Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 02/11/2023, 03:01
Behavioral task behavioral1
Sample: NEAS.ed602e58544b96a97d4dcaf61d84b810_JC.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: NEAS.ed602e58544b96a97d4dcaf61d84b810_JC.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.ed602e58544b96a97d4dcaf61d84b810_JC.exe
Size: 109KB
MD5: ed602e58544b96a97d4dcaf61d84b810
SHA1: 5bffac9a342988892ec398ddea7fd946de9d7a96
SHA256: cbdebd60978060bbd24b9738834e476d7d03b9d4b72947983cc3a89fe0cce4fa
SHA512: c0ec33ce495cd885d87d865c75dbfc16d1b368e2ec1ad4d0d3054567f888c9accf46806ef56a75de90ef281b129e61056148cab8ee31868c889b9e5f4983ad97
SSDEEP: 3072:th5XyXc1VCdUmBOJbZTSLGXr8fo3PXl9Z7S/yCsKh2EzZA/z:D5XyermBy9B7go35e/yCthvUz
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 2408, pid_target 1396, Process WerFault.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ed602e58544b96a97d4dcaf61d84b810_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ed602e58544b96a97d4dcaf61d84b810_JC.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1032
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Qbplbi32.exeC:\Windows\system32\Qbplbi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Ackkppma.exeC:\Windows\system32\Ackkppma.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe20⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe22⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe23⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe24⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe26⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe27⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe28⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe29⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe31⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Chkmkacq.exeC:\Windows\system32\Chkmkacq.exe33⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe34⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe35⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe36⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe37⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe38⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe40⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe41⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe43⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe44⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe45⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe46⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe47⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe48⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe49⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe50⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe51⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe53⤵PID:2328
-
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe54⤵PID:2636
-
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe55⤵PID:2740
-
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe56⤵PID:2292
-
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe57⤵PID:2584
-
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe58⤵PID:2496
-
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe59⤵
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe60⤵PID:1088
-
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe61⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe62⤵PID:1812
-
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe63⤵
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe64⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe65⤵PID:2000
-
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe66⤵PID:2416
-
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe67⤵PID:1468
-
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe68⤵PID:1632
-
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe69⤵PID:2140
-
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe70⤵PID:1832
-
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe73⤵PID:2424
-
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe74⤵PID:1780
-
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe75⤵PID:1668
-
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe76⤵PID:2260
-
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe77⤵PID:1532
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe78⤵PID:2576
-
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe79⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe80⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe81⤵PID:2600
-
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe82⤵PID:2528
-
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe83⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe84⤵PID:2984
-
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe85⤵PID:1612
-
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe86⤵PID:288
-
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe87⤵PID:1944
-
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe89⤵PID:1988
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe90⤵PID:1820
-
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe91⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe93⤵PID:2040
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe95⤵PID:692
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe96⤵PID:948
-
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe97⤵PID:2900
-
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe98⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe99⤵PID:2028
-
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2996 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe101⤵PID:2776
-
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe104⤵PID:2660
-
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe105⤵PID:2944
-
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe106⤵PID:1064
-
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe107⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe109⤵PID:1796
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe110⤵PID:2812
-
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe111⤵PID:2268
-
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe112⤵PID:1824
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe113⤵PID:2468
-
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe114⤵
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe115⤵PID:1720
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe116⤵PID:2064
-
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe117⤵PID:2444
-
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe118⤵PID:1600
-
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe119⤵PID:2764
-
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe120⤵PID:2488
-
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe121⤵PID:2572
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe122⤵
- Modifies registry class
PID:2964