Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 170s
max time network: 143s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2023, 15:24
Behavioral task: behavioral1
Sample: NEAS.6e77b2deb66b3516e55c9e3ee8c886e4_JC.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.6e77b2deb66b3516e55c9e3ee8c886e4_JC.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.6e77b2deb66b3516e55c9e3ee8c886e4_JC.exe
Size: 478KB
MD5: 6e77b2deb66b3516e55c9e3ee8c886e4
SHA1: 9f804542cc247d6c9deae4ff1ae727c38767776d
SHA256: b688a01dd966bb90c71b0442aaa8f38d7a103831e2c161748d43898cea67405e
SHA512: 420c08a1364a3a94d4c28fdb2e61dda951e1830a16896e4af825be6d352ff3ba01440c01c7e5631b69249c50077897d845ff6015da9c3314ce7af2eb24c19052
SSDEEP: 12288:0Sz6/NB7/N2xQbR71JPZg9miPPwwh6yGF/Pir1VlxJyTi/N:0SzYYxQbR71JPZg9miPPwwh6yGF/Pirr
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 1696, pid_target: 2148, Process: WerFault.exe, procid_target: 175
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.6e77b2deb66b3516e55c9e3ee8c886e4_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.6e77b2deb66b3516e55c9e3ee8c886e4_JC.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2468
[2] C:\Windows\SysWOW64\Dboeco32.exe (command line: C:\Windows\system32\Dboeco32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2620
[3] C:\Windows\SysWOW64\Ggdekbgb.exe (command line: C:\Windows\system32\Ggdekbgb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 860
[4] C:\Windows\SysWOW64\Glfgnh32.exe (command line: C:\Windows\system32\Glfgnh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 796
[5] C:\Windows\SysWOW64\Haemloni.exe (command line: C:\Windows\system32\Haemloni.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2660
[6] C:\Windows\SysWOW64\Hcdifa32.exe (command line: C:\Windows\system32\Hcdifa32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2552
[7] C:\Windows\SysWOW64\Hnbcaome.exe (command line: C:\Windows\system32\Hnbcaome.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 668
[8] C:\Windows\SysWOW64\Ijlaloaf.exe (command line: C:\Windows\system32\Ijlaloaf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2812
[9] C:\Windows\SysWOW64\Ikagogco.exe (command line: C:\Windows\system32\Ikagogco.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2028
[10] C:\Windows\SysWOW64\Jjlmkb32.exe (command line: C:\Windows\system32\Jjlmkb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2716
[11] C:\Windows\SysWOW64\Jmlfmn32.exe (command line: C:\Windows\system32\Jmlfmn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1172
[12] C:\Windows\SysWOW64\Jgbjjf32.exe (command line: C:\Windows\system32\Jgbjjf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2844
[13] C:\Windows\SysWOW64\Kpdeoh32.exe (command line: C:\Windows\system32\Kpdeoh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2020
[14] C:\Windows\SysWOW64\Khagijcd.exe (command line: C:\Windows\system32\Khagijcd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2312
[15] C:\Windows\SysWOW64\Lpaehl32.exe (command line: C:\Windows\system32\Lpaehl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1868
[16] C:\Windows\SysWOW64\Ldpnoj32.exe (command line: C:\Windows\system32\Ldpnoj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2240
[17] C:\Windows\SysWOW64\Mclqqeaq.exe (command line: C:\Windows\system32\Mclqqeaq.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 972
[18] C:\Windows\SysWOW64\Nklopg32.exe (command line: C:\Windows\system32\Nklopg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2388
[19] C:\Windows\SysWOW64\Ngbpehpj.exe (command line: C:\Windows\system32\Ngbpehpj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1548
[20] C:\Windows\SysWOW64\Nlohmonb.exe (command line: C:\Windows\system32\Nlohmonb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 960
[21] C:\Windows\SysWOW64\Nckmpicl.exe (command line: C:\Windows\system32\Nckmpicl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1352
[22] C:\Windows\SysWOW64\Nobndj32.exe (command line: C:\Windows\system32\Nobndj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1200
[23] C:\Windows\SysWOW64\Ofobgc32.exe (command line: C:\Windows\system32\Ofobgc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 340
[24] C:\Windows\SysWOW64\Onjgkf32.exe (command line: C:\Windows\system32\Onjgkf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 292
[25] C:\Windows\SysWOW64\Qijdqp32.exe (command line: C:\Windows\system32\Qijdqp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1756
[26] C:\Windows\SysWOW64\Jqfhqe32.exe (command line: C:\Windows\system32\Jqfhqe32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2204
[27] C:\Windows\SysWOW64\Fkambhgf.exe (command line: C:\Windows\system32\Fkambhgf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1588
[28] C:\Windows\SysWOW64\Fmbjjp32.exe (command line: C:\Windows\system32\Fmbjjp32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2688
[29] C:\Windows\SysWOW64\Fclbgj32.exe (command line: C:\Windows\system32\Fclbgj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 2644
[30] C:\Windows\SysWOW64\Fnafdc32.exe (command line: C:\Windows\system32\Fnafdc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2280
[31] C:\Windows\SysWOW64\Gcchgini.exe (command line: C:\Windows\system32\Gcchgini.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 3060
[32] C:\Windows\SysWOW64\Gnofng32.exe (command line: C:\Windows\system32\Gnofng32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2512
[33] C:\Windows\SysWOW64\Gapoob32.exe (command line: C:\Windows\system32\Gapoob32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 764
[34] C:\Windows\SysWOW64\Hjhchg32.exe (command line: C:\Windows\system32\Hjhchg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2880
[35] C:\Windows\SysWOW64\Hdqhambg.exe (command line: C:\Windows\system32\Hdqhambg.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1984
[36] C:\Windows\SysWOW64\Hpghfn32.exe (command line: C:\Windows\system32\Hpghfn32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2544
[37] C:\Windows\SysWOW64\Hipmoc32.exe (command line: C:\Windows\system32\Hipmoc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 588
[38] C:\Windows\SysWOW64\Hpjeknfi.exe (command line: C:\Windows\system32\Hpjeknfi.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2852
[39] C:\Windows\SysWOW64\Hibidc32.exe (command line: C:\Windows\system32\Hibidc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2016
[40] C:\Windows\SysWOW64\Hbknmicj.exe (command line: C:\Windows\system32\Hbknmicj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1644
[41] C:\Windows\SysWOW64\Hlcbfnjk.exe (command line: C:\Windows\system32\Hlcbfnjk.exe)
- Executes dropped EXE
PID: 916
[42] C:\Windows\SysWOW64\Ifhgcgjq.exe (command line: C:\Windows\system32\Ifhgcgjq.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2236
[43] C:\Windows\SysWOW64\Imkeneja.exe (command line: C:\Windows\system32\Imkeneja.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2220
[44] C:\Windows\SysWOW64\Ikoehj32.exe (command line: C:\Windows\system32\Ikoehj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 820
[45] C:\Windows\SysWOW64\Ihcfan32.exe (command line: C:\Windows\system32\Ihcfan32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1552
[46] C:\Windows\SysWOW64\Jnpoie32.exe (command line: C:\Windows\system32\Jnpoie32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1380
[47] C:\Windows\SysWOW64\Jghcbjll.exe (command line: C:\Windows\system32\Jghcbjll.exe)
- Executes dropped EXE
PID: 1212
[48] C:\Windows\SysWOW64\Jgkphj32.exe (command line: C:\Windows\system32\Jgkphj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2340
[49] C:\Windows\SysWOW64\Kdgfpbaf.exe (command line: C:\Windows\system32\Kdgfpbaf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2296
[50] C:\Windows\SysWOW64\Knpkhhhg.exe (command line: C:\Windows\system32\Knpkhhhg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 2284
[51] C:\Windows\SysWOW64\Kkckblgq.exe (command line: C:\Windows\system32\Kkckblgq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 1364
[52] C:\Windows\SysWOW64\Kgjlgm32.exe (command line: C:\Windows\system32\Kgjlgm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1680
[53] C:\Windows\SysWOW64\Kkhdml32.exe (command line: C:\Windows\system32\Kkhdml32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1604
[54] C:\Windows\SysWOW64\Kdqifajl.exe (command line: C:\Windows\system32\Kdqifajl.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2944
[55] C:\Windows\SysWOW64\Lmlnjcgg.exe (command line: C:\Windows\system32\Lmlnjcgg.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2756
[56] C:\Windows\SysWOW64\Lfdbcing.exe (command line: C:\Windows\system32\Lfdbcing.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2628
[57] C:\Windows\SysWOW64\Lchclmla.exe (command line: C:\Windows\system32\Lchclmla.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2372
[58] C:\Windows\SysWOW64\Lfilnh32.exe (command line: C:\Windows\system32\Lfilnh32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2076
[59] C:\Windows\SysWOW64\Lkfdfo32.exe (command line: C:\Windows\system32\Lkfdfo32.exe)
- Executes dropped EXE
PID: 472
[60] C:\Windows\SysWOW64\Lijepc32.exe (command line: C:\Windows\system32\Lijepc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID: 624
[61] C:\Windows\SysWOW64\Mjpkbk32.exe (command line: C:\Windows\system32\Mjpkbk32.exe)
- Executes dropped EXE
PID: 1616
[62] C:\Windows\SysWOW64\Mhckloge.exe (command line: C:\Windows\system32\Mhckloge.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1500
[63] C:\Windows\SysWOW64\Mpoppadq.exe (command line: C:\Windows\system32\Mpoppadq.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 572
[64] C:\Windows\SysWOW64\Mdmhfpkg.exe (command line: C:\Windows\system32\Mdmhfpkg.exe)
- Executes dropped EXE
PID: 1908
[65] C:\Windows\SysWOW64\Mfkebkjk.exe (command line: C:\Windows\system32\Mfkebkjk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2660
[66] C:\Windows\SysWOW64\Plildb32.exe (command line: C:\Windows\system32\Plildb32.exe)
- Drops file in System32 directory
PID: 2668
[67] C:\Windows\SysWOW64\Henjnica.exe (command line: C:\Windows\system32\Henjnica.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1944
[68] C:\Windows\SysWOW64\Pogaeg32.exe (command line: C:\Windows\system32\Pogaeg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1340
[69] C:\Windows\SysWOW64\Gdpfbd32.exe (command line: C:\Windows\system32\Gdpfbd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 320
[70] C:\Windows\SysWOW64\Leaallcb.exe (command line: C:\Windows\system32\Leaallcb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2272
[71] C:\Windows\SysWOW64\Lkoidcaj.exe (command line: C:\Windows\system32\Lkoidcaj.exe)
- Drops file in System32 directory
PID: 548
[72] C:\Windows\SysWOW64\Lolbjahp.exe (command line: C:\Windows\system32\Lolbjahp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2716
[73] C:\Windows\SysWOW64\Maejpj32.exe (command line: C:\Windows\system32\Maejpj32.exe)
PID: 1216
[74] C:\Windows\SysWOW64\Hddoep32.exe (command line: C:\Windows\system32\Hddoep32.exe)
- Drops file in System32 directory
PID: 2624
[75] C:\Windows\SysWOW64\Nlpmjdce.exe (command line: C:\Windows\system32\Nlpmjdce.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2760
[76] C:\Windows\SysWOW64\Aelgdhei.exe (command line: C:\Windows\system32\Aelgdhei.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2712
[77] C:\Windows\SysWOW64\Aibfik32.exe (command line: C:\Windows\system32\Aibfik32.exe)
PID: 2476
[78] C:\Windows\SysWOW64\Bplofekp.exe (command line: C:\Windows\system32\Bplofekp.exe)
- Modifies registry class
PID: 1060
[79] C:\Windows\SysWOW64\Biecoj32.exe (command line: C:\Windows\system32\Biecoj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2876
[80] C:\Windows\SysWOW64\Bgichoqj.exe (command line: C:\Windows\system32\Bgichoqj.exe)
- Drops file in System32 directory
PID: 2672
[81] C:\Windows\SysWOW64\Bigpdjpm.exe (command line: C:\Windows\system32\Bigpdjpm.exe)
- Drops file in System32 directory
PID: 1524
[82] C:\Windows\SysWOW64\Bodhlane.exe (command line: C:\Windows\system32\Bodhlane.exe)
- Modifies registry class
PID: 2312
[83] C:\Windows\SysWOW64\Biiljjnk.exe (command line: C:\Windows\system32\Biiljjnk.exe)
- Modifies registry class
PID: 2900
[84] C:\Windows\SysWOW64\Boiagp32.exe (command line: C:\Windows\system32\Boiagp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1748
[85] C:\Windows\SysWOW64\Cdejpg32.exe (command line: C:\Windows\system32\Cdejpg32.exe)
- Drops file in System32 directory
PID: 2528
[86] C:\Windows\SysWOW64\Cplkehnk.exe (command line: C:\Windows\system32\Cplkehnk.exe)
- Modifies registry class
PID: 2464
[87] C:\Windows\SysWOW64\Ckboba32.exe (command line: C:\Windows\system32\Ckboba32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 1304
[88] C:\Windows\SysWOW64\Cpogjh32.exe (command line: C:\Windows\system32\Cpogjh32.exe)
PID: 2764
[89] C:\Windows\SysWOW64\Cghpgbce.exe (command line: C:\Windows\system32\Cghpgbce.exe)
PID: 952
[90] C:\Windows\SysWOW64\Clehoiam.exe (command line: C:\Windows\system32\Clehoiam.exe)
- Drops file in System32 directory
PID: 824
[91] C:\Windows\SysWOW64\Cgmiba32.exe (command line: C:\Windows\system32\Cgmiba32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2216
[92] C:\Windows\SysWOW64\Dpenkgfq.exe (command line: C:\Windows\system32\Dpenkgfq.exe)
- Drops file in System32 directory
PID: 292
[93] C:\Windows\SysWOW64\Dllnphkd.exe (command line: C:\Windows\system32\Dllnphkd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1140
[94] C:\Windows\SysWOW64\Dfgpnm32.exe (command line: C:\Windows\system32\Dfgpnm32.exe)
- Drops file in System32 directory
PID: 752
[95] C:\Windows\SysWOW64\Dnbdbomn.exe (command line: C:\Windows\system32\Dnbdbomn.exe)
- Drops file in System32 directory
PID: 3060
[96] C:\Windows\SysWOW64\Djiegp32.exe (command line: C:\Windows\system32\Djiegp32.exe)
- Modifies registry class
PID: 2544
[97] C:\Windows\SysWOW64\Dcaiqfib.exe (command line: C:\Windows\system32\Dcaiqfib.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2236
[98] C:\Windows\SysWOW64\Emjnikpc.exe (command line: C:\Windows\system32\Emjnikpc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 2340
[99] C:\Windows\SysWOW64\Enijcn32.exe (command line: C:\Windows\system32\Enijcn32.exe)
- Drops file in System32 directory
PID: 2812
[100] C:\Windows\SysWOW64\Eqhfoj32.exe (command line: C:\Windows\system32\Eqhfoj32.exe)
- Drops file in System32 directory
PID: 3048
[101] C:\Windows\SysWOW64\Efdohq32.exe (command line: C:\Windows\system32\Efdohq32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2180
[102] C:\Windows\SysWOW64\Ejpkho32.exe (command line: C:\Windows\system32\Ejpkho32.exe)
- Drops file in System32 directory
PID: 2736
[103] C:\Windows\SysWOW64\Eiehilaa.exe (command line: C:\Windows\system32\Eiehilaa.exe)
- Drops file in System32 directory
PID: 472
[104] C:\Windows\SysWOW64\Efihcpqk.exe (command line: C:\Windows\system32\Efihcpqk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1988
[105] C:\Windows\SysWOW64\Fbpihafp.exe (command line: C:\Windows\system32\Fbpihafp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID: 2828
[106] C:\Windows\SysWOW64\Fngjmb32.exe (command line: C:\Windows\system32\Fngjmb32.exe)
- Modifies registry class
PID: 1908
[107] C:\Windows\SysWOW64\Fmnccn32.exe (command line: C:\Windows\system32\Fmnccn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2996
[108] C:\Windows\SysWOW64\Fhdhqg32.exe (command line: C:\Windows\system32\Fhdhqg32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2696
[109] C:\Windows\SysWOW64\Fnnpma32.exe (command line: C:\Windows\system32\Fnnpma32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 1080
[110] C:\Windows\SysWOW64\Fpoleilj.exe (command line: C:\Windows\system32\Fpoleilj.exe)
PID: 2704
[111] C:\Windows\SysWOW64\Fjdqbbkp.exe (command line: C:\Windows\system32\Fjdqbbkp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2780
[112] C:\Windows\SysWOW64\Gaoiol32.exe (command line: C:\Windows\system32\Gaoiol32.exe)
- Modifies registry class
PID: 2504
[113] C:\Windows\SysWOW64\Gmejdm32.exe (command line: C:\Windows\system32\Gmejdm32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 956
[114] C:\Windows\SysWOW64\Gdobqgpn.exe (command line: C:\Windows\system32\Gdobqgpn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1780
[115] C:\Windows\SysWOW64\Gpfbfh32.exe (command line: C:\Windows\system32\Gpfbfh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1624
[116] C:\Windows\SysWOW64\Gbdobc32.exe (command line: C:\Windows\system32\Gbdobc32.exe)
- Drops file in System32 directory
PID: 1952
[117] C:\Windows\SysWOW64\Gokpgd32.exe (command line: C:\Windows\system32\Gokpgd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1040
[118] C:\Windows\SysWOW64\Hgknffcp.exe (command line: C:\Windows\system32\Hgknffcp.exe)
- Drops file in System32 directory
PID: 2860
[119] C:\Windows\SysWOW64\Hpcbol32.exe (command line: C:\Windows\system32\Hpcbol32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 1372
[120] C:\Windows\SysWOW64\Hkifld32.exe (command line: C:\Windows\system32\Hkifld32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1768
[121] C:\Windows\SysWOW64\Hdakej32.exe (command line: C:\Windows\system32\Hdakej32.exe)
- Modifies registry class
PID: 1812
[122] C:\Windows\SysWOW64\Hincna32.exe (command line: C:\Windows\system32\Hincna32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3036