Analysis
max time kernel: 171s
max time network: 151s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 28/10/2023, 19:58

Behavioral task: behavioral1
Sample: NEAS.a7c7c20f713e94d6bb608e58da979de0.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.a7c7c20f713e94d6bb608e58da979de0.exe
Resource: win10v2004-20231025-en

General
Target: NEAS.a7c7c20f713e94d6bb608e58da979de0.exe
Size: 123KB
MD5: a7c7c20f713e94d6bb608e58da979de0
SHA1: 34da76d75b49c5a21154dca5f8d5a411172e09bb
SHA256: ff51f604514b5c460aedb9987c4f2ac7465d03c0d2fd844ca75543f6b80d8211
SHA512: 34381b48d7350394183a896d229e8ba18496ae36b7e116cad25226a0814b3161e07993f8f81b6890b947c755f850e47e531f4127943da11864f71b6c14b354e0
SSDEEP: 3072:3XcBVwTMetYfMwvuicfxj+AUMOlRYSa9rR85DEn5k7r8:cBnetWBuicfxj+qOl4rQD85k/8
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 records touch the same key and the same value. The report prints the key as \REGISTRY\MACHINE\SOFTWARE\... on Set value records and as \REGISTRY\MACHINE\Software\... on Key created records; the registry is case-insensitive, so these are one key.

  Key:   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Value: Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"  (written as Set value (str))

description      Process
Set value (str)  Hqpahkmj.exe
Set value (str)  Mcfpmlll.exe
Set value (str)  Jjjohbgl.exe
Set value (str)  Fdpgph32.exe
Key created      Mbehgabe.exe
Set value (str)  Mjbiac32.exe
Key created      Nehjmppo.exe
Set value (str)  Jcmjfiab.exe
Set value (str)  Pcgnfl32.exe
Key created      Pjlifjjb.exe
Key created      Bimbbhgh.exe
Key created      Mgbcfdmo.exe
Key created      Ghndjd32.exe
Set value (str)  Iniglajj.exe
Key created      Mcmkoi32.exe
Set value (str)  Kgdijk32.exe
Set value (str)  Hfmcapna.exe
Set value (str)  Mjilmejf.exe
Key created      Nhljpmlm.exe
Set value (str)  Lbgmah32.exe
Key created      Lonlkcho.exe
Set value (str)  Ikfffh32.exe
Key created      Ddgljced.exe
Key created      Nnofbg32.exe
Set value (str)  Jbbbed32.exe
Key created      Mmcbbo32.exe
Set value (str)  Llbnpm32.exe
Key created      Ekcmkamj.exe
Set value (str)  Okbapi32.exe
Set value (str)  Edbonh32.exe
Set value (str)  Iickckcl.exe
Set value (str)  Gjnbmlmj.exe
Set value (str)  Ldmaijdc.exe
Key created      Naokbq32.exe
Set value (str)  Jjqlbdog.exe
Set value (str)  Hpckee32.exe
Key created      Jbcelp32.exe
Key created      Gomhkb32.exe
Set value (str)  Okecak32.exe
Set value (str)  Jbphgpfg.exe
Key created      Jalmcl32.exe
Set value (str)  Nehjmppo.exe
Key created      Glefpd32.exe
Key created      Iegjnkod.exe
Set value (str)  Gdjpcj32.exe
Set value (str)  Eqklhh32.exe
Set value (str)  Fbjeao32.exe
Key created      Moflkfca.exe
Key created      Jdmfdgbj.exe
Key created      Afhcgjkq.exe
Set value (str)  Campbj32.exe
Set value (str)  Fpgpjdnf.exe
Key created      Ieibdnnp.exe
Key created      Ffcdlncp.exe
Set value (str)  Kapbmo32.exe
Key created      Ljjkgfig.exe
Key created      Ickaaf32.exe
Key created      Iaqnbb32.exe
Key created      Mmlmmdga.exe
Key created      Gboolneo.exe
Set value (str)  Ioeclg32.exe
Key created      Jkklpk32.exe
Set value (str)  Aahkhgag.exe
Set value (str)  Glefpd32.exe
Malware Backdoor - Berbew (64 IoCs)

Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.

yara_rule: family_berbew (matched on all 64 resources below)

resource
behavioral1/memory/2688-0-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/memory/2688-6-0x0000000000220000-0x0000000000268000-memory.dmp
behavioral1/files/0x00080000000120bd-5.dat
behavioral1/files/0x00080000000120bd-12.dat
behavioral1/files/0x00080000000120bd-9.dat
behavioral1/files/0x00080000000120bd-8.dat
behavioral1/files/0x00080000000120bd-13.dat
behavioral1/files/0x0008000000015c56-21.dat
behavioral1/memory/2376-32-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x0008000000015c56-27.dat
behavioral1/files/0x0008000000015c56-26.dat
behavioral1/files/0x0008000000015c56-24.dat
behavioral1/memory/2640-20-0x0000000000220000-0x0000000000268000-memory.dmp
behavioral1/files/0x0008000000015c56-18.dat
behavioral1/files/0x0007000000015c7d-33.dat
behavioral1/files/0x0007000000015c7d-36.dat
behavioral1/memory/2624-45-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x0007000000015c7d-40.dat
behavioral1/files/0x0007000000015c7d-39.dat
behavioral1/files/0x0007000000015c7d-35.dat
behavioral1/files/0x0008000000015c9f-46.dat
behavioral1/files/0x0008000000015c9f-52.dat
behavioral1/files/0x0008000000015c9f-49.dat
behavioral1/files/0x0008000000015c9f-48.dat
behavioral1/memory/2688-59-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x0008000000015c9f-54.dat
behavioral1/memory/2520-53-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x0007000000015ea7-60.dat
behavioral1/files/0x0007000000015ea7-62.dat
behavioral1/files/0x0007000000015ea7-63.dat
behavioral1/files/0x0007000000015ea7-66.dat
behavioral1/files/0x0007000000015ea7-68.dat
behavioral1/memory/2640-67-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/memory/1964-73-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x000600000001604e-80.dat
behavioral1/files/0x000600000001604e-77.dat
behavioral1/files/0x000600000001604e-76.dat
behavioral1/files/0x000600000001604e-74.dat
behavioral1/memory/2528-81-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x000600000001604e-82.dat
behavioral1/files/0x000600000001625a-87.dat
behavioral1/files/0x000600000001625a-90.dat
behavioral1/files/0x000600000001625a-94.dat
behavioral1/memory/2520-96-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/memory/1640-101-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x000600000001625a-95.dat
behavioral1/memory/2624-93-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x000600000001625a-89.dat
behavioral1/files/0x000600000001644c-102.dat
behavioral1/files/0x000600000001644c-108.dat
behavioral1/files/0x000600000001644c-109.dat
behavioral1/files/0x000600000001644c-105.dat
behavioral1/files/0x000600000001644c-104.dat
behavioral1/memory/1980-114-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x0006000000016611-122.dat
behavioral1/files/0x0006000000016611-123.dat
behavioral1/files/0x0006000000016611-119.dat
behavioral1/files/0x0006000000016611-118.dat
behavioral1/memory/1980-117-0x00000000002F0000-0x0000000000338000-memory.dmp
behavioral1/files/0x0006000000016611-115.dat
behavioral1/files/0x0032000000015c21-131.dat
behavioral1/files/0x0032000000015c21-135.dat
behavioral1/memory/2588-137-0x0000000000400000-0x0000000000448000-memory.dmp
behavioral1/files/0x0006000000016ba2-142.dat
Executes dropped EXE (64 IoCs)

pid   Process
2640  Dboeco32.exe
2376  Dcbnpgkh.exe
2624  Dafoikjb.exe
2520  Djocbqpb.exe
1964  Dhbdleol.exe
2528  Eakhdj32.exe
1640  Eldiehbk.exe
1980  Edlafebn.exe
2792  Epbbkf32.exe
2588  Ehnfpifm.exe
588   Eafkhn32.exe
1648  Eojlbb32.exe
1240  Folhgbid.exe
2196  Fdiqpigl.exe
312   Fdkmeiei.exe
276   Fpbnjjkm.exe
700   Fkhbgbkc.exe
1348  Fdpgph32.exe
2104  Ggapbcne.exe
560   Goldfelp.exe
2208  Gcjmmdbf.exe
1848  Gglbfg32.exe
2012  Hgnokgcc.exe
2216  Hklhae32.exe
1708  Hqiqjlga.exe
2620  Hqkmplen.exe
2720  Hoqjqhjf.exe
2492  Ieponofk.exe
2252  Ioeclg32.exe
2836  Igqhpj32.exe
2788  Ijaaae32.exe
1716  Iegeonpc.exe
2476  Igebkiof.exe
576   Ieibdnnp.exe
568   Jmdgipkk.exe
456   Jfmkbebl.exe
1832  Jikhnaao.exe
2080  Jpepkk32.exe
1996  Jbfilffm.exe
1704  Jnofgg32.exe
1860  Kambcbhb.exe
2372  Khgkpl32.exe
1820  Kekkiq32.exe
1068  Kdphjm32.exe
772   Kipmhc32.exe
856   Mdendpbg.exe
1516  Mjilmejf.exe
1608  Akadpn32.exe
2596  Iqhfnifq.exe
2516  Ijqjgo32.exe
2536  Iickckcl.exe
2996  Iejkhlip.exe
2840  Jkdcdf32.exe
2108  Jnbpqb32.exe
1696  Jfjhbo32.exe
1956  Jihdnk32.exe
472   Joblkegc.exe
1656  Jbphgpfg.exe
2160  Jijacjnc.exe
1460  Jkimpfmg.exe
1276  Jngilalk.exe
364   Jbcelp32.exe
1560  Kiofnm32.exe
1548  Lbgkfbbj.exe
Loads dropped DLL (64 IoCs)

The report lists each of the 32 processes below twice (two DLL loads each), giving 64 records.

pid   Process                                     records
2688  NEAS.a7c7c20f713e94d6bb608e58da979de0.exe   2
2640  Dboeco32.exe                                2
2376  Dcbnpgkh.exe                                2
2624  Dafoikjb.exe                                2
2520  Djocbqpb.exe                                2
1964  Dhbdleol.exe                                2
2528  Eakhdj32.exe                                2
1640  Eldiehbk.exe                                2
1980  Edlafebn.exe                                2
2792  Epbbkf32.exe                                2
2588  Ehnfpifm.exe                                2
588   Eafkhn32.exe                                2
1648  Eojlbb32.exe                                2
1240  Folhgbid.exe                                2
2196  Fdiqpigl.exe                                2
312   Fdkmeiei.exe                                2
276   Fpbnjjkm.exe                                2
700   Fkhbgbkc.exe                                2
1348  Fdpgph32.exe                                2
2104  Ggapbcne.exe                                2
560   Goldfelp.exe                                2
2208  Gcjmmdbf.exe                                2
1848  Gglbfg32.exe                                2
2012  Hgnokgcc.exe                                2
2216  Hklhae32.exe                                2
1708  Hqiqjlga.exe                                2
2620  Hqkmplen.exe                                2
2720  Hoqjqhjf.exe                                2
2492  Ieponofk.exe                                2
2252  Ioeclg32.exe                                2
2836  Igqhpj32.exe                                2
2788  Ijaaae32.exe                                2
Drops file in System32 directory (64 IoCs)

description                   ioc                                   Process
File created                  C:\Windows\SysWOW64\Fgofgcik.dll      Icjmpd32.exe
File opened for modification  C:\Windows\SysWOW64\Pbohmh32.exe      Pmbpda32.exe
File created                  C:\Windows\SysWOW64\Pdijjmef.dll      Chghodgj.exe
File created                  C:\Windows\SysWOW64\Lfedlb32.exe      Lcfhpf32.exe
File created                  C:\Windows\SysWOW64\Cggioi32.dll      Fdkmeiei.exe
File created                  C:\Windows\SysWOW64\Jpepkk32.exe      Jikhnaao.exe
File created                  C:\Windows\SysWOW64\Eaakbg32.dll      Llkbcl32.exe
File opened for modification  C:\Windows\SysWOW64\Pcdldknm.exe      Pmkdhq32.exe
File opened for modification  C:\Windows\SysWOW64\Dmgmbj32.exe      Ddnhidmm.exe
File created                  C:\Windows\SysWOW64\Keehmobp.exe      Kbflqccl.exe
File created                  C:\Windows\SysWOW64\Jmdgipkk.exe      Ieibdnnp.exe
File opened for modification  C:\Windows\SysWOW64\Gmgenh32.exe      Gjiibm32.exe
File created                  C:\Windows\SysWOW64\Jdmfdgbj.exe      Jigagocd.exe
File created                  C:\Windows\SysWOW64\Jjebph32.dll      Jilkbn32.exe
File created                  C:\Windows\SysWOW64\Mcknjidn.exe      Mmafmo32.exe
File created                  C:\Windows\SysWOW64\Kiofnm32.exe      Jbcelp32.exe
File opened for modification  C:\Windows\SysWOW64\Kgmkef32.exe      Kapbmo32.exe
File created                  C:\Windows\SysWOW64\Eddlcgjb.exe      Enjcfm32.exe
File created                  C:\Windows\SysWOW64\Gnhlgoia.exe      Ghndjd32.exe
File opened for modification  C:\Windows\SysWOW64\Jnbpqb32.exe      Jkdcdf32.exe
File created                  C:\Windows\SysWOW64\Gjiibm32.exe      Fhnjdfcl.exe
File created                  C:\Windows\SysWOW64\Imcaijia.exe      Ifiilp32.exe
File created                  C:\Windows\SysWOW64\Kgfblqne.dll      Fbjeao32.exe
File opened for modification  C:\Windows\SysWOW64\Hqkmplen.exe      Hqiqjlga.exe
File opened for modification  C:\Windows\SysWOW64\Ieponofk.exe      Hoqjqhjf.exe
File opened for modification  C:\Windows\SysWOW64\Goodpb32.exe      Gdjpcj32.exe
File created                  C:\Windows\SysWOW64\Pgpjpnhk.exe      Pbcahgjd.exe
File opened for modification  C:\Windows\SysWOW64\Djhnmj32.exe      Dbaflm32.exe
File created                  C:\Windows\SysWOW64\Idoaigpm.dll      Iaqnbb32.exe
File opened for modification  C:\Windows\SysWOW64\Ekcmkamj.exe      Eqninhmc.exe
File created                  C:\Windows\SysWOW64\Pcdapknb.dll      Kambcbhb.exe
File created                  C:\Windows\SysWOW64\Odflmp32.exe      Onldqejb.exe
File created                  C:\Windows\SysWOW64\Eihdakqq.dll      Hgjieedg.exe
File opened for modification  C:\Windows\SysWOW64\Hminbkql.exe      Hjkbfpah.exe
File created                  C:\Windows\SysWOW64\Hbfein32.dll      Mcknjidn.exe
File created                  C:\Windows\SysWOW64\Lenapcbd.dll      Nfbmlckg.exe
File created                  C:\Windows\SysWOW64\Pcdldknm.exe      Pmkdhq32.exe
File opened for modification  C:\Windows\SysWOW64\Fadagl32.exe      Eghdanac.exe
File created                  C:\Windows\SysWOW64\Infjfblm.exe      Iijbnkne.exe
File created                  C:\Windows\SysWOW64\Iphgeipb.dll      Jgaikb32.exe
File created                  C:\Windows\SysWOW64\Elllck32.dll      Iejkhlip.exe
File created                  C:\Windows\SysWOW64\Mfdedcim.dll      Ckjnfobi.exe
File opened for modification  C:\Windows\SysWOW64\Khgkpl32.exe      Kambcbhb.exe
File created                  C:\Windows\SysWOW64\Hhfdfc32.dll      Miocmq32.exe
File created                  C:\Windows\SysWOW64\Gfpjgn32.exe      Gofajcog.exe
File created                  C:\Windows\SysWOW64\Jffhec32.exe      Ieelnkpd.exe
File opened for modification  C:\Windows\SysWOW64\Kgkokjjd.exe      Kaagnp32.exe
File created                  C:\Windows\SysWOW64\Chkgnh32.dll      Nimaic32.exe
File created                  C:\Windows\SysWOW64\Poialihj.dll      Jlmddi32.exe
File created                  C:\Windows\SysWOW64\Eeekfj32.dll      Mlfgkleh.exe
File created                  C:\Windows\SysWOW64\Bimbbhgh.exe      Bfoffmhd.exe
File created                  C:\Windows\SysWOW64\Imcafcpf.dll      Enajgllm.exe
File created                  C:\Windows\SysWOW64\Goldfelp.exe      Ggapbcne.exe
File opened for modification  C:\Windows\SysWOW64\Jbfilffm.exe      Jpepkk32.exe
File created                  C:\Windows\SysWOW64\Iejkhlip.exe      Iickckcl.exe
File created                  C:\Windows\SysWOW64\Jilkbn32.exe      Jbbbed32.exe
File created                  C:\Windows\SysWOW64\Cmoade32.dll      Jmfoon32.exe
File opened for modification  C:\Windows\SysWOW64\Kaagnp32.exe      Kjgoaflj.exe
File opened for modification  C:\Windows\SysWOW64\Egchocif.exe      Eddlcgjb.exe
File opened for modification  C:\Windows\SysWOW64\Fqbbig32.exe      Fjhjlm32.exe
File created                  C:\Windows\SysWOW64\Apnmpn32.dll      Dhbdleol.exe
File created                  C:\Windows\SysWOW64\Iiaaooka.dll      Ijphqbpo.exe
File opened for modification  C:\Windows\SysWOW64\Nnnbqeib.exe      Nhdjdk32.exe
File created                  C:\Windows\SysWOW64\Jdmfmc32.dll      Iackhb32.exe
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cefpmiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hemggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imcaijia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Henjnica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndagjbio.dll" Ldokhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okgpfjbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnjaegb.dll" Enjcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjkim32.dll" Lpjiik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmjqhd32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nijdcdgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnjbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igeljknl.dll" Kgkokjjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckjnfobi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoefea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdnoa32.dll" Jbphgpfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijeinphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikfffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkbbqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgaoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfgaaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljjkgfig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iniebmfg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jojaje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnofgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimmcm32.dll" Gjiibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfpehbh.dll" Jdmfdgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnnbqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nehjmppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnofbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpohfljj.dll" Gbfklolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdmbl32.dll" Ifiilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihaldgak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keehmobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 
Blkoocfl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgpfpe32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhemaec.dll" Eghdanac.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fadagl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlgk32.dll" Lcfhpf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcfgfack.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfcnkcn.dll" Clnkdc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Impblnna.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgbcfdmo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llbnpm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffhqa32.dll" Cclmlm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okecak32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bimbbhgh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmcilp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knbjgq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcfhpf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncbdjhnf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oqaliabh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll" Ehnfpifm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpbnjjkm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pflbpg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkao32.dll" Mhmhpm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkmhq32.dll" Lcbppk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onldqejb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbfklolh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moonqphf.dll" Necqbp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kecpipck.exe
-
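The records above show the persistence trick in this sample: one CLSID is re-registered over and over, each stage pointing the COM object's InProcServer32 default value at a freshly dropped DLL under SysWow64 with ThreadingModel "Apartment", so that the Explorer-loaded autorun entry for that CLSID (the signature listed first on this page) pulls in whichever DLL was written last. The following is an added example, not part of the sandbox report: a parser for this run-together record format that turns it into one dict per record, then lists the DLL paths as IoCs and shows which process rewrote the COM server each time. The sample records are copied from the report; the key name KEY and the function names are this example's own.

```python
import re
from collections import defaultdict

# Registry records copied from the report above (a subset of the "Modifies registry
# class" signature). The report prints them run together on one line, separated only
# by spaces, and prints the process that made each change *after* the record.
KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32"
SAMPLE = " ".join([
    "Blkoocfl.exe",  # tail of a preceding record: the parser has to step over it
    "Key created " + KEY + " Lgpfpe32.exe",
    "Set value (str) " + KEY + r'\ = "C:\\Windows\\SysWow64\\Ndhemaec.dll" Eghdanac.exe',
    "Key created " + KEY + " Fadagl32.exe",
    "Set value (str) " + KEY + r'\ = "C:\\Windows\\SysWow64\\Aadlgk32.dll" Lcfhpf32.exe',
    "Set value (str) " + KEY + r'\ThreadingModel = "Apartment" Gcfgfack.exe',
    "Set value (str) " + KEY + r'\ = "C:\\Windows\\SysWow64\\Hhfcnkcn.dll" Clnkdc32.exe',
    "Set value (str) " + KEY + r'\ThreadingModel = "Apartment" Knbjgq32.exe',
])

RECORD = re.compile(
    r"(?P<action>Key created|Set value \(str\))\s+"
    r"(?P<path>\\REGISTRY\\\S+)"        # key path; for Set value it ends in \ValueName (bare \ = default value)
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'     # string data, present only for Set value records
    r"\s+(?P<proc>\S+\.exe)"             # the process that made the change
)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)


def parse_registry_log(text):
    """Split the run-together sandbox log into one dict per registry record."""
    records = []
    for m in RECORD.finditer(text):
        action, path, data, proc = m["action"], m["path"], m["data"], m["proc"]
        if action == "Key created":
            key, value = path, None
        else:
            key, _, value = path.rpartition("\\")   # value == "" means the key's default value
        if data is not None:
            data = data.replace("\\\\", "\\")       # the report doubles backslashes in string data
        records.append({"action": action, "key": key, "value": value,
                        "data": data, "process": proc})
    return records


def com_server_rewrites(records):
    """Map each CLSID to the ordered (process, dll) pairs that set its InProcServer32
    default value. Several different DLLs for one CLSID means the COM server was
    re-pointed repeatedly, which is exactly what this sample's stages do."""
    rewrites = defaultdict(list)
    for r in records:
        if r["action"] != "Set value (str)" or r["value"] != "":
            continue
        if not r["key"].endswith("\\InProcServer32"):
            continue
        clsid = CLSID_RE.search(r["key"])
        if clsid:
            rewrites[clsid.group(0)].append((r["process"], r["data"]))
    return dict(rewrites)


def dropped_dll_iocs(records):
    """Sorted, de-duplicated list of DLL paths the sample registered as COM servers."""
    return sorted({dll for pairs in com_server_rewrites(records).values() for _, dll in pairs})


if __name__ == "__main__":
    recs = parse_registry_log(SAMPLE)
    for clsid, pairs in com_server_rewrites(recs).items():
        print(clsid)
        for proc, dll in pairs:
            print(f"  {proc:<14} -> {dll}")
    print("IoCs:", dropped_dll_iocs(recs))
```

Run on the full record list from the report rather than this subset and the IoC list grows to every SysWow64 DLL named in the Set value records; the "Key created" records carry no data and are kept only so the per-process attribution stays complete.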
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2688 wrote to memory of 2640 2688 NEAS.a7c7c20f713e94d6bb608e58da979de0.exe 30
PID 2688 wrote to memory of 2640 2688 NEAS.a7c7c20f713e94d6bb608e58da979de0.exe 30
PID 2688 wrote to memory of 2640 2688 NEAS.a7c7c20f713e94d6bb608e58da979de0.exe 30
PID 2688 wrote to memory of 2640 2688 NEAS.a7c7c20f713e94d6bb608e58da979de0.exe 30
PID 2640 wrote to memory of 2376 2640 Dboeco32.exe 31
PID 2640 wrote to memory of 2376 2640 Dboeco32.exe 31
PID 2640 wrote to memory of 2376 2640 Dboeco32.exe 31
PID 2640 wrote to memory of 2376 2640 Dboeco32.exe 31
PID 2376 wrote to memory of 2624 2376 Dcbnpgkh.exe 32
PID 2376 wrote to memory of 2624 2376 Dcbnpgkh.exe 32
PID 2376 wrote to memory of 2624 2376 Dcbnpgkh.exe 32
PID 2376 wrote to memory of 2624 2376 Dcbnpgkh.exe 32
PID 2624 wrote to memory of 2520 2624 Dafoikjb.exe 33
PID 2624 wrote to memory of 2520 2624 Dafoikjb.exe 33
PID 2624 wrote to memory of 2520 2624 Dafoikjb.exe 33
PID 2624 wrote to memory of 2520 2624 Dafoikjb.exe 33
PID 2520 wrote to memory of 1964 2520 Djocbqpb.exe 34
PID 2520 wrote to memory of 1964 2520 Djocbqpb.exe 34
PID 2520 wrote to memory of 1964 2520 Djocbqpb.exe 34
PID 2520 wrote to memory of 1964 2520 Djocbqpb.exe 34
PID 1964 wrote to memory of 2528 1964 Dhbdleol.exe 35
PID 1964 wrote to memory of 2528 1964 Dhbdleol.exe 35
PID 1964 wrote to memory of 2528 1964 Dhbdleol.exe 35
PID 1964 wrote to memory of 2528 1964 Dhbdleol.exe 35
PID 2528 wrote to memory of 1640 2528 Eakhdj32.exe 36
PID 2528 wrote to memory of 1640 2528 Eakhdj32.exe 36
PID 2528 wrote to memory of 1640 2528 Eakhdj32.exe 36
PID 2528 wrote to memory of 1640 2528 Eakhdj32.exe 36
PID 1640 wrote to memory of 1980 1640 Eldiehbk.exe 37
PID 1640 wrote to memory of 1980 1640 Eldiehbk.exe 37
PID 1640 wrote to memory of 1980 1640 Eldiehbk.exe 37
PID 1640 wrote to memory of 1980 1640 Eldiehbk.exe 37
PID 1980 wrote to memory of 2792 1980 Edlafebn.exe 38
PID 1980 wrote to memory of 2792 1980 Edlafebn.exe 38
PID 1980 wrote to memory of 2792 1980 Edlafebn.exe 38
PID 1980 wrote to memory of 2792 1980 Edlafebn.exe 38
PID 2792 wrote to memory of 2588 2792 Epbbkf32.exe 39
PID 2792 wrote to memory of 2588 2792 Epbbkf32.exe 39
PID 2792 wrote to memory of 2588 2792 Epbbkf32.exe 39
PID 2792 wrote to memory of 2588 2792 Epbbkf32.exe 39
PID 2588 wrote to memory of 588 2588 Ehnfpifm.exe 40
PID 2588 wrote to memory of 588 2588 Ehnfpifm.exe 40
PID 2588 wrote to memory of 588 2588 Ehnfpifm.exe 40
PID 2588 wrote to memory of 588 2588 Ehnfpifm.exe 40
PID 588 wrote to memory of 1648 588 Eafkhn32.exe 43
PID 588 wrote to memory of 1648 588 Eafkhn32.exe 43
PID 588 wrote to memory of 1648 588 Eafkhn32.exe 43
PID 588 wrote to memory of 1648 588 Eafkhn32.exe 43
PID 1648 wrote to memory of 1240 1648 Eojlbb32.exe 42
PID 1648 wrote to memory of 1240 1648 Eojlbb32.exe 42
PID 1648 wrote to memory of 1240 1648 Eojlbb32.exe 42
PID 1648 wrote to memory of 1240 1648 Eojlbb32.exe 42
PID 1240 wrote to memory of 2196 1240 Folhgbid.exe 41
PID 1240 wrote to memory of 2196 1240 Folhgbid.exe 41
PID 1240 wrote to memory of 2196 1240 Folhgbid.exe 41
PID 1240 wrote to memory of 2196 1240 Folhgbid.exe 41
PID 2196 wrote to memory of 312 2196 Fdiqpigl.exe 44
PID 2196 wrote to memory of 312 2196 Fdiqpigl.exe 44
PID 2196 wrote to memory of 312 2196 Fdiqpigl.exe 44
PID 2196 wrote to memory of 312 2196 Fdiqpigl.exe 44
PID 312 wrote to memory of 276 312 Fdkmeiei.exe 45
PID 312 wrote to memory of 276 312 Fdkmeiei.exe 45
PID 312 wrote to memory of 276 312 Fdkmeiei.exe 45
PID 312 wrote to memory of 276 312 Fdkmeiei.exe 45
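Each WriteProcessMemory record names only the writing (parent) process; the child's name is known only once that child writes into its own successor, and every spawn shows up four times. The following is an added example, not part of the report: it collapses the repeated records into unique parent-to-child events, keeps a count per event, and renders the spawn chain as an indented tree from a chosen root, marking a leaf whose name never appears in the log. The sample is the first four hops copied from the report; the names WpmEvent, parse_wpm, spawn_tree and render_tree are this example's own, and the trailing procid_target column is parsed but ignored.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WpmEvent:
    parent_pid: int
    child_pid: int
    parent_name: str   # the report names only the process that did the writing


# Records copied from the report above (first four hops of the chain). The sandbox logs
# every WriteProcessMemory call, and the report shows four per spawn, reproduced here.
SAMPLE = " ".join(
    ["PID 2688 wrote to memory of 2640 2688 NEAS.a7c7c20f713e94d6bb608e58da979de0.exe 30"] * 4
    + ["PID 2640 wrote to memory of 2376 2640 Dboeco32.exe 31"] * 4
    + ["PID 2376 wrote to memory of 2624 2376 Dcbnpgkh.exe 32"] * 4
    + ["PID 2624 wrote to memory of 2520 2624 Dafoikjb.exe 33"] * 4
)

# "PID <parent> wrote to memory of <child> <parent> <parent name> <procid_target>"
RECORD = re.compile(
    r"PID (?P<p>\d+) wrote to memory of (?P<c>\d+) (?P=p) (?P<n>\S+) (?P<t>\d+)"
)


def parse_wpm(text):
    """Collapse the repeated records into unique events (first-seen order) plus a
    per-event count, so a chain of N spawns yields N events rather than 4N lines."""
    counts = Counter()
    unique = []
    for m in RECORD.finditer(text):
        ev = WpmEvent(int(m["p"]), int(m["c"]), m["n"])
        if ev not in counts:
            unique.append(ev)
        counts[ev] += 1
    return unique, counts


def spawn_tree(events):
    """Build parent -> [children] adjacency and the pid -> name map the log supports.
    Branching (one parent writing into several children) is kept, not flattened."""
    children = defaultdict(list)
    names = {}
    for ev in events:
        if ev.child_pid not in children[ev.parent_pid]:
            children[ev.parent_pid].append(ev.child_pid)
        names[ev.parent_pid] = ev.parent_name
    return children, names


def render_tree(events, root_pid):
    """Indented lines, one per process, starting at root_pid. A pid that never wrote
    into another process has no name in this log and is labelled as such."""
    children, names = spawn_tree(events)
    lines = []

    def walk(pid, depth, seen):
        if pid in seen:            # a recycled pid would otherwise loop forever
            return
        seen.add(pid)
        name = names.get(pid, "<name not in WPM log>")
        lines.append("  " * depth + f"{name} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1, seen)

    walk(root_pid, 0, set())
    return lines


if __name__ == "__main__":
    events, counts = parse_wpm(SAMPLE)
    print("\n".join(render_tree(events, 2688)))
    print({f"{e.parent_pid}->{e.child_pid}": n for e, n in counts.items()})
```

Feeding it the whole record list from the report reconstructs the full chain down to PID 276, including the hop through Folhgbid.exe (PID 1240) that the process tree below does not show as a node; cross-check the rendered names against the "Executes dropped EXE" entries in that tree.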
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a7c7c20f713e94d6bb608e58da979de0.exe "C:\Users\Admin\AppData\Local\Temp\NEAS.a7c7c20f713e94d6bb608e58da979de0.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Dboeco32.exe C:\Windows\system32\Dboeco32.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Dcbnpgkh.exe C:\Windows\system32\Dcbnpgkh.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Dafoikjb.exe C:\Windows\system32\Dafoikjb.exe 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Djocbqpb.exe C:\Windows\system32\Djocbqpb.exe 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Dhbdleol.exe C:\Windows\system32\Dhbdleol.exe 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Eakhdj32.exe C:\Windows\system32\Eakhdj32.exe 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Eldiehbk.exe C:\Windows\system32\Eldiehbk.exe 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Edlafebn.exe C:\Windows\system32\Edlafebn.exe 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Epbbkf32.exe C:\Windows\system32\Epbbkf32.exe 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ehnfpifm.exe C:\Windows\system32\Ehnfpifm.exe 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Eafkhn32.exe C:\Windows\system32\Eafkhn32.exe 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Eojlbb32.exe C:\Windows\system32\Eojlbb32.exe 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648
C:\Windows\SysWOW64\Fdiqpigl.exe C:\Windows\system32\Fdiqpigl.exe 1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Fdkmeiei.exe C:\Windows\system32\Fdkmeiei.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Fpbnjjkm.exe C:\Windows\system32\Fpbnjjkm.exe 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Fkhbgbkc.exe C:\Windows\system32\Fkhbgbkc.exe 4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:700 -
C:\Windows\SysWOW64\Fdpgph32.exe C:\Windows\system32\Fdpgph32.exe 5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1348 -
C:\Windows\SysWOW64\Ggapbcne.exe C:\Windows\system32\Ggapbcne.exe 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Goldfelp.exe C:\Windows\system32\Goldfelp.exe 7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Gcjmmdbf.exe C:\Windows\system32\Gcjmmdbf.exe 8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Gglbfg32.exe C:\Windows\system32\Gglbfg32.exe 9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Hgnokgcc.exe C:\Windows\system32\Hgnokgcc.exe 10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Hklhae32.exe C:\Windows\system32\Hklhae32.exe 11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Hqiqjlga.exe C:\Windows\system32\Hqiqjlga.exe 12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Hqkmplen.exe C:\Windows\system32\Hqkmplen.exe 13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Hoqjqhjf.exe C:\Windows\system32\Hoqjqhjf.exe 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Ieponofk.exe C:\Windows\system32\Ieponofk.exe 15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Ioeclg32.exe C:\Windows\system32\Ioeclg32.exe 16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Igqhpj32.exe C:\Windows\system32\Igqhpj32.exe 17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Ijaaae32.exe C:\Windows\system32\Ijaaae32.exe 18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Iegeonpc.exe C:\Windows\system32\Iegeonpc.exe 19⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Igebkiof.exe C:\Windows\system32\Igebkiof.exe 20⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Ieibdnnp.exe C:\Windows\system32\Ieibdnnp.exe 21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Jmdgipkk.exe C:\Windows\system32\Jmdgipkk.exe 22⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Jfmkbebl.exe C:\Windows\system32\Jfmkbebl.exe 23⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\system32\Jikhnaao.exe 24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Jpepkk32.exe C:\Windows\system32\Jpepkk32.exe 25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Jbfilffm.exe C:\Windows\system32\Jbfilffm.exe 26⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Jnofgg32.exe C:\Windows\system32\Jnofgg32.exe 27⤵
- Executes dropped EXE
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Kambcbhb.exe C:\Windows\system32\Kambcbhb.exe 28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\system32\Khgkpl32.exe 29⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Kekkiq32.exe C:\Windows\system32\Kekkiq32.exe 30⤵
- Executes dropped EXE
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Kdphjm32.exe C:\Windows\system32\Kdphjm32.exe 31⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Kipmhc32.exe C:\Windows\system32\Kipmhc32.exe 32⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Mdendpbg.exe C:\Windows\system32\Mdendpbg.exe 33⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Mjilmejf.exe C:\Windows\system32\Mjilmejf.exe 34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Akadpn32.exe C:\Windows\system32\Akadpn32.exe 35⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Iqhfnifq.exe C:\Windows\system32\Iqhfnifq.exe 36⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Ijqjgo32.exe C:\Windows\system32\Ijqjgo32.exe 37⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Iickckcl.exe C:\Windows\system32\Iickckcl.exe 38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Iejkhlip.exe C:\Windows\system32\Iejkhlip.exe 39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Jkdcdf32.exe C:\Windows\system32\Jkdcdf32.exe 40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Jnbpqb32.exe C:\Windows\system32\Jnbpqb32.exe 41⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Jfjhbo32.exe C:\Windows\system32\Jfjhbo32.exe 42⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Jihdnk32.exe C:\Windows\system32\Jihdnk32.exe 43⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Joblkegc.exe C:\Windows\system32\Joblkegc.exe 44⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Jbphgpfg.exe C:\Windows\system32\Jbphgpfg.exe 45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Jijacjnc.exe C:\Windows\system32\Jijacjnc.exe 46⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Jkimpfmg.exe C:\Windows\system32\Jkimpfmg.exe 47⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Jngilalk.exe C:\Windows\system32\Jngilalk.exe 48⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Jbcelp32.exe C:\Windows\system32\Jbcelp32.exe 49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:364 -
C:\Windows\SysWOW64\Kiofnm32.exe C:\Windows\system32\Kiofnm32.exe 50⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Lbgkfbbj.exe C:\Windows\system32\Lbgkfbbj.exe 51⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lonlkcho.exe C:\Windows\system32\Lonlkcho.exe 52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:440 -
C:\Windows\SysWOW64\Lehdhn32.exe C:\Windows\system32\Lehdhn32.exe 53⤵ PID:968
-
C:\Windows\SysWOW64\Lkelpd32.exe C:\Windows\system32\Lkelpd32.exe 54⤵ PID:1364
-
C:\Windows\SysWOW64\Lmcilp32.exe C:\Windows\system32\Lmcilp32.exe 55⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ldmaijdc.exe C:\Windows\system32\Ldmaijdc.exe 56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Lijiaabk.exe C:\Windows\system32\Lijiaabk.exe 57⤵ PID:2424
-
C:\Windows\SysWOW64\Laaabo32.exe C:\Windows\system32\Laaabo32.exe 58⤵ PID:1620
-
C:\Windows\SysWOW64\Ldpnoj32.exe C:\Windows\system32\Ldpnoj32.exe 59⤵ PID:2728
-
C:\Windows\SysWOW64\Lilfgq32.exe C:\Windows\system32\Lilfgq32.exe 60⤵ PID:2904
-
C:\Windows\SysWOW64\Llkbcl32.exe C:\Windows\system32\Llkbcl32.exe 61⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Lgpfpe32.exe C:\Windows\system32\Lgpfpe32.exe 62⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Miocmq32.exe C:\Windows\system32\Miocmq32.exe 63⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Mokkegmm.exe C:\Windows\system32\Mokkegmm.exe 64⤵ PID:1252
-
C:\Windows\SysWOW64\Mgbcfdmo.exe C:\Windows\system32\Mgbcfdmo.exe 65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Monhjgkj.exe C:\Windows\system32\Monhjgkj.exe 66⤵ PID:2784
-
C:\Windows\SysWOW64\Omhkcnfg.exe C:\Windows\system32\Omhkcnfg.exe 67⤵ PID:1304
-
C:\Windows\SysWOW64\Onldqejb.exe C:\Windows\system32\Onldqejb.exe 68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Odflmp32.exe C:\Windows\system32\Odflmp32.exe 69⤵ PID:2264
-
C:\Windows\SysWOW64\Okpdjjil.exe C:\Windows\system32\Okpdjjil.exe 70⤵ PID:1940
-
C:\Windows\SysWOW64\Onoqfehp.exe C:\Windows\system32\Onoqfehp.exe 71⤵ PID:2344
-
C:\Windows\SysWOW64\Oehicoom.exe C:\Windows\system32\Oehicoom.exe 72⤵ PID:1544
-
C:\Windows\SysWOW64\Okbapi32.exe C:\Windows\system32\Okbapi32.exe 73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:936 -
C:\Windows\SysWOW64\Onamle32.exe C:\Windows\system32\Onamle32.exe 74⤵ PID:2128
-
C:\Windows\SysWOW64\Pcnfdl32.exe C:\Windows\system32\Pcnfdl32.exe 75⤵ PID:2420
-
C:\Windows\SysWOW64\Pflbpg32.exe C:\Windows\system32\Pflbpg32.exe 76⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Pmfjmake.exe C:\Windows\system32\Pmfjmake.exe 77⤵ PID:2984
-
C:\Windows\SysWOW64\Ppdfimji.exe C:\Windows\system32\Ppdfimji.exe 78⤵ PID:2044
-
C:\Windows\SysWOW64\Pglojj32.exe C:\Windows\system32\Pglojj32.exe 79⤵ PID:2920
-
C:\Windows\SysWOW64\Pjjkfe32.exe C:\Windows\system32\Pjjkfe32.exe 80⤵ PID:2524
-
C:\Windows\SysWOW64\Ppgcol32.exe C:\Windows\system32\Ppgcol32.exe 81⤵ PID:2500
-
C:\Windows\SysWOW64\Pjlgle32.exe C:\Windows\system32\Pjlgle32.exe 82⤵ PID:3004
-
C:\Windows\SysWOW64\Pmkdhq32.exe C:\Windows\system32\Pmkdhq32.exe 83⤵
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Pcdldknm.exe C:\Windows\system32\Pcdldknm.exe 84⤵ PID:1636
-
C:\Windows\SysWOW64\Pfchqf32.exe C:\Windows\system32\Pfchqf32.exe 85⤵ PID:1916
-
C:\Windows\SysWOW64\Aiaqle32.exe C:\Windows\system32\Aiaqle32.exe 86⤵ PID:1508
-
C:\Windows\SysWOW64\Nhljpmlm.exe C:\Windows\system32\Nhljpmlm.exe 87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Nlgfqldf.exe C:\Windows\system32\Nlgfqldf.exe 88⤵ PID:2368
-
C:\Windows\SysWOW64\Cjkamk32.exe C:\Windows\system32\Cjkamk32.exe 89⤵ PID:1300
-
C:\Windows\SysWOW64\Ddnhidmm.exe C:\Windows\system32\Ddnhidmm.exe 90⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Dmgmbj32.exe C:\Windows\system32\Dmgmbj32.exe 91⤵ PID:484
-
C:\Windows\SysWOW64\Egfglocf.exe C:\Windows\system32\Egfglocf.exe 92⤵ PID:1272
-
C:\Windows\SysWOW64\Eghdanac.exe C:\Windows\system32\Eghdanac.exe 93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Fadagl32.exe C:\Windows\system32\Fadagl32.exe 94⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Fhnjdfcl.exe C:\Windows\system32\Fhnjdfcl.exe 95⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Gjiibm32.exe C:\Windows\system32\Gjiibm32.exe 96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Gmgenh32.exe C:\Windows\system32\Gmgenh32.exe 97⤵ PID:2584
-
C:\Windows\SysWOW64\Gofajcog.exe C:\Windows\system32\Gofajcog.exe 98⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Gfpjgn32.exe C:\Windows\system32\Gfpjgn32.exe 99⤵ PID:2072
-
C:\Windows\SysWOW64\Gmjbchnq.exe C:\Windows\system32\Gmjbchnq.exe 100⤵ PID:1972
-
C:\Windows\SysWOW64\Gohnpcmd.exe C:\Windows\system32\Gohnpcmd.exe 101⤵ PID:2284
-
C:\Windows\SysWOW64\Gbfklolh.exe C:\Windows\system32\Gbfklolh.exe 102⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Gjnbmlmj.exe C:\Windows\system32\Gjnbmlmj.exe 103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Gmloigln.exe C:\Windows\system32\Gmloigln.exe 104⤵ PID:2848
-
C:\Windows\SysWOW64\Gcfgfack.exe C:\Windows\system32\Gcfgfack.exe 105⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Gdgcnj32.exe C:\Windows\system32\Gdgcnj32.exe 106⤵ PID:1860
-
C:\Windows\SysWOW64\Gomhkb32.exe C:\Windows\system32\Gomhkb32.exe 107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Gbkdgn32.exe C:\Windows\system32\Gbkdgn32.exe 108⤵ PID:2840
-
C:\Windows\SysWOW64\Gdjpcj32.exe C:\Windows\system32\Gdjpcj32.exe 109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Goodpb32.exe C:\Windows\system32\Goodpb32.exe 110⤵ PID:2956
-
C:\Windows\SysWOW64\Hqpahkmj.exe C:\Windows\system32\Hqpahkmj.exe 111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:968 -
C:\Windows\SysWOW64\Hgjieedg.exe C:\Windows\system32\Hgjieedg.exe 112⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Hndaao32.exe C:\Windows\system32\Hndaao32.exe 113⤵ PID:1028
-
C:\Windows\SysWOW64\Henjnica.exe C:\Windows\system32\Henjnica.exe 114⤵
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Hjkbfpah.exe C:\Windows\system32\Hjkbfpah.exe 115⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Hminbkql.exe C:\Windows\system32\Hminbkql.exe 116⤵ PID:2844
-
C:\Windows\SysWOW64\Hfbckagm.exe C:\Windows\system32\Hfbckagm.exe 117⤵ PID:1720
-
C:\Windows\SysWOW64\Hmlkhk32.exe C:\Windows\system32\Hmlkhk32.exe 118⤵ PID:108
-
C:\Windows\SysWOW64\Hgaoec32.exe C:\Windows\system32\Hgaoec32.exe 119⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Hjplao32.exe C:\Windows\system32\Hjplao32.exe 120⤵ PID:1540
-
C:\Windows\SysWOW64\Hfflfp32.exe C:\Windows\system32\Hfflfp32.exe 121⤵ PID:2952
-
C:\Windows\SysWOW64\Hiehbl32.exe C:\Windows\system32\Hiehbl32.exe 122⤵ PID:2212