Analysis
max time kernel: 127s
max time network: 122s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 01/11/2023, 18:07
Behavioral task: behavioral1
Sample: NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Size: 235KB
MD5: c0ebe06faaf07fee4a6f20b7d4cef691
SHA1: 76e1f1bfe0dbe96b1e1909ade8be7be7c98bbfdf
SHA256: da813ca37b224e8ab8f3cf4c9d69bc3b2c8a477b38b09f9bb14f22ec012d76f4
SHA512: 060bf8ad666183bec96b315c2a21eb0fa0a810d8824eeee820a2aa7d8ac9690c6658b3deaafebb0d6e9232dc18d56d45b9f9ff0ea4b0c39b2532bb052a0e12e9
SSDEEP: 3072:+V0woZeAnFYDKvAzHOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJaW4q:GJWFYDhzulrtMsQB+vn87L5A5
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agkako32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dqobnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kambcbhb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfbqgldn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kngaig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebialmjb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpapgnpb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlhmkbhb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmalgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opcejd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Endklmlq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcdmbk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcfjhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcfmfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cealdjcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nghpjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qigebglj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnnimkom.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oingii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmoaoikj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckndmaad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbfobllj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebknblho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flhhed32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jfbinf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Manljd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nomphm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onlooh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcmabnhm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iaimipjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djgfgkbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkhdml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Diqmcgca.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcpoab32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpjldc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fejfmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggfbpaeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nebnigmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nghpjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anbmbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djdjalea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fodgkp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljpnch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebialmjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcfjhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdnlpaln.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abfoll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpjaodmj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfblmofp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aohgfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahchdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpapgnpb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhqeka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chohqebq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qboikm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebknblho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fopnpaba.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdjljpnc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfkhch32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkdbab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lcadghnk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qigebglj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epfhde32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/files/0x00070000000120bd-5.dat | family_berbew
behavioral1/files/0x00070000000120bd-9.dat | family_berbew
behavioral1/files/0x00070000000120bd-14.dat | family_berbew
behavioral1/files/0x00070000000120bd-13.dat | family_berbew
behavioral1/files/0x00070000000120bd-8.dat | family_berbew
behavioral1/files/0x0033000000016cec-28.dat | family_berbew
behavioral1/files/0x0033000000016cec-26.dat | family_berbew
behavioral1/files/0x0033000000016cec-23.dat | family_berbew
behavioral1/files/0x0033000000016cec-22.dat | family_berbew
behavioral1/files/0x0033000000016cec-20.dat | family_berbew
behavioral1/files/0x0007000000016d66-33.dat | family_berbew
behavioral1/files/0x0007000000016d66-36.dat | family_berbew
behavioral1/files/0x0007000000016d66-35.dat | family_berbew
behavioral1/files/0x0007000000016d66-41.dat | family_berbew
behavioral1/files/0x0007000000016d66-40.dat | family_berbew
behavioral1/files/0x00090000000170ed-49.dat | family_berbew
behavioral1/files/0x00090000000170ed-50.dat | family_berbew
behavioral1/files/0x00090000000170ed-47.dat | family_berbew
behavioral1/files/0x00090000000170ed-55.dat | family_berbew
behavioral1/files/0x00090000000170ed-54.dat | family_berbew
behavioral1/files/0x0006000000017562-68.dat | family_berbew
behavioral1/files/0x0006000000017562-60.dat | family_berbew
behavioral1/files/0x0006000000017562-66.dat | family_berbew
behavioral1/files/0x0006000000017562-63.dat | family_berbew
behavioral1/files/0x0006000000017562-62.dat | family_berbew
behavioral1/files/0x0033000000016cfd-77.dat | family_berbew
behavioral1/files/0x0033000000016cfd-74.dat | family_berbew
behavioral1/files/0x0033000000016cfd-83.dat | family_berbew
behavioral1/files/0x0033000000016cfd-81.dat | family_berbew
behavioral1/files/0x0033000000016cfd-78.dat | family_berbew
behavioral1/files/0x00050000000186cf-88.dat | family_berbew
behavioral1/files/0x00050000000186cf-94.dat | family_berbew
behavioral1/files/0x00050000000186cf-91.dat | family_berbew
behavioral1/files/0x00050000000186cf-90.dat | family_berbew
behavioral1/files/0x00050000000186cf-96.dat | family_berbew
behavioral1/memory/756-101-0x0000000000220000-0x0000000000258000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018b10-102.dat | family_berbew
behavioral1/files/0x0006000000018b10-106.dat | family_berbew
behavioral1/files/0x0006000000018b10-109.dat | family_berbew
behavioral1/files/0x0006000000018b10-105.dat | family_berbew
behavioral1/files/0x0006000000018b10-110.dat | family_berbew
behavioral1/files/0x0006000000018b43-116.dat | family_berbew
behavioral1/files/0x0006000000018b43-119.dat | family_berbew
behavioral1/files/0x0006000000018b43-118.dat | family_berbew
behavioral1/files/0x0006000000018b43-124.dat | family_berbew
behavioral1/files/0x0006000000018b43-123.dat | family_berbew
behavioral1/files/0x0006000000018b6c-133.dat | family_berbew
behavioral1/files/0x0006000000018b6c-138.dat | family_berbew
behavioral1/files/0x0006000000018b6c-137.dat | family_berbew
behavioral1/files/0x0006000000018b6c-132.dat | family_berbew
behavioral1/files/0x0006000000018b6c-130.dat | family_berbew
behavioral1/files/0x0006000000018b8c-143.dat | family_berbew
behavioral1/files/0x0006000000018b8c-149.dat | family_berbew
behavioral1/files/0x0006000000018b8c-146.dat | family_berbew
behavioral1/files/0x0006000000018b8c-145.dat | family_berbew
behavioral1/files/0x0006000000018b8c-151.dat | family_berbew
behavioral1/files/0x0006000000018bc0-158.dat | family_berbew
behavioral1/files/0x0006000000018bc0-161.dat | family_berbew
behavioral1/files/0x0006000000018bc0-160.dat | family_berbew
behavioral1/files/0x0006000000018bc0-164.dat | family_berbew
behavioral1/files/0x0006000000018bc0-166.dat | family_berbew
behavioral1/files/0x0006000000018f90-178.dat | family_berbew
behavioral1/files/0x0006000000018f90-175.dat | family_berbew
behavioral1/files/0x0006000000018f90-174.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
2764 | Iaimipjl.exe
2800 | Jjfkmdlg.exe
2608 | Jikhnaao.exe
2936 | Jcciqi32.exe
1832 | Kambcbhb.exe
756 | Koaclfgl.exe
2744 | Kkjpggkn.exe
1652 | Kageia32.exe
2040 | Llpfjomf.exe
2848 | Laahme32.exe
852 | Lcadghnk.exe
2352 | Mgcjpkak.exe
2060 | Mkacfiga.exe
3044 | Mlelda32.exe
1828 | Nghpjn32.exe
2072 | Omiand32.exe
2408 | Obkcajde.exe
1984 | Phobjp32.exe
1296 | Pnhjgj32.exe
1052 | Pdecoa32.exe
1784 | Pnkglj32.exe
692 | Pjahakgb.exe
1156 | Pdjljpnc.exe
1484 | Qigebglj.exe
3052 | Qboikm32.exe
2144 | Qmenhe32.exe
2088 | Qpcjeaad.exe
2248 | Afmbak32.exe
1596 | Aljjjb32.exe
2228 | Aohgfm32.exe
2708 | Ainkcf32.exe
2632 | Allgoa32.exe
2492 | Abfoll32.exe
2552 | Ahchdb32.exe
2772 | Ahedjb32.exe
528 | Anbmbi32.exe
796 | Adleoc32.exe
2820 | Agkako32.exe
2444 | Andjgidl.exe
1996 | Bdobdc32.exe
1992 | Bikjmj32.exe
1100 | Bccoeo32.exe
1020 | Bdckobhd.exe
320 | Bedhgj32.exe
1768 | Bpjldc32.exe
2388 | Bfgdmjlp.exe
2584 | Blqmid32.exe
1812 | Baneak32.exe
952 | Chgnneiq.exe
2996 | Ckfjjqhd.exe
1452 | Cfknhi32.exe
1920 | Cdnncfoe.exe
1612 | Cngcll32.exe
2860 | Cdqkifmb.exe
3000 | Cgogealf.exe
1728 | Cnipak32.exe
980 | Cjppfl32.exe
2116 | Cdedde32.exe
2412 | Cnnimkom.exe
2196 | Ddhaie32.exe
1588 | Djdjalea.exe
2732 | Dqobnf32.exe
2556 | Djgfgkbo.exe
2496 | Dqaode32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2692 | NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
2692 | NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
2764 | Iaimipjl.exe
2764 | Iaimipjl.exe
2800 | Jjfkmdlg.exe
2800 | Jjfkmdlg.exe
2608 | Jikhnaao.exe
2608 | Jikhnaao.exe
2936 | Jcciqi32.exe
2936 | Jcciqi32.exe
1832 | Kambcbhb.exe
1832 | Kambcbhb.exe
756 | Koaclfgl.exe
756 | Koaclfgl.exe
2744 | Kkjpggkn.exe
2744 | Kkjpggkn.exe
1652 | Kageia32.exe
1652 | Kageia32.exe
2040 | Llpfjomf.exe
2040 | Llpfjomf.exe
2848 | Laahme32.exe
2848 | Laahme32.exe
852 | Lcadghnk.exe
852 | Lcadghnk.exe
2352 | Mgcjpkak.exe
2352 | Mgcjpkak.exe
2060 | Mkacfiga.exe
2060 | Mkacfiga.exe
3044 | Mlelda32.exe
3044 | Mlelda32.exe
1828 | Nghpjn32.exe
1828 | Nghpjn32.exe
2072 | Omiand32.exe
2072 | Omiand32.exe
2408 | Obkcajde.exe
2408 | Obkcajde.exe
1984 | Phobjp32.exe
1984 | Phobjp32.exe
1296 | Pnhjgj32.exe
1296 | Pnhjgj32.exe
1052 | Pdecoa32.exe
1052 | Pdecoa32.exe
1784 | Pnkglj32.exe
1784 | Pnkglj32.exe
692 | Pjahakgb.exe
692 | Pjahakgb.exe
1156 | Pdjljpnc.exe
1156 | Pdjljpnc.exe
1484 | Qigebglj.exe
1484 | Qigebglj.exe
3052 | Qboikm32.exe
3052 | Qboikm32.exe
2144 | Qmenhe32.exe
2144 | Qmenhe32.exe
2088 | Qpcjeaad.exe
2088 | Qpcjeaad.exe
2248 | Afmbak32.exe
2248 | Afmbak32.exe
1596 | Aljjjb32.exe
1596 | Aljjjb32.exe
2228 | Aohgfm32.exe
2228 | Aohgfm32.exe
2708 | Ainkcf32.exe
2708 | Ainkcf32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Jikhnaao.exe | Jjfkmdlg.exe
File created | C:\Windows\SysWOW64\Ebknblho.exe | Egfjdchi.exe
File created | C:\Windows\SysWOW64\Mldlaa32.dll | Ghoijebj.exe
File created | C:\Windows\SysWOW64\Dkhdhoei.dll | Nilndfgl.exe
File created | C:\Windows\SysWOW64\Onlooh32.exe | Odckfb32.exe
File created | C:\Windows\SysWOW64\Nemfepee.dll | Bcfmfc32.exe
File created | C:\Windows\SysWOW64\Ephdjeol.exe | Ehmpeb32.exe
File opened for modification | C:\Windows\SysWOW64\Ggiofa32.exe | Gdjcjf32.exe
File created | C:\Windows\SysWOW64\Dmncccnh.dll | Mmbnam32.exe
File created | C:\Windows\SysWOW64\Loocanbe.exe | Lkcgapjl.exe
File created | C:\Windows\SysWOW64\Kcipdg32.dll | Oingii32.exe
File created | C:\Windows\SysWOW64\Bkdbab32.exe | Agfikc32.exe
File opened for modification | C:\Windows\SysWOW64\Dlkqpg32.exe | Dcblgbfe.exe
File created | C:\Windows\SysWOW64\Kkjpggkn.exe | Koaclfgl.exe
File created | C:\Windows\SysWOW64\Cmmlkk32.dll | Kgjlgm32.exe
File opened for modification | C:\Windows\SysWOW64\Bmjhdi32.exe | Bfppgohb.exe
File created | C:\Windows\SysWOW64\Klheoobo.dll | Celbik32.exe
File created | C:\Windows\SysWOW64\Oeoedmpg.dll | Mlhmkbhb.exe
File created | C:\Windows\SysWOW64\Eijhgopb.dll | Chohqebq.exe
File opened for modification | C:\Windows\SysWOW64\Qboikm32.exe | Qigebglj.exe
File opened for modification | C:\Windows\SysWOW64\Abfoll32.exe | Allgoa32.exe
File created | C:\Windows\SysWOW64\Mmmmil32.dll | Adleoc32.exe
File opened for modification | C:\Windows\SysWOW64\Chgnneiq.exe | Baneak32.exe
File opened for modification | C:\Windows\SysWOW64\Cdnncfoe.exe | Cfknhi32.exe
File opened for modification | C:\Windows\SysWOW64\Dqaode32.exe | Djgfgkbo.exe
File opened for modification | C:\Windows\SysWOW64\Manljd32.exe | Mmcpjfcj.exe
File created | C:\Windows\SysWOW64\Niqgof32.exe | Naionh32.exe
File created | C:\Windows\SysWOW64\Aegobiom.dll | Nomphm32.exe
File opened for modification | C:\Windows\SysWOW64\Oheppe32.exe | Ocihgo32.exe
File created | C:\Windows\SysWOW64\Qboikm32.exe | Qigebglj.exe
File created | C:\Windows\SysWOW64\Acbbhobn.dll | Dmgoif32.exe
File created | C:\Windows\SysWOW64\Lblcge32.dll | Fejfmk32.exe
File opened for modification | C:\Windows\SysWOW64\Gdjcjf32.exe | Ggfbpaeo.exe
File created | C:\Windows\SysWOW64\Lgcpif32.dll | Bfppgohb.exe
File created | C:\Windows\SysWOW64\Iifmcp32.dll | Mgcjpkak.exe
File opened for modification | C:\Windows\SysWOW64\Qigebglj.exe | Pdjljpnc.exe
File created | C:\Windows\SysWOW64\Koenpgkf.dll | Chgnneiq.exe
File created | C:\Windows\SysWOW64\Bfblmofp.exe | Bmjhdi32.exe
File opened for modification | C:\Windows\SysWOW64\Cogdhpkp.exe | Cligkdlm.exe
File created | C:\Windows\SysWOW64\Bmkedj32.dll | Dfpcblfp.exe
File opened for modification | C:\Windows\SysWOW64\Fobkfqpo.exe | Fejfmk32.exe
File created | C:\Windows\SysWOW64\Felcbk32.exe | Fobkfqpo.exe
File created | C:\Windows\SysWOW64\Jhniebne.exe | Jgmlmj32.exe
File created | C:\Windows\SysWOW64\Dhmbnh32.dll | Koogbk32.exe
File opened for modification | C:\Windows\SysWOW64\Kqcqpc32.exe | Knddcg32.exe
File opened for modification | C:\Windows\SysWOW64\Npffaq32.exe | Nilndfgl.exe
File created | C:\Windows\SysWOW64\Obchjdci.dll | Bfblmofp.exe
File created | C:\Windows\SysWOW64\Hepmmlkl.dll | Pnkglj32.exe
File created | C:\Windows\SysWOW64\Jcdmbk32.exe | Jpeafo32.exe
File created | C:\Windows\SysWOW64\Dkpgohdb.dll | Jcdmbk32.exe
File opened for modification | C:\Windows\SysWOW64\Pcmabnhm.exe | Phhmeehg.exe
File created | C:\Windows\SysWOW64\Cealdjcm.exe | Cogdhpkp.exe
File created | C:\Windows\SysWOW64\Idjeonbj.dll | Ddhaie32.exe
File opened for modification | C:\Windows\SysWOW64\Dcageqgm.exe | Dmgoif32.exe
File created | C:\Windows\SysWOW64\Omjkkb32.dll | Agfikc32.exe
File opened for modification | C:\Windows\SysWOW64\Omiand32.exe | Nghpjn32.exe
File opened for modification | C:\Windows\SysWOW64\Pnkglj32.exe | Pdecoa32.exe
File created | C:\Windows\SysWOW64\Gjkaenpg.dll | Bdckobhd.exe
File created | C:\Windows\SysWOW64\Dmgoif32.exe | Dqaode32.exe
File created | C:\Windows\SysWOW64\Pmhikf32.dll | Lkhalo32.exe
File opened for modification | C:\Windows\SysWOW64\Nebnigmp.exe | Nbdbml32.exe
File created | C:\Windows\SysWOW64\Naionh32.exe | Nbfobllj.exe
File created | C:\Windows\SysWOW64\Ngcjbg32.dll | Caccnllf.exe
File created | C:\Windows\SysWOW64\Hlokefce.dll | Dkpabqoa.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1328 | 3000 | WerFault.exe | 242
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dandbm32.dll" | Pjahakgb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdfipdjm.dll" | Endklmlq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fjnignob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmlnjcgg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmjhdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kambcbhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjkggck.dll" | Lcadghnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmogdkh.dll" | Bdobdc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ebialmjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnmoiqo.dll" | Figocipe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Goiafp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlhmkbhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Naionh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpiogfm.dll" | Dijgnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakhmhh.dll" | Cbljgpja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkacfiga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlelda32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cfknhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhina32.dll" | Ggfbpaeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmcpjfcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Podbgo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llpfjomf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Allgoa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlhmkbhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlkqpg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Adleoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gpacogjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmcdkbao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmnfogl.dll" | Pofomolo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdbhb32.dll" | Abfoll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ebfqfpop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjjnmd32.dll" | Gmnngl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhqeka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgfkeda.dll" | Leqeed32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Niqgof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oheppe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cealdjcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aljjjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfbinf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kngaig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll" | NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Baneak32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmgoif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpfoboml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Podbgo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkacfiga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdmgldgl.dll" | Pnhjgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fpjaodmj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkjpggkn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffdilo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgmlmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohecb32.dll" | Jcfjhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdqifajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfekom32.dll" | Odckfb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phobjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bccoeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnnimkom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapcghh.dll" | Egfjdchi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblmfa32.dll" | Kninog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Loocanbe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkhalo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Milaecdp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c0ebe06faaf07fee4a6f20b7d4cef691_JC.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2692

[2] C:\Windows\SysWOW64\Iaimipjl.exe (command line: C:\Windows\system32\Iaimipjl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2764

[3] C:\Windows\SysWOW64\Jjfkmdlg.exe (command line: C:\Windows\system32\Jjfkmdlg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2800

[4] C:\Windows\SysWOW64\Jikhnaao.exe (command line: C:\Windows\system32\Jikhnaao.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2608

[5] C:\Windows\SysWOW64\Jcciqi32.exe (command line: C:\Windows\system32\Jcciqi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2936

[6] C:\Windows\SysWOW64\Kambcbhb.exe (command line: C:\Windows\system32\Kambcbhb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1832

[7] C:\Windows\SysWOW64\Koaclfgl.exe (command line: C:\Windows\system32\Koaclfgl.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 756

[8] C:\Windows\SysWOW64\Kkjpggkn.exe (command line: C:\Windows\system32\Kkjpggkn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2744

[9] C:\Windows\SysWOW64\Kageia32.exe (command line: C:\Windows\system32\Kageia32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1652

[10] C:\Windows\SysWOW64\Llpfjomf.exe (command line: C:\Windows\system32\Llpfjomf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2040

[11] C:\Windows\SysWOW64\Laahme32.exe (command line: C:\Windows\system32\Laahme32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2848

[12] C:\Windows\SysWOW64\Lcadghnk.exe (command line: C:\Windows\system32\Lcadghnk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 852

[13] C:\Windows\SysWOW64\Mgcjpkak.exe (command line: C:\Windows\system32\Mgcjpkak.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2352

[14] C:\Windows\SysWOW64\Mkacfiga.exe (command line: C:\Windows\system32\Mkacfiga.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2060

[15] C:\Windows\SysWOW64\Mlelda32.exe (command line: C:\Windows\system32\Mlelda32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3044

[16] C:\Windows\SysWOW64\Nghpjn32.exe (command line: C:\Windows\system32\Nghpjn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1828

[17] C:\Windows\SysWOW64\Omiand32.exe (command line: C:\Windows\system32\Omiand32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2072

[18] C:\Windows\SysWOW64\Obkcajde.exe (command line: C:\Windows\system32\Obkcajde.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2408

[19] C:\Windows\SysWOW64\Phobjp32.exe (command line: C:\Windows\system32\Phobjp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1984

[20] C:\Windows\SysWOW64\Pnhjgj32.exe (command line: C:\Windows\system32\Pnhjgj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1296

[21] C:\Windows\SysWOW64\Pdecoa32.exe (command line: C:\Windows\system32\Pdecoa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1052

[22] C:\Windows\SysWOW64\Pnkglj32.exe (command line: C:\Windows\system32\Pnkglj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1784

[23] C:\Windows\SysWOW64\Pjahakgb.exe (command line: C:\Windows\system32\Pjahakgb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 692

[24] C:\Windows\SysWOW64\Pdjljpnc.exe (command line: C:\Windows\system32\Pdjljpnc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1156

[25] C:\Windows\SysWOW64\Qigebglj.exe (command line: C:\Windows\system32\Qigebglj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1484

[26] C:\Windows\SysWOW64\Qboikm32.exe (command line: C:\Windows\system32\Qboikm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 3052

[27] C:\Windows\SysWOW64\Qmenhe32.exe (command line: C:\Windows\system32\Qmenhe32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2144

[28] C:\Windows\SysWOW64\Qpcjeaad.exe (command line: C:\Windows\system32\Qpcjeaad.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2088

[29] C:\Windows\SysWOW64\Afmbak32.exe (command line: C:\Windows\system32\Afmbak32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2248

[30] C:\Windows\SysWOW64\Aljjjb32.exe (command line: C:\Windows\system32\Aljjjb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1596

[31] C:\Windows\SysWOW64\Aohgfm32.exe (command line: C:\Windows\system32\Aohgfm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2228

[32] C:\Windows\SysWOW64\Ainkcf32.exe (command line: C:\Windows\system32\Ainkcf32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2708

[33] C:\Windows\SysWOW64\Allgoa32.exe (command line: C:\Windows\system32\Allgoa32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2632

[34] C:\Windows\SysWOW64\Abfoll32.exe (command line: C:\Windows\system32\Abfoll32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2492

[35] C:\Windows\SysWOW64\Ahchdb32.exe (command line: C:\Windows\system32\Ahchdb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2552

[36] C:\Windows\SysWOW64\Ahedjb32.exe (command line: C:\Windows\system32\Ahedjb32.exe)
- Executes dropped EXE
PID: 2772

[37] C:\Windows\SysWOW64\Anbmbi32.exe (command line: C:\Windows\system32\Anbmbi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 528

[38] C:\Windows\SysWOW64\Adleoc32.exe (command line: C:\Windows\system32\Adleoc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 796

[39] C:\Windows\SysWOW64\Agkako32.exe (command line: C:\Windows\system32\Agkako32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2820

[40] C:\Windows\SysWOW64\Andjgidl.exe (command line: C:\Windows\system32\Andjgidl.exe)
- Executes dropped EXE
PID: 2444

[41] C:\Windows\SysWOW64\Bdobdc32.exe (command line: C:\Windows\system32\Bdobdc32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1996

[42] C:\Windows\SysWOW64\Bikjmj32.exe (command line: C:\Windows\system32\Bikjmj32.exe)
- Executes dropped EXE
PID: 1992

[43] C:\Windows\SysWOW64\Bccoeo32.exe (command line: C:\Windows\system32\Bccoeo32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1100

[44] C:\Windows\SysWOW64\Bdckobhd.exe (command line: C:\Windows\system32\Bdckobhd.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1020

[45] C:\Windows\SysWOW64\Bedhgj32.exe (command line: C:\Windows\system32\Bedhgj32.exe)
- Executes dropped EXE
PID: 320

[46] C:\Windows\SysWOW64\Bpjldc32.exe (command line: C:\Windows\system32\Bpjldc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1768

[47] C:\Windows\SysWOW64\Bfgdmjlp.exe (command line: C:\Windows\system32\Bfgdmjlp.exe)
- Executes dropped EXE
PID: 2388

[48] C:\Windows\SysWOW64\Blqmid32.exe (command line: C:\Windows\system32\Blqmid32.exe)
- Executes dropped EXE
PID: 2584

[49] C:\Windows\SysWOW64\Baneak32.exe (command line: C:\Windows\system32\Baneak32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1812

[50] C:\Windows\SysWOW64\Chgnneiq.exe (command line: C:\Windows\system32\Chgnneiq.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 952

[51] C:\Windows\SysWOW64\Ckfjjqhd.exe (command line: C:\Windows\system32\Ckfjjqhd.exe)
- Executes dropped EXE
PID: 2996

[52] C:\Windows\SysWOW64\Cfknhi32.exe (command line: C:\Windows\system32\Cfknhi32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1452

[53] C:\Windows\SysWOW64\Cdnncfoe.exe (command line: C:\Windows\system32\Cdnncfoe.exe)
- Executes dropped EXE
PID: 1920

[54] C:\Windows\SysWOW64\Cngcll32.exe (command line: C:\Windows\system32\Cngcll32.exe)
- Executes dropped EXE
PID: 1612

[55] C:\Windows\SysWOW64\Cdqkifmb.exe (command line: C:\Windows\system32\Cdqkifmb.exe)
- Executes dropped EXE
PID: 2860

[56] C:\Windows\SysWOW64\Cgogealf.exe (command line: C:\Windows\system32\Cgogealf.exe)
- Executes dropped EXE
PID: 3000

[57] C:\Windows\SysWOW64\Cnipak32.exe (command line: C:\Windows\system32\Cnipak32.exe)
- Executes dropped EXE
PID: 1728

[58] C:\Windows\SysWOW64\Cjppfl32.exe (command line: C:\Windows\system32\Cjppfl32.exe)
- Executes dropped EXE
PID: 980

[59] C:\Windows\SysWOW64\Cdedde32.exe (command line: C:\Windows\system32\Cdedde32.exe)
- Executes dropped EXE
PID: 2116

[60] C:\Windows\SysWOW64\Cnnimkom.exe (command line: C:\Windows\system32\Cnnimkom.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2412

[61] C:\Windows\SysWOW64\Ddhaie32.exe (command line: C:\Windows\system32\Ddhaie32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2196

[62] C:\Windows\SysWOW64\Djdjalea.exe (command line: C:\Windows\system32\Djdjalea.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1588

[63] C:\Windows\SysWOW64\Dqobnf32.exe (command line: C:\Windows\system32\Dqobnf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2732

[64] C:\Windows\SysWOW64\Djgfgkbo.exe (command line: C:\Windows\system32\Djgfgkbo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2556

[65] C:\Windows\SysWOW64\Dqaode32.exe (command line: C:\Windows\system32\Dqaode32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2496

[66] C:\Windows\SysWOW64\Dmgoif32.exe (command line: C:\Windows\system32\Dmgoif32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2280

[67] C:\Windows\SysWOW64\Dcageqgm.exe (command line: C:\Windows\system32\Dcageqgm.exe)
PID: 596

[68] C:\Windows\SysWOW64\Dfpcblfp.exe (command line: C:\Windows\system32\Dfpcblfp.exe)
- Drops file in System32 directory
PID: 532

[69] C:\Windows\SysWOW64\Dmjlof32.exe (command line: C:\Windows\system32\Dmjlof32.exe)
PID: 1160

[70] C:\Windows\SysWOW64\Dphhka32.exe (command line: C:\Windows\system32\Dphhka32.exe)
PID: 1472

[71] C:\Windows\SysWOW64\Dfbqgldn.exe (command line: C:\Windows\system32\Dfbqgldn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2420

[72] C:\Windows\SysWOW64\Diqmcgca.exe (command line: C:\Windows\system32\Diqmcgca.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1764

[73] C:\Windows\SysWOW64\Epkepakn.exe (command line: C:\Windows\system32\Epkepakn.exe)
PID: 544

[74] C:\Windows\SysWOW64\Ebialmjb.exe (command line: C:\Windows\system32\Ebialmjb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1672

[75] C:\Windows\SysWOW64\Egfjdchi.exe (command line: C:\Windows\system32\Egfjdchi.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2392

[76] C:\Windows\SysWOW64\Ebknblho.exe (command line: C:\Windows\system32\Ebknblho.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1856

[77] C:\Windows\SysWOW64\Ecmjid32.exe (command line: C:\Windows\system32\Ecmjid32.exe)
PID: 1820

[78] C:\Windows\SysWOW64\Emeobj32.exe (command line: C:\Windows\system32\Emeobj32.exe)
PID: 1084

[79] C:\Windows\SysWOW64\Eelgcg32.exe (command line: C:\Windows\system32\Eelgcg32.exe)
PID: 2276

[80] C:\Windows\SysWOW64\Endklmlq.exe (command line: C:\Windows\system32\Endklmlq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1760

[81] C:\Windows\SysWOW64\Epfhde32.exe (command line: C:\Windows\system32\Epfhde32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1952

[82] C:\Windows\SysWOW64\Ehmpeb32.exe (command line: C:\Windows\system32\Ehmpeb32.exe)
- Drops file in System32 directory
PID: 2900

[83] C:\Windows\SysWOW64\Ephdjeol.exe (command line: C:\Windows\system32\Ephdjeol.exe)
PID: 2204

[84] C:\Windows\SysWOW64\Ebfqfpop.exe (command line: C:\Windows\system32\Ebfqfpop.exe)
- Modifies registry class
PID: 2132

[85] C:\Windows\SysWOW64\Fjnignob.exe (command line: C:\Windows\system32\Fjnignob.exe)
- Modifies registry class
PID: 2320

[86] C:\Windows\SysWOW64\Fpjaodmj.exe (command line: C:\Windows\system32\Fpjaodmj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1380

[87] C:\Windows\SysWOW64\Ffdilo32.exe (command line: C:\Windows\system32\Ffdilo32.exe)
- Modifies registry class
PID: 2648

[88] C:\Windows\SysWOW64\Fopnpaba.exe (command line: C:\Windows\system32\Fopnpaba.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1552

[89] C:\Windows\SysWOW64\Fejfmk32.exe (command line: C:\Windows\system32\Fejfmk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2524

[90] C:\Windows\SysWOW64\Fobkfqpo.exe (command line: C:\Windows\system32\Fobkfqpo.exe)
- Drops file in System32 directory
PID: 2616

[91] C:\Windows\SysWOW64\Felcbk32.exe (command line: C:\Windows\system32\Felcbk32.exe)
PID: 2480

[92] C:\Windows\SysWOW64\Figocipe.exe (command line: C:\Windows\system32\Figocipe.exe)
- Modifies registry class
PID: 1748

[93] C:\Windows\SysWOW64\Fodgkp32.exe (command line: C:\Windows\system32\Fodgkp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2728

[94] C:\Windows\SysWOW64\Fdapcg32.exe (command line: C:\Windows\system32\Fdapcg32.exe)
PID: 2424

[95] C:\Windows\SysWOW64\Flhhed32.exe (command line: C:\Windows\system32\Flhhed32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2672

[96] C:\Windows\SysWOW64\Gmidlmcd.exe (command line: C:\Windows\system32\Gmidlmcd.exe)
PID: 1476

[97] C:\Windows\SysWOW64\Ghoijebj.exe (command line: C:\Windows\system32\Ghoijebj.exe)
- Drops file in System32 directory
PID: 1648

[98] C:\Windows\SysWOW64\Goiafp32.exe (command line: C:\Windows\system32\Goiafp32.exe)
- Modifies registry class
PID: 564

[99] C:\Windows\SysWOW64\Gdfiofhn.exe (command line: C:\Windows\system32\Gdfiofhn.exe)
PID: 1388

[100] C:\Windows\SysWOW64\Gmnngl32.exe (command line: C:\Windows\system32\Gmnngl32.exe)
- Modifies registry class
PID: 548

[101] C:\Windows\SysWOW64\Gckfpc32.exe (command line: C:\Windows\system32\Gckfpc32.exe)
PID: 1912

[102] C:\Windows\SysWOW64\Ggfbpaeo.exe (command line: C:\Windows\system32\Ggfbpaeo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 1088

[103] C:\Windows\SysWOW64\Gdjcjf32.exe (command line: C:\Windows\system32\Gdjcjf32.exe)
- Drops file in System32 directory
PID: 1804

[104] C:\Windows\SysWOW64\Ggiofa32.exe (command line: C:\Windows\system32\Ggiofa32.exe)
PID: 2240

[105] C:\Windows\SysWOW64\Gpacogjm.exe (command line: C:\Windows\system32\Gpacogjm.exe)
- Modifies registry class
PID: 1980

[106] C:\Windows\SysWOW64\Genlgnhd.exe (command line: C:\Windows\system32\Genlgnhd.exe)
PID: 1632

[107] C:\Windows\SysWOW64\Lmalgq32.exe (command line: C:\Windows\system32\Lmalgq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1400

[108] C:\Windows\SysWOW64\Mmbnam32.exe (command line: C:\Windows\system32\Mmbnam32.exe)
- Drops file in System32 directory
PID: 2724

[109] C:\Windows\SysWOW64\Hpfoboml.exe (command line: C:\Windows\system32\Hpfoboml.exe)
- Modifies registry class
PID: 1348

[110] C:\Windows\SysWOW64\Jgmlmj32.exe (command line: C:\Windows\system32\Jgmlmj32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 1868

[111] C:\Windows\SysWOW64\Jhniebne.exe (command line: C:\Windows\system32\Jhniebne.exe)
PID: 912

[112] C:\Windows\SysWOW64\Jpeafo32.exe (command line: C:\Windows\system32\Jpeafo32.exe)
- Drops file in System32 directory
PID: 3020

[113] C:\Windows\SysWOW64\Jcdmbk32.exe (command line: C:\Windows\system32\Jcdmbk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2856

[114] C:\Windows\SysWOW64\Jfbinf32.exe (command line: C:\Windows\system32\Jfbinf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 3068

[115] C:\Windows\SysWOW64\Jhqeka32.exe (command line: C:\Windows\system32\Jhqeka32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2720

[116] C:\Windows\SysWOW64\Jkobgm32.exe (command line: C:\Windows\system32\Jkobgm32.exe)
PID: 2264

[117] C:\Windows\SysWOW64\Jcfjhj32.exe (command line: C:\Windows\system32\Jcfjhj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2780

[118] C:\Windows\SysWOW64\Klonqpbi.exe (command line: C:\Windows\system32\Klonqpbi.exe)
PID: 2596

[119] C:\Windows\SysWOW64\Koogbk32.exe (command line: C:\Windows\system32\Koogbk32.exe)
- Drops file in System32 directory
PID: 2824

[120] C:\Windows\SysWOW64\Kqqdjceh.exe (command line: C:\Windows\system32\Kqqdjceh.exe)
PID: 2932

[121] C:\Windows\SysWOW64\Kgjlgm32.exe (command line: C:\Windows\system32\Kgjlgm32.exe)
- Drops file in System32 directory
PID: 688

[122] C:\Windows\SysWOW64\Knddcg32.exe (command line: C:\Windows\system32\Knddcg32.exe)
- Drops file in System32 directory
PID: 1052