Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
45s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
02/11/2023, 11:33
Behavioral task
behavioral1
Sample
NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe
-
Size
161KB
-
MD5
bd75981b96d46bb2cd3b3d335a8854e0
-
SHA1
d4cf7c321ad0209116c5b2f56abbdb8d765a904c
-
SHA256
448a60e209bb9384937c4673d396f8e6057eaa0c3c7789021206f42a96e01594
-
SHA512
fad814a135c3760137169037b14cfdfbbb4a90ba0b19686f6b22aa0d3c5d980626d741151fae578c0c61fcb57c7cb1156b35b8bd8f8b9b1086a789cb9c5c1ffa
-
SSDEEP
3072:gxYPEGM/dYloBTGqeu7sIbBunWsMOrssssss9MqkoVwtCJXeex7rrIRZK8K8/kv:iYPEGM/tleu5bB2Ws/ssssss9/koVwty
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhdkdlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hojgfemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmfhil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plijimee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfcjdkpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgqpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjdacik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npijoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmcnqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqdiga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcojjmea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libicbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nplmop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqkobqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acekjjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgigil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfhil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmfdhojb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aipfmane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bajqfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmlhnagm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npccpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohidmoaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egikjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkmcldj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Magqncba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlklnjoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfllkece.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjnamh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjclobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Behilopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddfebnoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmapm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljddpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poapfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgkfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekpheb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amohfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flehkhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanaiahq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piekcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikefkcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgbeoibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heglio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmafj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggnmbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgmijgc.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x00070000000120e5-5.dat family_berbew behavioral1/files/0x00070000000120e5-8.dat family_berbew behavioral1/files/0x00070000000120e5-12.dat family_berbew behavioral1/files/0x0032000000015c5c-19.dat family_berbew behavioral1/files/0x0032000000015c5c-25.dat family_berbew behavioral1/files/0x0032000000015c5c-22.dat family_berbew behavioral1/files/0x0032000000015c5c-21.dat family_berbew behavioral1/files/0x00070000000120e5-13.dat family_berbew behavioral1/files/0x00070000000120e5-9.dat family_berbew behavioral1/files/0x0032000000015c5c-27.dat family_berbew behavioral1/files/0x0007000000015ce7-39.dat family_berbew behavioral1/files/0x0007000000015ce7-41.dat family_berbew behavioral1/files/0x0007000000015ce7-35.dat family_berbew behavioral1/files/0x0007000000015db7-53.dat family_berbew behavioral1/files/0x0007000000015db7-52.dat family_berbew behavioral1/files/0x0007000000015db7-49.dat family_berbew behavioral1/files/0x0007000000015db7-48.dat family_berbew behavioral1/files/0x0007000000015db7-46.dat family_berbew behavioral1/files/0x0007000000015ce7-34.dat family_berbew behavioral1/files/0x0007000000015ce7-32.dat family_berbew behavioral1/files/0x0009000000015ea9-62.dat family_berbew behavioral1/files/0x0009000000015ea9-67.dat family_berbew behavioral1/files/0x0009000000015ea9-65.dat family_berbew behavioral1/files/0x0009000000015ea9-61.dat family_berbew behavioral1/files/0x0009000000015ea9-59.dat family_berbew behavioral1/files/0x000600000001643f-72.dat family_berbew behavioral1/files/0x000600000001643f-74.dat family_berbew behavioral1/files/0x000600000001643f-80.dat family_berbew behavioral1/files/0x00060000000165ee-81.dat family_berbew behavioral1/files/0x00060000000165ee-92.dat family_berbew behavioral1/files/0x00060000000165ee-93.dat family_berbew behavioral1/files/0x0006000000016ae2-99.dat family_berbew behavioral1/files/0x0006000000016ae2-105.dat family_berbew behavioral1/files/0x0006000000016ae2-102.dat family_berbew behavioral1/files/0x0006000000016ae2-101.dat family_berbew behavioral1/files/0x00060000000165ee-87.dat family_berbew behavioral1/files/0x00060000000165ee-85.dat family_berbew behavioral1/files/0x000600000001643f-78.dat family_berbew behavioral1/files/0x000600000001643f-75.dat family_berbew behavioral1/files/0x0006000000016c12-115.dat family_berbew behavioral1/files/0x0006000000016c8e-138.dat family_berbew behavioral1/files/0x0006000000016c8e-144.dat family_berbew behavioral1/files/0x0006000000016c12-119.dat family_berbew behavioral1/files/0x0006000000016ccd-154.dat family_berbew behavioral1/files/0x0006000000016cdd-171.dat family_berbew behavioral1/files/0x0006000000016cdd-160.dat family_berbew behavioral1/files/0x0006000000016cdd-170.dat family_berbew behavioral1/files/0x0006000000016ccd-159.dat family_berbew behavioral1/files/0x0006000000016ccd-158.dat family_berbew behavioral1/files/0x0006000000016cdd-166.dat family_berbew behavioral1/files/0x0006000000016cdd-164.dat family_berbew behavioral1/files/0x0006000000016ccd-153.dat family_berbew behavioral1/files/0x0006000000016c12-120.dat family_berbew behavioral1/files/0x0006000000016c8e-145.dat family_berbew behavioral1/files/0x0006000000016ccd-151.dat family_berbew behavioral1/files/0x0006000000016c8e-140.dat family_berbew behavioral1/files/0x0006000000016c8e-134.dat family_berbew behavioral1/files/0x0006000000016c1b-133.dat family_berbew behavioral1/files/0x0006000000016c1b-132.dat family_berbew behavioral1/files/0x0006000000016c1b-128.dat family_berbew behavioral1/files/0x0006000000016c12-113.dat family_berbew behavioral1/files/0x0006000000016c1b-127.dat family_berbew behavioral1/files/0x0006000000016c1b-125.dat family_berbew behavioral1/files/0x0006000000016c12-108.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2332 Ajhgmpfg.exe 2700 Ajjcbpdd.exe 2740 Bafidiio.exe 2852 Bkommo32.exe 2508 Blpjegfm.exe 2536 Bifgdk32.exe 2404 Bhkdeggl.exe 780 Ceodnl32.exe 2276 Cgcmlcja.exe 1208 Cojema32.exe 2020 Cdgneh32.exe 2736 Caknol32.exe 2752 Cghggc32.exe 1780 Dndlim32.exe 2056 Dknekeef.exe 1944 Ddgjdk32.exe 1200 Ddigjkid.exe 2388 Ednpej32.exe 2884 Ekhhadmk.exe 1800 Egoife32.exe 1856 Ecejkf32.exe 1832 Emnndlod.exe 1076 Ebjglbml.exe 1284 Flehkhai.exe 3048 Fglipi32.exe 892 Fnhnbb32.exe 2080 Fhqbkhch.exe 2076 Gakcimgf.exe 3024 Gfhladfn.exe 2616 Glgaok32.exe 1704 Gikaio32.exe 3000 Gpejeihi.exe 2568 Gbcfadgl.exe 1760 Ghqnjk32.exe 800 Hojgfemq.exe 2848 Hlngpjlj.exe 2840 Heglio32.exe 2320 Hhehek32.exe 2040 Hmbpmapf.exe 1948 Ihgainbg.exe 1928 Jdpndnei.exe 2788 Jnicmdli.exe 2088 Jqgoiokm.exe 1376 Jgagfi32.exe 1104 Jnkpbcjg.exe 1512 Jkoplhip.exe 1492 Jmplcp32.exe 2680 Jfiale32.exe 2368 Jmbiipml.exe 636 Jcmafj32.exe 964 Jfknbe32.exe 1880 Kconkibf.exe 1532 Kilfcpqm.exe 980 Kcakaipc.exe 1652 Kebgia32.exe 2940 Kohkfj32.exe 2868 Kfbcbd32.exe 1012 Kkolkk32.exe 1916 Kaldcb32.exe 2164 Kkaiqk32.exe 2068 Lanaiahq.exe 2636 Lghjel32.exe 2648 Lnbbbffj.exe 1116 Lcojjmea.exe -
Loads dropped DLL 64 IoCs
pid Process 2444 NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe 2444 NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe 2332 Ajhgmpfg.exe 2332 Ajhgmpfg.exe 2700 Ajjcbpdd.exe 2700 Ajjcbpdd.exe 2740 Bafidiio.exe 2740 Bafidiio.exe 2852 Bkommo32.exe 2852 Bkommo32.exe 2508 Blpjegfm.exe 2508 Blpjegfm.exe 2536 Bifgdk32.exe 2536 Bifgdk32.exe 2404 Bhkdeggl.exe 2404 Bhkdeggl.exe 780 Ceodnl32.exe 780 Ceodnl32.exe 2276 Cgcmlcja.exe 2276 Cgcmlcja.exe 1208 Cojema32.exe 1208 Cojema32.exe 2020 Cdgneh32.exe 2020 Cdgneh32.exe 2736 Caknol32.exe 2736 Caknol32.exe 2752 Cghggc32.exe 2752 Cghggc32.exe 1780 Dndlim32.exe 1780 Dndlim32.exe 2056 Dknekeef.exe 2056 Dknekeef.exe 1944 Ddgjdk32.exe 1944 Ddgjdk32.exe 1200 Ddigjkid.exe 1200 Ddigjkid.exe 2388 Ednpej32.exe 2388 Ednpej32.exe 2884 Ekhhadmk.exe 2884 Ekhhadmk.exe 1800 Egoife32.exe 1800 Egoife32.exe 1856 Ecejkf32.exe 1856 Ecejkf32.exe 1832 Emnndlod.exe 1832 Emnndlod.exe 1076 Ebjglbml.exe 1076 Ebjglbml.exe 1284 Flehkhai.exe 1284 Flehkhai.exe 3048 Fglipi32.exe 3048 Fglipi32.exe 892 Fnhnbb32.exe 892 Fnhnbb32.exe 2080 Fhqbkhch.exe 2080 Fhqbkhch.exe 2076 Gakcimgf.exe 2076 Gakcimgf.exe 3024 Gfhladfn.exe 3024 Gfhladfn.exe 2616 Glgaok32.exe 2616 Glgaok32.exe 1704 Gikaio32.exe 1704 Gikaio32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jcmafj32.exe Jmbiipml.exe File created C:\Windows\SysWOW64\Obmolfok.dll Nocpkf32.exe File created C:\Windows\SysWOW64\Jmkgnjmo.dll Pcnejk32.exe File created C:\Windows\SysWOW64\Bbbgod32.exe Aodkci32.exe File created C:\Windows\SysWOW64\Npojdpef.exe Nmpnhdfc.exe File created C:\Windows\SysWOW64\Oedcmfgb.dll Kdpcikdi.exe File created C:\Windows\SysWOW64\Dgdfdnfj.dll Goplilpf.exe File created C:\Windows\SysWOW64\Hgbfnngi.exe Hcgjmo32.exe File created C:\Windows\SysWOW64\Ajjcbpdd.exe Ajhgmpfg.exe File created C:\Windows\SysWOW64\Ialelpfl.dll Idmkdh32.exe File opened for modification C:\Windows\SysWOW64\Pqkobqhd.exe Plijimee.exe File opened for modification C:\Windows\SysWOW64\Pjcckf32.exe Pqkobqhd.exe File created C:\Windows\SysWOW64\Eqnolc32.dll Nmpnhdfc.exe File created C:\Windows\SysWOW64\Dllhoqlh.dll Iamabm32.exe File created C:\Windows\SysWOW64\Pjcckf32.exe Pqkobqhd.exe File opened for modification C:\Windows\SysWOW64\Fqalaa32.exe Fgigil32.exe File created C:\Windows\SysWOW64\Gmqbcm32.dll Gdmdacnn.exe File created C:\Windows\SysWOW64\Bofgii32.exe Bmhkmm32.exe File created C:\Windows\SysWOW64\Mhhigm32.dll Bbjmpcab.exe File created C:\Windows\SysWOW64\Aekeef32.dll Gneijien.exe File opened for modification C:\Windows\SysWOW64\Bkommo32.exe Bafidiio.exe File created C:\Windows\SysWOW64\Kaldcb32.exe Kkolkk32.exe File opened for modification C:\Windows\SysWOW64\Oebimf32.exe Nkmdpm32.exe File opened for modification C:\Windows\SysWOW64\Oopfakpa.exe Ohendqhd.exe File opened for modification C:\Windows\SysWOW64\Ledibnco.exe Lnjafd32.exe File created C:\Windows\SysWOW64\Goackilq.dll Kglcogeo.exe File created C:\Windows\SysWOW64\Aodkci32.exe Ajgbkbjp.exe File opened for modification C:\Windows\SysWOW64\Hhehek32.exe Heglio32.exe File created C:\Windows\SysWOW64\Jmbiipml.exe Jfiale32.exe File opened for modification C:\Windows\SysWOW64\Mjekfd32.exe Mclcijfd.exe File opened for modification C:\Windows\SysWOW64\Anlhkbhq.exe Agbpnh32.exe File created C:\Windows\SysWOW64\Ingkfk32.dll Amaelomh.exe File created C:\Windows\SysWOW64\Dndlim32.exe Cghggc32.exe File opened for modification C:\Windows\SysWOW64\Pqnlhpfb.exe Pjcckf32.exe File created C:\Windows\SysWOW64\Bifgdk32.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Acekjjmk.exe Aojojl32.exe File created C:\Windows\SysWOW64\Ciohqa32.exe Ccbphk32.exe File created C:\Windows\SysWOW64\Hicapn32.dll Eijdkcgn.exe File opened for modification C:\Windows\SysWOW64\Bofgii32.exe Bmhkmm32.exe File created C:\Windows\SysWOW64\Bgdibkam.exe Bajqfq32.exe File created C:\Windows\SysWOW64\Jihcbj32.dll Elfcbo32.exe File created C:\Windows\SysWOW64\Njlkihbk.dll Kqiaclhj.exe File created C:\Windows\SysWOW64\Ajfiadlm.dll Ooqpdj32.exe File created C:\Windows\SysWOW64\Egikjh32.exe Eobchk32.exe File created C:\Windows\SysWOW64\Lanaiahq.exe Kkaiqk32.exe File created C:\Windows\SysWOW64\Mdpldi32.exe Mmfdhojb.exe File created C:\Windows\SysWOW64\Mjekfd32.exe Mclcijfd.exe File opened for modification C:\Windows\SysWOW64\Agbpnh32.exe Abegfa32.exe File created C:\Windows\SysWOW64\Emagacdm.exe Eejopecj.exe File created C:\Windows\SysWOW64\Nmnlfg32.dll Cojema32.exe File created C:\Windows\SysWOW64\Dmjglq32.dll Ledibnco.exe File created C:\Windows\SysWOW64\Hqenoohi.dll Ooclji32.exe File created C:\Windows\SysWOW64\Achdqg32.dll Plijimee.exe File created C:\Windows\SysWOW64\Ehpalp32.exe Eeaepd32.exe File created C:\Windows\SysWOW64\Gfhgpg32.exe Gnaooi32.exe File opened for modification C:\Windows\SysWOW64\Npagjpcd.exe Nmbknddp.exe File created C:\Windows\SysWOW64\Aaapnkij.dll Oomjlk32.exe File opened for modification C:\Windows\SysWOW64\Neklbppb.exe Nlbgikia.exe File created C:\Windows\SysWOW64\Dmdgpc32.dll Biolanld.exe File opened for modification C:\Windows\SysWOW64\Hinbppna.exe Fkhibino.exe File created C:\Windows\SysWOW64\Qoeeolig.exe Qjhmfekp.exe File created C:\Windows\SysWOW64\Pqgono32.dll Dklddhka.exe File opened for modification C:\Windows\SysWOW64\Gceailog.exe Fqfemqod.exe File opened for modification C:\Windows\SysWOW64\Hkmollme.exe Hinbppna.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2132 1912 WerFault.exe 578 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogmhkmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqhijbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlmfm32.dll" Ikefkcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqkobqhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajgbkbjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbjmpcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdghad32.dll" Ghqnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Acfaeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opknndcg.dll" Accnekon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlngpjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihgainbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdaheq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohnbn32.dll" Kkolkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdplfmo.dll" NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdbpnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malllmgi.dll" Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll" Lfbpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfhfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opifnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccdmnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lanaiahq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll" Mhjbjopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll" Qodlkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akmjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgbeoibb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlpkdkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgono32.dll" Dklddhka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kglcogeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddfebnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apbfblll.dll" Lcojjmea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beackp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iamabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hakkgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmnmlid.dll" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbbmk32.dll" Lihobnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmnalja.dll" Ommfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdkokpa.dll" Gikaio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hihjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgffb32.dll" Kbcdbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfllkece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnppecd.dll" Aodkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdkklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll" Pngphgbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihfjognl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jliohkak.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2444 wrote to memory of 2332 2444 NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe 28 PID 2444 wrote to memory of 2332 2444 NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe 28 PID 2444 wrote to memory of 2332 2444 NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe 28 PID 2444 wrote to memory of 2332 2444 NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe 28 PID 2332 wrote to memory of 2700 2332 Ajhgmpfg.exe 29 PID 2332 wrote to memory of 2700 2332 Ajhgmpfg.exe 29 PID 2332 wrote to memory of 2700 2332 Ajhgmpfg.exe 29 PID 2332 wrote to memory of 2700 2332 Ajhgmpfg.exe 29 PID 2700 wrote to memory of 2740 2700 Ajjcbpdd.exe 30 PID 2700 wrote to memory of 2740 2700 Ajjcbpdd.exe 30 PID 2700 wrote to memory of 2740 2700 Ajjcbpdd.exe 30 PID 2700 wrote to memory of 2740 2700 Ajjcbpdd.exe 30 PID 2740 wrote to memory of 2852 2740 Bafidiio.exe 31 PID 2740 wrote to memory of 2852 2740 Bafidiio.exe 31 PID 2740 wrote to memory of 2852 2740 Bafidiio.exe 31 PID 2740 wrote to memory of 2852 2740 Bafidiio.exe 31 PID 2852 wrote to memory of 2508 2852 Bkommo32.exe 32 PID 2852 wrote to memory of 2508 2852 Bkommo32.exe 32 PID 2852 wrote to memory of 2508 2852 Bkommo32.exe 32 PID 2852 wrote to memory of 2508 2852 Bkommo32.exe 32 PID 2508 wrote to memory of 2536 2508 Blpjegfm.exe 33 PID 2508 wrote to memory of 2536 2508 Blpjegfm.exe 33 PID 2508 wrote to memory of 2536 2508 Blpjegfm.exe 33 PID 2508 wrote to memory of 2536 2508 Blpjegfm.exe 33 PID 2536 wrote to memory of 2404 2536 Bifgdk32.exe 34 PID 2536 wrote to memory of 2404 2536 Bifgdk32.exe 34 PID 2536 wrote to memory of 2404 2536 Bifgdk32.exe 34 PID 2536 wrote to memory of 2404 2536 Bifgdk32.exe 34 PID 2404 wrote to memory of 780 2404 Bhkdeggl.exe 35 PID 2404 wrote to memory of 780 2404 Bhkdeggl.exe 35 PID 2404 wrote to memory of 780 2404 Bhkdeggl.exe 35 PID 2404 wrote to memory of 780 2404 Bhkdeggl.exe 35 PID 780 wrote to memory of 2276 780 Ceodnl32.exe 36 PID 780 wrote to memory of 2276 780 Ceodnl32.exe 36 PID 780 wrote to memory of 2276 780 Ceodnl32.exe 36 PID 780 wrote to memory of 2276 780 Ceodnl32.exe 36 PID 2276 wrote to memory of 1208 2276 Cgcmlcja.exe 40 PID 2276 wrote to memory of 1208 2276 Cgcmlcja.exe 40 PID 2276 wrote to memory of 1208 2276 Cgcmlcja.exe 40 PID 2276 wrote to memory of 1208 2276 Cgcmlcja.exe 40 PID 1208 wrote to memory of 2020 1208 Cojema32.exe 37 PID 1208 wrote to memory of 2020 1208 Cojema32.exe 37 PID 1208 wrote to memory of 2020 1208 Cojema32.exe 37 PID 1208 wrote to memory of 2020 1208 Cojema32.exe 37 PID 2020 wrote to memory of 2736 2020 Cdgneh32.exe 39 PID 2020 wrote to memory of 2736 2020 Cdgneh32.exe 39 PID 2020 wrote to memory of 2736 2020 Cdgneh32.exe 39 PID 2020 wrote to memory of 2736 2020 Cdgneh32.exe 39 PID 2736 wrote to memory of 2752 2736 Caknol32.exe 38 PID 2736 wrote to memory of 2752 2736 Caknol32.exe 38 PID 2736 wrote to memory of 2752 2736 Caknol32.exe 38 PID 2736 wrote to memory of 2752 2736 Caknol32.exe 38 PID 2752 wrote to memory of 1780 2752 Cghggc32.exe 41 PID 2752 wrote to memory of 1780 2752 Cghggc32.exe 41 PID 2752 wrote to memory of 1780 2752 Cghggc32.exe 41 PID 2752 wrote to memory of 1780 2752 Cghggc32.exe 41 PID 1780 wrote to memory of 2056 1780 Dndlim32.exe 42 PID 1780 wrote to memory of 2056 1780 Dndlim32.exe 42 PID 1780 wrote to memory of 2056 1780 Dndlim32.exe 42 PID 1780 wrote to memory of 2056 1780 Dndlim32.exe 42 PID 2056 wrote to memory of 1944 2056 Dknekeef.exe 43 PID 2056 wrote to memory of 1944 2056 Dknekeef.exe 43 PID 2056 wrote to memory of 1944 2056 Dknekeef.exe 43 PID 2056 wrote to memory of 1944 2056 Dknekeef.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.bd75981b96d46bb2cd3b3d335a8854e0_JC.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Bkommo32.exeC:\Windows\system32\Bkommo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1208
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe2⤵PID:2180
-
C:\Windows\SysWOW64\Bpboinpd.exeC:\Windows\system32\Bpboinpd.exe3⤵PID:3140
-
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe4⤵PID:3100
-
C:\Windows\SysWOW64\Bahelebm.exeC:\Windows\system32\Bahelebm.exe5⤵PID:2320
-
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe6⤵PID:3500
-
-
-
-
-
-
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736
-
-
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe20⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe21⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe22⤵
- Executes dropped EXE
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe26⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe27⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ihgainbg.exeC:\Windows\system32\Ihgainbg.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe29⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe30⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe31⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Jgagfi32.exeC:\Windows\system32\Jgagfi32.exe32⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe33⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Jkoplhip.exeC:\Windows\system32\Jkoplhip.exe34⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe39⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Kconkibf.exeC:\Windows\system32\Kconkibf.exe40⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe43⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe44⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe45⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe50⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Lnbbbffj.exeC:\Windows\system32\Lnbbbffj.exe51⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe53⤵PID:2548
-
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe54⤵PID:2960
-
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe55⤵PID:2972
-
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe56⤵PID:1912
-
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe57⤵
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1896 -
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe59⤵PID:2932
-
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:960 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:596 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe63⤵PID:2820
-
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe64⤵PID:1624
-
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe65⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe66⤵PID:2328
-
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe67⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe68⤵PID:2360
-
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe69⤵PID:2196
-
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1496 -
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe71⤵PID:1148
-
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe73⤵PID:916
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe74⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe75⤵PID:2224
-
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe76⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe77⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe78⤵PID:2632
-
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe81⤵
- Drops file in System32 directory
PID:2708 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe82⤵PID:2472
-
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe83⤵PID:2760
-
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe84⤵PID:2132
-
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe85⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe86⤵
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Oopfakpa.exeC:\Windows\system32\Oopfakpa.exe87⤵PID:2160
-
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe88⤵PID:1636
-
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe89⤵
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe90⤵PID:2104
-
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe91⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe92⤵
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Pdaheq32.exeC:\Windows\system32\Pdaheq32.exe93⤵
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe95⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe96⤵PID:1672
-
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe97⤵PID:1716
-
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe98⤵PID:240
-
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Pckoam32.exeC:\Windows\system32\Pckoam32.exe100⤵PID:3056
-
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe101⤵PID:2724
-
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe103⤵PID:1404
-
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe104⤵PID:268
-
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe105⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe106⤵PID:2032
-
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe107⤵PID:584
-
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe108⤵PID:2824
-
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe109⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe110⤵
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe111⤵PID:644
-
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe113⤵PID:2272
-
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe114⤵PID:772
-
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe115⤵PID:2212
-
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe116⤵PID:1764
-
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe117⤵
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe118⤵PID:2772
-
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe119⤵PID:2660
-
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe121⤵PID:2112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-