Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
01-11-2023 11:13
Behavioral task
behavioral1
Sample
NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe
Resource
win7-20231025-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe
-
Size
98KB
-
MD5
ef69cb7c5dc8a833ee9e476cbf8580b0
-
SHA1
936d725d0107b1193fa0fbdd90d33da1d4c1869b
-
SHA256
0c7600e9efcba9a1c72a303f0cf181add5e55b119002fb22a8277546e9d6e0db
-
SHA512
42f2145366456d78173a66cbc54a3548fd0dd36fda9f57b6cf45ec81e71679a40b19a8531e12d32678afa9e666f13f5a0b2ce41091652304e4e485bb5d8aad3d
-
SSDEEP
1536:qtDz3UImOivVmpVp5P0H/2ZAf3NYJZLVbCU5flSjbEjw2xt8v:qVz3RmOhpVfP0fUvZ5GURlSjgjxxt8v
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdlkdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egllae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkcofe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfjha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpgggol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlhkpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hobcak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkncmmle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaaoij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjcabmga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljmlbfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdacop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alegac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolnad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igakgfpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfmfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdniqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkofpgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bocolb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefhhbef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lapnnafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggpgmof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anccmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjhgdck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gebbnpfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfmffhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkpegnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hapicp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npfgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fenmdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhaikn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efcfga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmcfhkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnhng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjlcao.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2096-0-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x0009000000012024-5.dat family_berbew behavioral1/memory/2096-6-0x00000000003C0000-0x00000000003FE000-memory.dmp family_berbew behavioral1/files/0x0009000000012024-8.dat family_berbew behavioral1/files/0x0009000000012024-9.dat family_berbew behavioral1/files/0x0009000000012024-12.dat family_berbew behavioral1/files/0x0009000000012024-13.dat family_berbew behavioral1/files/0x002f00000001482f-21.dat family_berbew behavioral1/files/0x002f00000001482f-26.dat family_berbew behavioral1/memory/2136-31-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x002f00000001482f-25.dat family_berbew behavioral1/files/0x002f00000001482f-20.dat family_berbew behavioral1/files/0x002f00000001482f-18.dat family_berbew behavioral1/files/0x0007000000015008-32.dat family_berbew behavioral1/files/0x0007000000015008-40.dat family_berbew behavioral1/files/0x0007000000015008-39.dat family_berbew behavioral1/files/0x0007000000015008-36.dat family_berbew behavioral1/files/0x0007000000015008-35.dat family_berbew behavioral1/memory/2136-34-0x0000000000220000-0x000000000025E000-memory.dmp family_berbew behavioral1/files/0x0009000000015474-51.dat family_berbew behavioral1/files/0x0009000000015474-48.dat family_berbew behavioral1/memory/2712-53-0x0000000000290000-0x00000000002CE000-memory.dmp family_berbew behavioral1/files/0x0009000000015474-52.dat family_berbew behavioral1/files/0x0009000000015474-47.dat family_berbew behavioral1/files/0x0009000000015474-45.dat family_berbew behavioral1/memory/2276-54-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/memory/2712-59-0x0000000000290000-0x00000000002CE000-memory.dmp family_berbew behavioral1/files/0x000600000001564c-63.dat family_berbew behavioral1/files/0x000600000001564c-68.dat family_berbew behavioral1/files/0x000600000001564c-67.dat family_berbew behavioral1/files/0x000600000001564c-62.dat family_berbew behavioral1/files/0x000600000001564c-60.dat family_berbew behavioral1/files/0x0006000000015c22-79.dat family_berbew behavioral1/files/0x0006000000015c22-76.dat family_berbew behavioral1/files/0x0006000000015c22-75.dat family_berbew behavioral1/files/0x0006000000015c22-73.dat family_berbew behavioral1/files/0x0006000000015c22-80.dat family_berbew behavioral1/memory/2524-86-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/memory/2628-85-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x0006000000015c47-87.dat family_berbew behavioral1/memory/2524-93-0x0000000000230000-0x000000000026E000-memory.dmp family_berbew behavioral1/files/0x0006000000015c47-90.dat family_berbew behavioral1/files/0x0006000000015c47-89.dat family_berbew behavioral1/files/0x0006000000015c5f-103.dat family_berbew behavioral1/files/0x0006000000015c5f-97.dat family_berbew behavioral1/memory/3008-121-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x0006000000015c80-122.dat family_berbew behavioral1/files/0x002f000000014958-127.dat family_berbew behavioral1/files/0x002f000000014958-129.dat family_berbew behavioral1/files/0x002f000000014958-133.dat family_berbew behavioral1/memory/1092-134-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x002f000000014958-130.dat family_berbew behavioral1/files/0x0006000000015ca0-140.dat family_berbew behavioral1/files/0x0006000000015ca0-143.dat family_berbew behavioral1/memory/616-147-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x0006000000015ca0-146.dat family_berbew behavioral1/files/0x0006000000015ca0-148.dat family_berbew behavioral1/files/0x0006000000015ca0-142.dat family_berbew behavioral1/files/0x0006000000015cc9-156.dat family_berbew behavioral1/files/0x0006000000015dc0-162.dat family_berbew behavioral1/files/0x0006000000015e35-187.dat family_berbew behavioral1/memory/1772-186-0x0000000000400000-0x000000000043E000-memory.dmp family_berbew behavioral1/files/0x0006000000015e35-185.dat family_berbew behavioral1/files/0x0006000000015e35-182.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1708 Hobcak32.exe 2136 Hhmepp32.exe 2712 Idceea32.exe 2276 Idfbkq32.exe 2628 Iokfhi32.exe 2524 Iblpjdpk.exe 2352 Incpoe32.exe 2900 Jjjacf32.exe 3008 Jmhmpb32.exe 1092 Jgnamk32.exe 616 Jqfffqpm.exe 604 Jkpgfn32.exe 1772 Jehkodcm.exe 528 Jonplmcb.exe 2456 Jejhecaj.exe 2088 Jbnhng32.exe 2940 Keoapb32.exe 1276 Kngfih32.exe 2256 Knjbnh32.exe 2448 Kpkofpgq.exe 1540 Kjqccigf.exe 1824 Kjcpii32.exe 112 Lldlqakb.exe 1548 Lihmjejl.exe 2308 Leonofpp.exe 1748 Lpdbloof.exe 2788 Leajdfnm.exe 1604 Lkncmmle.exe 2016 Lecgje32.exe 2724 Lajhofao.exe 2916 Mggpgmof.exe 2808 Mihiih32.exe 2656 Mgljbm32.exe 2996 Mpdnkb32.exe 2200 Meagci32.exe 2860 Mmhodf32.exe 1936 Mpfkqb32.exe 1620 Mcegmm32.exe 2668 Mhbped32.exe 2704 Mpigfa32.exe 2072 Najdnj32.exe 2948 Nhdlkdkg.exe 2288 Nondgn32.exe 2300 Ndkmpe32.exe 572 Noqamn32.exe 696 Naoniipe.exe 2264 Nhiffc32.exe 828 Nnennj32.exe 1920 Ndpfkdmf.exe 748 Njlockkm.exe 2112 Npfgpe32.exe 1272 Oklkmnbp.exe 984 Onjgiiad.exe 2968 Ocgpappk.exe 2228 Onmdoioa.exe 3020 Ocimgp32.exe 2640 Pfoocjfd.exe 2688 Pbfpik32.exe 2760 Piphee32.exe 2732 Pjadmnic.exe 2536 Pciifc32.exe 3048 Pjcabmga.exe 1932 Pnajilng.exe 2892 Ppbfpd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2096 NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe 2096 NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe 1708 Hobcak32.exe 1708 Hobcak32.exe 2136 Hhmepp32.exe 2136 Hhmepp32.exe 2712 Idceea32.exe 2712 Idceea32.exe 2276 Idfbkq32.exe 2276 Idfbkq32.exe 2628 Iokfhi32.exe 2628 Iokfhi32.exe 2524 Iblpjdpk.exe 2524 Iblpjdpk.exe 2352 Incpoe32.exe 2352 Incpoe32.exe 2900 Jjjacf32.exe 2900 Jjjacf32.exe 3008 Jmhmpb32.exe 3008 Jmhmpb32.exe 1092 Jgnamk32.exe 1092 Jgnamk32.exe 616 Jqfffqpm.exe 616 Jqfffqpm.exe 604 Jkpgfn32.exe 604 Jkpgfn32.exe 1772 Jehkodcm.exe 1772 Jehkodcm.exe 528 Jonplmcb.exe 528 Jonplmcb.exe 2456 Jejhecaj.exe 2456 Jejhecaj.exe 2088 Jbnhng32.exe 2088 Jbnhng32.exe 2940 Keoapb32.exe 2940 Keoapb32.exe 1276 Kngfih32.exe 1276 Kngfih32.exe 2256 Knjbnh32.exe 2256 Knjbnh32.exe 2448 Kpkofpgq.exe 2448 Kpkofpgq.exe 1540 Kjqccigf.exe 1540 Kjqccigf.exe 1824 Kjcpii32.exe 1824 Kjcpii32.exe 112 Lldlqakb.exe 112 Lldlqakb.exe 1548 Lihmjejl.exe 1548 Lihmjejl.exe 2308 Leonofpp.exe 2308 Leonofpp.exe 1748 Lpdbloof.exe 1748 Lpdbloof.exe 2788 Leajdfnm.exe 2788 Leajdfnm.exe 1604 Lkncmmle.exe 1604 Lkncmmle.exe 2016 Lecgje32.exe 2016 Lecgje32.exe 2724 Lajhofao.exe 2724 Lajhofao.exe 2916 Mggpgmof.exe 2916 Mggpgmof.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jqfffqpm.exe Jgnamk32.exe File opened for modification C:\Windows\SysWOW64\Najdnj32.exe Mpigfa32.exe File created C:\Windows\SysWOW64\Hobcak32.exe NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe File created C:\Windows\SysWOW64\Gfkdmglc.dll Moidahcn.exe File created C:\Windows\SysWOW64\Bdhaablp.dll Hobcak32.exe File opened for modification C:\Windows\SysWOW64\Nmnace32.exe Nkpegi32.exe File created C:\Windows\SysWOW64\Dljnnb32.dll Ipgbjl32.exe File opened for modification C:\Windows\SysWOW64\Mpdnkb32.exe Mgljbm32.exe File opened for modification C:\Windows\SysWOW64\Efcfga32.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Efcfga32.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Bjjppa32.dll Fbopgb32.exe File created C:\Windows\SysWOW64\Fbamma32.exe Fglipi32.exe File created C:\Windows\SysWOW64\Lanaiahq.exe Kjdilgpc.exe File created C:\Windows\SysWOW64\Ogikcfnb.dll Lcagpl32.exe File opened for modification C:\Windows\SysWOW64\Hobcak32.exe NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe File created C:\Windows\SysWOW64\Fbbecd32.dll Nnennj32.exe File created C:\Windows\SysWOW64\Cgejac32.exe Cdgneh32.exe File created C:\Windows\SysWOW64\Dmkmmi32.dll Eplkpgnh.exe File created C:\Windows\SysWOW64\Mmhodf32.exe Meagci32.exe File created C:\Windows\SysWOW64\Mooaljkh.exe Mmneda32.exe File opened for modification C:\Windows\SysWOW64\Njlockkm.exe Ndpfkdmf.exe File created C:\Windows\SysWOW64\Dpeekh32.exe Dhnmij32.exe File created C:\Windows\SysWOW64\Ofbjgh32.dll Mmhodf32.exe File created C:\Windows\SysWOW64\Pcnbablo.exe Ppbfpd32.exe File created C:\Windows\SysWOW64\Qpecfc32.exe Qmfgjh32.exe File created C:\Windows\SysWOW64\Fojebabb.dll Amkpegnj.exe File created C:\Windows\SysWOW64\Copeil32.dll Jehkodcm.exe File created C:\Windows\SysWOW64\Hoamnbaf.dll Knjbnh32.exe File created C:\Windows\SysWOW64\Meagci32.exe Mpdnkb32.exe File created C:\Windows\SysWOW64\Ibebkc32.dll Kegqdqbl.exe File created C:\Windows\SysWOW64\Dndlim32.exe Cnaocmmi.exe File created C:\Windows\SysWOW64\Agjiphda.dll Bdgafdfp.exe File created C:\Windows\SysWOW64\Dbhnhp32.exe Dojald32.exe File created C:\Windows\SysWOW64\Akodpalp.dll Kngfih32.exe File opened for modification C:\Windows\SysWOW64\Ocgpappk.exe Onjgiiad.exe File created C:\Windows\SysWOW64\Edekcace.dll Dojald32.exe File opened for modification C:\Windows\SysWOW64\Eplkpgnh.exe Eibbcm32.exe File created C:\Windows\SysWOW64\Mpcnkg32.dll Lanaiahq.exe File created C:\Windows\SysWOW64\Eeoliecf.dll Jkpgfn32.exe File created C:\Windows\SysWOW64\Onmdoioa.exe Ocgpappk.exe File created C:\Windows\SysWOW64\Eeoffcnl.dll Pnajilng.exe File created C:\Windows\SysWOW64\Ncdbcl32.dll Aoepcn32.exe File created C:\Windows\SysWOW64\Flehkhai.exe Fekpnn32.exe File opened for modification C:\Windows\SysWOW64\Gpncej32.exe Gjakmc32.exe File created C:\Windows\SysWOW64\Ipgbjl32.exe Inifnq32.exe File opened for modification C:\Windows\SysWOW64\Nmbknddp.exe Nekbmgcn.exe File opened for modification C:\Windows\SysWOW64\Dhnmij32.exe Dpbheh32.exe File created C:\Windows\SysWOW64\Jjdmmdnh.exe Jgfqaiod.exe File opened for modification C:\Windows\SysWOW64\Jghmfhmb.exe Jqnejn32.exe File created C:\Windows\SysWOW64\Kklpekno.exe Kebgia32.exe File created C:\Windows\SysWOW64\Ejhlgaeh.exe Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Ndpfkdmf.exe Nnennj32.exe File created C:\Windows\SysWOW64\Iddnkn32.dll Jkmcfhkc.exe File created C:\Windows\SysWOW64\Jgcdki32.exe Jdehon32.exe File opened for modification C:\Windows\SysWOW64\Jgfqaiod.exe Jdgdempa.exe File created C:\Windows\SysWOW64\Kacgbnfl.dll Laegiq32.exe File created C:\Windows\SysWOW64\Malllmgi.dll Kjdilgpc.exe File opened for modification C:\Windows\SysWOW64\Mmneda32.exe Lbiqfied.exe File opened for modification C:\Windows\SysWOW64\Anccmo32.exe Alegac32.exe File created C:\Windows\SysWOW64\Bdacap32.dll Enhacojl.exe File opened for modification C:\Windows\SysWOW64\Mbpgggol.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Nmfmhhoj.dll Idnaoohk.exe File created C:\Windows\SysWOW64\Kbbngf32.exe Kocbkk32.exe File opened for modification C:\Windows\SysWOW64\Ljmlbfhi.exe Lbfdaigg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3124 3144 WerFault.exe 286 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djmicm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdbkjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" Hobcak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgljbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcegmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifnmmhq.dll" Alpmfdcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdnepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jehkodcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll" Emieil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoliecf.dll" Jkpgfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lecgje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll" Ncpcfkbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aibajhdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cohigamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egjpkffe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobjlngg.dll" Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qmfgjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjfjbdle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bghjhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilqpdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kngfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cehkbgdf.dll" Gbcfadgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nckjkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lihmjejl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fljafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aibajhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiijnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll" Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdniqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gepehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll" Mkmhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mihiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" Bfcampgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idfbkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljkomfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbmjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjjacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnajilng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmneda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll" Meijhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoepcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkddcl32.dll" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmkonce.dll" Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjiphda.dll" Bdgafdfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfbcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll" Llohjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" Eibbcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpdnkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll" Cohigamf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 1708 2096 NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe 28 PID 2096 wrote to memory of 1708 2096 NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe 28 PID 2096 wrote to memory of 1708 2096 NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe 28 PID 2096 wrote to memory of 1708 2096 NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe 28 PID 1708 wrote to memory of 2136 1708 Hobcak32.exe 29 PID 1708 wrote to memory of 2136 1708 Hobcak32.exe 29 PID 1708 wrote to memory of 2136 1708 Hobcak32.exe 29 PID 1708 wrote to memory of 2136 1708 Hobcak32.exe 29 PID 2136 wrote to memory of 2712 2136 Hhmepp32.exe 30 PID 2136 wrote to memory of 2712 2136 Hhmepp32.exe 30 PID 2136 wrote to memory of 2712 2136 Hhmepp32.exe 30 PID 2136 wrote to memory of 2712 2136 Hhmepp32.exe 30 PID 2712 wrote to memory of 2276 2712 Idceea32.exe 31 PID 2712 wrote to memory of 2276 2712 Idceea32.exe 31 PID 2712 wrote to memory of 2276 2712 Idceea32.exe 31 PID 2712 wrote to memory of 2276 2712 Idceea32.exe 31 PID 2276 wrote to memory of 2628 2276 Idfbkq32.exe 32 PID 2276 wrote to memory of 2628 2276 Idfbkq32.exe 32 PID 2276 wrote to memory of 2628 2276 Idfbkq32.exe 32 PID 2276 wrote to memory of 2628 2276 Idfbkq32.exe 32 PID 2628 wrote to memory of 2524 2628 Iokfhi32.exe 33 PID 2628 wrote to memory of 2524 2628 Iokfhi32.exe 33 PID 2628 wrote to memory of 2524 2628 Iokfhi32.exe 33 PID 2628 wrote to memory of 2524 2628 Iokfhi32.exe 33 PID 2524 wrote to memory of 2352 2524 Iblpjdpk.exe 34 PID 2524 wrote to memory of 2352 2524 Iblpjdpk.exe 34 PID 2524 wrote to memory of 2352 2524 Iblpjdpk.exe 34 PID 2524 wrote to memory of 2352 2524 Iblpjdpk.exe 34 PID 2352 wrote to memory of 2900 2352 Incpoe32.exe 42 PID 2352 wrote to memory of 2900 2352 Incpoe32.exe 42 PID 2352 wrote to memory of 2900 2352 Incpoe32.exe 42 PID 2352 wrote to memory of 2900 2352 Incpoe32.exe 42 PID 2900 wrote to memory of 3008 2900 Jjjacf32.exe 41 PID 2900 wrote to memory of 3008 2900 Jjjacf32.exe 41 PID 2900 wrote to memory of 3008 2900 Jjjacf32.exe 41 PID 2900 wrote to memory of 3008 2900 Jjjacf32.exe 41 PID 3008 wrote to memory of 1092 3008 Jmhmpb32.exe 35 PID 3008 wrote to memory of 1092 3008 Jmhmpb32.exe 35 PID 3008 wrote to memory of 1092 3008 Jmhmpb32.exe 35 PID 3008 wrote to memory of 1092 3008 Jmhmpb32.exe 35 PID 1092 wrote to memory of 616 1092 Jgnamk32.exe 36 PID 1092 wrote to memory of 616 1092 Jgnamk32.exe 36 PID 1092 wrote to memory of 616 1092 Jgnamk32.exe 36 PID 1092 wrote to memory of 616 1092 Jgnamk32.exe 36 PID 616 wrote to memory of 604 616 Jqfffqpm.exe 37 PID 616 wrote to memory of 604 616 Jqfffqpm.exe 37 PID 616 wrote to memory of 604 616 Jqfffqpm.exe 37 PID 616 wrote to memory of 604 616 Jqfffqpm.exe 37 PID 604 wrote to memory of 1772 604 Jkpgfn32.exe 40 PID 604 wrote to memory of 1772 604 Jkpgfn32.exe 40 PID 604 wrote to memory of 1772 604 Jkpgfn32.exe 40 PID 604 wrote to memory of 1772 604 Jkpgfn32.exe 40 PID 1772 wrote to memory of 528 1772 Jehkodcm.exe 39 PID 1772 wrote to memory of 528 1772 Jehkodcm.exe 39 PID 1772 wrote to memory of 528 1772 Jehkodcm.exe 39 PID 1772 wrote to memory of 528 1772 Jehkodcm.exe 39 PID 528 wrote to memory of 2456 528 Jonplmcb.exe 38 PID 528 wrote to memory of 2456 528 Jonplmcb.exe 38 PID 528 wrote to memory of 2456 528 Jonplmcb.exe 38 PID 528 wrote to memory of 2456 528 Jonplmcb.exe 38 PID 2456 wrote to memory of 2088 2456 Jejhecaj.exe 43 PID 2456 wrote to memory of 2088 2456 Jejhecaj.exe 43 PID 2456 wrote to memory of 2088 2456 Jejhecaj.exe 43 PID 2456 wrote to memory of 2088 2456 Jejhecaj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ef69cb7c5dc8a833ee9e476cbf8580b0_JC.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772
-
-
-
-
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Jbnhng32.exeC:\Windows\system32\Jbnhng32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Kngfih32.exeC:\Windows\system32\Kngfih32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Lkncmmle.exeC:\Windows\system32\Lkncmmle.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Lajhofao.exeC:\Windows\system32\Lajhofao.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Mggpgmof.exeC:\Windows\system32\Mggpgmof.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe18⤵
- Executes dropped EXE
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Mgljbm32.exeC:\Windows\system32\Mgljbm32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Mpfkqb32.exeC:\Windows\system32\Mpfkqb32.exe23⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe25⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe27⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Ndkmpe32.exeC:\Windows\system32\Ndkmpe32.exe30⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Noqamn32.exeC:\Windows\system32\Noqamn32.exe31⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe32⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe33⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Nnennj32.exeC:\Windows\system32\Nnennj32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Ndpfkdmf.exeC:\Windows\system32\Ndpfkdmf.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe36⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Oklkmnbp.exeC:\Windows\system32\Oklkmnbp.exe38⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Onjgiiad.exeC:\Windows\system32\Onjgiiad.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:984 -
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe42⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe43⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe46⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe47⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Pnajilng.exeC:\Windows\system32\Pnajilng.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe51⤵PID:812
-
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe52⤵PID:2416
-
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe54⤵PID:2824
-
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe55⤵PID:1128
-
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe56⤵PID:2100
-
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe57⤵PID:2944
-
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe60⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe61⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe62⤵PID:2332
-
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:344 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe65⤵PID:624
-
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe66⤵PID:3036
-
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Aaaoij32.exeC:\Windows\system32\Aaaoij32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe70⤵PID:2620
-
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe72⤵PID:2624
-
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe73⤵PID:2652
-
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe74⤵PID:2508
-
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe75⤵PID:2104
-
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe76⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe77⤵PID:2872
-
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe78⤵PID:1524
-
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe80⤵PID:1016
-
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe81⤵PID:2052
-
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe82⤵
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe83⤵PID:2928
-
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:292 -
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe85⤵PID:2108
-
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe86⤵PID:400
-
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe87⤵PID:964
-
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe88⤵PID:108
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe90⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe91⤵PID:868
-
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe92⤵PID:1960
-
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe93⤵
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe94⤵PID:2708
-
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe95⤵PID:2616
-
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe96⤵PID:2512
-
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe97⤵PID:2992
-
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe98⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe99⤵PID:2372
-
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe100⤵
- Drops file in System32 directory
PID:1380 -
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe102⤵PID:676
-
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe103⤵PID:1992
-
C:\Windows\SysWOW64\Djmicm32.exeC:\Windows\system32\Djmicm32.exe104⤵
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe105⤵PID:628
-
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe106⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe107⤵PID:1084
-
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe108⤵PID:2380
-
C:\Windows\SysWOW64\Dlnbeh32.exeC:\Windows\system32\Dlnbeh32.exe109⤵PID:2336
-
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1596 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe111⤵PID:1996
-
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe115⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe119⤵PID:800
-
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe121⤵
- Drops file in System32 directory
PID:1000
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-