Analysis
-
max time kernel
31s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
31/10/2023, 08:52
Behavioral task
behavioral1
Sample
NEAS.3754f78d458d141314ccb72eff3a1b60.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.3754f78d458d141314ccb72eff3a1b60.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.3754f78d458d141314ccb72eff3a1b60.exe
-
Size
112KB
-
MD5
3754f78d458d141314ccb72eff3a1b60
-
SHA1
8457cefb541f012b0757c50bfa22ec2478649776
-
SHA256
78489afd30e0fcc6d54104df8703982df46485c2abdf814335eb43e77d4656bb
-
SHA512
6a8262626343d62a9c83ee080abcbf04fc5a1422d159a63df1cedce8d82b4f63de09e24d67a29615fb434e401d12888cd2ee1c33a4da5fc1f8fc9136d3e1f81e
-
SSDEEP
3072:4fIjmXWFfgd9Sy+vmhHSMQH2qC7ZQOlzSLUK6MwGsGnDc9o:cIjmGFobSyAmhHSMQWfdQOhwJ6MwGsw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomfkndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okgjodmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acmhepko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljabkeaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmbiipml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmphlpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdkape32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgkgeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knnkpobc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omqlpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldllgiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhnifmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjqdmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kohnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeieced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oalfhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neklbppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbbbdcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajnpecbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcglec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flehkhai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnlbcfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomgjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najpll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbnhmjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpgggol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjnjjbbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjaimn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcahoqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcamjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhdddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mngjeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhonngce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obdojcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhjapjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diphbfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjhmfekp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmqdpce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgkii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Degiggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iimcclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqiaclhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfqaiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfqkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlhjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbocjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jonbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjfdhbld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljabkeaf.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2116-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00070000000120b7-5.dat family_berbew behavioral1/memory/2116-6-0x00000000001B0000-0x00000000001F1000-memory.dmp family_berbew behavioral1/files/0x00070000000120b7-9.dat family_berbew behavioral1/files/0x00070000000120b7-12.dat family_berbew behavioral1/files/0x00070000000120b7-8.dat family_berbew behavioral1/files/0x00070000000120b7-13.dat family_berbew behavioral1/files/0x002d000000015047-25.dat family_berbew behavioral1/files/0x002d000000015047-27.dat family_berbew behavioral1/files/0x002d000000015047-22.dat family_berbew behavioral1/files/0x002d000000015047-21.dat family_berbew behavioral1/memory/2852-19-0x00000000002E0000-0x0000000000321000-memory.dmp family_berbew behavioral1/files/0x002d000000015047-18.dat family_berbew behavioral1/files/0x0007000000015618-39.dat family_berbew behavioral1/files/0x0007000000015618-36.dat family_berbew behavioral1/files/0x0007000000015618-35.dat family_berbew behavioral1/memory/2688-34-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0007000000015618-32.dat family_berbew behavioral1/files/0x0007000000015c13-46.dat family_berbew behavioral1/memory/2664-45-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0007000000015c13-41.dat family_berbew behavioral1/files/0x0007000000015618-40.dat family_berbew behavioral1/files/0x0007000000015c13-53.dat family_berbew behavioral1/files/0x0008000000015c3e-61.dat family_berbew behavioral1/files/0x0008000000015c3e-64.dat family_berbew behavioral1/files/0x0008000000015c3e-60.dat family_berbew behavioral1/files/0x0008000000015c3e-58.dat family_berbew behavioral1/files/0x0007000000015c13-52.dat family_berbew behavioral1/files/0x0007000000015c13-48.dat family_berbew behavioral1/files/0x0006000000015c94-67.dat family_berbew behavioral1/files/0x0008000000015c3e-66.dat family_berbew behavioral1/memory/2324-65-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2624-84-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015c94-79.dat family_berbew behavioral1/files/0x0006000000015c94-78.dat family_berbew behavioral1/memory/2724-77-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000015ca9-85.dat family_berbew behavioral1/files/0x0006000000015ca9-91.dat family_berbew behavioral1/files/0x0006000000015ca9-88.dat family_berbew behavioral1/files/0x0006000000015ca9-87.dat family_berbew behavioral1/files/0x0006000000015c94-73.dat family_berbew behavioral1/files/0x0006000000015c94-71.dat family_berbew behavioral1/files/0x0006000000015ca9-92.dat family_berbew behavioral1/files/0x0006000000015ce6-97.dat family_berbew behavioral1/files/0x0006000000015ce6-99.dat family_berbew behavioral1/files/0x0006000000015ce6-100.dat family_berbew behavioral1/files/0x0006000000015ce6-104.dat family_berbew behavioral1/files/0x0006000000015ce6-103.dat family_berbew behavioral1/files/0x0006000000015e30-109.dat family_berbew behavioral1/files/0x0006000000015e30-112.dat family_berbew behavioral1/files/0x0006000000015e30-111.dat family_berbew behavioral1/files/0x0006000000015e30-116.dat family_berbew behavioral1/files/0x0006000000015e70-128.dat family_berbew behavioral1/files/0x0006000000015e70-127.dat family_berbew behavioral1/files/0x0006000000015e70-124.dat family_berbew behavioral1/files/0x0006000000015e70-123.dat family_berbew behavioral1/files/0x0006000000015e70-121.dat family_berbew behavioral1/files/0x0006000000015eca-139.dat family_berbew behavioral1/files/0x0006000000015eca-136.dat family_berbew behavioral1/files/0x0006000000015eca-135.dat family_berbew behavioral1/files/0x0006000000015eca-133.dat family_berbew behavioral1/files/0x0006000000015e30-115.dat family_berbew behavioral1/files/0x0006000000015eca-140.dat family_berbew behavioral1/files/0x0006000000016060-152.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2852 Dfmdho32.exe 2688 Dogefd32.exe 2664 Dlkepi32.exe 2324 Dhbfdjdp.exe 2724 Dbkknojp.exe 2624 Dookgcij.exe 2544 Egjpkffe.exe 2940 Ekhhadmk.exe 1660 Ejmebq32.exe 1940 Fidoim32.exe 2548 Fpngfgle.exe 564 Flehkhai.exe 2900 Fncdgcqm.exe 1580 Fenmdm32.exe 2176 Fpcqaf32.exe 2084 Fadminnn.exe 1948 Fbdjbaea.exe 832 Febfomdd.exe 592 Fmmkcoap.exe 2396 Gmpgio32.exe 2460 Ghelfg32.exe 2308 Gjdhbc32.exe 1316 Gmbdnn32.exe 1864 Gbomfe32.exe 2432 Gjfdhbld.exe 2456 Glgaok32.exe 1360 Gepehphc.exe 3004 Gljnej32.exe 1508 Gbcfadgl.exe 2640 Ginnnooi.exe 1212 Hojgfemq.exe 1440 Haiccald.exe 2668 Hkaglf32.exe 2712 Hbhomd32.exe 2780 Hlqdei32.exe 2732 Hdlhjl32.exe 2824 Hapicp32.exe 2556 Hhjapjmi.exe 1364 Hpefdl32.exe 2612 Ikkjbe32.exe 2896 Idcokkak.exe 1072 Igakgfpn.exe 2192 Iompkh32.exe 648 Iefhhbef.exe 992 Iheddndj.exe 1644 Ioolqh32.exe 860 Ifkacb32.exe 2404 Ihjnom32.exe 1224 Ikhjki32.exe 1676 Jhljdm32.exe 2936 Jofbag32.exe 3028 Jqgoiokm.exe 2424 Jbgkcb32.exe 2172 Jchhkjhn.exe 1124 Jqlhdo32.exe 836 Jgfqaiod.exe 1768 Jnpinc32.exe 876 Jmbiipml.exe 2360 Joaeeklp.exe 2112 Kqqboncb.exe 2124 Kfmjgeaj.exe 2228 Kicmdo32.exe 2512 Leimip32.exe 1980 Lmebnb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2116 NEAS.3754f78d458d141314ccb72eff3a1b60.exe 2116 NEAS.3754f78d458d141314ccb72eff3a1b60.exe 2852 Dfmdho32.exe 2852 Dfmdho32.exe 2688 Dogefd32.exe 2688 Dogefd32.exe 2664 Dlkepi32.exe 2664 Dlkepi32.exe 2324 Dhbfdjdp.exe 2324 Dhbfdjdp.exe 2724 Dbkknojp.exe 2724 Dbkknojp.exe 2624 Dookgcij.exe 2624 Dookgcij.exe 2544 Egjpkffe.exe 2544 Egjpkffe.exe 2940 Ekhhadmk.exe 2940 Ekhhadmk.exe 1660 Ejmebq32.exe 1660 Ejmebq32.exe 1940 Fidoim32.exe 1940 Fidoim32.exe 2548 Fpngfgle.exe 2548 Fpngfgle.exe 564 Flehkhai.exe 564 Flehkhai.exe 2900 Fncdgcqm.exe 2900 Fncdgcqm.exe 1580 Fenmdm32.exe 1580 Fenmdm32.exe 2176 Fpcqaf32.exe 2176 Fpcqaf32.exe 2084 Fadminnn.exe 2084 Fadminnn.exe 1948 Fbdjbaea.exe 1948 Fbdjbaea.exe 832 Febfomdd.exe 832 Febfomdd.exe 592 Fmmkcoap.exe 592 Fmmkcoap.exe 2396 Gmpgio32.exe 2396 Gmpgio32.exe 2460 Ghelfg32.exe 2460 Ghelfg32.exe 2308 Gjdhbc32.exe 2308 Gjdhbc32.exe 1316 Gmbdnn32.exe 1316 Gmbdnn32.exe 1864 Gbomfe32.exe 1864 Gbomfe32.exe 2432 Gjfdhbld.exe 2432 Gjfdhbld.exe 2456 Glgaok32.exe 2456 Glgaok32.exe 1360 Gepehphc.exe 1360 Gepehphc.exe 3004 Gljnej32.exe 3004 Gljnej32.exe 1508 Gbcfadgl.exe 1508 Gbcfadgl.exe 2640 Ginnnooi.exe 2640 Ginnnooi.exe 1212 Hojgfemq.exe 1212 Hojgfemq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Npccpo32.exe Niikceid.exe File opened for modification C:\Windows\SysWOW64\Mjjdacik.exe Mikhgqbi.exe File created C:\Windows\SysWOW64\Fbmfkkbm.exe Fheabelm.exe File created C:\Windows\SysWOW64\Noafdi32.dll Kcamjb32.exe File created C:\Windows\SysWOW64\Ajnpecbj.exe Qdaglmcb.exe File created C:\Windows\SysWOW64\Hhjapjmi.exe Hapicp32.exe File created C:\Windows\SysWOW64\Cjgheann.dll Igakgfpn.exe File created C:\Windows\SysWOW64\Leimip32.exe Kicmdo32.exe File opened for modification C:\Windows\SysWOW64\Pkdgpo32.exe Pjbjhgde.exe File created C:\Windows\SysWOW64\Abillbab.dll Daacecfc.exe File created C:\Windows\SysWOW64\Emkkdf32.exe Ebefgm32.exe File created C:\Windows\SysWOW64\Pcnejk32.exe Pnalad32.exe File created C:\Windows\SysWOW64\Gpgmpikn.dll Hkaglf32.exe File created C:\Windows\SysWOW64\Obojmk32.dll Hbhomd32.exe File created C:\Windows\SysWOW64\Jkfalhjp.dll Kicmdo32.exe File created C:\Windows\SysWOW64\Ofljekhm.dll Fmhjni32.exe File created C:\Windows\SysWOW64\Eadecdpk.dll Hpkldg32.exe File created C:\Windows\SysWOW64\Klmbbhod.dll Iajemnia.exe File opened for modification C:\Windows\SysWOW64\Idmkdh32.exe Ipbocjlg.exe File created C:\Windows\SysWOW64\Jgqpkc32.exe Jpfhoi32.exe File created C:\Windows\SysWOW64\Hfqbqqjl.dll Hebdfind.exe File created C:\Windows\SysWOW64\Ddpobo32.exe Daacecfc.exe File created C:\Windows\SysWOW64\Hkaglf32.exe Haiccald.exe File created C:\Windows\SysWOW64\Ipbocjlg.exe Incbgnmc.exe File opened for modification C:\Windows\SysWOW64\Kfkpknkq.exe Kcmcoblm.exe File created C:\Windows\SysWOW64\Ahqmla32.dll Kohnoc32.exe File created C:\Windows\SysWOW64\Epnlhaii.dll Mjpkqonj.exe File opened for modification C:\Windows\SysWOW64\Dlfgcl32.exe Ddpobo32.exe File opened for modification C:\Windows\SysWOW64\Gljnej32.exe Gepehphc.exe File created C:\Windows\SysWOW64\Piccpc32.dll Hojgfemq.exe File opened for modification C:\Windows\SysWOW64\Aeqabgoj.exe Apdhjq32.exe File opened for modification C:\Windows\SysWOW64\Hmmphlpp.exe Hddlof32.exe File created C:\Windows\SysWOW64\Eghgijfj.dll Ihmgiiff.exe File created C:\Windows\SysWOW64\Jjaimn32.exe Jajala32.exe File created C:\Windows\SysWOW64\Lepckd32.dll Bcjqdmla.exe File opened for modification C:\Windows\SysWOW64\Ekhkjm32.exe Egmojnlf.exe File opened for modification C:\Windows\SysWOW64\Ioooiack.exe Imnbbi32.exe File opened for modification C:\Windows\SysWOW64\Jgdfdbhk.exe Jkmeoa32.exe File created C:\Windows\SysWOW64\Kcopdb32.exe Knbhlkkc.exe File opened for modification C:\Windows\SysWOW64\Kpcqnf32.exe Kcopdb32.exe File created C:\Windows\SysWOW64\Ldllgiek.exe Lnbdko32.exe File created C:\Windows\SysWOW64\Qocjhb32.dll Joaeeklp.exe File created C:\Windows\SysWOW64\Oackeakj.dll Niikceid.exe File created C:\Windows\SysWOW64\Hddlof32.exe Hafock32.exe File opened for modification C:\Windows\SysWOW64\Idknoi32.exe Inafbooe.exe File created C:\Windows\SysWOW64\Chappo32.dll Diphbfdi.exe File opened for modification C:\Windows\SysWOW64\Ekcaonhe.exe Degiggjm.exe File created C:\Windows\SysWOW64\Fbbofjnh.exe Fkhgip32.exe File opened for modification C:\Windows\SysWOW64\Kcmcoblm.exe Jkbojpna.exe File created C:\Windows\SysWOW64\Qjhmfekp.exe Pcnejk32.exe File created C:\Windows\SysWOW64\Anahqh32.exe Aidphq32.exe File opened for modification C:\Windows\SysWOW64\Ckolek32.exe Cebcmdlg.exe File created C:\Windows\SysWOW64\Nbbbdcgi.exe Ndmecgba.exe File created C:\Windows\SysWOW64\Nhndalhm.dll Qdaglmcb.exe File created C:\Windows\SysWOW64\Dgeaoinb.exe Dmmmfc32.exe File opened for modification C:\Windows\SysWOW64\Jchhkjhn.exe Jbgkcb32.exe File created C:\Windows\SysWOW64\Mmjjpnkn.dll Ebefgm32.exe File created C:\Windows\SysWOW64\Lbpjpn32.dll Anahqh32.exe File created C:\Windows\SysWOW64\Egpbbn32.dll Jkkija32.exe File opened for modification C:\Windows\SysWOW64\Mejlalji.exe Mbkpeake.exe File created C:\Windows\SysWOW64\Fbdjbaea.exe Fadminnn.exe File created C:\Windows\SysWOW64\Hlqdei32.exe Hbhomd32.exe File opened for modification C:\Windows\SysWOW64\Fpicodoj.exe Fiokbjgn.exe File created C:\Windows\SysWOW64\Nmcmgm32.exe Nigafnck.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fenmdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fenmdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oagmmgdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfnhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpicodoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgmbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdnbdld.dll" Mbpipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okgjodmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpefdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajgpbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhgkil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbonei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odmabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfdfdee.dll" Bnnaoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID NEAS.3754f78d458d141314ccb72eff3a1b60.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbiipml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nljddpfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amnfnfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfn32.dll" Gifaciae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidlgdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfgkgmk.dll" Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmkcam32.dll" Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbpgggol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmodql32.dll" Gjijqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qblodoke.dll" Neklbppb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfmdj32.dll" Oehklddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmqgqj32.dll" Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll" Mbpgggol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbkpeake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkgob32.dll" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgimglf.dll" Iefhhbef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgfqaiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgdcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmcfhkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipbocjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljkaeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qocjhb32.dll" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maapdeaa.dll" Iecdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll" Nhaikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll" Aeqabgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgeajlgp.dll" Jkgcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioolqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbchfi32.dll" Glbqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiijc32.dll" Mjcoqdoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfplena.dll" Noogpfjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmgalkcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbicoamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkfeekif.dll" Gbcfadgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhljdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papnde32.dll" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilnmdgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jajala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Findhdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gghkdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieigfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldllgiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqhhanig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjeanhe.dll" Ceeieced.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2852 2116 NEAS.3754f78d458d141314ccb72eff3a1b60.exe 28 PID 2116 wrote to memory of 2852 2116 NEAS.3754f78d458d141314ccb72eff3a1b60.exe 28 PID 2116 wrote to memory of 2852 2116 NEAS.3754f78d458d141314ccb72eff3a1b60.exe 28 PID 2116 wrote to memory of 2852 2116 NEAS.3754f78d458d141314ccb72eff3a1b60.exe 28 PID 2852 wrote to memory of 2688 2852 Dfmdho32.exe 29 PID 2852 wrote to memory of 2688 2852 Dfmdho32.exe 29 PID 2852 wrote to memory of 2688 2852 Dfmdho32.exe 29 PID 2852 wrote to memory of 2688 2852 Dfmdho32.exe 29 PID 2688 wrote to memory of 2664 2688 Dogefd32.exe 30 PID 2688 wrote to memory of 2664 2688 Dogefd32.exe 30 PID 2688 wrote to memory of 2664 2688 Dogefd32.exe 30 PID 2688 wrote to memory of 2664 2688 Dogefd32.exe 30 PID 2664 wrote to memory of 2324 2664 Dlkepi32.exe 31 PID 2664 wrote to memory of 2324 2664 Dlkepi32.exe 31 PID 2664 wrote to memory of 2324 2664 Dlkepi32.exe 31 PID 2664 wrote to memory of 2324 2664 Dlkepi32.exe 31 PID 2324 wrote to memory of 2724 2324 Dhbfdjdp.exe 32 PID 2324 wrote to memory of 2724 2324 Dhbfdjdp.exe 32 PID 2324 wrote to memory of 2724 2324 Dhbfdjdp.exe 32 PID 2324 wrote to memory of 2724 2324 Dhbfdjdp.exe 32 PID 2724 wrote to memory of 2624 2724 Dbkknojp.exe 33 PID 2724 wrote to memory of 2624 2724 Dbkknojp.exe 33 PID 2724 wrote to memory of 2624 2724 Dbkknojp.exe 33 PID 2724 wrote to memory of 2624 2724 Dbkknojp.exe 33 PID 2624 wrote to memory of 2544 2624 Dookgcij.exe 34 PID 2624 wrote to memory of 2544 2624 Dookgcij.exe 34 PID 2624 wrote to memory of 2544 2624 Dookgcij.exe 34 PID 2624 wrote to memory of 2544 2624 Dookgcij.exe 34 PID 2544 wrote to memory of 2940 2544 Egjpkffe.exe 35 PID 2544 wrote to memory of 2940 2544 Egjpkffe.exe 35 PID 2544 wrote to memory of 2940 2544 Egjpkffe.exe 35 PID 2544 wrote to memory of 2940 2544 Egjpkffe.exe 35 PID 2940 wrote to memory of 1660 2940 Ekhhadmk.exe 36 PID 2940 wrote to memory of 1660 2940 Ekhhadmk.exe 36 PID 2940 wrote to memory of 1660 2940 Ekhhadmk.exe 36 PID 2940 wrote to memory of 1660 2940 Ekhhadmk.exe 36 PID 1660 wrote to memory of 1940 1660 Ejmebq32.exe 37 PID 1660 wrote to memory of 1940 1660 Ejmebq32.exe 37 PID 1660 wrote to memory of 1940 1660 Ejmebq32.exe 37 PID 1660 wrote to memory of 1940 1660 Ejmebq32.exe 37 PID 1940 wrote to memory of 2548 1940 Fidoim32.exe 38 PID 1940 wrote to memory of 2548 1940 Fidoim32.exe 38 PID 1940 wrote to memory of 2548 1940 Fidoim32.exe 38 PID 1940 wrote to memory of 2548 1940 Fidoim32.exe 38 PID 2548 wrote to memory of 564 2548 Fpngfgle.exe 39 PID 2548 wrote to memory of 564 2548 Fpngfgle.exe 39 PID 2548 wrote to memory of 564 2548 Fpngfgle.exe 39 PID 2548 wrote to memory of 564 2548 Fpngfgle.exe 39 PID 564 wrote to memory of 2900 564 Flehkhai.exe 41 PID 564 wrote to memory of 2900 564 Flehkhai.exe 41 PID 564 wrote to memory of 2900 564 Flehkhai.exe 41 PID 564 wrote to memory of 2900 564 Flehkhai.exe 41 PID 2900 wrote to memory of 1580 2900 Fncdgcqm.exe 40 PID 2900 wrote to memory of 1580 2900 Fncdgcqm.exe 40 PID 2900 wrote to memory of 1580 2900 Fncdgcqm.exe 40 PID 2900 wrote to memory of 1580 2900 Fncdgcqm.exe 40 PID 1580 wrote to memory of 2176 1580 Fenmdm32.exe 42 PID 1580 wrote to memory of 2176 1580 Fenmdm32.exe 42 PID 1580 wrote to memory of 2176 1580 Fenmdm32.exe 42 PID 1580 wrote to memory of 2176 1580 Fenmdm32.exe 42 PID 2176 wrote to memory of 2084 2176 Fpcqaf32.exe 43 PID 2176 wrote to memory of 2084 2176 Fpcqaf32.exe 43 PID 2176 wrote to memory of 2084 2176 Fpcqaf32.exe 43 PID 2176 wrote to memory of 2084 2176 Fpcqaf32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.3754f78d458d141314ccb72eff3a1b60.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.3754f78d458d141314ccb72eff3a1b60.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe9⤵PID:3068
-
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe10⤵PID:5652
-
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe11⤵PID:2860
-
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe12⤵PID:5732
-
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe13⤵PID:2136
-
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe14⤵PID:2532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Febfomdd.exeC:\Windows\system32\Febfomdd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Fmmkcoap.exeC:\Windows\system32\Fmmkcoap.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316 -
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Gepehphc.exeC:\Windows\system32\Gepehphc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1212 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe22⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe27⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe28⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe30⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe32⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe34⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe35⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe36⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe38⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe39⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Jbgkcb32.exeC:\Windows\system32\Jbgkcb32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe41⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe42⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe44⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Joaeeklp.exeC:\Windows\system32\Joaeeklp.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe47⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe50⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe51⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe52⤵PID:2300
-
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe53⤵PID:3008
-
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe54⤵PID:2588
-
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe55⤵PID:2924
-
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe56⤵PID:1944
-
C:\Windows\SysWOW64\Lccdel32.exeC:\Windows\system32\Lccdel32.exe57⤵PID:1204
-
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:656 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe59⤵PID:1664
-
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe60⤵PID:2168
-
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe61⤵PID:1468
-
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe62⤵PID:2856
-
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe63⤵PID:1084
-
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe65⤵PID:1240
-
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe66⤵PID:2416
-
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe67⤵PID:828
-
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe68⤵PID:2292
-
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe69⤵
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe70⤵PID:936
-
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe71⤵PID:888
-
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe72⤵PID:1456
-
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe73⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe74⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe75⤵PID:2040
-
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe76⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe77⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe78⤵PID:1968
-
C:\Windows\SysWOW64\Ohcaoajg.exeC:\Windows\system32\Ohcaoajg.exe79⤵PID:2768
-
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Oopfakpa.exeC:\Windows\system32\Oopfakpa.exe81⤵PID:1500
-
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe82⤵PID:2876
-
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe83⤵PID:1188
-
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe84⤵PID:2028
-
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe85⤵PID:1780
-
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe86⤵PID:1044
-
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe87⤵PID:1412
-
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe88⤵PID:1728
-
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe89⤵PID:952
-
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe92⤵PID:2372
-
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe93⤵PID:1860
-
C:\Windows\SysWOW64\Qbplbi32.exeC:\Windows\system32\Qbplbi32.exe94⤵PID:688
-
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe95⤵PID:1928
-
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe96⤵PID:2212
-
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe97⤵PID:2016
-
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe98⤵PID:1192
-
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe99⤵PID:2788
-
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe100⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe101⤵PID:2148
-
C:\Windows\SysWOW64\Ackkppma.exeC:\Windows\system32\Ackkppma.exe102⤵PID:2032
-
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe103⤵PID:1960
-
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe105⤵
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe106⤵
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Aeqabgoj.exeC:\Windows\system32\Aeqabgoj.exe107⤵
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:544 -
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe109⤵PID:1796
-
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe110⤵PID:432
-
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe112⤵PID:556
-
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe113⤵PID:2036
-
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe114⤵PID:1760
-
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe115⤵PID:2008
-
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe116⤵PID:2888
-
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe117⤵PID:2836
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe118⤵PID:2400
-
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe119⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe120⤵PID:1052
-
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe121⤵
- Drops file in System32 directory
PID:1964
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-