Analysis
-
max time kernel
137s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 01:17
Behavioral task
behavioral1
Sample
NEAS.ee0bdba9ff028586528faecd5f17d240.exe
Resource
win7-20231025-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ee0bdba9ff028586528faecd5f17d240.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.ee0bdba9ff028586528faecd5f17d240.exe
-
Size
98KB
-
MD5
ee0bdba9ff028586528faecd5f17d240
-
SHA1
c6f032814f968fd3b654ad74a1d1d538f7fd9705
-
SHA256
6668326d512d126eb0336e6aeb8e36a36205b07b02d1b2387ae5d47dc87c9273
-
SHA512
9ead21630ac980f2c2b7112c264a70b1ec1be9594bace1cde0ec80b8bdd59e13f6220c15e516b6edccb66ab4f592fe9e5132f27a1124b3013cc5056c82c05ef7
-
SSDEEP
3072:xGbmlUEpHf+RttHd9vyVSUhleI6a7SlO6XtQrhqurZpyebVL:0b8/f+3ZHaoUKBlnXtQLrry0
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngodlgka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hahokfag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdime32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhihkjfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Digmqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hphbpehj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmanljfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbmgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pddokabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbnmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djlkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jkkbnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqlbqlmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmlkfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apngjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnicai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcjmhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbbimih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbkbbkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjaioe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iaokdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiimejap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqiiamjp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgedjjki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gogjflhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fohfbpgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgiiclkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfhmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Canocm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oioahn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.ee0bdba9ff028586528faecd5f17d240.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apngjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flbhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijngkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcmkjeko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhell32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoaopnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpedeiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkkaiphj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppepkmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aabkbono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adgmoigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gglpgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgjbb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnoad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkchna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ioclnblj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Koggehff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdagbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjehok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgknlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecpomiok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lggeej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hgebnc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeccm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcegkamd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmladbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkabind.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/208-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0007000000022cd5-6.dat family_berbew behavioral2/files/0x0007000000022cd5-7.dat family_berbew behavioral2/memory/3744-8-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0007000000022ce6-14.dat family_berbew behavioral2/memory/2808-15-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0007000000022ce6-16.dat family_berbew behavioral2/files/0x0006000000022ce9-23.dat family_berbew behavioral2/memory/4600-28-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022ce9-22.dat family_berbew behavioral2/files/0x0006000000022cec-30.dat family_berbew behavioral2/files/0x0006000000022cec-31.dat family_berbew behavioral2/memory/3080-32-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0009000000022cde-38.dat family_berbew behavioral2/memory/792-40-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0009000000022cde-39.dat family_berbew behavioral2/files/0x0008000000022ce3-46.dat family_berbew behavioral2/files/0x0008000000022ce3-48.dat family_berbew behavioral2/memory/4152-47-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0008000000022ce5-54.dat family_berbew behavioral2/memory/1496-55-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0008000000022ce5-56.dat family_berbew behavioral2/files/0x0008000000022cee-62.dat family_berbew behavioral2/files/0x0008000000022cee-64.dat family_berbew behavioral2/memory/208-63-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/4616-69-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf0-72.dat family_berbew behavioral2/memory/4092-73-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf0-71.dat family_berbew behavioral2/files/0x0006000000022cf2-79.dat family_berbew behavioral2/files/0x0006000000022cf2-81.dat family_berbew behavioral2/memory/1048-80-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf5-82.dat family_berbew behavioral2/files/0x0006000000022cf5-87.dat family_berbew behavioral2/memory/3744-88-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/3028-90-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf5-89.dat family_berbew behavioral2/files/0x0006000000022cf7-96.dat family_berbew behavioral2/files/0x0006000000022cf7-98.dat family_berbew behavioral2/memory/4936-99-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/2808-97-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022cf9-105.dat family_berbew behavioral2/files/0x0006000000022cf9-107.dat family_berbew behavioral2/memory/4184-106-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/3080-114-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022cfb-113.dat family_berbew behavioral2/files/0x0006000000022cfb-115.dat family_berbew behavioral2/files/0x0006000000022d00-123.dat family_berbew behavioral2/files/0x0006000000022d00-122.dat family_berbew behavioral2/memory/2520-116-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/792-124-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/1488-129-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022d02-131.dat family_berbew behavioral2/files/0x0006000000022d02-133.dat family_berbew behavioral2/memory/3312-134-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/4152-132-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022d04-142.dat family_berbew behavioral2/memory/2624-147-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/1496-141-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/4616-150-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0008000000022c0c-151.dat family_berbew behavioral2/memory/3184-152-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0008000000022c0c-149.dat family_berbew behavioral2/files/0x0006000000022d04-140.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3744 Mjcngpjh.exe 2808 Nfaemp32.exe 4600 Ojomcopk.exe 3080 Ocgbld32.exe 792 Opnbae32.exe 4152 Oanokhdb.exe 1496 Oaplqh32.exe 4616 Ojhpimhp.exe 4092 Ohlqcagj.exe 1048 Pfandnla.exe 3028 Pjpfjl32.exe 4936 Pffgom32.exe 4184 Pfiddm32.exe 2520 Qpcecb32.exe 1488 Akkffkhk.exe 3312 Aphnnafb.exe 2624 Adfgdpmi.exe 3184 Aonhghjl.exe 1172 Agimkk32.exe 2696 Bkgeainn.exe 5080 Bdojjo32.exe 980 Bpfkpp32.exe 3928 Bnlhncgi.exe 4584 Bkphhgfc.exe 4408 Cggimh32.exe 2892 Cgifbhid.exe 4472 Cdmfllhn.exe 2792 Cgnomg32.exe 464 Cpfcfmlp.exe 3024 Dddllkbf.exe 4416 Dojqjdbl.exe 3876 Dqnjgl32.exe 2672 Doojec32.exe 3040 Ddkbmj32.exe 4548 Ehpadhll.exe 1680 Edgbii32.exe 932 Ebkbbmqj.exe 4320 Fbmohmoh.exe 2232 Fndpmndl.exe 5016 Feqeog32.exe 3472 Fqgedh32.exe 3972 Fohfbpgi.exe 3444 Fkofga32.exe 4252 Gicgpelg.exe 2072 Gpmomo32.exe 2804 Giecfejd.exe 4448 Gbnhoj32.exe 4324 Glfmgp32.exe 2092 Geoapenf.exe 3944 Gbbajjlp.exe 3252 Hlkfbocp.exe 4436 Hahokfag.exe 3784 Hnlodjpa.exe 1908 Hpkknmgd.exe 4564 Halhfe32.exe 4668 Hbldphde.exe 4168 Hihibbjo.exe 840 Ilibdmgp.exe 32 Ieccbbkn.exe 512 Iajdgcab.exe 3576 Jhgiim32.exe 4284 Jbojlfdp.exe 2824 Jhkbdmbg.exe 2852 Jhnojl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Klmnkdal.exe Jjnaaa32.exe File created C:\Windows\SysWOW64\Nfcnnnil.dll Clbdpc32.exe File opened for modification C:\Windows\SysWOW64\Hfeoijbi.exe Hokgmpkl.exe File created C:\Windows\SysWOW64\Cpiinc32.dll Pncanhaf.exe File created C:\Windows\SysWOW64\Kpjlgn32.dll Inagpm32.exe File created C:\Windows\SysWOW64\Lcepik32.dll Jgekdq32.exe File created C:\Windows\SysWOW64\Mjdbda32.exe Malnklgg.exe File created C:\Windows\SysWOW64\Alhpkldp.exe Acpkbf32.exe File created C:\Windows\SysWOW64\Ddjnng32.dll Hhbnqi32.exe File created C:\Windows\SysWOW64\Lambibap.dll Gnmbao32.exe File created C:\Windows\SysWOW64\Ilfodgeg.exe Hcljmj32.exe File created C:\Windows\SysWOW64\Nhfoocaa.exe Nalgbi32.exe File created C:\Windows\SysWOW64\Pfenga32.exe Oianmm32.exe File created C:\Windows\SysWOW64\Ccendc32.exe Cnhell32.exe File created C:\Windows\SysWOW64\Pfoamp32.exe Ppeipfdm.exe File created C:\Windows\SysWOW64\Mhgkfkhl.exe Mnaghb32.exe File created C:\Windows\SysWOW64\Kplmliko.exe Kbhmbdle.exe File created C:\Windows\SysWOW64\Ijkled32.exe Iabglnco.exe File created C:\Windows\SysWOW64\Oanokhdb.exe Opnbae32.exe File opened for modification C:\Windows\SysWOW64\Llngbabj.exe Lahbei32.exe File created C:\Windows\SysWOW64\Hhpheo32.exe Hohcmjic.exe File opened for modification C:\Windows\SysWOW64\Cjlbag32.exe Ccajdmin.exe File opened for modification C:\Windows\SysWOW64\Nfknmd32.exe Nkeipk32.exe File created C:\Windows\SysWOW64\Obkahddl.exe Oomelheh.exe File created C:\Windows\SysWOW64\Gheodg32.exe Gpjjpe32.exe File opened for modification C:\Windows\SysWOW64\Pjoknhbe.exe Pkgaglpp.exe File opened for modification C:\Windows\SysWOW64\Jefgak32.exe Jkqccbkf.exe File created C:\Windows\SysWOW64\Nejbaqgo.exe Npmjij32.exe File created C:\Windows\SysWOW64\Jeioiboe.dll Aghdco32.exe File created C:\Windows\SysWOW64\Anlkidnm.dll Efjbne32.exe File created C:\Windows\SysWOW64\Fhgccijm.exe Fgffka32.exe File created C:\Windows\SysWOW64\Okndkohj.dll Icdoolge.exe File opened for modification C:\Windows\SysWOW64\Mmdlflki.exe Mdlgmgdh.exe File created C:\Windows\SysWOW64\Decnea32.dll Cnhell32.exe File created C:\Windows\SysWOW64\Opbcdieb.exe Oemofpel.exe File created C:\Windows\SysWOW64\Khiofk32.exe Kplmliko.exe File opened for modification C:\Windows\SysWOW64\Loacdc32.exe Lplfcf32.exe File created C:\Windows\SysWOW64\Nhlfoodc.exe Nkhfek32.exe File created C:\Windows\SysWOW64\Ljeeki32.dll Ndhgie32.exe File opened for modification C:\Windows\SysWOW64\Bjcfeola.exe Bcinie32.exe File created C:\Windows\SysWOW64\Ndnoffic.dll Klmnkdal.exe File opened for modification C:\Windows\SysWOW64\Ocmjhfjl.exe Odljjo32.exe File created C:\Windows\SysWOW64\Beaohcmf.exe Beobcdoi.exe File created C:\Windows\SysWOW64\Nehekq32.exe Npkmcj32.exe File created C:\Windows\SysWOW64\Dknnoofg.exe Dkkaiphj.exe File created C:\Windows\SysWOW64\Ocmjhfjl.exe Odljjo32.exe File created C:\Windows\SysWOW64\Ibnoch32.dll Bipnihgi.exe File created C:\Windows\SysWOW64\Hmpfjpko.dll Pfbfjk32.exe File created C:\Windows\SysWOW64\Acpkbf32.exe Anccjp32.exe File created C:\Windows\SysWOW64\Fikmbibc.dll Cfglahbj.exe File created C:\Windows\SysWOW64\Kjlmbnof.exe Kmhlijpm.exe File created C:\Windows\SysWOW64\Apfhajjf.exe Akipic32.exe File opened for modification C:\Windows\SysWOW64\Emioab32.exe Epeohn32.exe File created C:\Windows\SysWOW64\Mkgfdgpq.exe Mejnlpai.exe File opened for modification C:\Windows\SysWOW64\Moglpedd.exe Mdagbl32.exe File created C:\Windows\SysWOW64\Clbmfm32.exe Cehdib32.exe File opened for modification C:\Windows\SysWOW64\Efhjjcpo.exe Dlbfmjqi.exe File opened for modification C:\Windows\SysWOW64\Naqqmieo.exe Nkghqo32.exe File opened for modification C:\Windows\SysWOW64\Hqkjaifk.exe Hfefdpfe.exe File opened for modification C:\Windows\SysWOW64\Jgedjjki.exe Jmopmalc.exe File created C:\Windows\SysWOW64\Omfigmch.dll Nejbaqgo.exe File created C:\Windows\SysWOW64\Fdhpoegg.dll Djgbmffn.exe File created C:\Windows\SysWOW64\Pcacpg32.dll Fjoadbbc.exe File opened for modification C:\Windows\SysWOW64\Ifipmo32.exe Ialhdh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2400 9556 WerFault.exe 956 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eegoch32.dll" Neeifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbdijpjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 NEAS.ee0bdba9ff028586528faecd5f17d240.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjgd32.dll" Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qnpgdmjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lkgkqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkkkif32.dll" Nqlbqlmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pjpfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aabkbono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkhfek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll" Pdngpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effjdd32.dll" Hchihhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fnbjpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gkbnkfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leldmdbk.dll" Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neaglfck.dll" Jqmicpbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qjcdih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ajhndgjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbnhoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cehdib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hgmebnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mnaghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ioclnblj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbhildae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fqbeoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkapelka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pklamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dheiop32.dll" Gheodg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpbokjho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mikepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcacpg32.dll" Fjoadbbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdpqcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehblpall.dll" Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnlodjpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnmglk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moglpedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalmid32.dll" Flghognq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difici32.dll" Qdflaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flddoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpjlj32.dll" Imabnofj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moajmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jeolckne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkeipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pddokabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onjmjegg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdmcm32.dll" Emhdeoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjpkd32.dll" Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Moeoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clbmfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jgbhdkml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kgemahmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgemahmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajkfn32.dll" Aqpika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekijfnm.dll" Lopkkdgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdaol32.dll" Obhlkjaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abcgjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olqqdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcinie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qlnfkgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Odgqopeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Odljjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aijlgkjq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 208 wrote to memory of 3744 208 NEAS.ee0bdba9ff028586528faecd5f17d240.exe 90 PID 208 wrote to memory of 3744 208 NEAS.ee0bdba9ff028586528faecd5f17d240.exe 90 PID 208 wrote to memory of 3744 208 NEAS.ee0bdba9ff028586528faecd5f17d240.exe 90 PID 3744 wrote to memory of 2808 3744 Mjcngpjh.exe 92 PID 3744 wrote to memory of 2808 3744 Mjcngpjh.exe 92 PID 3744 wrote to memory of 2808 3744 Mjcngpjh.exe 92 PID 2808 wrote to memory of 4600 2808 Nfaemp32.exe 93 PID 2808 wrote to memory of 4600 2808 Nfaemp32.exe 93 PID 2808 wrote to memory of 4600 2808 Nfaemp32.exe 93 PID 4600 wrote to memory of 3080 4600 Ojomcopk.exe 94 PID 4600 wrote to memory of 3080 4600 Ojomcopk.exe 94 PID 4600 wrote to memory of 3080 4600 Ojomcopk.exe 94 PID 3080 wrote to memory of 792 3080 Ocgbld32.exe 95 PID 3080 wrote to memory of 792 3080 Ocgbld32.exe 95 PID 3080 wrote to memory of 792 3080 Ocgbld32.exe 95 PID 792 wrote to memory of 4152 792 Opnbae32.exe 96 PID 792 wrote to memory of 4152 792 Opnbae32.exe 96 PID 792 wrote to memory of 4152 792 Opnbae32.exe 96 PID 4152 wrote to memory of 1496 4152 Oanokhdb.exe 97 PID 4152 wrote to memory of 1496 4152 Oanokhdb.exe 97 PID 4152 wrote to memory of 1496 4152 Oanokhdb.exe 97 PID 1496 wrote to memory of 4616 1496 Oaplqh32.exe 98 PID 1496 wrote to memory of 4616 1496 Oaplqh32.exe 98 PID 1496 wrote to memory of 4616 1496 Oaplqh32.exe 98 PID 4616 wrote to memory of 4092 4616 Ojhpimhp.exe 99 PID 4616 wrote to memory of 4092 4616 Ojhpimhp.exe 99 PID 4616 wrote to memory of 4092 4616 Ojhpimhp.exe 99 PID 4092 wrote to memory of 1048 4092 Ohlqcagj.exe 100 PID 4092 wrote to memory of 1048 4092 Ohlqcagj.exe 100 PID 4092 wrote to memory of 1048 4092 Ohlqcagj.exe 100 PID 1048 wrote to memory of 3028 1048 Pfandnla.exe 101 PID 1048 wrote to memory of 3028 1048 Pfandnla.exe 101 PID 1048 wrote to memory of 3028 1048 Pfandnla.exe 101 PID 3028 wrote to memory of 4936 3028 Pjpfjl32.exe 102 PID 3028 wrote to memory of 4936 3028 Pjpfjl32.exe 102 PID 3028 wrote to memory of 4936 3028 Pjpfjl32.exe 102 PID 4936 wrote to memory of 4184 4936 Pffgom32.exe 103 PID 4936 wrote to memory of 4184 4936 Pffgom32.exe 103 PID 4936 wrote to memory of 4184 4936 Pffgom32.exe 103 PID 4184 wrote to memory of 2520 4184 Pfiddm32.exe 104 PID 4184 wrote to memory of 2520 4184 Pfiddm32.exe 104 PID 4184 wrote to memory of 2520 4184 Pfiddm32.exe 104 PID 2520 wrote to memory of 1488 2520 Qpcecb32.exe 105 PID 2520 wrote to memory of 1488 2520 Qpcecb32.exe 105 PID 2520 wrote to memory of 1488 2520 Qpcecb32.exe 105 PID 1488 wrote to memory of 3312 1488 Akkffkhk.exe 106 PID 1488 wrote to memory of 3312 1488 Akkffkhk.exe 106 PID 1488 wrote to memory of 3312 1488 Akkffkhk.exe 106 PID 3312 wrote to memory of 2624 3312 Aphnnafb.exe 107 PID 3312 wrote to memory of 2624 3312 Aphnnafb.exe 107 PID 3312 wrote to memory of 2624 3312 Aphnnafb.exe 107 PID 2624 wrote to memory of 3184 2624 Adfgdpmi.exe 108 PID 2624 wrote to memory of 3184 2624 Adfgdpmi.exe 108 PID 2624 wrote to memory of 3184 2624 Adfgdpmi.exe 108 PID 3184 wrote to memory of 1172 3184 Aonhghjl.exe 109 PID 3184 wrote to memory of 1172 3184 Aonhghjl.exe 109 PID 3184 wrote to memory of 1172 3184 Aonhghjl.exe 109 PID 1172 wrote to memory of 2696 1172 Agimkk32.exe 110 PID 1172 wrote to memory of 2696 1172 Agimkk32.exe 110 PID 1172 wrote to memory of 2696 1172 Agimkk32.exe 110 PID 2696 wrote to memory of 5080 2696 Bkgeainn.exe 112 PID 2696 wrote to memory of 5080 2696 Bkgeainn.exe 112 PID 2696 wrote to memory of 5080 2696 Bkgeainn.exe 112 PID 5080 wrote to memory of 980 5080 Bdojjo32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ee0bdba9ff028586528faecd5f17d240.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ee0bdba9ff028586528faecd5f17d240.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Mjcngpjh.exeC:\Windows\system32\Mjcngpjh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Oanokhdb.exeC:\Windows\system32\Oanokhdb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Oaplqh32.exeC:\Windows\system32\Oaplqh32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Ojhpimhp.exeC:\Windows\system32\Ojhpimhp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Pjpfjl32.exeC:\Windows\system32\Pjpfjl32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Pffgom32.exeC:\Windows\system32\Pffgom32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\Qpcecb32.exeC:\Windows\system32\Qpcecb32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Akkffkhk.exeC:\Windows\system32\Akkffkhk.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Aphnnafb.exeC:\Windows\system32\Aphnnafb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Adfgdpmi.exeC:\Windows\system32\Adfgdpmi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Bpfkpp32.exeC:\Windows\system32\Bpfkpp32.exe1⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Bnlhncgi.exeC:\Windows\system32\Bnlhncgi.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Bkphhgfc.exeC:\Windows\system32\Bkphhgfc.exe3⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe4⤵
- Executes dropped EXE
PID:4408
-
-
-
-
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe1⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe2⤵
- Executes dropped EXE
- Modifies registry class
PID:2792
-
-
C:\Windows\SysWOW64\Cpfcfmlp.exeC:\Windows\system32\Cpfcfmlp.exe1⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Dddllkbf.exeC:\Windows\system32\Dddllkbf.exe2⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Dojqjdbl.exeC:\Windows\system32\Dojqjdbl.exe3⤵
- Executes dropped EXE
- Modifies registry class
PID:4416 -
C:\Windows\SysWOW64\Dqnjgl32.exeC:\Windows\system32\Dqnjgl32.exe4⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Doojec32.exeC:\Windows\system32\Doojec32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe6⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe7⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe8⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe9⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe10⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Fndpmndl.exeC:\Windows\system32\Fndpmndl.exe11⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe12⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Fqgedh32.exeC:\Windows\system32\Fqgedh32.exe13⤵
- Executes dropped EXE
- Modifies registry class
PID:3472 -
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe15⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe16⤵
- Executes dropped EXE
PID:4252 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe17⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe18⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe19⤵
- Executes dropped EXE
- Modifies registry class
PID:4448 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe20⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Geoapenf.exeC:\Windows\system32\Geoapenf.exe21⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe22⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\Hlkfbocp.exeC:\Windows\system32\Hlkfbocp.exe23⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:3784 -
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe26⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe27⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Hbldphde.exeC:\Windows\system32\Hbldphde.exe28⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Hihibbjo.exeC:\Windows\system32\Hihibbjo.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4168 -
C:\Windows\SysWOW64\Ilibdmgp.exeC:\Windows\system32\Ilibdmgp.exe30⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Ieccbbkn.exeC:\Windows\system32\Ieccbbkn.exe31⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Iajdgcab.exeC:\Windows\system32\Iajdgcab.exe32⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Jhgiim32.exeC:\Windows\system32\Jhgiim32.exe33⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Jbojlfdp.exeC:\Windows\system32\Jbojlfdp.exe34⤵
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Jhkbdmbg.exeC:\Windows\system32\Jhkbdmbg.exe35⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Jhnojl32.exeC:\Windows\system32\Jhnojl32.exe36⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Jllhpkfk.exeC:\Windows\system32\Jllhpkfk.exe37⤵PID:4952
-
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe38⤵PID:4432
-
C:\Windows\SysWOW64\Kbhmbdle.exeC:\Windows\system32\Kbhmbdle.exe39⤵
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe40⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Khiofk32.exeC:\Windows\system32\Khiofk32.exe41⤵PID:4756
-
C:\Windows\SysWOW64\Lepleocn.exeC:\Windows\system32\Lepleocn.exe42⤵PID:5000
-
C:\Windows\SysWOW64\Lindkm32.exeC:\Windows\system32\Lindkm32.exe43⤵PID:5140
-
C:\Windows\SysWOW64\Lpjjmg32.exeC:\Windows\system32\Lpjjmg32.exe44⤵PID:5184
-
C:\Windows\SysWOW64\Lplfcf32.exeC:\Windows\system32\Lplfcf32.exe45⤵
- Drops file in System32 directory
PID:5228 -
C:\Windows\SysWOW64\Loacdc32.exeC:\Windows\system32\Loacdc32.exe46⤵PID:5308
-
C:\Windows\SysWOW64\Modpib32.exeC:\Windows\system32\Modpib32.exe47⤵PID:5368
-
C:\Windows\SysWOW64\Mfnhfm32.exeC:\Windows\system32\Mfnhfm32.exe48⤵PID:5436
-
C:\Windows\SysWOW64\Mcdeeq32.exeC:\Windows\system32\Mcdeeq32.exe49⤵PID:5484
-
C:\Windows\SysWOW64\Ncpeaoih.exeC:\Windows\system32\Ncpeaoih.exe50⤵PID:5532
-
C:\Windows\SysWOW64\Nbebbk32.exeC:\Windows\system32\Nbebbk32.exe51⤵PID:5580
-
C:\Windows\SysWOW64\Oifppdpd.exeC:\Windows\system32\Oifppdpd.exe52⤵PID:5632
-
C:\Windows\SysWOW64\Ocnabm32.exeC:\Windows\system32\Ocnabm32.exe53⤵PID:5676
-
C:\Windows\SysWOW64\Pqbala32.exeC:\Windows\system32\Pqbala32.exe54⤵PID:5724
-
C:\Windows\SysWOW64\Ppgomnai.exeC:\Windows\system32\Ppgomnai.exe55⤵PID:5768
-
C:\Windows\SysWOW64\Pjlcjf32.exeC:\Windows\system32\Pjlcjf32.exe56⤵PID:5812
-
C:\Windows\SysWOW64\Pcegclgp.exeC:\Windows\system32\Pcegclgp.exe57⤵PID:5856
-
C:\Windows\SysWOW64\Pjoppf32.exeC:\Windows\system32\Pjoppf32.exe58⤵PID:5896
-
C:\Windows\SysWOW64\Paihlpfi.exeC:\Windows\system32\Paihlpfi.exe59⤵PID:5936
-
C:\Windows\SysWOW64\Pcgdhkem.exeC:\Windows\system32\Pcgdhkem.exe60⤵PID:5984
-
C:\Windows\SysWOW64\Pciqnk32.exeC:\Windows\system32\Pciqnk32.exe61⤵PID:6024
-
C:\Windows\SysWOW64\Pfhmjf32.exeC:\Windows\system32\Pfhmjf32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6068 -
C:\Windows\SysWOW64\Qamago32.exeC:\Windows\system32\Qamago32.exe63⤵PID:6108
-
C:\Windows\SysWOW64\Qbonoghb.exeC:\Windows\system32\Qbonoghb.exe64⤵PID:2036
-
C:\Windows\SysWOW64\Qjffpe32.exeC:\Windows\system32\Qjffpe32.exe65⤵PID:5240
-
C:\Windows\SysWOW64\Qcnjijoe.exeC:\Windows\system32\Qcnjijoe.exe66⤵PID:5356
-
C:\Windows\SysWOW64\Qjhbfd32.exeC:\Windows\system32\Qjhbfd32.exe67⤵PID:5468
-
C:\Windows\SysWOW64\Aabkbono.exeC:\Windows\system32\Aabkbono.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3820 -
C:\Windows\SysWOW64\Abcgjg32.exeC:\Windows\system32\Abcgjg32.exe69⤵
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Aimogakj.exeC:\Windows\system32\Aimogakj.exe70⤵PID:5520
-
C:\Windows\SysWOW64\Ajmladbl.exeC:\Windows\system32\Ajmladbl.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5608 -
C:\Windows\SysWOW64\Aagdnn32.exeC:\Windows\system32\Aagdnn32.exe72⤵PID:5672
-
C:\Windows\SysWOW64\Afcmfe32.exeC:\Windows\system32\Afcmfe32.exe73⤵PID:5752
-
C:\Windows\SysWOW64\Adgmoigj.exeC:\Windows\system32\Adgmoigj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5820 -
C:\Windows\SysWOW64\Ajdbac32.exeC:\Windows\system32\Ajdbac32.exe75⤵PID:5884
-
C:\Windows\SysWOW64\Bjhkmbho.exeC:\Windows\system32\Bjhkmbho.exe76⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Bpedeiff.exeC:\Windows\system32\Bpedeiff.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5992 -
C:\Windows\SysWOW64\Bmidnm32.exeC:\Windows\system32\Bmidnm32.exe78⤵PID:6088
-
C:\Windows\SysWOW64\Bfaigclq.exeC:\Windows\system32\Bfaigclq.exe79⤵PID:4024
-
C:\Windows\SysWOW64\Bmladm32.exeC:\Windows\system32\Bmladm32.exe80⤵PID:5288
-
C:\Windows\SysWOW64\Bbhildae.exeC:\Windows\system32\Bbhildae.exe81⤵
- Modifies registry class
PID:4576 -
C:\Windows\SysWOW64\Cibain32.exeC:\Windows\system32\Cibain32.exe82⤵PID:3740
-
C:\Windows\SysWOW64\Cbkfbcpb.exeC:\Windows\system32\Cbkfbcpb.exe83⤵PID:5568
-
C:\Windows\SysWOW64\Cancekeo.exeC:\Windows\system32\Cancekeo.exe84⤵PID:5648
-
C:\Windows\SysWOW64\Ccppmc32.exeC:\Windows\system32\Ccppmc32.exe85⤵PID:5796
-
C:\Windows\SysWOW64\Cildom32.exeC:\Windows\system32\Cildom32.exe86⤵PID:5868
-
C:\Windows\SysWOW64\Cpfmlghd.exeC:\Windows\system32\Cpfmlghd.exe87⤵PID:6032
-
C:\Windows\SysWOW64\Dkkaiphj.exeC:\Windows\system32\Dkkaiphj.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6140 -
C:\Windows\SysWOW64\Dknnoofg.exeC:\Windows\system32\Dknnoofg.exe89⤵PID:5400
-
C:\Windows\SysWOW64\Djegekil.exeC:\Windows\system32\Djegekil.exe90⤵PID:2280
-
C:\Windows\SysWOW64\Dpalgenf.exeC:\Windows\system32\Dpalgenf.exe91⤵PID:5600
-
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5708 -
C:\Windows\SysWOW64\Ejlnfjbd.exeC:\Windows\system32\Ejlnfjbd.exe93⤵PID:5964
-
C:\Windows\SysWOW64\Ekljpm32.exeC:\Windows\system32\Ekljpm32.exe94⤵PID:6128
-
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe95⤵PID:2880
-
C:\Windows\SysWOW64\Ejccgi32.exeC:\Windows\system32\Ejccgi32.exe96⤵PID:5736
-
C:\Windows\SysWOW64\Eqmlccdi.exeC:\Windows\system32\Eqmlccdi.exe97⤵PID:3368
-
C:\Windows\SysWOW64\Fjeplijj.exeC:\Windows\system32\Fjeplijj.exe98⤵PID:6080
-
C:\Windows\SysWOW64\Fqphic32.exeC:\Windows\system32\Fqphic32.exe99⤵PID:5500
-
C:\Windows\SysWOW64\Fjhmbihg.exeC:\Windows\system32\Fjhmbihg.exe100⤵PID:6096
-
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe101⤵
- Modifies registry class
PID:6172 -
C:\Windows\SysWOW64\Fqfojblo.exeC:\Windows\system32\Fqfojblo.exe102⤵PID:6216
-
C:\Windows\SysWOW64\Fklcgk32.exeC:\Windows\system32\Fklcgk32.exe103⤵PID:6260
-
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe104⤵PID:6304
-
C:\Windows\SysWOW64\Gqkhda32.exeC:\Windows\system32\Gqkhda32.exe105⤵PID:6348
-
C:\Windows\SysWOW64\Gjcmngnj.exeC:\Windows\system32\Gjcmngnj.exe106⤵PID:6392
-
C:\Windows\SysWOW64\Gkcigjel.exeC:\Windows\system32\Gkcigjel.exe107⤵PID:6432
-
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe108⤵PID:6468
-
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe109⤵PID:6516
-
C:\Windows\SysWOW64\Gkhbbi32.exeC:\Windows\system32\Gkhbbi32.exe110⤵PID:6560
-
C:\Windows\SysWOW64\Gbbkocid.exeC:\Windows\system32\Gbbkocid.exe111⤵PID:6604
-
C:\Windows\SysWOW64\Hgocgjgk.exeC:\Windows\system32\Hgocgjgk.exe112⤵PID:6648
-
C:\Windows\SysWOW64\Hebcao32.exeC:\Windows\system32\Hebcao32.exe113⤵PID:6692
-
C:\Windows\SysWOW64\Hkmlnimb.exeC:\Windows\system32\Hkmlnimb.exe114⤵PID:6736
-
C:\Windows\SysWOW64\Hjaioe32.exeC:\Windows\system32\Hjaioe32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6780 -
C:\Windows\SysWOW64\Hcjmhk32.exeC:\Windows\system32\Hcjmhk32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6824 -
C:\Windows\SysWOW64\Hcljmj32.exeC:\Windows\system32\Hcljmj32.exe117⤵
- Drops file in System32 directory
PID:6868 -
C:\Windows\SysWOW64\Ilfodgeg.exeC:\Windows\system32\Ilfodgeg.exe118⤵PID:6912
-
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe119⤵
- Drops file in System32 directory
PID:6960 -
C:\Windows\SysWOW64\Ijkled32.exeC:\Windows\system32\Ijkled32.exe120⤵PID:7016
-
C:\Windows\SysWOW64\Ieqpbm32.exeC:\Windows\system32\Ieqpbm32.exe121⤵PID:7060
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-