Analysis

max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2023 11:39

Behavioral task: behavioral1
Sample: NEAS.7a21ee08952ec722a71f2fa1977aaf80_JC.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.7a21ee08952ec722a71f2fa1977aaf80_JC.exe
Resource: win10v2004-20231023-en
General

Target: NEAS.7a21ee08952ec722a71f2fa1977aaf80_JC.exe
Size: 133KB
MD5: 7a21ee08952ec722a71f2fa1977aaf80
SHA1: d865a9ae07eda8a0c8337a38bbd3feca956119ab
SHA256: 4ecff85e048da64b48fa900d127ada1ec242738ac54c76e4497c7347af0cf843
SHA512: 58af6f0a6131e57a9640715ea363375f9289e7817e11419deffd4d3fa1f67feb881588bfb25f804ac4483db2174c0abd1abd486b094ea60c602b83198d539712
SSDEEP: 3072:gWIj3mGKNri0oyf4/3oE2CKG7UDd0pCrQIFdFtLwzTa:QmGghQ/Y/G7Ux0ocIPF9wzG
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.7a21ee08952ec722a71f2fa1977aaf80_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.7a21ee08952ec722a71f2fa1977aaf80_JC.exe", level 1, PID 2256)
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pqphnp32.exe (command line: C:\Windows\system32\Pqphnp32.exe, level 2, PID 2120)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Qqbecp32.exe (command line: C:\Windows\system32\Qqbecp32.exe, level 3, PID 2424)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Qjkjle32.exe (command line: C:\Windows\system32\Qjkjle32.exe, level 4, PID 2764)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aipfmane.exe (command line: C:\Windows\system32\Aipfmane.exe, level 5, PID 2736)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Deondj32.exe (command line: C:\Windows\system32\Deondj32.exe, level 3, PID 1708)
C:\Windows\SysWOW64\Dmkcil32.exe (command line: C:\Windows\system32\Dmkcil32.exe, level 4, PID 5420)
C:\Windows\SysWOW64\Abkhkgbb.exe (command line: C:\Windows\system32\Abkhkgbb.exe, level 1, PID 2636)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Anahqh32.exe (command line: C:\Windows\system32\Anahqh32.exe, level 2, PID 648)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ancefgfd.exe (command line: C:\Windows\system32\Ancefgfd.exe, level 3, PID 1168)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Aibcba32.exe (command line: C:\Windows\system32\Aibcba32.exe, level 1, PID 2628)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Acekjjmk.exe (command line: C:\Windows\system32\Acekjjmk.exe, level 1, PID 2684)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Akhfoldn.exe (command line: C:\Windows\system32\Akhfoldn.exe, level 1, PID 2848)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Badnhbce.exe (command line: C:\Windows\system32\Badnhbce.exe, level 2, PID 1888)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Bgqcjlhp.exe (command line: C:\Windows\system32\Bgqcjlhp.exe, level 1, PID 2576)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Baigca32.exe (command line: C:\Windows\system32\Baigca32.exe, level 2, PID 1656)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Chlfnp32.exe (command line: C:\Windows\system32\Chlfnp32.exe, level 3, PID 3028)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Chnbcpmn.exe (command line: C:\Windows\system32\Chnbcpmn.exe, level 4, PID 584)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Chqoipkk.exe (command line: C:\Windows\system32\Chqoipkk.exe, level 5, PID 2180)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Chcloo32.exe (command line: C:\Windows\system32\Chcloo32.exe, level 6, PID 2064)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Comdkipe.exe (command line: C:\Windows\system32\Comdkipe.exe, level 7, PID 1372)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Cmbalfem.exe (command line: C:\Windows\system32\Cmbalfem.exe, level 8, PID 1392)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ddliip32.exe (command line: C:\Windows\system32\Ddliip32.exe, level 9, PID 1540)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dmdnbecj.exe (command line: C:\Windows\system32\Dmdnbecj.exe, level 10, PID 1292)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dcccpl32.exe (command line: C:\Windows\system32\Dcccpl32.exe, level 11, PID 988)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Debplg32.exe (command line: C:\Windows\system32\Debplg32.exe, level 12, PID 2956)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Domqjm32.exe (command line: C:\Windows\system32\Domqjm32.exe, level 13, PID 2960)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Elqaca32.exe (command line: C:\Windows\system32\Elqaca32.exe, level 14, PID 1772)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Eeielfhk.exe (command line: C:\Windows\system32\Eeielfhk.exe, level 15, PID 2084)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Endjaief.exe (command line: C:\Windows\system32\Endjaief.exe, level 16, PID 2700)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ejkkfjkj.exe (command line: C:\Windows\system32\Ejkkfjkj.exe, level 17, PID 2608)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Edqocbkp.exe (command line: C:\Windows\system32\Edqocbkp.exe, level 18, PID 2656)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fgcejm32.exe (command line: C:\Windows\system32\Fgcejm32.exe, level 19, PID 2912)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
C:\Windows\SysWOW64\Fbmfkkbm.exe (command line: C:\Windows\system32\Fbmfkkbm.exe, level 20, PID 2916)
- Executes dropped EXE
C:\Windows\SysWOW64\Fmcjhdbc.exe (command line: C:\Windows\system32\Fmcjhdbc.exe, level 21, PID 2192)
- Executes dropped EXE
C:\Windows\SysWOW64\Fbpbpkpj.exe (command line: C:\Windows\system32\Fbpbpkpj.exe, level 22, PID 2492)
- Executes dropped EXE
C:\Windows\SysWOW64\Fbbofjnh.exe (command line: C:\Windows\system32\Fbbofjnh.exe, level 23, PID 572)
- Executes dropped EXE
C:\Windows\SysWOW64\Filgbdfd.exe (command line: C:\Windows\system32\Filgbdfd.exe, level 24, PID 2300)
- Executes dropped EXE
C:\Windows\SysWOW64\Fdbhge32.exe (command line: C:\Windows\system32\Fdbhge32.exe, level 25, PID 1900)
- Executes dropped EXE
C:\Windows\SysWOW64\Gjpqpl32.exe (command line: C:\Windows\system32\Gjpqpl32.exe, level 26, PID 1752)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Ggcaiqhj.exe (command line: C:\Windows\system32\Ggcaiqhj.exe, level 27, PID 1860)
- Executes dropped EXE
C:\Windows\SysWOW64\Gnmifk32.exe (command line: C:\Windows\system32\Gnmifk32.exe, level 28, PID 2224)
- Executes dropped EXE
C:\Windows\SysWOW64\Ggfnopfg.exe (command line: C:\Windows\system32\Ggfnopfg.exe, level 29, PID 1632)
- Executes dropped EXE
C:\Windows\SysWOW64\Gmbfggdo.exe (command line: C:\Windows\system32\Gmbfggdo.exe, level 30, PID 2412)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Gghkdp32.exe (command line: C:\Windows\system32\Gghkdp32.exe, level 31, PID 3036)
- Executes dropped EXE
C:\Windows\SysWOW64\Gjfgqk32.exe (command line: C:\Windows\system32\Gjfgqk32.exe, level 32, PID 2696)
- Executes dropped EXE
C:\Windows\SysWOW64\Hloiib32.exe (command line: C:\Windows\system32\Hloiib32.exe, level 33, PID 852)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Hlafnbal.exe (command line: C:\Windows\system32\Hlafnbal.exe, level 34, PID 1536)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Hnbopmnm.exe (command line: C:\Windows\system32\Hnbopmnm.exe, level 35, PID 992)
- Executes dropped EXE
C:\Windows\SysWOW64\Hapklimq.exe (command line: C:\Windows\system32\Hapklimq.exe, level 36, PID 840)
- Executes dropped EXE
C:\Windows\SysWOW64\Hjipenda.exe (command line: C:\Windows\system32\Hjipenda.exe, level 37, PID 912)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Idadnd32.exe (command line: C:\Windows\system32\Idadnd32.exe, level 38, PID 3048)
- Executes dropped EXE
C:\Windows\SysWOW64\Iaeegh32.exe (command line: C:\Windows\system32\Iaeegh32.exe, level 39, PID 3052)
- Executes dropped EXE
C:\Windows\SysWOW64\Ijmipn32.exe (command line: C:\Windows\system32\Ijmipn32.exe, level 40, PID 2196)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Iegjqk32.exe (command line: C:\Windows\system32\Iegjqk32.exe, level 41, PID 2144)
- Executes dropped EXE
C:\Windows\SysWOW64\Ilabmedg.exe (command line: C:\Windows\system32\Ilabmedg.exe, level 42, PID 1600)
- Executes dropped EXE
C:\Windows\SysWOW64\Ifffkncm.exe (command line: C:\Windows\system32\Ifffkncm.exe, level 43, PID 1264)
- Executes dropped EXE
C:\Windows\SysWOW64\Ipokcdjn.exe (command line: C:\Windows\system32\Ipokcdjn.exe, level 44, PID 2672)
- Executes dropped EXE
C:\Windows\SysWOW64\Jlelhe32.exe (command line: C:\Windows\system32\Jlelhe32.exe, level 45, PID 2828)
- Executes dropped EXE
C:\Windows\SysWOW64\Jodhdp32.exe (command line: C:\Windows\system32\Jodhdp32.exe, level 46, PID 2676)
- Executes dropped EXE
C:\Windows\SysWOW64\Jkkija32.exe (command line: C:\Windows\system32\Jkkija32.exe, level 47, PID 1104)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Jaeafklf.exe (command line: C:\Windows\system32\Jaeafklf.exe, level 48, PID 532)
- Executes dropped EXE
C:\Windows\SysWOW64\Joiappkp.exe (command line: C:\Windows\system32\Joiappkp.exe, level 49, PID 1092)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Jdejhfig.exe (command line: C:\Windows\system32\Jdejhfig.exe, level 50, PID 1276)
- Executes dropped EXE
C:\Windows\SysWOW64\Jckgicnp.exe (command line: C:\Windows\system32\Jckgicnp.exe, level 51, PID 1040)
- Executes dropped EXE
C:\Windows\SysWOW64\Jjdofm32.exe (command line: C:\Windows\system32\Jjdofm32.exe, level 52, PID 1052)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Kcmcoblm.exe (command line: C:\Windows\system32\Kcmcoblm.exe, level 53, PID 2868)
C:\Windows\SysWOW64\Knbhlkkc.exe (command line: C:\Windows\system32\Knbhlkkc.exe, level 54, PID 2420)
C:\Windows\SysWOW64\Kjihalag.exe (command line: C:\Windows\system32\Kjihalag.exe, level 55, PID 788)
- Modifies registry class
C:\Windows\SysWOW64\Kofaicon.exe (command line: C:\Windows\system32\Kofaicon.exe, level 56, PID 436)
- Drops file in System32 directory
C:\Windows\SysWOW64\Kljabgnh.exe (command line: C:\Windows\system32\Kljabgnh.exe, level 57, PID 1148)
C:\Windows\SysWOW64\Kbgjkn32.exe (command line: C:\Windows\system32\Kbgjkn32.exe, level 58, PID 112)
- Modifies registry class
C:\Windows\SysWOW64\Kokjdb32.exe (command line: C:\Windows\system32\Kokjdb32.exe, level 59, PID 2612)
- Modifies registry class
C:\Windows\SysWOW64\Kbigpn32.exe (command line: C:\Windows\system32\Kbigpn32.exe, level 60, PID 1836)
C:\Windows\SysWOW64\Kgfoie32.exe (command line: C:\Windows\system32\Kgfoie32.exe, level 61, PID 776)
C:\Windows\SysWOW64\Lnpgeopa.exe (command line: C:\Windows\system32\Lnpgeopa.exe, level 62, PID 2232)
C:\Windows\SysWOW64\Lbnpkmfg.exe (command line: C:\Windows\system32\Lbnpkmfg.exe, level 63, PID 2252)
C:\Windows\SysWOW64\Ldllgiek.exe (command line: C:\Windows\system32\Ldllgiek.exe, level 64, PID 1604)
C:\Windows\SysWOW64\Lneaqn32.exe (command line: C:\Windows\system32\Lneaqn32.exe, level 65, PID 2716)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Lngnfnji.exe (command line: C:\Windows\system32\Lngnfnji.exe, level 66, PID 2812)
C:\Windows\SysWOW64\Lgoboc32.exe (command line: C:\Windows\system32\Lgoboc32.exe, level 67, PID 2524)
C:\Windows\SysWOW64\Ljnnko32.exe (command line: C:\Windows\system32\Ljnnko32.exe, level 68, PID 2572)
C:\Windows\SysWOW64\Lcfbdd32.exe (command line: C:\Windows\system32\Lcfbdd32.exe, level 69, PID 2500)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Micklk32.exe (command line: C:\Windows\system32\Micklk32.exe, level 70, PID 1176)
C:\Windows\SysWOW64\Mbkpeake.exe (command line: C:\Windows\system32\Mbkpeake.exe, level 71, PID 2856)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Mmadbjkk.exe (command line: C:\Windows\system32\Mmadbjkk.exe, level 72, PID 1452)
C:\Windows\SysWOW64\Mfihkoal.exe (command line: C:\Windows\system32\Mfihkoal.exe, level 73, PID 2584)
C:\Windows\SysWOW64\Mlfacfpc.exe (command line: C:\Windows\system32\Mlfacfpc.exe, level 74, PID 1824)
C:\Windows\SysWOW64\Mgmahg32.exe (command line: C:\Windows\system32\Mgmahg32.exe, level 75, PID 3020)
- Drops file in System32 directory
C:\Windows\SysWOW64\Mbbfep32.exe (command line: C:\Windows\system32\Mbbfep32.exe, level 76, PID 2936)
- Drops file in System32 directory
C:\Windows\SysWOW64\Mlkjne32.exe (command line: C:\Windows\system32\Mlkjne32.exe, level 77, PID 2200)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Nmlgfnal.exe (command line: C:\Windows\system32\Nmlgfnal.exe, level 78, PID 2340)
- Modifies registry class
C:\Windows\SysWOW64\Nnkcpq32.exe (command line: C:\Windows\system32\Nnkcpq32.exe, level 79, PID 1776)
C:\Windows\SysWOW64\Npmphinm.exe (command line: C:\Windows\system32\Npmphinm.exe, level 80, PID 2024)
C:\Windows\SysWOW64\Niedqnen.exe (command line: C:\Windows\system32\Niedqnen.exe, level 81, PID 312)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Ndkhngdd.exe (command line: C:\Windows\system32\Ndkhngdd.exe, level 82, PID 2428)
C:\Windows\SysWOW64\Nmcmgm32.exe (command line: C:\Windows\system32\Nmcmgm32.exe, level 83, PID 2016)
C:\Windows\SysWOW64\Nfkapb32.exe (command line: C:\Windows\system32\Nfkapb32.exe, level 84, PID 1996)
- Modifies registry class
C:\Windows\SysWOW64\Npdfhhhe.exe (command line: C:\Windows\system32\Npdfhhhe.exe, level 85, PID 2720)
- Modifies registry class
C:\Windows\SysWOW64\Nfnneb32.exe (command line: C:\Windows\system32\Nfnneb32.exe, level 86, PID 2552)
C:\Windows\SysWOW64\Olkfmi32.exe (command line: C:\Windows\system32\Olkfmi32.exe, level 87, PID 2580)
- Modifies registry class
C:\Windows\SysWOW64\Obdojcef.exe (command line: C:\Windows\system32\Obdojcef.exe, level 88, PID 2992)
C:\Windows\SysWOW64\Okpcoe32.exe (command line: C:\Windows\system32\Okpcoe32.exe, level 89, PID 2816)
C:\Windows\SysWOW64\Oeehln32.exe (command line: C:\Windows\system32\Oeehln32.exe, level 90, PID 2028)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Oonldcih.exe (command line: C:\Windows\system32\Oonldcih.exe, level 91, PID 2204)
C:\Windows\SysWOW64\Odjdmjgo.exe (command line: C:\Windows\system32\Odjdmjgo.exe, level 92, PID 3040)
C:\Windows\SysWOW64\Ohhmcinf.exe (command line: C:\Windows\system32\Ohhmcinf.exe, level 93, PID 2364)
C:\Windows\SysWOW64\Oijjka32.exe (command line: C:\Windows\system32\Oijjka32.exe, level 94, PID 1608)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Pcbncfjd.exe (command line: C:\Windows\system32\Pcbncfjd.exe, level 95, PID 2480)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Pilfpqaa.exe (command line: C:\Windows\system32\Pilfpqaa.exe, level 96, PID 1364)
- Modifies registry class
C:\Windows\SysWOW64\Pgpgjepk.exe (command line: C:\Windows\system32\Pgpgjepk.exe, level 97, PID 1768)
- Modifies registry class
C:\Windows\SysWOW64\Pincfpoo.exe (command line: C:\Windows\system32\Pincfpoo.exe, level 98, PID 2108)
- Drops file in System32 directory
C:\Windows\SysWOW64\Pphkbj32.exe (command line: C:\Windows\system32\Pphkbj32.exe, level 99, PID 892)
C:\Windows\SysWOW64\Peedka32.exe (command line: C:\Windows\system32\Peedka32.exe, level 100, PID 2724)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Pomhcg32.exe (command line: C:\Windows\system32\Pomhcg32.exe, level 101, PID 2640)
C:\Windows\SysWOW64\Palepb32.exe (command line: C:\Windows\system32\Palepb32.exe, level 102, PID 2836)
C:\Windows\SysWOW64\Phfmllbd.exe (command line: C:\Windows\system32\Phfmllbd.exe, level 103, PID 2852)
- Modifies registry class
C:\Windows\SysWOW64\Pckajebj.exe (command line: C:\Windows\system32\Pckajebj.exe, level 104, PID 2000)
C:\Windows\SysWOW64\Acfdnihk.exe (command line: C:\Windows\system32\Acfdnihk.exe, level 105, PID 1556)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Aknlofim.exe (command line: C:\Windows\system32\Aknlofim.exe, level 106, PID 2012)
C:\Windows\SysWOW64\Amohfo32.exe (command line: C:\Windows\system32\Amohfo32.exe, level 107, PID 280)
C:\Windows\SysWOW64\Aciqcifh.exe (command line: C:\Windows\system32\Aciqcifh.exe, level 108, PID 596)
C:\Windows\SysWOW64\Ajcipc32.exe (command line: C:\Windows\system32\Ajcipc32.exe, level 109, PID 1884)
C:\Windows\SysWOW64\Aqmamm32.exe (command line: C:\Windows\system32\Aqmamm32.exe, level 110, PID 1664)
- Modifies registry class
C:\Windows\SysWOW64\Afjjed32.exe (command line: C:\Windows\system32\Afjjed32.exe, level 111, PID 2088)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Aobnniji.exe (command line: C:\Windows\system32\Aobnniji.exe, level 112, PID 1576)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Aijbfo32.exe (command line: C:\Windows\system32\Aijbfo32.exe, level 113, PID 1596)
C:\Windows\SysWOW64\Aodkci32.exe (command line: C:\Windows\system32\Aodkci32.exe, level 114, PID 2728)
C:\Windows\SysWOW64\Bmhkmm32.exe (command line: C:\Windows\system32\Bmhkmm32.exe, level 115, PID 2516)
C:\Windows\SysWOW64\Bnihdemo.exe (command line: C:\Windows\system32\Bnihdemo.exe, level 116, PID 796)
C:\Windows\SysWOW64\Biolanld.exe (command line: C:\Windows\system32\Biolanld.exe, level 117, PID 2800)
C:\Windows\SysWOW64\Bkmhnjlh.exe (command line: C:\Windows\system32\Bkmhnjlh.exe, level 118, PID 1760)
C:\Windows\SysWOW64\Befmfpbi.exe (command line: C:\Windows\system32\Befmfpbi.exe, level 119, PID 2556)
- Drops file in System32 directory
C:\Windows\SysWOW64\Bkpeci32.exe (command line: C:\Windows\system32\Bkpeci32.exe, level 120, PID 600)
C:\Windows\SysWOW64\Bbjmpcab.exe (command line: C:\Windows\system32\Bbjmpcab.exe, level 121, PID 3064)
C:\Windows\SysWOW64\Behilopf.exe (command line: C:\Windows\system32\Behilopf.exe, level 122, PID 1616)