Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
01/11/2023, 02:05
Behavioral task
behavioral1
Sample
NEAS.dae1ca6aced64c15f68035ec1b2fe420.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.dae1ca6aced64c15f68035ec1b2fe420.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.dae1ca6aced64c15f68035ec1b2fe420.exe
-
Size
85KB
-
MD5
dae1ca6aced64c15f68035ec1b2fe420
-
SHA1
29f44ba91f2c66fb661da41f0042647dbcc711b9
-
SHA256
f010ea2d21c6aab662435b9c6e77cfe4335d9569e64469b83e10c85000e76bdd
-
SHA512
8decb4a6ec28cf0a5866470a59b1f4ad563fcf057ee39b28eeb5490ea86a7d2b97473d755a1981165fde383291e31599758c7cee122a6fd89fc8061afac351ae
-
SSDEEP
1536:1pCF3Tr3i9bAkb2GU/yrLH64/G5gMxXJ6tHI2LHDMQ262AjCsQ2PCZZrqOlNfVSc:1pCxTji9bAk3U/yrLH6gMJJ6HZHDMQHI
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfefkkqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmpqfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nomlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklinohd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjmekgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djklmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhcjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjmhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncaklhdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjhkmbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgocgjgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhkjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolhkh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenbjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnfooe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkdad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncofplba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmladbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihphkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lepleocn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maodigil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjlalkmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjjeieh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hffcmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllbaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apeknk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mklfjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoifflkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfkhmdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lebijnak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iecmhlhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkhog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfnoqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joahqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnkbkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanbhp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpdin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopemh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnljkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjbnnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggeboaob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbaclegm.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4896-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/4896-5-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0008000000022e23-7.dat family_berbew behavioral2/files/0x0008000000022e23-9.dat family_berbew behavioral2/memory/4056-8-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3e-16.dat family_berbew behavioral2/memory/2952-17-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e40-23.dat family_berbew behavioral2/files/0x0006000000022e3e-15.dat family_berbew behavioral2/files/0x0006000000022e40-24.dat family_berbew behavioral2/memory/4848-25-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e42-30.dat family_berbew behavioral2/memory/2840-32-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e42-33.dat family_berbew behavioral2/memory/4896-40-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/2860-42-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0007000000022e3b-41.dat family_berbew behavioral2/files/0x0007000000022e3b-39.dat family_berbew behavioral2/files/0x0006000000022e48-48.dat family_berbew behavioral2/memory/4560-49-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e48-50.dat family_berbew behavioral2/files/0x0006000000022e4a-56.dat family_berbew behavioral2/memory/4056-57-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e4a-58.dat family_berbew behavioral2/memory/1164-63-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/2952-66-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e4d-65.dat family_berbew behavioral2/files/0x0006000000022e4d-67.dat family_berbew behavioral2/memory/4848-76-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e52-83.dat family_berbew behavioral2/memory/4660-84-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e52-82.dat family_berbew behavioral2/memory/2948-89-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e50-75.dat family_berbew behavioral2/memory/2840-93-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e56-99.dat family_berbew behavioral2/memory/3104-106-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/4448-101-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e56-100.dat family_berbew behavioral2/memory/3320-109-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e58-108.dat family_berbew behavioral2/files/0x0006000000022e58-110.dat family_berbew behavioral2/files/0x0006000000022e54-92.dat family_berbew behavioral2/files/0x0006000000022e54-91.dat family_berbew behavioral2/memory/228-68-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e50-74.dat family_berbew behavioral2/memory/4404-117-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e5a-116.dat family_berbew behavioral2/files/0x0006000000022e5a-118.dat family_berbew behavioral2/files/0x0006000000022e5c-124.dat family_berbew behavioral2/memory/880-130-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e5c-125.dat family_berbew behavioral2/files/0x0006000000022e5e-132.dat family_berbew behavioral2/memory/2860-133-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e5e-134.dat family_berbew behavioral2/memory/3376-135-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/files/0x0006000000022e60-141.dat family_berbew behavioral2/files/0x0006000000022e60-142.dat family_berbew behavioral2/files/0x0006000000022e62-149.dat family_berbew behavioral2/files/0x0006000000022e62-150.dat family_berbew behavioral2/memory/4560-148-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/3672-155-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/1164-159-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral2/memory/2180-169-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4056 Ggeboaob.exe 2952 Hnoklk32.exe 4848 Hffcmh32.exe 2840 Hoogfnnb.exe 2860 Oebflhaf.exe 4560 Poaqemao.exe 1164 Podmkm32.exe 228 Pgkelj32.exe 4660 Pofjpl32.exe 2948 Qjlnnemp.exe 4448 Qoifflkg.exe 3104 Qfbobf32.exe 3320 Qlmgopjq.exe 4404 Amodep32.exe 880 Amaqjp32.exe 3376 Aopmfk32.exe 3672 Ajeadd32.exe 2568 Aobilkcl.exe 2180 Ajhniccb.exe 1332 Acpbbi32.exe 4676 Ajjjocap.exe 440 Bogcgj32.exe 1276 Bjlgdc32.exe 464 Boipmj32.exe 4248 Bgpgng32.exe 3012 Bjodjb32.exe 4412 Bmmpfn32.exe 1348 Bjaqpbkh.exe 1476 Bciehh32.exe 4784 Bmbiamhi.exe 4292 Bihjfnmm.exe 2332 Cpbbch32.exe 1108 Cikglnkj.exe 1800 Cabomkll.exe 1196 Cglgjeci.exe 4168 Cfadkb32.exe 4892 Caghhk32.exe 4068 Cjomap32.exe 4940 Cpleig32.exe 2544 Cidjbmcp.exe 4440 Dfjgaq32.exe 3456 Dmdonkgc.exe 1552 Dapkni32.exe 4952 Dcogje32.exe 3504 Djhpgofm.exe 4256 Ddadpdmn.exe 4108 Djklmo32.exe 208 Dpgeee32.exe 3896 Emlenj32.exe 2132 Epjajeqo.exe 1168 Ejpfhnpe.exe 1228 Edhjqc32.exe 844 Eidbij32.exe 1668 Ealkjh32.exe 3892 Eigonjcj.exe 2336 Ehhpla32.exe 1636 Fkihnmhj.exe 2172 Fpeafcfa.exe 4868 Fineoi32.exe 684 Fgbfhmll.exe 3940 Fgdbnmji.exe 4160 Fielph32.exe 4708 Ggilil32.exe 2432 Gpaqbbld.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ljaoeini.exe Lddgmbpb.exe File opened for modification C:\Windows\SysWOW64\Bbdpad32.exe Bpedeiff.exe File created C:\Windows\SysWOW64\Phdpmbnc.dll Kdigadjo.exe File created C:\Windows\SysWOW64\Hleoiomo.dll Kggcnoic.exe File opened for modification C:\Windows\SysWOW64\Ooqqdi32.exe Oidhlb32.exe File opened for modification C:\Windows\SysWOW64\Dodjjimm.exe Ddnfmqng.exe File created C:\Windows\SysWOW64\Aogbfi32.exe Afpjel32.exe File created C:\Windows\SysWOW64\Fbbojb32.dll Khfkfedn.exe File created C:\Windows\SysWOW64\Hifpcjin.dll Fkihnmhj.exe File opened for modification C:\Windows\SysWOW64\Oidhlb32.exe Oondnini.exe File created C:\Windows\SysWOW64\Bdagpnbk.exe Bacjdbch.exe File created C:\Windows\SysWOW64\Eomffaag.exe Egened32.exe File created C:\Windows\SysWOW64\Qglmjp32.dll Eclmamod.exe File created C:\Windows\SysWOW64\Jpfepf32.exe Jcbdgb32.exe File created C:\Windows\SysWOW64\Bffcpg32.exe Bnoknihb.exe File created C:\Windows\SysWOW64\Mhcmcm32.dll Dfglfdkb.exe File created C:\Windows\SysWOW64\Chflphjh.dll Ibhkfm32.exe File opened for modification C:\Windows\SysWOW64\Geoapenf.exe Gacepg32.exe File created C:\Windows\SysWOW64\Eclhcj32.dll Edfknb32.exe File created C:\Windows\SysWOW64\Fcneeo32.exe Fqphic32.exe File opened for modification C:\Windows\SysWOW64\Bjaqpbkh.exe Bmmpfn32.exe File created C:\Windows\SysWOW64\Dakdmb32.dll Gbmingjo.exe File opened for modification C:\Windows\SysWOW64\Jgkdbacp.exe Jlfpdh32.exe File created C:\Windows\SysWOW64\Agdcpkll.exe Adfgdpmi.exe File created C:\Windows\SysWOW64\Glllagck.dll Lchfib32.exe File created C:\Windows\SysWOW64\Okkbgpmc.dll Fcneeo32.exe File created C:\Windows\SysWOW64\Fcpakn32.exe Fqbeoc32.exe File created C:\Windows\SysWOW64\Aobbbd32.dll Ingpmmgm.exe File created C:\Windows\SysWOW64\Iggjga32.exe Ilafiihp.exe File created C:\Windows\SysWOW64\Qmgelf32.exe Qhjmdp32.exe File created C:\Windows\SysWOW64\Libmeq32.dll Gghdaa32.exe File created C:\Windows\SysWOW64\Opbean32.exe Omdieb32.exe File opened for modification C:\Windows\SysWOW64\Egpnooan.exe Edaaccbj.exe File opened for modification C:\Windows\SysWOW64\Kjhcjq32.exe Kqpoakco.exe File opened for modification C:\Windows\SysWOW64\Iidphgcn.exe Igfclkdj.exe File created C:\Windows\SysWOW64\Bkmmaeap.exe Bfpdin32.exe File created C:\Windows\SysWOW64\Qmhlgmmm.exe Qdphngfl.exe File created C:\Windows\SysWOW64\Alpbecod.exe Aefjii32.exe File opened for modification C:\Windows\SysWOW64\Ifmqfm32.exe Hoeieolb.exe File created C:\Windows\SysWOW64\Odaodc32.dll Geoapenf.exe File created C:\Windows\SysWOW64\Mkddhfnh.dll Bdeiqgkj.exe File opened for modification C:\Windows\SysWOW64\Dfjgaq32.exe Cidjbmcp.exe File created C:\Windows\SysWOW64\Ejpfhnpe.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Acccdj32.exe Acqgojmb.exe File created C:\Windows\SysWOW64\Igjbci32.exe Ielfgmnj.exe File created C:\Windows\SysWOW64\Hoogfnnb.exe Hffcmh32.exe File created C:\Windows\SysWOW64\Ohfami32.exe Oeheqm32.exe File created C:\Windows\SysWOW64\Mnhkbfme.exe Mccfdmmo.exe File created C:\Windows\SysWOW64\Igfclkdj.exe Imnocf32.exe File created C:\Windows\SysWOW64\Laiipofp.exe Lojmcdgl.exe File created C:\Windows\SysWOW64\Ipmgkhgl.dll Jlkafdco.exe File created C:\Windows\SysWOW64\Mhdckaeo.exe Mbgjbkfg.exe File created C:\Windows\SysWOW64\Cjmhfb32.dll Oaajed32.exe File opened for modification C:\Windows\SysWOW64\Qhjmdp32.exe Pdmdnadc.exe File created C:\Windows\SysWOW64\Hkjohi32.exe Hgocgjgk.exe File opened for modification C:\Windows\SysWOW64\Moefdljc.exe Mkjjdmaj.exe File created C:\Windows\SysWOW64\Jbkeki32.dll Mhnjna32.exe File created C:\Windows\SysWOW64\Mknjbg32.dll Hmbfbn32.exe File created C:\Windows\SysWOW64\Gmfmgg32.dll Kmdlffhj.exe File created C:\Windows\SysWOW64\Hoeieolb.exe Hlglidlo.exe File created C:\Windows\SysWOW64\Pnmopk32.exe Phcgcqab.exe File opened for modification C:\Windows\SysWOW64\Mbibfm32.exe Mqhfoebo.exe File opened for modification C:\Windows\SysWOW64\Ndpjnq32.exe Nconfh32.exe File created C:\Windows\SysWOW64\Ibknda32.dll Blielbfi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajpfn32.dll" Hcpojd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feoodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll" Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnilk32.dll" Cfadkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooqqdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eklajcmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnhl32.dll" Ijkled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejcdfahd.dll" Aealll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alelqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binlfp32.dll" Nqbpojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enfckp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfbbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcpakn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emlenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mepnaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfmgg32.dll" Kmdlffhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijiopd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhkljfok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll" Lacijjgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phaahggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Igfclkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkmjjaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbekii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaiqcnhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmpjoloh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkmlnimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaiimadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illddp32.dll" Ldipha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micgbemj.dll" Clgbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emmdom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjgd32.dll" Dakikoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbnhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnemdgd.dll" Jnpjlajn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgbfhmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbdlk32.dll" Aleckinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcogje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmfnpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmannfj.dll" Jdalog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmedh32.dll" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqgmmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfgklkoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeolckne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmeel32.dll" Kbjbnnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mekdffee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfjgaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofbdcmb.dll" Plndcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhldm32.dll" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjhbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbnlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfgklkoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fliabjbh.dll" Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nggmhj32.dll" Eigonjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cppnfc32.dll" Gpaqbbld.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4896 wrote to memory of 4056 4896 NEAS.dae1ca6aced64c15f68035ec1b2fe420.exe 86 PID 4896 wrote to memory of 4056 4896 NEAS.dae1ca6aced64c15f68035ec1b2fe420.exe 86 PID 4896 wrote to memory of 4056 4896 NEAS.dae1ca6aced64c15f68035ec1b2fe420.exe 86 PID 4056 wrote to memory of 2952 4056 Ggeboaob.exe 87 PID 4056 wrote to memory of 2952 4056 Ggeboaob.exe 87 PID 4056 wrote to memory of 2952 4056 Ggeboaob.exe 87 PID 2952 wrote to memory of 4848 2952 Hnoklk32.exe 88 PID 2952 wrote to memory of 4848 2952 Hnoklk32.exe 88 PID 2952 wrote to memory of 4848 2952 Hnoklk32.exe 88 PID 4848 wrote to memory of 2840 4848 Hffcmh32.exe 90 PID 4848 wrote to memory of 2840 4848 Hffcmh32.exe 90 PID 4848 wrote to memory of 2840 4848 Hffcmh32.exe 90 PID 2840 wrote to memory of 2860 2840 Hoogfnnb.exe 92 PID 2840 wrote to memory of 2860 2840 Hoogfnnb.exe 92 PID 2840 wrote to memory of 2860 2840 Hoogfnnb.exe 92 PID 2860 wrote to memory of 4560 2860 Oebflhaf.exe 93 PID 2860 wrote to memory of 4560 2860 Oebflhaf.exe 93 PID 2860 wrote to memory of 4560 2860 Oebflhaf.exe 93 PID 4560 wrote to memory of 1164 4560 Poaqemao.exe 94 PID 4560 wrote to memory of 1164 4560 Poaqemao.exe 94 PID 4560 wrote to memory of 1164 4560 Poaqemao.exe 94 PID 1164 wrote to memory of 228 1164 Podmkm32.exe 95 PID 1164 wrote to memory of 228 1164 Podmkm32.exe 95 PID 1164 wrote to memory of 228 1164 Podmkm32.exe 95 PID 228 wrote to memory of 4660 228 Pgkelj32.exe 96 PID 228 wrote to memory of 4660 228 Pgkelj32.exe 96 PID 228 wrote to memory of 4660 228 Pgkelj32.exe 96 PID 4660 wrote to memory of 2948 4660 Pofjpl32.exe 97 PID 4660 wrote to memory of 2948 4660 Pofjpl32.exe 97 PID 4660 wrote to memory of 2948 4660 Pofjpl32.exe 97 PID 2948 wrote to memory of 4448 2948 Qjlnnemp.exe 98 PID 2948 wrote to memory of 4448 2948 Qjlnnemp.exe 98 PID 2948 wrote to memory of 4448 2948 Qjlnnemp.exe 98 PID 4448 wrote to memory of 3104 4448 Qoifflkg.exe 100 PID 4448 wrote to memory of 3104 4448 Qoifflkg.exe 100 PID 4448 wrote to memory of 3104 4448 Qoifflkg.exe 100 PID 3104 wrote to memory of 3320 3104 Qfbobf32.exe 99 PID 3104 wrote to memory of 3320 3104 Qfbobf32.exe 99 PID 3104 wrote to memory of 3320 3104 Qfbobf32.exe 99 PID 3320 wrote to memory of 4404 3320 Qlmgopjq.exe 102 PID 3320 wrote to memory of 4404 3320 Qlmgopjq.exe 102 PID 3320 wrote to memory of 4404 3320 Qlmgopjq.exe 102 PID 4404 wrote to memory of 880 4404 Amodep32.exe 103 PID 4404 wrote to memory of 880 4404 Amodep32.exe 103 PID 4404 wrote to memory of 880 4404 Amodep32.exe 103 PID 880 wrote to memory of 3376 880 Amaqjp32.exe 104 PID 880 wrote to memory of 3376 880 Amaqjp32.exe 104 PID 880 wrote to memory of 3376 880 Amaqjp32.exe 104 PID 3376 wrote to memory of 3672 3376 Aopmfk32.exe 105 PID 3376 wrote to memory of 3672 3376 Aopmfk32.exe 105 PID 3376 wrote to memory of 3672 3376 Aopmfk32.exe 105 PID 3672 wrote to memory of 2568 3672 Ajeadd32.exe 106 PID 3672 wrote to memory of 2568 3672 Ajeadd32.exe 106 PID 3672 wrote to memory of 2568 3672 Ajeadd32.exe 106 PID 2568 wrote to memory of 2180 2568 Aobilkcl.exe 107 PID 2568 wrote to memory of 2180 2568 Aobilkcl.exe 107 PID 2568 wrote to memory of 2180 2568 Aobilkcl.exe 107 PID 2180 wrote to memory of 1332 2180 Ajhniccb.exe 108 PID 2180 wrote to memory of 1332 2180 Ajhniccb.exe 108 PID 2180 wrote to memory of 1332 2180 Ajhniccb.exe 108 PID 1332 wrote to memory of 4676 1332 Acpbbi32.exe 109 PID 1332 wrote to memory of 4676 1332 Acpbbi32.exe 109 PID 1332 wrote to memory of 4676 1332 Acpbbi32.exe 109 PID 4676 wrote to memory of 440 4676 Ajjjocap.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.dae1ca6aced64c15f68035ec1b2fe420.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.dae1ca6aced64c15f68035ec1b2fe420.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Oebflhaf.exeC:\Windows\system32\Oebflhaf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Qjlnnemp.exeC:\Windows\system32\Qjlnnemp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\Aobilkcl.exeC:\Windows\system32\Aobilkcl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe10⤵
- Executes dropped EXE
PID:440
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe1⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe2⤵
- Executes dropped EXE
PID:4248
-
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4412 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe2⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe3⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe4⤵
- Executes dropped EXE
- Modifies registry class
PID:4784 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe5⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe6⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe7⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe8⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe9⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe10⤵
- Executes dropped EXE
- Modifies registry class
PID:4168 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe11⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe12⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe13⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe15⤵
- Executes dropped EXE
- Modifies registry class
PID:4440 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe16⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe17⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe18⤵
- Executes dropped EXE
- Modifies registry class
PID:4952 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe19⤵
- Executes dropped EXE
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe20⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe22⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3896 -
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe25⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe26⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe27⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe28⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe30⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe32⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe33⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe35⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe36⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe37⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe39⤵PID:1448
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe40⤵PID:1372
-
C:\Windows\SysWOW64\Ghkeio32.exeC:\Windows\system32\Ghkeio32.exe41⤵PID:3468
-
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe42⤵PID:1924
-
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe43⤵PID:1912
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe44⤵PID:2836
-
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe45⤵PID:3956
-
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe46⤵PID:1596
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe47⤵PID:3476
-
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe48⤵PID:3888
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe49⤵PID:5104
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe50⤵PID:3744
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe51⤵PID:4228
-
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe52⤵PID:3728
-
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe53⤵PID:5160
-
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe54⤵PID:5224
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe55⤵PID:5284
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5340 -
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe57⤵PID:5376
-
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe58⤵PID:5432
-
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe59⤵PID:5488
-
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5528 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe61⤵PID:5580
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe62⤵PID:5628
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe63⤵PID:5680
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe64⤵PID:5724
-
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe65⤵PID:5768
-
C:\Windows\SysWOW64\Ihgnkkbd.exeC:\Windows\system32\Ihgnkkbd.exe66⤵PID:5812
-
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe67⤵PID:5852
-
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe68⤵PID:5892
-
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe69⤵PID:5936
-
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe70⤵PID:5976
-
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe71⤵
- Modifies registry class
PID:6020 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe72⤵PID:6064
-
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6108 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe74⤵PID:5136
-
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe75⤵PID:5220
-
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe76⤵PID:5336
-
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe77⤵PID:5388
-
C:\Windows\SysWOW64\Kqpoakco.exeC:\Windows\system32\Kqpoakco.exe78⤵
- Drops file in System32 directory
PID:5456 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5516 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe80⤵PID:5624
-
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe81⤵PID:5692
-
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe82⤵PID:5756
-
C:\Windows\SysWOW64\Kageaj32.exeC:\Windows\system32\Kageaj32.exe83⤵PID:5848
-
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe84⤵PID:5904
-
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe85⤵PID:5984
-
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe86⤵PID:6048
-
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe87⤵PID:6136
-
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe88⤵PID:5204
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe89⤵PID:5364
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe90⤵PID:5440
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe91⤵PID:5592
-
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe92⤵PID:1804
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe93⤵PID:5780
-
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe94⤵PID:5960
-
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe95⤵PID:6056
-
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe96⤵PID:5180
-
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe97⤵
- Drops file in System32 directory
PID:3908 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe98⤵PID:5588
-
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe99⤵PID:5720
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe100⤵PID:5944
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe101⤵PID:6096
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe103⤵PID:5676
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe104⤵PID:5964
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe105⤵PID:5324
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe106⤵PID:5760
-
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe107⤵PID:5240
-
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe108⤵PID:6116
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe109⤵PID:5128
-
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe110⤵PID:1592
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe111⤵PID:6188
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe112⤵PID:6232
-
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe113⤵
- Drops file in System32 directory
PID:6276 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:6320 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe115⤵
- Modifies registry class
PID:6364 -
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe116⤵PID:6408
-
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe117⤵PID:6452
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe118⤵
- Drops file in System32 directory
PID:6500 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe119⤵PID:6544
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe120⤵PID:6580
-
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe121⤵PID:6744
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-