Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
31-10-2023 22:36
Behavioral task
behavioral1
Sample
NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe
-
Size
143KB
-
MD5
f8dca8f94af44bc9be469b5e21efd450
-
SHA1
b5a74642c68db3ee0c83e16c2b68561daec53656
-
SHA256
316d18e0be3d968056f38728dcc34c31b94a593cae05731e1ab1e39b0df9c477
-
SHA512
5a570274ce0706ddbf1e267b750842b8d1951dd025722405c84e59ce2c4e05ac6ab613ccfba3fd65e56b0797b1769e48979032978867aec0e9e33a5e993fefdd
-
SSDEEP
1536:8PsT0ct7sCaEjEzAKzi7yLLUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:msT0esCjs4Ov3N93bsGfhv0vt3y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjnhnbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmcijcbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjoifb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhgip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhplhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hebdfind.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmgclfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fofpoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpelnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcoeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjcec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogqaehak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagnlkjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkfclo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqkobqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciifbchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aflfjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmmpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgoopkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boidnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddimn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnhng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgbhbgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjipenda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omkjbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aflfjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddpobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocnbmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhkjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caaggpdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcadghnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgnamk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becpap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcpgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgkii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdneebf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcnejk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciifbchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjfgqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikgkei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgoopkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpiqmlfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhilkege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdnjkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpbdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhjhi32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1752-0-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0009000000012024-5.dat family_berbew behavioral1/files/0x0009000000012024-7.dat family_berbew behavioral1/files/0x00090000000146a0-14.dat family_berbew behavioral1/files/0x0009000000012024-13.dat family_berbew behavioral1/files/0x00090000000146a0-18.dat family_berbew behavioral1/files/0x0009000000012024-8.dat family_berbew behavioral1/files/0x0009000000012024-12.dat family_berbew behavioral1/files/0x0007000000014b59-35.dat family_berbew behavioral1/files/0x0007000000014b59-34.dat family_berbew behavioral1/files/0x0007000000014b59-32.dat family_berbew behavioral1/memory/2052-24-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00090000000146a0-20.dat family_berbew behavioral1/memory/2276-44-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0007000000014c0a-40.dat family_berbew behavioral1/files/0x0007000000014b59-39.dat family_berbew behavioral1/memory/2104-31-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x00090000000146a0-26.dat family_berbew behavioral1/files/0x00090000000146a0-25.dat family_berbew behavioral1/files/0x0007000000014b59-38.dat family_berbew behavioral1/files/0x0007000000014c0a-51.dat family_berbew behavioral1/memory/2912-57-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0007000000014c0a-52.dat family_berbew behavioral1/files/0x0007000000014c0a-47.dat family_berbew behavioral1/files/0x0007000000014c0a-45.dat family_berbew behavioral1/files/0x0009000000015561-64.dat family_berbew behavioral1/files/0x0009000000015561-66.dat family_berbew behavioral1/files/0x0009000000015561-61.dat family_berbew behavioral1/files/0x0009000000015561-60.dat family_berbew behavioral1/files/0x0009000000015561-58.dat family_berbew behavioral1/memory/2928-65-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x000600000001561b-71.dat family_berbew behavioral1/files/0x000600000001561b-73.dat family_berbew behavioral1/files/0x000600000001561b-80.dat family_berbew behavioral1/memory/2928-79-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x000600000001561b-78.dat family_berbew behavioral1/memory/2928-75-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x000600000001561b-74.dat family_berbew behavioral1/files/0x0006000000015c14-85.dat family_berbew behavioral1/files/0x0006000000015c14-92.dat family_berbew behavioral1/files/0x0006000000015c14-89.dat family_berbew behavioral1/files/0x0006000000015c14-88.dat family_berbew behavioral1/memory/2164-87-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x0006000000015c41-98.dat family_berbew behavioral1/files/0x0006000000015c14-93.dat family_berbew behavioral1/memory/2512-107-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000015c41-106.dat family_berbew behavioral1/memory/1208-119-0x0000000000400000-0x0000000000440000-memory.dmp family_berbew behavioral1/files/0x0006000000015c63-118.dat family_berbew behavioral1/files/0x0006000000015c63-115.dat family_berbew behavioral1/files/0x0006000000015c63-114.dat family_berbew behavioral1/files/0x0006000000015c63-112.dat family_berbew behavioral1/files/0x0006000000015c41-105.dat family_berbew behavioral1/files/0x0006000000015c41-104.dat family_berbew behavioral1/files/0x0006000000015c41-101.dat family_berbew behavioral1/memory/2608-100-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x0006000000015c63-120.dat family_berbew behavioral1/files/0x0006000000015c8b-125.dat family_berbew behavioral1/files/0x0006000000015c8b-127.dat family_berbew behavioral1/files/0x0006000000015c8b-128.dat family_berbew behavioral1/memory/1208-131-0x0000000000220000-0x0000000000260000-memory.dmp family_berbew behavioral1/files/0x0006000000015c8b-132.dat family_berbew behavioral1/files/0x0006000000015ca2-142.dat family_berbew behavioral1/files/0x0006000000015ca2-141.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2052 Ifcbodli.exe 2104 Iokfhi32.exe 2276 Iggkllpe.exe 2912 Ijeghgoh.exe 2928 Idklfpon.exe 2164 Iqalka32.exe 2608 Jgnamk32.exe 2512 Jbgbni32.exe 1208 Jiakjb32.exe 1220 Jkbcln32.exe 2824 Jkdpanhg.exe 1512 Jbnhng32.exe 2884 Kkgmgmfd.exe 2180 Kneicieh.exe 688 Kcbakpdo.exe 592 Kmjfdejp.exe 1872 Kahojc32.exe 436 Kgbggnhc.exe 2552 Kaklpcoc.exe 868 Kcihlong.exe 1356 Lbnemk32.exe 2012 Lmcijcbe.exe 564 Lbqabkql.exe 2436 Lkncmmle.exe 980 Mmahdggc.exe 872 Mppepcfg.exe 2124 Mdmmfa32.exe 2216 Mmfbogcn.exe 2108 Mimbdhhb.exe 2480 Mgqcmlgl.exe 2600 Najdnj32.exe 2748 Nlphkb32.exe 2936 Noqamn32.exe 2520 Naoniipe.exe 2668 Nocnbmoo.exe 1884 Nnennj32.exe 2516 Nhkbkc32.exe 672 Nkiogn32.exe 2660 Npfgpe32.exe 2952 Ojcecjee.exe 1368 Oqmmpd32.exe 2868 Oclilp32.exe 1740 Omdneebf.exe 1084 Okgnab32.exe 2004 Oikojfgk.exe 1592 Ooeggp32.exe 1360 Pfoocjfd.exe 1324 Pklhlael.exe 932 Kicmdo32.exe 1132 Lapnnafn.exe 2320 Ljibgg32.exe 880 Hpbbdfik.exe 1608 Ippbnjni.exe 2676 Ikefkcmo.exe 2896 Iihfgp32.exe 2696 Ipbocjlg.exe 2616 Idmkdh32.exe 2944 Jkgcab32.exe 2760 Jolepe32.exe 1064 Jfemlpdf.exe 1044 Jlpeij32.exe 2840 Jblnaq32.exe 2864 Jhffnk32.exe 292 Kncofa32.exe -
Loads dropped DLL 64 IoCs
pid Process 1752 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 1752 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 2052 Ifcbodli.exe 2052 Ifcbodli.exe 2104 Iokfhi32.exe 2104 Iokfhi32.exe 2276 Iggkllpe.exe 2276 Iggkllpe.exe 2912 Ijeghgoh.exe 2912 Ijeghgoh.exe 2928 Idklfpon.exe 2928 Idklfpon.exe 2164 Iqalka32.exe 2164 Iqalka32.exe 2608 Jgnamk32.exe 2608 Jgnamk32.exe 2512 Jbgbni32.exe 2512 Jbgbni32.exe 1208 Jiakjb32.exe 1208 Jiakjb32.exe 1220 Jkbcln32.exe 1220 Jkbcln32.exe 2824 Jkdpanhg.exe 2824 Jkdpanhg.exe 1512 Jbnhng32.exe 1512 Jbnhng32.exe 2884 Kkgmgmfd.exe 2884 Kkgmgmfd.exe 2180 Kneicieh.exe 2180 Kneicieh.exe 688 Kcbakpdo.exe 688 Kcbakpdo.exe 592 Kmjfdejp.exe 592 Kmjfdejp.exe 1872 Kahojc32.exe 1872 Kahojc32.exe 436 Kgbggnhc.exe 436 Kgbggnhc.exe 2552 Kaklpcoc.exe 2552 Kaklpcoc.exe 868 Kcihlong.exe 868 Kcihlong.exe 1356 Lbnemk32.exe 1356 Lbnemk32.exe 2012 Lmcijcbe.exe 2012 Lmcijcbe.exe 564 Lbqabkql.exe 564 Lbqabkql.exe 2436 Lkncmmle.exe 2436 Lkncmmle.exe 980 Mmahdggc.exe 980 Mmahdggc.exe 872 Mppepcfg.exe 872 Mppepcfg.exe 2124 Mdmmfa32.exe 2124 Mdmmfa32.exe 2216 Mmfbogcn.exe 2216 Mmfbogcn.exe 2108 Mimbdhhb.exe 2108 Mimbdhhb.exe 2480 Mgqcmlgl.exe 2480 Mgqcmlgl.exe 2600 Najdnj32.exe 2600 Najdnj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nlhjhi32.exe Nijnln32.exe File opened for modification C:\Windows\SysWOW64\Bkpeci32.exe Biaign32.exe File created C:\Windows\SysWOW64\Mdkmeh32.dll Ifcbodli.exe File created C:\Windows\SysWOW64\Fljdpbcc.dll Naoniipe.exe File opened for modification C:\Windows\SysWOW64\Ohhmcinf.exe Opaebkmc.exe File created C:\Windows\SysWOW64\Cgnnab32.exe Cmhjdiap.exe File opened for modification C:\Windows\SysWOW64\Akqpom32.exe Aibcba32.exe File opened for modification C:\Windows\SysWOW64\Aobnniji.exe Amcbankf.exe File opened for modification C:\Windows\SysWOW64\Ajeeeblb.exe Ackmih32.exe File opened for modification C:\Windows\SysWOW64\Kbhbai32.exe Kageia32.exe File created C:\Windows\SysWOW64\Lcadghnk.exe Liipnb32.exe File created C:\Windows\SysWOW64\Clgbno32.exe Ciifbchf.exe File opened for modification C:\Windows\SysWOW64\Ncfoch32.exe Nmlgfnal.exe File created C:\Windows\SysWOW64\Ogqaehak.exe Npgihn32.exe File created C:\Windows\SysWOW64\Npaich32.exe Njdqka32.exe File created C:\Windows\SysWOW64\Nijnln32.exe Npaich32.exe File opened for modification C:\Windows\SysWOW64\Adfqgl32.exe Anlhkbhq.exe File created C:\Windows\SysWOW64\Bnnaoe32.exe Bkpeci32.exe File created C:\Windows\SysWOW64\Bflbhgjm.dll Cfcijf32.exe File created C:\Windows\SysWOW64\Oikojfgk.exe Okgnab32.exe File opened for modification C:\Windows\SysWOW64\Lpedeg32.exe Liklhmom.exe File created C:\Windows\SysWOW64\Pknedeoi.dll Dhiomn32.exe File created C:\Windows\SysWOW64\Kdphjm32.exe Kocpbfei.exe File created C:\Windows\SysWOW64\Qfmafg32.exe Pcnejk32.exe File opened for modification C:\Windows\SysWOW64\Qndigd32.exe Qfmafg32.exe File created C:\Windows\SysWOW64\Aibcba32.exe Afdgfelo.exe File created C:\Windows\SysWOW64\Egflhe32.dll Oajlkojn.exe File created C:\Windows\SysWOW64\Ipnlibhd.dll Phcpgm32.exe File created C:\Windows\SysWOW64\Nlhhkjkc.dll Agbpnh32.exe File created C:\Windows\SysWOW64\Ipnnggjm.dll Jkdpanhg.exe File created C:\Windows\SysWOW64\Lnmfog32.dll Mmahdggc.exe File opened for modification C:\Windows\SysWOW64\Aacmij32.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Dfggnkoj.dll Fkcilc32.exe File created C:\Windows\SysWOW64\Dmgkgeah.exe Dgmbkk32.exe File created C:\Windows\SysWOW64\Omlflo32.dll Dmjqpdje.exe File opened for modification C:\Windows\SysWOW64\Plpopddd.exe Pmjaohol.exe File opened for modification C:\Windows\SysWOW64\Hpbbdfik.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Fknjekca.dll Omkjbb32.exe File opened for modification C:\Windows\SysWOW64\Jgfcja32.exe Jdhgnf32.exe File created C:\Windows\SysWOW64\Nidjhoea.dll Djjjga32.exe File created C:\Windows\SysWOW64\Gmiflpof.dll Hddmjk32.exe File created C:\Windows\SysWOW64\Gemaaoaf.dll Kcbakpdo.exe File created C:\Windows\SysWOW64\Kjfmokdk.dll Hpbbdfik.exe File created C:\Windows\SysWOW64\Pqkobqhd.exe Pnmcfeia.exe File created C:\Windows\SysWOW64\Paodbg32.dll Gjojef32.exe File created C:\Windows\SysWOW64\Kqiaclhj.exe Kjoifb32.exe File opened for modification C:\Windows\SysWOW64\Ooclji32.exe Oldpnn32.exe File created C:\Windows\SysWOW64\Mpbdnk32.exe Mnaggcej.exe File created C:\Windows\SysWOW64\Gckmjbbc.dll Ajmfad32.exe File opened for modification C:\Windows\SysWOW64\Gmgpbf32.exe Gjicfk32.exe File opened for modification C:\Windows\SysWOW64\Caaggpdh.exe Cnckjddd.exe File created C:\Windows\SysWOW64\Pmjaohol.exe Pdppqbkn.exe File opened for modification C:\Windows\SysWOW64\Ljibgg32.exe Lapnnafn.exe File created C:\Windows\SysWOW64\Liklhmom.exe Lbackc32.exe File created C:\Windows\SysWOW64\Bgibnj32.exe Bnqned32.exe File opened for modification C:\Windows\SysWOW64\Ddblgn32.exe Dlfgcl32.exe File opened for modification C:\Windows\SysWOW64\Diaaeepi.exe Dgbeiiqe.exe File created C:\Windows\SysWOW64\Eobchk32.exe Eldglp32.exe File created C:\Windows\SysWOW64\Ppjllffc.dll Lfbdci32.exe File created C:\Windows\SysWOW64\Diphbfdi.exe Dojddmec.exe File opened for modification C:\Windows\SysWOW64\Hegnahjo.exe Hbiaemkk.exe File opened for modification C:\Windows\SysWOW64\Jdejhfig.exe Jagnlkjd.exe File opened for modification C:\Windows\SysWOW64\Nkiogn32.exe Nhkbkc32.exe File opened for modification C:\Windows\SysWOW64\Bpqain32.exe Bcjqdmla.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3796 3640 WerFault.exe 461 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcnghm32.dll" Cafgle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekjgpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keacocpm.dll" Ejpdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agdmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiehea32.dll" Ijeghgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogqaehak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfaalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naalga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clgbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imleli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojcecjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paodbg32.dll" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmkeb32.dll" Hqgddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idmkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmmhaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnckp32.dll" Adcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fciang32.dll" Jfemlpdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poklngnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqlebf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijmkqhaf.dll" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll" Kkojbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnopldgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjjhk32.dll" Qqdbiopj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecfldoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll" Llbconkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgbggnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kncofa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agpcihcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgcb32.dll" Lgbeoibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpbdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecfldoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beimfpfn.dll" Cacclpae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgkii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioooiack.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefqie32.dll" Dicnkdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahcqf32.dll" Oaaifdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpodcba.dll" Dchmkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieabog32.dll" Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmibbi32.dll" Bkpeci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegkqmai.dll" Jlpeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cafgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmfcd32.dll" Cedpbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eccpoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfqmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmhjdiap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkdpanhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimemp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnjfae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opfbngfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcpgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoamb32.dll" Becpap32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1752 wrote to memory of 2052 1752 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 28 PID 1752 wrote to memory of 2052 1752 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 28 PID 1752 wrote to memory of 2052 1752 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 28 PID 1752 wrote to memory of 2052 1752 NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe 28 PID 2052 wrote to memory of 2104 2052 Ifcbodli.exe 29 PID 2052 wrote to memory of 2104 2052 Ifcbodli.exe 29 PID 2052 wrote to memory of 2104 2052 Ifcbodli.exe 29 PID 2052 wrote to memory of 2104 2052 Ifcbodli.exe 29 PID 2104 wrote to memory of 2276 2104 Iokfhi32.exe 30 PID 2104 wrote to memory of 2276 2104 Iokfhi32.exe 30 PID 2104 wrote to memory of 2276 2104 Iokfhi32.exe 30 PID 2104 wrote to memory of 2276 2104 Iokfhi32.exe 30 PID 2276 wrote to memory of 2912 2276 Iggkllpe.exe 31 PID 2276 wrote to memory of 2912 2276 Iggkllpe.exe 31 PID 2276 wrote to memory of 2912 2276 Iggkllpe.exe 31 PID 2276 wrote to memory of 2912 2276 Iggkllpe.exe 31 PID 2912 wrote to memory of 2928 2912 Ijeghgoh.exe 32 PID 2912 wrote to memory of 2928 2912 Ijeghgoh.exe 32 PID 2912 wrote to memory of 2928 2912 Ijeghgoh.exe 32 PID 2912 wrote to memory of 2928 2912 Ijeghgoh.exe 32 PID 2928 wrote to memory of 2164 2928 Idklfpon.exe 33 PID 2928 wrote to memory of 2164 2928 Idklfpon.exe 33 PID 2928 wrote to memory of 2164 2928 Idklfpon.exe 33 PID 2928 wrote to memory of 2164 2928 Idklfpon.exe 33 PID 2164 wrote to memory of 2608 2164 Iqalka32.exe 34 PID 2164 wrote to memory of 2608 2164 Iqalka32.exe 34 PID 2164 wrote to memory of 2608 2164 Iqalka32.exe 34 PID 2164 wrote to memory of 2608 2164 Iqalka32.exe 34 PID 2608 wrote to memory of 2512 2608 Jgnamk32.exe 35 PID 2608 wrote to memory of 2512 2608 Jgnamk32.exe 35 PID 2608 wrote to memory of 2512 2608 Jgnamk32.exe 35 PID 2608 wrote to memory of 2512 2608 Jgnamk32.exe 35 PID 2512 wrote to memory of 1208 2512 Jbgbni32.exe 36 PID 2512 wrote to memory of 1208 2512 Jbgbni32.exe 36 PID 2512 wrote to memory of 1208 2512 Jbgbni32.exe 36 PID 2512 wrote to memory of 1208 2512 Jbgbni32.exe 36 PID 1208 wrote to memory of 1220 1208 Jiakjb32.exe 37 PID 1208 wrote to memory of 1220 1208 Jiakjb32.exe 37 PID 1208 wrote to memory of 1220 1208 Jiakjb32.exe 37 PID 1208 wrote to memory of 1220 1208 Jiakjb32.exe 37 PID 1220 wrote to memory of 2824 1220 Jkbcln32.exe 38 PID 1220 wrote to memory of 2824 1220 Jkbcln32.exe 38 PID 1220 wrote to memory of 2824 1220 Jkbcln32.exe 38 PID 1220 wrote to memory of 2824 1220 Jkbcln32.exe 38 PID 2824 wrote to memory of 1512 2824 Jkdpanhg.exe 39 PID 2824 wrote to memory of 1512 2824 Jkdpanhg.exe 39 PID 2824 wrote to memory of 1512 2824 Jkdpanhg.exe 39 PID 2824 wrote to memory of 1512 2824 Jkdpanhg.exe 39 PID 1512 wrote to memory of 2884 1512 Jbnhng32.exe 40 PID 1512 wrote to memory of 2884 1512 Jbnhng32.exe 40 PID 1512 wrote to memory of 2884 1512 Jbnhng32.exe 40 PID 1512 wrote to memory of 2884 1512 Jbnhng32.exe 40 PID 2884 wrote to memory of 2180 2884 Kkgmgmfd.exe 41 PID 2884 wrote to memory of 2180 2884 Kkgmgmfd.exe 41 PID 2884 wrote to memory of 2180 2884 Kkgmgmfd.exe 41 PID 2884 wrote to memory of 2180 2884 Kkgmgmfd.exe 41 PID 2180 wrote to memory of 688 2180 Kneicieh.exe 43 PID 2180 wrote to memory of 688 2180 Kneicieh.exe 43 PID 2180 wrote to memory of 688 2180 Kneicieh.exe 43 PID 2180 wrote to memory of 688 2180 Kneicieh.exe 43 PID 688 wrote to memory of 592 688 Kcbakpdo.exe 42 PID 688 wrote to memory of 592 688 Kcbakpdo.exe 42 PID 688 wrote to memory of 592 688 Kcbakpdo.exe 42 PID 688 wrote to memory of 592 688 Kcbakpdo.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.f8dca8f94af44bc9be469b5e21efd450_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Ijeghgoh.exeC:\Windows\system32\Ijeghgoh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:688
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Kahojc32.exeC:\Windows\system32\Kahojc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Lbqabkql.exeC:\Windows\system32\Lbqabkql.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:980 -
C:\Windows\SysWOW64\Mppepcfg.exeC:\Windows\system32\Mppepcfg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Mdmmfa32.exeC:\Windows\system32\Mdmmfa32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Mmfbogcn.exeC:\Windows\system32\Mmfbogcn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Mimbdhhb.exeC:\Windows\system32\Mimbdhhb.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Mgqcmlgl.exeC:\Windows\system32\Mgqcmlgl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Nlphkb32.exeC:\Windows\system32\Nlphkb32.exe17⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe18⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe21⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe23⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe24⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Ojcecjee.exeC:\Windows\system32\Ojcecjee.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Oqmmpd32.exeC:\Windows\system32\Oqmmpd32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe27⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Oikojfgk.exeC:\Windows\system32\Oikojfgk.exe30⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe31⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe32⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe33⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe34⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe38⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe39⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe40⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe41⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe43⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe44⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe47⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe48⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:292 -
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe51⤵PID:1924
-
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe52⤵PID:2080
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe53⤵PID:2632
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe55⤵PID:2688
-
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe56⤵PID:1728
-
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe57⤵PID:1596
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe58⤵PID:1264
-
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe59⤵PID:1832
-
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe60⤵PID:2008
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe61⤵PID:2560
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe62⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe63⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe64⤵PID:2092
-
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe65⤵PID:2176
-
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe66⤵PID:2308
-
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe67⤵
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe68⤵PID:2800
-
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe69⤵PID:1160
-
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe70⤵PID:2784
-
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe71⤵PID:2712
-
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe72⤵PID:1836
-
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe73⤵PID:2032
-
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe74⤵
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe76⤵PID:2992
-
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe77⤵PID:1028
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe78⤵PID:2224
-
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe79⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe80⤵PID:2948
-
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe81⤵PID:3048
-
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe82⤵PID:1764
-
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe83⤵PID:1784
-
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe84⤵PID:2152
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe85⤵PID:2356
-
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe86⤵PID:1648
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe87⤵PID:2352
-
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe88⤵PID:1528
-
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe89⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe90⤵PID:1632
-
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe91⤵PID:2720
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe92⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe95⤵PID:1800
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe96⤵PID:1928
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe97⤵PID:1760
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe98⤵PID:2956
-
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe99⤵PID:1812
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe100⤵PID:1148
-
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe101⤵
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe102⤵PID:288
-
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe103⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe104⤵PID:2000
-
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe105⤵PID:1544
-
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe106⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe107⤵PID:2556
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe108⤵
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe110⤵PID:2172
-
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe111⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe112⤵PID:2916
-
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe113⤵PID:1712
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe114⤵PID:1332
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe116⤵
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe117⤵PID:1004
-
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe118⤵PID:2980
-
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe119⤵PID:3032
-
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe120⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe121⤵PID:1628
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-