Analysis
max time kernel
31s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted
31-10-2023 18:11
Behavioral task
behavioral1
Sample
NEAS.2b920f617b9814f34963af4528d8d830_JC.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.2b920f617b9814f34963af4528d8d830_JC.exe
Resource
win10v2004-20231023-en
General
Target
NEAS.2b920f617b9814f34963af4528d8d830_JC.exe
Size
153KB
MD5
2b920f617b9814f34963af4528d8d830
SHA1
0846606ed77bf74fa80fe8ec84e81e9e3fde5346
SHA256
fc1c405d2192dd9e45b41dde4871032acf9fb671d53ddfd9ece383a841b12809
SHA512
98fa5c50ce9f1b366d52807f2ba00379a638675e3e78df5232a5d93814e0f6a45db3b88cbc4ba44ffb89e09a6657b5df6d3b80aa2377c5ec8b5f7d1ecaea474a
SSDEEP
3072:au7rvxXsL50JaPNYeUAEQGBcHN0OlaxP3DZyN/+oeRpxPdZFibDyxn:La9aaqdAHj05xP3DZyN1eRppzcexn
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2352  1096        WerFault.exe  295
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.2b920f617b9814f34963af4528d8d830_JC.exe "C:\Users\Admin\AppData\Local\Temp\NEAS.2b920f617b9814f34963af4528d8d830_JC.exe" 1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092
C:\Windows\SysWOW64\Ojfaijcc.exe C:\Windows\system32\Ojfaijcc.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:632
C:\Windows\SysWOW64\Pimkpfeh.exe C:\Windows\system32\Pimkpfeh.exe 3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564
C:\Windows\SysWOW64\Pkndaa32.exe C:\Windows\system32\Pkndaa32.exe 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2796
C:\Windows\SysWOW64\Peiepfgg.exe C:\Windows\system32\Peiepfgg.exe 1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624
C:\Windows\SysWOW64\Pnajilng.exe C:\Windows\system32\Pnajilng.exe 2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
C:\Windows\SysWOW64\Aplifb32.exe C:\Windows\system32\Aplifb32.exe 1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
C:\Windows\SysWOW64\Ahgnke32.exe C:\Windows\system32\Ahgnke32.exe 2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580
C:\Windows\SysWOW64\Aemkjiem.exe C:\Windows\system32\Aemkjiem.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3040
C:\Windows\SysWOW64\Bpgljfbl.exe C:\Windows\system32\Bpgljfbl.exe 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916
C:\Windows\SysWOW64\Bjlqhoba.exe C:\Windows\system32\Bjlqhoba.exe 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:280
C:\Windows\SysWOW64\Blpjegfm.exe C:\Windows\system32\Blpjegfm.exe 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:112
C:\Windows\SysWOW64\Bghjhp32.exe C:\Windows\system32\Bghjhp32.exe 7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1060
C:\Windows\SysWOW64\Bppoqeja.exe C:\Windows\system32\Bppoqeja.exe 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1804
C:\Windows\SysWOW64\Bhkdeggl.exe C:\Windows\system32\Bhkdeggl.exe 9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336
C:\Windows\SysWOW64\Cadhnmnm.exe C:\Windows\system32\Cadhnmnm.exe 10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900
C:\Windows\SysWOW64\Cohigamf.exe C:\Windows\system32\Cohigamf.exe 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:952
C:\Windows\SysWOW64\Ckoilb32.exe C:\Windows\system32\Ckoilb32.exe 12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2192
C:\Windows\SysWOW64\Chbjffad.exe C:\Windows\system32\Chbjffad.exe 13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:848
C:\Windows\SysWOW64\Cnobnmpl.exe C:\Windows\system32\Cnobnmpl.exe 14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380
C:\Windows\SysWOW64\Cppkph32.exe C:\Windows\system32\Cppkph32.exe 15⤵
- Executes dropped EXE
PID:2016
C:\Windows\SysWOW64\Dndlim32.exe C:\Windows\system32\Dndlim32.exe 16⤵
- Loads dropped DLL
- Modifies registry class
PID:2208
C:\Windows\SysWOW64\Dfoqmo32.exe C:\Windows\system32\Dfoqmo32.exe 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652
C:\Windows\SysWOW64\Dkcofe32.exe C:\Windows\system32\Dkcofe32.exe 18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2124
C:\Windows\SysWOW64\Edpmjj32.exe C:\Windows\system32\Edpmjj32.exe 19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2824
C:\Windows\SysWOW64\Enhacojl.exe C:\Windows\system32\Enhacojl.exe 20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2792
C:\Windows\SysWOW64\Ebjglbml.exe C:\Windows\system32\Ebjglbml.exe 21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1268
C:\Windows\SysWOW64\Fcjcfe32.exe C:\Windows\system32\Fcjcfe32.exe 22⤵
- Executes dropped EXE
PID:2640
C:\Windows\SysWOW64\Flehkhai.exe C:\Windows\system32\Flehkhai.exe 23⤵
- Executes dropped EXE
PID:2716
C:\Windows\SysWOW64\Ffklhqao.exe C:\Windows\system32\Ffklhqao.exe 24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2332
C:\Windows\SysWOW64\Fpcqaf32.exe C:\Windows\system32\Fpcqaf32.exe 25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3012
C:\Windows\SysWOW64\Fbamma32.exe C:\Windows\system32\Fbamma32.exe 26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2932
C:\Windows\SysWOW64\Fhneehek.exe C:\Windows\system32\Fhneehek.exe 27⤵
- Executes dropped EXE
PID:1356
C:\Windows\SysWOW64\Fbdjbaea.exe C:\Windows\system32\Fbdjbaea.exe 28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2256
C:\Windows\SysWOW64\Fllnlg32.exe C:\Windows\system32\Fllnlg32.exe 29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1756
C:\Windows\SysWOW64\Faigdn32.exe C:\Windows\system32\Faigdn32.exe 30⤵
- Executes dropped EXE
PID:2900
C:\Windows\SysWOW64\Gdgcpi32.exe C:\Windows\system32\Gdgcpi32.exe 31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624
C:\Windows\SysWOW64\Gffoldhp.exe C:\Windows\system32\Gffoldhp.exe 32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1548
C:\Windows\SysWOW64\Gakcimgf.exe C:\Windows\system32\Gakcimgf.exe 33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156
C:\Windows\SysWOW64\Ghelfg32.exe C:\Windows\system32\Ghelfg32.exe 34⤵
- Executes dropped EXE
PID:2836
C:\Windows\SysWOW64\Ganpomec.exe C:\Windows\system32\Ganpomec.exe 35⤵
- Executes dropped EXE
PID:572
C:\Windows\SysWOW64\Gfjhgdck.exe C:\Windows\system32\Gfjhgdck.exe 36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1620
C:\Windows\SysWOW64\Gmdadnkh.exe C:\Windows\system32\Gmdadnkh.exe 37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:796
C:\Windows\SysWOW64\Gdniqh32.exe C:\Windows\system32\Gdniqh32.exe 38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1556
C:\Windows\SysWOW64\Gmgninie.exe C:\Windows\system32\Gmgninie.exe 39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:956
C:\Windows\SysWOW64\Gohjaf32.exe C:\Windows\system32\Gohjaf32.exe 40⤵
- Executes dropped EXE
- Modifies registry class
PID:1924
C:\Windows\SysWOW64\Ginnnooi.exe C:\Windows\system32\Ginnnooi.exe 41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108
C:\Windows\SysWOW64\Hojgfemq.exe C:\Windows\system32\Hojgfemq.exe 42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088
C:\Windows\SysWOW64\Hhckpk32.exe C:\Windows\system32\Hhckpk32.exe 43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680
C:\Windows\SysWOW64\Hkaglf32.exe C:\Windows\system32\Hkaglf32.exe 44⤵
- Executes dropped EXE
PID:2004
C:\Windows\SysWOW64\Hdildlie.exe C:\Windows\system32\Hdildlie.exe 45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1092
C:\Windows\SysWOW64\Hkcdafqb.exe C:\Windows\system32\Hkcdafqb.exe 46⤵
- Executes dropped EXE
PID:2232
C:\Windows\SysWOW64\Hdlhjl32.exe C:\Windows\system32\Hdlhjl32.exe 47⤵
- Executes dropped EXE
PID:1604
C:\Windows\SysWOW64\Hmdmcanc.exe C:\Windows\system32\Hmdmcanc.exe 48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2096
C:\Windows\SysWOW64\Hiknhbcg.exe C:\Windows\system32\Hiknhbcg.exe 49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2288
C:\Windows\SysWOW64\Hdqbekcm.exe C:\Windows\system32\Hdqbekcm.exe 50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820
C:\Windows\SysWOW64\Ikkjbe32.exe C:\Windows\system32\Ikkjbe32.exe 51⤵
- Executes dropped EXE
PID:2416
C:\Windows\SysWOW64\Inifnq32.exe C:\Windows\system32\Inifnq32.exe 52⤵
- Executes dropped EXE
- Modifies registry class
PID:2816
C:\Windows\SysWOW64\Idcokkak.exe C:\Windows\system32\Idcokkak.exe 53⤵
- Executes dropped EXE
PID:2612
C:\Windows\SysWOW64\Iipgcaob.exe C:\Windows\system32\Iipgcaob.exe 54⤵
- Executes dropped EXE
- Modifies registry class
PID:2376
C:\Windows\SysWOW64\Iompkh32.exe C:\Windows\system32\Iompkh32.exe 55⤵
- Drops file in System32 directory
PID:2668
C:\Windows\SysWOW64\Iefhhbef.exe C:\Windows\system32\Iefhhbef.exe 56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:832
C:\Windows\SysWOW64\Iheddndj.exe C:\Windows\system32\Iheddndj.exe 57⤵
PID:3044
C:\Windows\SysWOW64\Iamimc32.exe C:\Windows\system32\Iamimc32.exe 58⤵
- Drops file in System32 directory
- Modifies registry class
PID:1780
C:\Windows\SysWOW64\Ihgainbg.exe C:\Windows\system32\Ihgainbg.exe 59⤵
PID:1728
C:\Windows\SysWOW64\Ioaifhid.exe C:\Windows\system32\Ioaifhid.exe 60⤵
PID:1716
C:\Windows\SysWOW64\Ifkacb32.exe C:\Windows\system32\Ifkacb32.exe 61⤵
- Modifies registry class
PID:2368
C:\Windows\SysWOW64\Ikhjki32.exe C:\Windows\system32\Ikhjki32.exe 62⤵
PID:2480
C:\Windows\SysWOW64\Jdpndnei.exe C:\Windows\system32\Jdpndnei.exe 63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524
C:\Windows\SysWOW64\Jofbag32.exe C:\Windows\system32\Jofbag32.exe 64⤵
- Drops file in System32 directory
PID:1504
C:\Windows\SysWOW64\Jnicmdli.exe C:\Windows\system32\Jnicmdli.exe 65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2260
C:\Windows\SysWOW64\Jjpcbe32.exe C:\Windows\system32\Jjpcbe32.exe 66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1156
C:\Windows\SysWOW64\Jdehon32.exe C:\Windows\system32\Jdehon32.exe 67⤵
PID:1552
C:\Windows\SysWOW64\Jjbpgd32.exe C:\Windows\system32\Jjbpgd32.exe 68⤵
PID:1828
C:\Windows\SysWOW64\Jqlhdo32.exe C:\Windows\system32\Jqlhdo32.exe 69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1020
C:\Windows\SysWOW64\Jgfqaiod.exe C:\Windows\system32\Jgfqaiod.exe 70⤵
- Drops file in System32 directory
PID:2148
C:\Windows\SysWOW64\Jmbiipml.exe C:\Windows\system32\Jmbiipml.exe 71⤵
PID:1004
C:\Windows\SysWOW64\Jcmafj32.exe C:\Windows\system32\Jcmafj32.exe 72⤵
PID:1180
C:\Windows\SysWOW64\Kiijnq32.exe C:\Windows\system32\Kiijnq32.exe 73⤵
- Modifies registry class
PID:1216
C:\Windows\SysWOW64\Kconkibf.exe C:\Windows\system32\Kconkibf.exe 74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2032
C:\Windows\SysWOW64\Kilfcpqm.exe C:\Windows\system32\Kilfcpqm.exe 75⤵
- Modifies registry class
PID:2740
C:\Windows\SysWOW64\Kkjcplpa.exe C:\Windows\system32\Kkjcplpa.exe 76⤵
PID:2704
C:\Windows\SysWOW64\Kbdklf32.exe C:\Windows\system32\Kbdklf32.exe 77⤵
- Modifies registry class
PID:1428
C:\Windows\SysWOW64\Kklpekno.exe C:\Windows\system32\Kklpekno.exe 78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652
C:\Windows\SysWOW64\Kfbcbd32.exe C:\Windows\system32\Kfbcbd32.exe 79⤵
- Modifies registry class
PID:1696
C:\Windows\SysWOW64\Kgcpjmcb.exe C:\Windows\system32\Kgcpjmcb.exe 80⤵
PID:2296
C:\Windows\SysWOW64\Knmhgf32.exe C:\Windows\system32\Knmhgf32.exe 81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832
C:\Windows\SysWOW64\Kgemplap.exe C:\Windows\system32\Kgemplap.exe 82⤵
PID:2924
C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\system32\Kbkameaf.exe 83⤵
- Drops file in System32 directory
PID:2992
C:\Windows\SysWOW64\Llcefjgf.exe C:\Windows\system32\Llcefjgf.exe 84⤵
- Drops file in System32 directory
PID:2252
C:\Windows\SysWOW64\Lmebnb32.exe C:\Windows\system32\Lmebnb32.exe 85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1684
C:\Windows\SysWOW64\Lcojjmea.exe C:\Windows\system32\Lcojjmea.exe 86⤵
- Drops file in System32 directory
- Modifies registry class
PID:1520
C:\Windows\SysWOW64\Ljibgg32.exe C:\Windows\system32\Ljibgg32.exe 87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492
C:\Windows\SysWOW64\Lcagpl32.exe C:\Windows\system32\Lcagpl32.exe 88⤵
- Modifies registry class
PID:1496
C:\Windows\SysWOW64\Lfpclh32.exe C:\Windows\system32\Lfpclh32.exe 89⤵
PID:1980
C:\Windows\SysWOW64\Laegiq32.exe C:\Windows\system32\Laegiq32.exe 90⤵
- Modifies registry class
PID:288
C:\Windows\SysWOW64\Lbfdaigg.exe C:\Windows\system32\Lbfdaigg.exe 91⤵
- Drops file in System32 directory
- Modifies registry class
PID:1320
C:\Windows\SysWOW64\Lpjdjmfp.exe C:\Windows\system32\Lpjdjmfp.exe 92⤵
- Drops file in System32 directory
PID:1468
C:\Windows\SysWOW64\Lfdmggnm.exe C:\Windows\system32\Lfdmggnm.exe 93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2424
C:\Windows\SysWOW64\Mmneda32.exe C:\Windows\system32\Mmneda32.exe 94⤵
PID:2224
C:\Windows\SysWOW64\Mlaeonld.exe C:\Windows\system32\Mlaeonld.exe 95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740
C:\Windows\SysWOW64\Mbkmlh32.exe C:\Windows\system32\Mbkmlh32.exe 96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2688
C:\Windows\SysWOW64\Mieeibkn.exe C:\Windows\system32\Mieeibkn.exe 97⤵
PID:2800
C:\Windows\SysWOW64\Mlcbenjb.exe C:\Windows\system32\Mlcbenjb.exe 98⤵
- Modifies registry class
PID:2272
C:\Windows\SysWOW64\Moanaiie.exe C:\Windows\system32\Moanaiie.exe 99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2228
C:\Windows\SysWOW64\Melfncqb.exe C:\Windows\system32\Melfncqb.exe 100⤵
PID:2200
C:\Windows\SysWOW64\Mlfojn32.exe C:\Windows\system32\Mlfojn32.exe 101⤵
- Drops file in System32 directory
PID:2760
C:\Windows\SysWOW64\Mbpgggol.exe C:\Windows\system32\Mbpgggol.exe 102⤵
PID:2936
C:\Windows\SysWOW64\Mencccop.exe C:\Windows\system32\Mencccop.exe 103⤵
PID:876
C:\Windows\SysWOW64\Mhloponc.exe C:\Windows\system32\Mhloponc.exe 104⤵
- Drops file in System32 directory
PID:1676
C:\Windows\SysWOW64\Ibckfa32.exe C:\Windows\system32\Ibckfa32.exe 105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912
C:\Windows\SysWOW64\Mimemp32.exe C:\Windows\system32\Mimemp32.exe 106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764
C:\Windows\SysWOW64\Oifdbb32.exe C:\Windows\system32\Oifdbb32.exe 107⤵
PID:2320
C:\Windows\SysWOW64\Opplolac.exe C:\Windows\system32\Opplolac.exe 108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1772
C:\Windows\SysWOW64\Ilcoce32.exe C:\Windows\system32\Ilcoce32.exe 109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1432
C:\Windows\SysWOW64\Ibmgpoia.exe C:\Windows\system32\Ibmgpoia.exe 110⤵
- Drops file in System32 directory
- Modifies registry class
PID:1084
C:\Windows\SysWOW64\Iigpli32.exe C:\Windows\system32\Iigpli32.exe 111⤵
PID:2452
C:\Windows\SysWOW64\Jgaiobjn.exe C:\Windows\system32\Jgaiobjn.exe 112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2440
C:\Windows\SysWOW64\Joiappkp.exe C:\Windows\system32\Joiappkp.exe 113⤵
- Drops file in System32 directory
PID:2868
C:\Windows\SysWOW64\Jdejhfig.exe C:\Windows\system32\Jdejhfig.exe 114⤵
- Drops file in System32 directory
PID:2768
C:\Windows\SysWOW64\Jkpbdq32.exe C:\Windows\system32\Jkpbdq32.exe 115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2844
C:\Windows\SysWOW64\Jplkmgol.exe C:\Windows\system32\Jplkmgol.exe 116⤵
- Drops file in System32 directory
PID:2644
C:\Windows\SysWOW64\Jgfcja32.exe C:\Windows\system32\Jgfcja32.exe 117⤵
PID:2656
C:\Windows\SysWOW64\Jlckbh32.exe C:\Windows\system32\Jlckbh32.exe 118⤵
PID:2944
C:\Windows\SysWOW64\Kcmcoblm.exe C:\Windows\system32\Kcmcoblm.exe 119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2408
C:\Windows\SysWOW64\Kjglkm32.exe C:\Windows\system32\Kjglkm32.exe 120⤵
PID:2388
C:\Windows\SysWOW64\Kpadhg32.exe C:\Windows\system32\Kpadhg32.exe 121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:268
C:\Windows\SysWOW64\Kgkleabc.exe C:\Windows\system32\Kgkleabc.exe 122⤵
- Drops file in System32 directory
PID:400