdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okailj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhgjcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kingpj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meadlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiajck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpmobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpnfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll" Jpgdai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll" Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhiglji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phmjdbpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahnae32.dll" Aaoadg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfoece32.dll" Elagjihh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fifhbf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1152 wrote to memory of 4652 1152 NEAS.199baa3fad8e3dd1f977e0e846bc3484_JC.exe 86 PID 1152 wrote to memory of 4652 1152 NEAS.199baa3fad8e3dd1f977e0e846bc3484_JC.exe 86 PID 1152 wrote to memory of 4652 1152 NEAS.199baa3fad8e3dd1f977e0e846bc3484_JC.exe 86 PID 4652 wrote to memory of 1304 4652 Gbfldf32.exe 88 PID 4652 wrote to memory of 1304 4652 Gbfldf32.exe 88 PID 4652 wrote to memory of 1304 4652 Gbfldf32.exe 88 PID 1304 wrote to memory of 4984 1304 Hmlpaoaj.exe 87 PID 1304 wrote to memory of 4984 1304 Hmlpaoaj.exe 87 PID 1304 wrote to memory of 4984 1304 Hmlpaoaj.exe 87 PID 4984 wrote to memory of 2980 4984 Hlambk32.exe 89 PID 4984 wrote to memory of 2980 4984 Hlambk32.exe 89 PID 4984 wrote to memory of 2980 4984 Hlambk32.exe 89 PID 2980 wrote to memory of 3976 2980 Hgfapd32.exe 91 PID 2980 wrote to memory of 3976 2980 Hgfapd32.exe 91 PID 2980 wrote to memory of 3976 2980 Hgfapd32.exe 91 PID 3976 wrote to memory of 4836 3976 Hdjbiheb.exe 92 PID 3976 wrote to memory of 4836 3976 Hdjbiheb.exe 92 PID 3976 wrote to memory of 4836 3976 Hdjbiheb.exe 92 PID 4836 wrote to memory of 2064 4836 Hlegnjbm.exe 93 PID 4836 wrote to memory of 2064 4836 Hlegnjbm.exe 93 PID 4836 wrote to memory of 2064 4836 Hlegnjbm.exe 93 PID 2064 wrote to memory of 2384 2064 Hgkkkcbc.exe 94 PID 2064 wrote to memory of 2384 2064 Hgkkkcbc.exe 94 PID 2064 wrote to memory of 2384 2064 Hgkkkcbc.exe 94 PID 2384 wrote to memory of 3460 2384 Icdheded.exe 95 PID 2384 wrote to memory of 3460 2384 Icdheded.exe 95 PID 2384 wrote to memory of 3460 2384 Icdheded.exe 95 PID 3460 wrote to memory of 1984 3460 Injmcmej.exe 96 PID 3460 wrote to memory of 1984 3460 Injmcmej.exe 96 PID 3460 wrote to memory of 1984 3460 Injmcmej.exe 96 PID 1984 wrote to memory of 4572 1984 Igbalblk.exe 97 PID 1984 wrote to memory of 4572 1984 Igbalblk.exe 97 PID 1984 wrote to memory of 4572 1984 Igbalblk.exe 97 PID 4572 wrote to memory of 3204 4572 Iloidijb.exe 98 PID 4572 wrote to memory of 3204 4572 Iloidijb.exe 98 PID 4572 wrote to memory of 3204 4572 Iloidijb.exe 98 PID 3204 wrote to memory of 400 3204 Igdnabjh.exe 99 PID 3204 wrote to memory of 400 3204 Igdnabjh.exe 99 PID 3204 wrote to memory of 400 3204 Igdnabjh.exe 99 PID 400 wrote to memory of 1592 400 Innfnl32.exe 100 PID 400 wrote to memory of 1592 400 Innfnl32.exe 100 PID 400 wrote to memory of 1592 400 Innfnl32.exe 100 PID 1592 wrote to memory of 1852 1592 Idhnkf32.exe 101 PID 1592 wrote to memory of 1852 1592 Idhnkf32.exe 101 PID 1592 wrote to memory of 1852 1592 Idhnkf32.exe 101 PID 1852 wrote to memory of 3124 1852 Ilccoh32.exe 102 PID 1852 wrote to memory of 3124 1852 Ilccoh32.exe 102 PID 1852 wrote to memory of 3124 1852 Ilccoh32.exe 102 PID 3124 wrote to memory of 2520 3124 Jkgpbp32.exe 103 PID 3124 wrote to memory of 2520 3124 Jkgpbp32.exe 103 PID 3124 wrote to memory of 2520 3124 Jkgpbp32.exe 103 PID 2520 wrote to memory of 1576 2520 Jpdhkf32.exe 104 PID 2520 wrote to memory of 1576 2520 Jpdhkf32.exe 104 PID 2520 wrote to memory of 1576 2520 Jpdhkf32.exe 104 PID 1576 wrote to memory of 4748 1576 Jlkipgpe.exe 106 PID 1576 wrote to memory of 4748 1576 Jlkipgpe.exe 106 PID 1576 wrote to memory of 4748 1576 Jlkipgpe.exe 106 PID 4748 wrote to memory of 2324 4748 Jgpmmp32.exe 108 PID 4748 wrote to memory of 2324 4748 Jgpmmp32.exe 108 PID 4748 wrote to memory of 2324 4748 Jgpmmp32.exe 108 PID 2324 wrote to memory of 4048 2324 Eiloco32.exe 109 PID 2324 wrote to memory of 4048 2324 Eiloco32.exe 109 PID 2324 wrote to memory of 4048 2324 Eiloco32.exe 109 PID 4048 wrote to memory of 4552 4048 Efgemb32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.199baa3fad8e3dd1f977e0e846bc3484_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.199baa3fad8e3dd1f977e0e846bc3484_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1304
-
-
-
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\Hlegnjbm.exeC:\Windows\system32\Hlegnjbm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe20⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Hmmfmhll.exeC:\Windows\system32\Hmmfmhll.exe21⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Hoobdp32.exeC:\Windows\system32\Hoobdp32.exe22⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Hmpcbhji.exeC:\Windows\system32\Hmpcbhji.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Hoaojp32.exeC:\Windows\system32\Hoaojp32.exe24⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe25⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe26⤵
- Executes dropped EXE
PID:4632 -
C:\Windows\SysWOW64\Hmdlmg32.exeC:\Windows\system32\Hmdlmg32.exe27⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe28⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe29⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe30⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\Imiehfao.exeC:\Windows\system32\Imiehfao.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe32⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Iipfmggc.exeC:\Windows\system32\Iipfmggc.exe33⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Ipjoja32.exeC:\Windows\system32\Ipjoja32.exe34⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe35⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe36⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe37⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe38⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe39⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Kcmmhj32.exeC:\Windows\system32\Kcmmhj32.exe40⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Kjgeedch.exeC:\Windows\system32\Kjgeedch.exe41⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Kodnmkap.exeC:\Windows\system32\Kodnmkap.exe42⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Kjjbjd32.exeC:\Windows\system32\Kjjbjd32.exe43⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe44⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe45⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe46⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Lfjfecno.exeC:\Windows\system32\Lfjfecno.exe47⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe48⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe49⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Lncjlq32.exeC:\Windows\system32\Lncjlq32.exe50⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe51⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mnegbp32.exeC:\Windows\system32\Mnegbp32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3084 -
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe53⤵
- Executes dropped EXE
PID:3196 -
C:\Windows\SysWOW64\Mjlhgaqp.exeC:\Windows\system32\Mjlhgaqp.exe54⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Mcelpggq.exeC:\Windows\system32\Mcelpggq.exe55⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Mjodla32.exeC:\Windows\system32\Mjodla32.exe56⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Mjaabq32.exeC:\Windows\system32\Mjaabq32.exe58⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe59⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Nmbjcljl.exeC:\Windows\system32\Nmbjcljl.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Nggnadib.exeC:\Windows\system32\Nggnadib.exe61⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe62⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe63⤵PID:4448
-
C:\Windows\SysWOW64\Nflkbanj.exeC:\Windows\system32\Nflkbanj.exe64⤵PID:1504
-
C:\Windows\SysWOW64\Nmfcok32.exeC:\Windows\system32\Nmfcok32.exe65⤵PID:2372
-
C:\Windows\SysWOW64\Ncqlkemc.exeC:\Windows\system32\Ncqlkemc.exe66⤵PID:3956
-
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe68⤵PID:1320
-
C:\Windows\SysWOW64\Ncchae32.exeC:\Windows\system32\Ncchae32.exe69⤵PID:3132
-
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe70⤵PID:5132
-
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe71⤵PID:5180
-
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe72⤵PID:5220
-
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe73⤵PID:5260
-
C:\Windows\SysWOW64\Offnhpfo.exeC:\Windows\system32\Offnhpfo.exe74⤵PID:5308
-
C:\Windows\SysWOW64\Oakbehfe.exeC:\Windows\system32\Oakbehfe.exe75⤵PID:5352
-
C:\Windows\SysWOW64\Ocjoadei.exeC:\Windows\system32\Ocjoadei.exe76⤵PID:5388
-
C:\Windows\SysWOW64\Ofhknodl.exeC:\Windows\system32\Ofhknodl.exe77⤵PID:5432
-
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe78⤵PID:5472
-
C:\Windows\SysWOW64\Oclkgccf.exeC:\Windows\system32\Oclkgccf.exe79⤵PID:5520
-
C:\Windows\SysWOW64\Onapdl32.exeC:\Windows\system32\Onapdl32.exe80⤵PID:5576
-
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe81⤵
- Drops file in System32 directory
PID:5616 -
C:\Windows\SysWOW64\Ojhpimhp.exeC:\Windows\system32\Ojhpimhp.exe82⤵PID:5664
-
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe83⤵PID:5712
-
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe84⤵PID:5760
-
C:\Windows\SysWOW64\Pnfiplog.exeC:\Windows\system32\Pnfiplog.exe85⤵PID:5804
-
C:\Windows\SysWOW64\Pccahbmn.exeC:\Windows\system32\Pccahbmn.exe86⤵PID:5848
-
C:\Windows\SysWOW64\Pjmjdm32.exeC:\Windows\system32\Pjmjdm32.exe87⤵
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Pmlfqh32.exeC:\Windows\system32\Pmlfqh32.exe88⤵PID:5972
-
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe89⤵PID:6020
-
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe90⤵PID:6064
-
C:\Windows\SysWOW64\Ipbaol32.exeC:\Windows\system32\Ipbaol32.exe91⤵PID:6108
-
C:\Windows\SysWOW64\Ihmfco32.exeC:\Windows\system32\Ihmfco32.exe92⤵PID:5172
-
C:\Windows\SysWOW64\Iefphb32.exeC:\Windows\system32\Iefphb32.exe93⤵PID:5240
-
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe94⤵PID:5280
-
C:\Windows\SysWOW64\Ibjqaf32.exeC:\Windows\system32\Ibjqaf32.exe95⤵PID:5380
-
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe96⤵PID:5460
-
C:\Windows\SysWOW64\Jblmgf32.exeC:\Windows\system32\Jblmgf32.exe97⤵PID:5536
-
C:\Windows\SysWOW64\Jifecp32.exeC:\Windows\system32\Jifecp32.exe98⤵PID:5608
-
C:\Windows\SysWOW64\Jldbpl32.exeC:\Windows\system32\Jldbpl32.exe99⤵PID:5704
-
C:\Windows\SysWOW64\Jbojlfdp.exeC:\Windows\system32\Jbojlfdp.exe100⤵PID:5744
-
C:\Windows\SysWOW64\Jihbip32.exeC:\Windows\system32\Jihbip32.exe101⤵PID:5832
-
C:\Windows\SysWOW64\Jadgnb32.exeC:\Windows\system32\Jadgnb32.exe102⤵PID:5884
-
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe103⤵PID:4808
-
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe104⤵PID:5072
-
C:\Windows\SysWOW64\Jimldogg.exeC:\Windows\system32\Jimldogg.exe105⤵PID:5924
-
C:\Windows\SysWOW64\Jpgdai32.exeC:\Windows\system32\Jpgdai32.exe106⤵
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Klndfj32.exeC:\Windows\system32\Klndfj32.exe107⤵PID:6060
-
C:\Windows\SysWOW64\Kibeoo32.exeC:\Windows\system32\Kibeoo32.exe108⤵PID:6104
-
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe109⤵PID:5212
-
C:\Windows\SysWOW64\Kcjjhdjb.exeC:\Windows\system32\Kcjjhdjb.exe110⤵PID:5336
-
C:\Windows\SysWOW64\Kpnjah32.exeC:\Windows\system32\Kpnjah32.exe111⤵PID:5448
-
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe112⤵PID:5592
-
C:\Windows\SysWOW64\Kcoccc32.exeC:\Windows\system32\Kcoccc32.exe113⤵PID:5648
-
C:\Windows\SysWOW64\Kiikpnmj.exeC:\Windows\system32\Kiikpnmj.exe114⤵PID:832
-
C:\Windows\SysWOW64\Likhem32.exeC:\Windows\system32\Likhem32.exe115⤵PID:5860
-
C:\Windows\SysWOW64\Lcclncbh.exeC:\Windows\system32\Lcclncbh.exe116⤵PID:3164
-
C:\Windows\SysWOW64\Lojmcdgl.exeC:\Windows\system32\Lojmcdgl.exe117⤵PID:5932
-
C:\Windows\SysWOW64\Ledepn32.exeC:\Windows\system32\Ledepn32.exe118⤵PID:6028
-
C:\Windows\SysWOW64\Lomjicei.exeC:\Windows\system32\Lomjicei.exe119⤵PID:6140
-
C:\Windows\SysWOW64\Ljbnfleo.exeC:\Windows\system32\Ljbnfleo.exe120⤵PID:5304
-
C:\Windows\SysWOW64\Lplfcf32.exeC:\Windows\system32\Lplfcf32.exe121⤵PID:5480
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-