Analysis
Max time kernel: 151s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20231023-en
Resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
Submitted: 23/10/2023, 22:43
Behavioral task behavioral1
Sample: NEAS.f214c8dc49c6480ede84a736732a7a40_JC.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: NEAS.f214c8dc49c6480ede84a736732a7a40_JC.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.f214c8dc49c6480ede84a736732a7a40_JC.exe
Size: 130KB
MD5: f214c8dc49c6480ede84a736732a7a40
SHA1: d4c72d7a18673a75ef2271290e9432d275c93537
SHA256: 4347c68b02121b8a0f919b201d69f48d81cb4956adc456eacc30bb55a509e136
SHA512: c5d3caebf2a2b9d28db2adf39060d0d48062c41c2860893eb4fb665dbc2c94b8cb8b468b606eaa58d8517f77d59299eb03e911d0b8d25c48d56e8383b24647fe
SSDEEP: 3072:2MWqat3iG22/BhHmiImXJ2fYdV46nfPyxWhj8NCM/4:2Hqc3iB4BhHmNEcYj9nhV8NCV
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 4692, pid_target 3508, Process WerFault.exe, procid_target 647
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.f214c8dc49c6480ede84a736732a7a40_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f214c8dc49c6480ede84a736732a7a40_JC.exe", depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1968
C:\Windows\SysWOW64\Fnkjhb32.exe (command line: C:\Windows\system32\Fnkjhb32.exe, depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2064
C:\Windows\SysWOW64\Gifhnpea.exe (command line: C:\Windows\system32\Gifhnpea.exe, depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2668
C:\Windows\SysWOW64\Gbomfe32.exe (command line: C:\Windows\system32\Gbomfe32.exe, depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2636
C:\Windows\SysWOW64\Gfmemc32.exe (command line: C:\Windows\system32\Gfmemc32.exe, depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2872
C:\Windows\SysWOW64\Gpejeihi.exe (command line: C:\Windows\system32\Gpejeihi.exe, depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2648
C:\Windows\SysWOW64\Hpgfki32.exe (command line: C:\Windows\system32\Hpgfki32.exe, depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2532
C:\Windows\SysWOW64\Hedocp32.exe (command line: C:\Windows\system32\Hedocp32.exe, depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2556
C:\Windows\SysWOW64\Hbhomd32.exe (command line: C:\Windows\system32\Hbhomd32.exe, depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2408
C:\Windows\SysWOW64\Hkcdafqb.exe (command line: C:\Windows\system32\Hkcdafqb.exe, depth 1)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 528
C:\Windows\SysWOW64\Hdlhjl32.exe (command line: C:\Windows\system32\Hdlhjl32.exe, depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1504
C:\Windows\SysWOW64\Habfipdj.exe (command line: C:\Windows\system32\Habfipdj.exe, depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2672
C:\Windows\SysWOW64\Illgimph.exe (command line: C:\Windows\system32\Illgimph.exe, depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1856
C:\Windows\SysWOW64\Igakgfpn.exe (command line: C:\Windows\system32\Igakgfpn.exe, depth 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 752
C:\Windows\SysWOW64\Ijbdha32.exe (command line: C:\Windows\system32\Ijbdha32.exe, depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2184
C:\Windows\SysWOW64\Ilqpdm32.exe (command line: C:\Windows\system32\Ilqpdm32.exe, depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2696
C:\Windows\SysWOW64\Ihgainbg.exe (command line: C:\Windows\system32\Ihgainbg.exe, depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1732
C:\Windows\SysWOW64\Ikhjki32.exe (command line: C:\Windows\system32\Ikhjki32.exe, depth 9)
- Executes dropped EXE
- Loads dropped DLL
PID: 1756
C:\Windows\SysWOW64\Jgojpjem.exe (command line: C:\Windows\system32\Jgojpjem.exe, depth 10)
- Executes dropped EXE
- Loads dropped DLL
PID: 2328
C:\Windows\SysWOW64\Jdbkjn32.exe (command line: C:\Windows\system32\Jdbkjn32.exe, depth 11)
- Executes dropped EXE
- Loads dropped DLL
PID: 3032
C:\Windows\SysWOW64\Jdehon32.exe (command line: C:\Windows\system32\Jdehon32.exe, depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1108
C:\Windows\SysWOW64\Jjbpgd32.exe (command line: C:\Windows\system32\Jjbpgd32.exe, depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1704
C:\Windows\SysWOW64\Jqlhdo32.exe (command line: C:\Windows\system32\Jqlhdo32.exe, depth 14)
- Executes dropped EXE
- Loads dropped DLL
PID: 956
C:\Windows\SysWOW64\Jfiale32.exe (command line: C:\Windows\system32\Jfiale32.exe, depth 15)
- Executes dropped EXE
- Loads dropped DLL
PID: 2284
C:\Windows\SysWOW64\Jqnejn32.exe (command line: C:\Windows\system32\Jqnejn32.exe, depth 16)
- Executes dropped EXE
- Loads dropped DLL
PID: 992
C:\Windows\SysWOW64\Jfknbe32.exe (command line: C:\Windows\system32\Jfknbe32.exe, depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID: 2148
C:\Windows\SysWOW64\Kiijnq32.exe (command line: C:\Windows\system32\Kiijnq32.exe, depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID: 1972
C:\Windows\SysWOW64\Kconkibf.exe (command line: C:\Windows\system32\Kconkibf.exe, depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID: 2348
C:\Windows\SysWOW64\Kilfcpqm.exe (command line: C:\Windows\system32\Kilfcpqm.exe, depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID: 1528
C:\Windows\SysWOW64\Kbdklf32.exe (command line: C:\Windows\system32\Kbdklf32.exe, depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID: 2968
C:\Windows\SysWOW64\Kmjojo32.exe (command line: C:\Windows\system32\Kmjojo32.exe, depth 22)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1592
C:\Windows\SysWOW64\Kbfhbeek.exe (command line: C:\Windows\system32\Kbfhbeek.exe, depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID: 1272
C:\Windows\SysWOW64\Kiqpop32.exe (command line: C:\Windows\system32\Kiqpop32.exe, depth 24)
- Executes dropped EXE
PID: 2200
C:\Windows\SysWOW64\Kbidgeci.exe (command line: C:\Windows\system32\Kbidgeci.exe, depth 25)
- Executes dropped EXE
PID: 2760
C:\Windows\SysWOW64\Kgemplap.exe (command line: C:\Windows\system32\Kgemplap.exe, depth 26)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2796
C:\Windows\SysWOW64\Leimip32.exe (command line: C:\Windows\system32\Leimip32.exe, depth 27)
- Executes dropped EXE
PID: 2604
C:\Windows\SysWOW64\Llcefjgf.exe (command line: C:\Windows\system32\Llcefjgf.exe, depth 28)
- Executes dropped EXE
PID: 2404
C:\Windows\SysWOW64\Lapnnafn.exe (command line: C:\Windows\system32\Lapnnafn.exe, depth 29)
- Executes dropped EXE
PID: 2588
C:\Windows\SysWOW64\Lgjfkk32.exe (command line: C:\Windows\system32\Lgjfkk32.exe, depth 30)
- Executes dropped EXE
PID: 2416
C:\Windows\SysWOW64\Lndohedg.exe (command line: C:\Windows\system32\Lndohedg.exe, depth 31)
- Executes dropped EXE
PID: 1960
C:\Windows\SysWOW64\Lphhenhc.exe (command line: C:\Windows\system32\Lphhenhc.exe, depth 32)
- Executes dropped EXE
- Modifies registry class
PID: 2156
C:\Windows\SysWOW64\Lmlhnagm.exe (command line: C:\Windows\system32\Lmlhnagm.exe, depth 33)
- Executes dropped EXE
- Drops file in System32 directory
PID: 324
C:\Windows\SysWOW64\Lbiqfied.exe (command line: C:\Windows\system32\Lbiqfied.exe, depth 34)
- Executes dropped EXE
PID: 524
C:\Windows\SysWOW64\Mmneda32.exe (command line: C:\Windows\system32\Mmneda32.exe, depth 35)
- Executes dropped EXE
PID: 2720
C:\Windows\SysWOW64\Mbkmlh32.exe (command line: C:\Windows\system32\Mbkmlh32.exe, depth 36)
- Executes dropped EXE
PID: 1656
C:\Windows\SysWOW64\Pfdabino.exe (command line: C:\Windows\system32\Pfdabino.exe, depth 37)
- Executes dropped EXE
PID: 1988
C:\Windows\SysWOW64\Blkioa32.exe (command line: C:\Windows\system32\Blkioa32.exe, depth 38)
- Executes dropped EXE
PID: 372
C:\Windows\SysWOW64\Behgcf32.exe (command line: C:\Windows\system32\Behgcf32.exe, depth 39)
- Executes dropped EXE
PID: 1596
C:\Windows\SysWOW64\Bjdplm32.exe (command line: C:\Windows\system32\Bjdplm32.exe, depth 40)
- Executes dropped EXE
PID: 1532
C:\Windows\SysWOW64\Bejdiffp.exe (command line: C:\Windows\system32\Bejdiffp.exe, depth 41)
- Executes dropped EXE
PID: 1456
C:\Windows\SysWOW64\Bkglameg.exe (command line: C:\Windows\system32\Bkglameg.exe, depth 42)
- Executes dropped EXE
PID: 1824
C:\Windows\SysWOW64\Baadng32.exe (command line: C:\Windows\system32\Baadng32.exe, depth 43)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2828
C:\Windows\SysWOW64\Ckiigmcd.exe (command line: C:\Windows\system32\Ckiigmcd.exe, depth 44)
- Executes dropped EXE
PID: 2252
C:\Windows\SysWOW64\Cdanpb32.exe (command line: C:\Windows\system32\Cdanpb32.exe, depth 45)
- Executes dropped EXE
PID: 440
C:\Windows\SysWOW64\Cinfhigl.exe (command line: C:\Windows\system32\Cinfhigl.exe, depth 46)
- Executes dropped EXE
PID: 1672
C:\Windows\SysWOW64\Cphndc32.exe (command line: C:\Windows\system32\Cphndc32.exe, depth 47)
- Executes dropped EXE
PID: 1344
C:\Windows\SysWOW64\Cgbfamff.exe (command line: C:\Windows\system32\Cgbfamff.exe, depth 48)
- Executes dropped EXE
PID: 1320
C:\Windows\SysWOW64\Conkepdq.exe (command line: C:\Windows\system32\Conkepdq.exe, depth 49)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 592
C:\Windows\SysWOW64\Cgdcgm32.exe (command line: C:\Windows\system32\Cgdcgm32.exe, depth 50)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 1716
C:\Windows\SysWOW64\Cpmhpbkc.exe (command line: C:\Windows\system32\Cpmhpbkc.exe, depth 51)
- Executes dropped EXE
PID: 2080
C:\Windows\SysWOW64\Cejphiik.exe (command line: C:\Windows\system32\Cejphiik.exe, depth 52)
- Executes dropped EXE
PID: 1524
C:\Windows\SysWOW64\Delmmigh.exe (command line: C:\Windows\system32\Delmmigh.exe, depth 53)
- Executes dropped EXE
PID: 2936
C:\Windows\SysWOW64\Dkiefp32.exe (command line: C:\Windows\system32\Dkiefp32.exe, depth 54)
PID: 2992
C:\Windows\SysWOW64\Deojci32.exe (command line: C:\Windows\system32\Deojci32.exe, depth 55)
- Executes dropped EXE
PID: 1780
C:\Windows\SysWOW64\Dkkbkp32.exe (command line: C:\Windows\system32\Dkkbkp32.exe, depth 56)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1760
C:\Windows\SysWOW64\Dphjcf32.exe (command line: C:\Windows\system32\Dphjcf32.exe, depth 57)
- Executes dropped EXE
PID: 2136
C:\Windows\SysWOW64\Dhobddbf.exe (command line: C:\Windows\system32\Dhobddbf.exe, depth 58)
PID: 2612
C:\Windows\SysWOW64\Dknoaoaj.exe (command line: C:\Windows\system32\Dknoaoaj.exe, depth 59)
PID: 2660
C:\Windows\SysWOW64\Ddfcje32.exe (command line: C:\Windows\system32\Ddfcje32.exe, depth 60)
PID: 2700
C:\Windows\SysWOW64\Dnnhbjnk.exe (command line: C:\Windows\system32\Dnnhbjnk.exe, depth 61)
PID: 2984
C:\Windows\SysWOW64\Ddhpod32.exe (command line: C:\Windows\system32\Ddhpod32.exe, depth 62)
PID: 552
C:\Windows\SysWOW64\Enqdhj32.exe (command line: C:\Windows\system32\Enqdhj32.exe, depth 63)
PID: 2964
C:\Windows\SysWOW64\Eobapbbg.exe (command line: C:\Windows\system32\Eobapbbg.exe, depth 64)
- Modifies registry class
PID: 724
C:\Windows\SysWOW64\Eqamje32.exe (command line: C:\Windows\system32\Eqamje32.exe, depth 65)
PID: 952
C:\Windows\SysWOW64\Elhnof32.exe (command line: C:\Windows\system32\Elhnof32.exe, depth 66)
PID: 312
C:\Windows\SysWOW64\Edccch32.exe (command line: C:\Windows\system32\Edccch32.exe, depth 67)
PID: 2216
C:\Windows\SysWOW64\Eoigpa32.exe (command line: C:\Windows\system32\Eoigpa32.exe, depth 68)
PID: 1388
C:\Windows\SysWOW64\Efcomkcl.exe (command line: C:\Windows\system32\Efcomkcl.exe, depth 69)
PID: 1992
C:\Windows\SysWOW64\Ehakigbo.exe (command line: C:\Windows\system32\Ehakigbo.exe, depth 70)
PID: 1564
C:\Windows\SysWOW64\Fokdfajl.exe (command line: C:\Windows\system32\Fokdfajl.exe, depth 71)
- Drops file in System32 directory
PID: 2956
C:\Windows\SysWOW64\Fidhof32.exe (command line: C:\Windows\system32\Fidhof32.exe, depth 72)
PID: 1100
C:\Windows\SysWOW64\Fblmglgm.exe (command line: C:\Windows\system32\Fblmglgm.exe, depth 73)
PID: 2276
C:\Windows\SysWOW64\Fqomci32.exe (command line: C:\Windows\system32\Fqomci32.exe, depth 74)
PID: 3048
C:\Windows\SysWOW64\Fgkbeb32.exe (command line: C:\Windows\system32\Fgkbeb32.exe, depth 75)
PID: 1396
C:\Windows\SysWOW64\Fnejbmko.exe (command line: C:\Windows\system32\Fnejbmko.exe, depth 76)
- Modifies registry class
PID: 1664
C:\Windows\SysWOW64\Fpffje32.exe (command line: C:\Windows\system32\Fpffje32.exe, depth 77)
PID: 1060
C:\Windows\SysWOW64\Fjlkgn32.exe (command line: C:\Windows\system32\Fjlkgn32.exe, depth 78)
PID: 2860
C:\Windows\SysWOW64\Gjngmmnp.exe (command line: C:\Windows\system32\Gjngmmnp.exe, depth 79)
PID: 2876
C:\Windows\SysWOW64\Gnpmfqap.exe (command line: C:\Windows\system32\Gnpmfqap.exe, depth 80)
- Drops file in System32 directory
PID: 876
C:\Windows\SysWOW64\Gifaciae.exe (command line: C:\Windows\system32\Gifaciae.exe, depth 81)
PID: 2128
C:\Windows\SysWOW64\Gnbjlpom.exe (command line: C:\Windows\system32\Gnbjlpom.exe, depth 82)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3020
C:\Windows\SysWOW64\Gihniioc.exe (command line: C:\Windows\system32\Gihniioc.exe, depth 83)
PID: 2792
C:\Windows\SysWOW64\Ghkndf32.exe (command line: C:\Windows\system32\Ghkndf32.exe, depth 84)
- Modifies registry class
PID: 2620
C:\Windows\SysWOW64\Gbqbaofc.exe (command line: C:\Windows\system32\Gbqbaofc.exe, depth 85)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2784
C:\Windows\SysWOW64\Ghmkjedk.exe (command line: C:\Windows\system32\Ghmkjedk.exe, depth 86)
- Drops file in System32 directory
PID: 2484
C:\Windows\SysWOW64\Gmjcblbb.exe (command line: C:\Windows\system32\Gmjcblbb.exe, depth 87)
- Drops file in System32 directory
PID: 2608
C:\Windows\SysWOW64\Hnjplo32.exe (command line: C:\Windows\system32\Hnjplo32.exe, depth 88)
- Modifies registry class
PID: 1500
C:\Windows\SysWOW64\Hdfhdfgl.exe (command line: C:\Windows\system32\Hdfhdfgl.exe, depth 89)
PID: 1496
C:\Windows\SysWOW64\Hicqmmfc.exe (command line: C:\Windows\system32\Hicqmmfc.exe, depth 90)
PID: 1384
C:\Windows\SysWOW64\Hbleeb32.exe (command line: C:\Windows\system32\Hbleeb32.exe, depth 91)
PID: 2232
C:\Windows\SysWOW64\Hjcmgp32.exe (command line: C:\Windows\system32\Hjcmgp32.exe, depth 92)
- Drops file in System32 directory
PID: 2032
C:\Windows\SysWOW64\Hldjnhce.exe (command line: C:\Windows\system32\Hldjnhce.exe, depth 93)
- Modifies registry class
PID: 2688
C:\Windows\SysWOW64\Hbnbkbja.exe (command line: C:\Windows\system32\Hbnbkbja.exe, depth 94)
PID: 1752
C:\Windows\SysWOW64\Helngnie.exe (command line: C:\Windows\system32\Helngnie.exe, depth 95)
PID: 2684
C:\Windows\SysWOW64\Hlffdh32.exe (command line: C:\Windows\system32\Hlffdh32.exe, depth 96)
PID: 2896
C:\Windows\SysWOW64\Ipdojfgh.exe (command line: C:\Windows\system32\Ipdojfgh.exe, depth 97)
PID: 1568
C:\Windows\SysWOW64\Iaelanmg.exe (command line: C:\Windows\system32\Iaelanmg.exe, depth 98)
PID: 1676
C:\Windows\SysWOW64\Iimcclni.exe (command line: C:\Windows\system32\Iimcclni.exe, depth 99)
PID: 924
C:\Windows\SysWOW64\Iknpkd32.exe (command line: C:\Windows\system32\Iknpkd32.exe, depth 100)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2996
C:\Windows\SysWOW64\Iahhgnkd.exe (command line: C:\Windows\system32\Iahhgnkd.exe, depth 101)
PID: 1156
C:\Windows\SysWOW64\Idfdcijh.exe (command line: C:\Windows\system32\Idfdcijh.exe, depth 102)
- Modifies registry class
PID: 2808
C:\Windows\SysWOW64\Ioliqbjn.exe (command line: C:\Windows\system32\Ioliqbjn.exe, depth 103)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2764
C:\Windows\SysWOW64\Iajemnia.exe (command line: C:\Windows\system32\Iajemnia.exe, depth 104)
PID: 2852
C:\Windows\SysWOW64\Iggned32.exe (command line: C:\Windows\system32\Iggned32.exe, depth 105)
- Drops file in System32 directory
PID: 2264
C:\Windows\SysWOW64\Inafbooe.exe (command line: C:\Windows\system32\Inafbooe.exe, depth 106)
PID: 1772
C:\Windows\SysWOW64\Igijkd32.exe (command line: C:\Windows\system32\Igijkd32.exe, depth 107)
PID: 880
C:\Windows\SysWOW64\Iihfgp32.exe (command line: C:\Windows\system32\Iihfgp32.exe, depth 108)
PID: 1348
C:\Windows\SysWOW64\Jcpkpe32.exe (command line: C:\Windows\system32\Jcpkpe32.exe, depth 109)
PID: 2552
C:\Windows\SysWOW64\Jjjclobg.exe (command line: C:\Windows\system32\Jjjclobg.exe, depth 110)
PID: 2220
C:\Windows\SysWOW64\Jpdkii32.exe (command line: C:\Windows\system32\Jpdkii32.exe, depth 111)
PID: 1300
C:\Windows\SysWOW64\Jcbhee32.exe (command line: C:\Windows\system32\Jcbhee32.exe, depth 112)
- Modifies registry class
PID: 1604
C:\Windows\SysWOW64\Jjmpbopd.exe (command line: C:\Windows\system32\Jjmpbopd.exe, depth 113)
PID: 300
C:\Windows\SysWOW64\Jfcqgpfi.exe (command line: C:\Windows\system32\Jfcqgpfi.exe, depth 114)
PID: 2816
C:\Windows\SysWOW64\Jolepe32.exe (command line: C:\Windows\system32\Jolepe32.exe, depth 115)
PID: 1328
C:\Windows\SysWOW64\Jajala32.exe (command line: C:\Windows\system32\Jajala32.exe, depth 116)
- Drops file in System32 directory
PID: 2904
C:\Windows\SysWOW64\Jlpeij32.exe (command line: C:\Windows\system32\Jlpeij32.exe, depth 117)
- Drops file in System32 directory
PID: 1392
C:\Windows\SysWOW64\Cpcnonob.exe (command line: C:\Windows\system32\Cpcnonob.exe, depth 118)
PID: 1632
C:\Windows\SysWOW64\Dmdnbecj.exe (command line: C:\Windows\system32\Dmdnbecj.exe, depth 119)
- Drops file in System32 directory
PID: 3000
C:\Windows\SysWOW64\Dmgkgeah.exe (command line: C:\Windows\system32\Dmgkgeah.exe, depth 120)
PID: 2884
C:\Windows\SysWOW64\Dhplhc32.exe (command line: C:\Windows\system32\Dhplhc32.exe, depth 121)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2452
C:\Windows\SysWOW64\Dpgcip32.exe (command line: C:\Windows\system32\Dpgcip32.exe, depth 122)
PID: 2652