Analysis
Max time kernel: 145s
Max time network: 131s
Platform: windows7_x64
Resource: win7-20231023-en
Resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
Submitted: 28-10-2023 18:03
Behavioral task: behavioral1
Sample: NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe
Size: 133KB
MD5: 1c4d3ae1ef74fc93ed1eb52ea42afed0
SHA1: a58259616e7ad7c4acc784919e030890a3be6992
SHA256: 33ab1b879bf0f1709f88d6c649ea73bb0d2fe090fdabd4ac978bb83de3370f83
SHA512: 0d1e30b3bb333e205fa5d8c6f683c925532af96a1f77655a7596794dabd4ea3557d0bebe407e7c645c9f8877fa6b5c76f0a42c0a0027bd8e0f88ba9061edf49b
SSDEEP: 3072:wkxD/akwbHJ7fKG7UDd0pCrQIFdFtLwzTa:7D/avhiG7Ux0ocIPF9wzG
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
-
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
-
Executes dropped EXE (64 IoCs)
-
Loads dropped DLL (64 IoCs)
-
Drops file in System32 directory (64 IoCs)
-
Modifies registry class (64 IoCs)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe (PID 2188), command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1c4d3ae1ef74fc93ed1eb52ea42afed0.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\Qiladcdh.exe (PID 2736), command line: C:\Windows\system32\Qiladcdh.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\Agdjkogm.exe (PID 2616), command line: C:\Windows\system32\Agdjkogm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Amqccfed.exe (PID 2592), command line: C:\Windows\system32\Amqccfed.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\Agfgqo32.exe (PID 2648), command line: C:\Windows\system32\Agfgqo32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

Level 1: C:\Windows\SysWOW64\Ajgpbj32.exe (PID 2540), command line: C:\Windows\system32\Ajgpbj32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\Acpdko32.exe (PID 2228), command line: C:\Windows\system32\Acpdko32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\Blkioa32.exe (PID 2888), command line: C:\Windows\system32\Blkioa32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Bfpnmj32.exe (PID 1964), command line: C:\Windows\system32\Bfpnmj32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

Level 1: C:\Windows\SysWOW64\Aaolidlk.exe (PID 2656), command line: C:\Windows\system32\Aaolidlk.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

Level 1: C:\Windows\SysWOW64\Bphbeplm.exe (PID 1872), command line: C:\Windows\system32\Bphbeplm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\Bhfcpb32.exe (PID 1012), command line: C:\Windows\system32\Bhfcpb32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\Bmclhi32.exe (PID 1356), command line: C:\Windows\system32\Bmclhi32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Bfkpqn32.exe (PID 588), command line: C:\Windows\system32\Bfkpqn32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\Cpceidcn.exe (PID 1612), command line: C:\Windows\system32\Cpceidcn.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\Cilibi32.exe (PID 2584), command line: C:\Windows\system32\Cilibi32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\Cklfll32.exe (PID 1660), command line: C:\Windows\system32\Cklfll32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
Level 8: C:\Windows\SysWOW64\Cddjebgb.exe (PID 2292), command line: C:\Windows\system32\Cddjebgb.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
Level 9: C:\Windows\SysWOW64\Clooiddm.exe (PID 2100), command line: C:\Windows\system32\Clooiddm.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 10: C:\Windows\SysWOW64\Cegcbjkn.exe (PID 1068), command line: C:\Windows\system32\Cegcbjkn.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 11: C:\Windows\SysWOW64\Cpmhpbkc.exe (PID 840), command line: C:\Windows\system32\Cpmhpbkc.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 12: C:\Windows\SysWOW64\Chhldeho.exe (PID 1292), command line: C:\Windows\system32\Chhldeho.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
Level 13: C:\Windows\SysWOW64\Delmmigh.exe (PID 1940), command line: C:\Windows\system32\Delmmigh.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 14: C:\Windows\SysWOW64\Dkiefp32.exe (PID 2680), command line: C:\Windows\system32\Dkiefp32.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 15: C:\Windows\SysWOW64\Dhmfod32.exe (PID 2440), command line: C:\Windows\system32\Dhmfod32.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 16: C:\Windows\SysWOW64\Dddfdejn.exe (PID 2956), command line: C:\Windows\system32\Dddfdejn.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 17: C:\Windows\SysWOW64\Ddfcje32.exe (PID 2180), command line: C:\Windows\system32\Ddfcje32.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 18: C:\Windows\SysWOW64\Dlahng32.exe (PID 2112), command line: C:\Windows\system32\Dlahng32.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 19: C:\Windows\SysWOW64\Ejehgkdp.exe (PID 2900), command line: C:\Windows\system32\Ejehgkdp.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 20: C:\Windows\SysWOW64\Egiiapci.exe (PID 856), command line: C:\Windows\system32\Egiiapci.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 21: C:\Windows\SysWOW64\Ecpjfq32.exe (PID 2640), command line: C:\Windows\system32\Ecpjfq32.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 22: C:\Windows\SysWOW64\Ejjbbkpj.exe (PID 2588), command line: C:\Windows\system32\Ejjbbkpj.exe
  - Executes dropped EXE
  - Loads dropped DLL
Level 23: C:\Windows\SysWOW64\Ebefgm32.exe (PID 2708), command line: C:\Windows\system32\Ebefgm32.exe
  - Executes dropped EXE
Level 24: C:\Windows\SysWOW64\Eknkpbdf.exe (PID 2668), command line: C:\Windows\system32\Eknkpbdf.exe
  - Executes dropped EXE
Level 25: C:\Windows\SysWOW64\Ehakigbo.exe (PID 2040), command line: C:\Windows\system32\Ehakigbo.exe
  - Executes dropped EXE
Level 26: C:\Windows\SysWOW64\Fbjpblip.exe (PID 2856), command line: C:\Windows\system32\Fbjpblip.exe
  - Executes dropped EXE
Level 27: C:\Windows\SysWOW64\Fjeefofk.exe (PID 2812), command line: C:\Windows\system32\Fjeefofk.exe
  - Executes dropped EXE
Level 28: C:\Windows\SysWOW64\Fblmglgm.exe (PID 2556), command line: C:\Windows\system32\Fblmglgm.exe
  - Executes dropped EXE
Level 29: C:\Windows\SysWOW64\Fcmiod32.exe (PID 2252), command line: C:\Windows\system32\Fcmiod32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Level 30: C:\Windows\SysWOW64\Fjgalndh.exe (PID 800), command line: C:\Windows\system32\Fjgalndh.exe
  - Executes dropped EXE
Level 31: C:\Windows\SysWOW64\Femeig32.exe (PID 1512), command line: C:\Windows\system32\Femeig32.exe
  - Executes dropped EXE
Level 32: C:\Windows\SysWOW64\Ffnbaojm.exe (PID 1572), command line: C:\Windows\system32\Ffnbaojm.exe
  - Executes dropped EXE
Level 33: C:\Windows\SysWOW64\Fqcfnhjb.exe (PID 1552), command line: C:\Windows\system32\Fqcfnhjb.exe
  - Executes dropped EXE
Level 34: C:\Windows\SysWOW64\Fgnokb32.exe (PID 2328), command line: C:\Windows\system32\Fgnokb32.exe
  - Executes dropped EXE
Level 35: C:\Windows\SysWOW64\Fafcdh32.exe (PID 2936), command line: C:\Windows\system32\Fafcdh32.exe
  - Executes dropped EXE
Level 36: C:\Windows\SysWOW64\Fcdopc32.exe (PID 1988), command line: C:\Windows\system32\Fcdopc32.exe
  - Executes dropped EXE
Level 37: C:\Windows\SysWOW64\Gjngmmnp.exe (PID 2332), command line: C:\Windows\system32\Gjngmmnp.exe
  - Executes dropped EXE
Level 38: C:\Windows\SysWOW64\Glpdde32.exe (PID 2384), command line: C:\Windows\system32\Glpdde32.exe
  - Executes dropped EXE
Level 39: C:\Windows\SysWOW64\Hafock32.exe (PID 1568), command line: C:\Windows\system32\Hafock32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
Level 40: C:\Windows\SysWOW64\Hnjplo32.exe (PID 1432), command line: C:\Windows\system32\Hnjplo32.exe
  - Executes dropped EXE
Level 41: C:\Windows\SysWOW64\Hdfhdfgl.exe (PID 3040), command line: C:\Windows\system32\Hdfhdfgl.exe
  - Executes dropped EXE
Level 42: C:\Windows\SysWOW64\Hjqqap32.exe (PID 2196), command line: C:\Windows\system32\Hjqqap32.exe
  - Executes dropped EXE
  - Modifies registry class
Level 43: C:\Windows\SysWOW64\Hajinjff.exe (PID 1412), command line: C:\Windows\system32\Hajinjff.exe
  - Executes dropped EXE
Level 44: C:\Windows\SysWOW64\Hfgafadm.exe (PID 1484), command line: C:\Windows\system32\Hfgafadm.exe
  - Executes dropped EXE
Level 45: C:\Windows\SysWOW64\Hldjnhce.exe (PID 2984), command line: C:\Windows\system32\Hldjnhce.exe
  - Executes dropped EXE
Level 46: C:\Windows\SysWOW64\Hfjnla32.exe (PID 2924), command line: C:\Windows\system32\Hfjnla32.exe
  - Executes dropped EXE
Level 47: C:\Windows\SysWOW64\Hmcfhkjg.exe (PID 2880), command line: C:\Windows\system32\Hmcfhkjg.exe
  - Executes dropped EXE
Level 48: C:\Windows\SysWOW64\Hoebpc32.exe (PID 2216), command line: C:\Windows\system32\Hoebpc32.exe
  - Executes dropped EXE
Level 49: C:\Windows\SysWOW64\Heokmmgb.exe (PID 2532), command line: C:\Windows\system32\Heokmmgb.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Level 50: C:\Windows\SysWOW64\Ilicig32.exe (PID 2504), command line: C:\Windows\system32\Ilicig32.exe
  - Executes dropped EXE
Level 51: C:\Windows\SysWOW64\Iogoec32.exe (PID 2036), command line: C:\Windows\system32\Iogoec32.exe
  - Executes dropped EXE
Level 52: C:\Windows\SysWOW64\Ieagbm32.exe (PID 592), command line: C:\Windows\system32\Ieagbm32.exe
  - Executes dropped EXE
Level 53: C:\Windows\SysWOW64\Ilkpogmm.exe (PID 3068), command line: C:\Windows\system32\Ilkpogmm.exe
  - Executes dropped EXE
Level 54: C:\Windows\SysWOW64\Ibehla32.exe (PID 1104), command line: C:\Windows\system32\Ibehla32.exe
  - Executes dropped EXE
Level 55: C:\Windows\SysWOW64\Iecdhm32.exe (PID 1500), command line: C:\Windows\system32\Iecdhm32.exe
  - Executes dropped EXE
  - Modifies registry class
Level 56: C:\Windows\SysWOW64\Ihbqdh32.exe (PID 2824), command line: C:\Windows\system32\Ihbqdh32.exe
Level 57: C:\Windows\SysWOW64\Ioliqbjn.exe (PID 1692), command line: C:\Windows\system32\Ioliqbjn.exe
Level 58: C:\Windows\SysWOW64\Iefamlak.exe (PID 2080), command line: C:\Windows\system32\Iefamlak.exe
  - Modifies registry class
Level 59: C:\Windows\SysWOW64\Ionefb32.exe (PID 1672), command line: C:\Windows\system32\Ionefb32.exe
Level 60: C:\Windows\SysWOW64\Ikefkcmo.exe (PID 1168), command line: C:\Windows\system32\Ikefkcmo.exe
Level 61: C:\Windows\SysWOW64\Iaonhm32.exe (PID 2388), command line: C:\Windows\system32\Iaonhm32.exe
Level 62: C:\Windows\SysWOW64\Idmkdh32.exe (PID 960), command line: C:\Windows\system32\Idmkdh32.exe
Level 63: C:\Windows\SysWOW64\Jkgcab32.exe (PID 1824), command line: C:\Windows\system32\Jkgcab32.exe
  - Drops file in System32 directory
Level 64: C:\Windows\SysWOW64\Jnfomn32.exe (PID 2104), command line: C:\Windows\system32\Jnfomn32.exe
  - Drops file in System32 directory
Level 65: C:\Windows\SysWOW64\Jdpgjhbm.exe (PID 848), command line: C:\Windows\system32\Jdpgjhbm.exe
  - Modifies registry class
Level 66: C:\Windows\SysWOW64\Jjmpbopd.exe (PID 2168), command line: C:\Windows\system32\Jjmpbopd.exe
Level 67: C:\Windows\SysWOW64\Jlklnjoh.exe (PID 1708), command line: C:\Windows\system32\Jlklnjoh.exe
Level 68: C:\Windows\SysWOW64\Jcedkd32.exe (PID 1724), command line: C:\Windows\system32\Jcedkd32.exe
Level 69: C:\Windows\SysWOW64\Jfcqgpfi.exe (PID 1704), command line: C:\Windows\system32\Jfcqgpfi.exe
  - Modifies registry class
Level 70: C:\Windows\SysWOW64\Jlmicj32.exe (PID 2760), command line: C:\Windows\system32\Jlmicj32.exe
Level 71: C:\Windows\SysWOW64\Jolepe32.exe (PID 2492), command line: C:\Windows\system32\Jolepe32.exe
  - Drops file in System32 directory
Level 72: C:\Windows\SysWOW64\Jajala32.exe (PID 2996), command line: C:\Windows\system32\Jajala32.exe
Level 73: C:\Windows\SysWOW64\Jhdihkcj.exe (PID 2316), command line: C:\Windows\system32\Jhdihkcj.exe
  - Drops file in System32 directory
Level 74: C:\Windows\SysWOW64\Jkbfdfbm.exe (PID 2848), command line: C:\Windows\system32\Jkbfdfbm.exe
Level 75: C:\Windows\SysWOW64\Jcjnfdbp.exe (PID 2988), command line: C:\Windows\system32\Jcjnfdbp.exe
  - Drops file in System32 directory
Level 76: C:\Windows\SysWOW64\Jfhjbobc.exe (PID 2184), command line: C:\Windows\system32\Jfhjbobc.exe
Level 77: C:\Windows\SysWOW64\Jlbboiip.exe (PID 2752), command line: C:\Windows\system32\Jlbboiip.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 78: C:\Windows\SysWOW64\Kbokgpgg.exe (PID 1664), command line: C:\Windows\system32\Kbokgpgg.exe
  - Modifies registry class
Level 79: C:\Windows\SysWOW64\Kdmgclfk.exe (PID 1632), command line: C:\Windows\system32\Kdmgclfk.exe
Level 80: C:\Windows\SysWOW64\Kkgopf32.exe (PID 320), command line: C:\Windows\system32\Kkgopf32.exe
Level 81: C:\Windows\SysWOW64\Kbaglpee.exe (PID 1340), command line: C:\Windows\system32\Kbaglpee.exe
Level 82: C:\Windows\SysWOW64\Kdpcikdi.exe (PID 828), command line: C:\Windows\system32\Kdpcikdi.exe
Level 83: C:\Windows\SysWOW64\Kkileele.exe (PID 1748), command line: C:\Windows\system32\Kkileele.exe
Level 84: C:\Windows\SysWOW64\Kbcdbp32.exe (PID 1200), command line: C:\Windows\system32\Kbcdbp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
Level 85: C:\Windows\SysWOW64\Kdbpnk32.exe (PID 2124), command line: C:\Windows\system32\Kdbpnk32.exe
Level 86: C:\Windows\SysWOW64\Kklikejc.exe (PID 2356), command line: C:\Windows\system32\Kklikejc.exe
Level 87: C:\Windows\SysWOW64\Knjegqif.exe (PID 1908), command line: C:\Windows\system32\Knjegqif.exe
Level 88: C:\Windows\SysWOW64\Kqiaclhj.exe (PID 2192), command line: C:\Windows\system32\Kqiaclhj.exe
Level 89: C:\Windows\SysWOW64\Kjaelaok.exe (PID 2372), command line: C:\Windows\system32\Kjaelaok.exe
Level 90: C:\Windows\SysWOW64\Kmobhmnn.exe (PID 880), command line: C:\Windows\system32\Kmobhmnn.exe
Level 91: C:\Windows\SysWOW64\Kcijeg32.exe (PID 1420), command line: C:\Windows\system32\Kcijeg32.exe
Level 92: C:\Windows\SysWOW64\Ljcbaamh.exe (PID 2580), command line: C:\Windows\system32\Ljcbaamh.exe
Level 93: C:\Windows\SysWOW64\Lifbmn32.exe (PID 2596), command line: C:\Windows\system32\Lifbmn32.exe
Level 94: C:\Windows\SysWOW64\Lclgjg32.exe (PID 2720), command line: C:\Windows\system32\Lclgjg32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 95: C:\Windows\SysWOW64\Lfjcfb32.exe (PID 2756), command line: C:\Windows\system32\Lfjcfb32.exe
Level 96: C:\Windows\SysWOW64\Lihobnap.exe (PID 3000), command line: C:\Windows\system32\Lihobnap.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 97: C:\Windows\SysWOW64\Lkgkoiqc.exe (PID 2832), command line: C:\Windows\system32\Lkgkoiqc.exe
Level 98: C:\Windows\SysWOW64\Lcncpfaf.exe (PID 2968), command line: C:\Windows\system32\Lcncpfaf.exe
Level 99: C:\Windows\SysWOW64\Lflplbpi.exe (PID 1492), command line: C:\Windows\system32\Lflplbpi.exe
Level 100: C:\Windows\SysWOW64\Lmfhil32.exe (PID 752), command line: C:\Windows\system32\Lmfhil32.exe
Level 101: C:\Windows\SysWOW64\Lpedeg32.exe (PID 2368), command line: C:\Windows\system32\Lpedeg32.exe
Level 102: C:\Windows\SysWOW64\Lbcpac32.exe (PID 1556), command line: C:\Windows\system32\Lbcpac32.exe
Level 103: C:\Windows\SysWOW64\Liminmmk.exe (PID 2876), command line: C:\Windows\system32\Liminmmk.exe
Level 104: C:\Windows\SysWOW64\Lgpiij32.exe (PID 1916), command line: C:\Windows\system32\Lgpiij32.exe
  - Drops file in System32 directory
Level 105: C:\Windows\SysWOW64\Lnjafd32.exe (PID 2136), command line: C:\Windows\system32\Lnjafd32.exe
Level 106: C:\Windows\SysWOW64\Ledibnco.exe (PID 2380), command line: C:\Windows\system32\Ledibnco.exe
Level 107: C:\Windows\SysWOW64\Lgbeoibb.exe (PID 2132), command line: C:\Windows\system32\Lgbeoibb.exe
Level 108: C:\Windows\SysWOW64\Lnlnlc32.exe (PID 996), command line: C:\Windows\system32\Lnlnlc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 109: C:\Windows\SysWOW64\Makjho32.exe (PID 2424), command line: C:\Windows\system32\Makjho32.exe
Level 110: C:\Windows\SysWOW64\Mcifdj32.exe (PID 1528), command line: C:\Windows\system32\Mcifdj32.exe
Level 111: C:\Windows\SysWOW64\Mjcoqdoc.exe (PID 1532), command line: C:\Windows\system32\Mjcoqdoc.exe
Level 112: C:\Windows\SysWOW64\Mamgmofp.exe (PID 2684), command line: C:\Windows\system32\Mamgmofp.exe
  - Modifies registry class
Level 113: C:\Windows\SysWOW64\Mclcijfd.exe (PID 2612), command line: C:\Windows\system32\Mclcijfd.exe
Level 114: C:\Windows\SysWOW64\Mjekfd32.exe (PID 2512), command line: C:\Windows\system32\Mjekfd32.exe
Level 115: C:\Windows\SysWOW64\Mpbdnk32.exe (PID 2544), command line: C:\Windows\system32\Mpbdnk32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 116: C:\Windows\SysWOW64\Mfllkece.exe (PID 2884), command line: C:\Windows\system32\Mfllkece.exe
Level 117: C:\Windows\SysWOW64\Mikhgqbi.exe (PID 2016), command line: C:\Windows\system32\Mikhgqbi.exe
Level 118: C:\Windows\SysWOW64\Mpdqdkie.exe (PID 2240), command line: C:\Windows\system32\Mpdqdkie.exe
  - Modifies registry class
Level 119: C:\Windows\SysWOW64\Mjjdacik.exe (PID 2748), command line: C:\Windows\system32\Mjjdacik.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
Level 120: C:\Windows\SysWOW64\Mlkail32.exe (PID 1712), command line: C:\Windows\system32\Mlkail32.exe
Level 121: C:\Windows\SysWOW64\Mdbiji32.exe (PID 2304), command line: C:\Windows\system32\Mdbiji32.exe
Level 122: C:\Windows\SysWOW64\Ndpicm32.exe (PID 1564), command line: C:\Windows\system32\Ndpicm32.exe
  - Drops file in System32 directory