Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
02/11/2023, 16:46
Behavioral task
behavioral1
Sample
NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe
Resource
win7-20231025-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe
-
Size
112KB
-
MD5
9d370805b77c0ddb6de933e42e1c03e0
-
SHA1
5e3d22973bdb7a3766aa63073d3ba22eb29e2466
-
SHA256
9583eb5e86e1c94d6846e0d8a735d20418fcb8679d2e612b403f741c27dabebf
-
SHA512
4972ff3d6148b34c94b496bd3bf9c400815a6a4f166ca04c77970f61e7cf2dba0d7b8bbbaef9323005ef3472f4d8d8cabbc40ab8dc2707daaf4bcf47c63eb177
-
SSDEEP
3072:GkDMakNQHuMQH2qC7ZQOlzSLUK6MwGsGnDc9o:pvkNQHuMQWfdQOhwJ6MwGsw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oepjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aepbmhpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgkfbbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keednado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnblhddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmlniea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edmkei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pajeanhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpcnonob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blqmid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lidgcclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbcelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigkel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odqlhjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdfjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meppiblm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkfceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdkcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chgnneiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjddgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijqjgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnmialh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khgkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fogdap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okhgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicpcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odqlhjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkiebib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfaeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfddp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phledp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmnghfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inepgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfjnkne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiakgcnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeoeclek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqjhcfpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fobkfqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedhgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hecebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkgocpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baadng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnbojmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecbfkpfk.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1824-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0009000000012024-5.dat family_berbew behavioral1/memory/1824-6-0x00000000003A0000-0x00000000003E1000-memory.dmp family_berbew behavioral1/files/0x0009000000012024-8.dat family_berbew behavioral1/files/0x0009000000012024-9.dat family_berbew behavioral1/files/0x0009000000012024-14.dat family_berbew behavioral1/files/0x0009000000012024-12.dat family_berbew behavioral1/files/0x0008000000014123-26.dat family_berbew behavioral1/files/0x0008000000014123-23.dat family_berbew behavioral1/files/0x0008000000014123-22.dat family_berbew behavioral1/memory/2788-21-0x00000000002C0000-0x0000000000301000-memory.dmp family_berbew behavioral1/files/0x0008000000014123-19.dat family_berbew behavioral1/memory/2788-31-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0008000000014123-27.dat family_berbew behavioral1/files/0x0007000000014144-34.dat family_berbew behavioral1/memory/2656-36-0x00000000002D0000-0x0000000000311000-memory.dmp family_berbew behavioral1/files/0x0007000000014144-38.dat family_berbew behavioral1/files/0x0007000000014144-37.dat family_berbew behavioral1/files/0x0007000000014144-41.dat family_berbew behavioral1/files/0x0007000000014144-42.dat family_berbew behavioral1/files/0x000700000001421b-49.dat family_berbew behavioral1/files/0x000700000001421b-47.dat family_berbew behavioral1/files/0x000700000001421b-53.dat family_berbew behavioral1/memory/2772-54-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000700000001421b-50.dat family_berbew behavioral1/files/0x000700000001421b-55.dat family_berbew behavioral1/files/0x0009000000014482-64.dat family_berbew behavioral1/memory/2772-67-0x0000000000270000-0x00000000002B1000-memory.dmp family_berbew behavioral1/files/0x0009000000014482-69.dat family_berbew behavioral1/files/0x0009000000014482-68.dat family_berbew behavioral1/files/0x0009000000014482-63.dat family_berbew behavioral1/memory/1824-62-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0009000000014482-60.dat family_berbew behavioral1/files/0x0006000000014490-74.dat family_berbew behavioral1/memory/2676-87-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000600000001463e-88.dat family_berbew behavioral1/files/0x0006000000014490-82.dat family_berbew behavioral1/files/0x0006000000014490-81.dat family_berbew behavioral1/files/0x0006000000014490-77.dat family_berbew behavioral1/files/0x0006000000014490-76.dat family_berbew behavioral1/files/0x000600000001463e-91.dat family_berbew behavioral1/files/0x000600000001463e-96.dat family_berbew behavioral1/memory/2656-103-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00060000000146ce-105.dat family_berbew behavioral1/files/0x00060000000146ce-110.dat family_berbew behavioral1/memory/2892-115-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000014958-116.dat family_berbew behavioral1/files/0x00060000000146ce-109.dat family_berbew behavioral1/memory/2492-108-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00060000000146ce-104.dat family_berbew behavioral1/files/0x00060000000146ce-101.dat family_berbew behavioral1/memory/2580-95-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000014958-119.dat family_berbew behavioral1/memory/1872-127-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000014ad4-125.dat family_berbew behavioral1/files/0x0006000000014958-123.dat family_berbew behavioral1/memory/1520-141-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000014ad4-136.dat family_berbew behavioral1/files/0x0006000000014ad4-135.dat family_berbew behavioral1/files/0x0006000000014ad4-131.dat family_berbew behavioral1/files/0x0006000000014ad4-129.dat family_berbew behavioral1/files/0x0006000000014958-122.dat family_berbew behavioral1/files/0x0006000000014958-118.dat family_berbew behavioral1/files/0x000600000001463e-90.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2788 Jnicmdli.exe 2656 Jkoplhip.exe 2320 Jgfqaiod.exe 2772 Jghmfhmb.exe 2676 Kmefooki.exe 2580 Kfmjgeaj.exe 2492 Kkjcplpa.exe 2892 Kincipnk.exe 1872 Keednado.exe 1520 Knmhgf32.exe 1928 Kegqdqbl.exe 2844 Lclnemgd.exe 1648 Ljffag32.exe 1768 Lcojjmea.exe 564 Lpekon32.exe 1268 Lmikibio.exe 628 Lphhenhc.exe 2036 Ljmlbfhi.exe 2236 Legmbd32.exe 2452 Mlaeonld.exe 1812 Mffimglk.exe 932 Moanaiie.exe 2324 Mhjbjopf.exe 548 Modkfi32.exe 2108 Mabgcd32.exe 1596 Meppiblm.exe 2172 Magqncba.exe 2216 Nhaikn32.exe 2708 Nibebfpl.exe 2920 Nckjkl32.exe 2672 Nmpnhdfc.exe 2572 Ndjfeo32.exe 3008 Nmbknddp.exe 2864 Ngkogj32.exe 2980 Nhllob32.exe 1532 Npccpo32.exe 1560 Nadpgggp.exe 2808 Nilhhdga.exe 2860 Nkmdpm32.exe 1760 Odeiibdq.exe 1200 Okoafmkm.exe 2020 Oaiibg32.exe 1188 Ohcaoajg.exe 2012 Oalfhf32.exe 2084 Pcdipnqn.exe 1436 Pomfkndo.exe 440 Pkfceo32.exe 296 Aaheie32.exe 1324 Acfaeq32.exe 2016 Amnfnfgg.exe 868 Agdjkogm.exe 860 Agfgqo32.exe 2420 Ajecmj32.exe 2780 Abphal32.exe 2816 Amelne32.exe 3032 Abbeflpf.exe 2072 Bilmcf32.exe 1964 Bbdallnd.exe 2380 Bphbeplm.exe 2344 Bbgnak32.exe 1136 Biafnecn.exe 1936 Bonoflae.exe 324 Bbikgk32.exe 1344 Bdkgocpm.exe -
Loads dropped DLL 64 IoCs
pid Process 1824 NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe 1824 NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe 2788 Jnicmdli.exe 2788 Jnicmdli.exe 2656 Jkoplhip.exe 2656 Jkoplhip.exe 2320 Jgfqaiod.exe 2320 Jgfqaiod.exe 2772 Jghmfhmb.exe 2772 Jghmfhmb.exe 2676 Kmefooki.exe 2676 Kmefooki.exe 2580 Kfmjgeaj.exe 2580 Kfmjgeaj.exe 2492 Kkjcplpa.exe 2492 Kkjcplpa.exe 2892 Kincipnk.exe 2892 Kincipnk.exe 1872 Keednado.exe 1872 Keednado.exe 1520 Knmhgf32.exe 1520 Knmhgf32.exe 1928 Kegqdqbl.exe 1928 Kegqdqbl.exe 2844 Lclnemgd.exe 2844 Lclnemgd.exe 1648 Ljffag32.exe 1648 Ljffag32.exe 1768 Lcojjmea.exe 1768 Lcojjmea.exe 564 Lpekon32.exe 564 Lpekon32.exe 1268 Lmikibio.exe 1268 Lmikibio.exe 628 Lphhenhc.exe 628 Lphhenhc.exe 2036 Ljmlbfhi.exe 2036 Ljmlbfhi.exe 2236 Legmbd32.exe 2236 Legmbd32.exe 2452 Mlaeonld.exe 2452 Mlaeonld.exe 1812 Mffimglk.exe 1812 Mffimglk.exe 932 Moanaiie.exe 932 Moanaiie.exe 2324 Mhjbjopf.exe 2324 Mhjbjopf.exe 548 Modkfi32.exe 548 Modkfi32.exe 2108 Mabgcd32.exe 2108 Mabgcd32.exe 1596 Meppiblm.exe 1596 Meppiblm.exe 2172 Magqncba.exe 2172 Magqncba.exe 2216 Nhaikn32.exe 2216 Nhaikn32.exe 2708 Nibebfpl.exe 2708 Nibebfpl.exe 2920 Nckjkl32.exe 2920 Nckjkl32.exe 2672 Nmpnhdfc.exe 2672 Nmpnhdfc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hjleia32.dll Fijbco32.exe File opened for modification C:\Windows\SysWOW64\Elhnof32.exe Ejjbbkpj.exe File created C:\Windows\SysWOW64\Oemgplgo.exe Oococb32.exe File created C:\Windows\SysWOW64\Eaphjp32.exe Eoblnd32.exe File created C:\Windows\SysWOW64\Ofcqcp32.exe Opihgfop.exe File created C:\Windows\SysWOW64\Eikfdl32.exe Ebqngb32.exe File created C:\Windows\SysWOW64\Kcadppco.dll Klecfkff.exe File created C:\Windows\SysWOW64\Leegbnan.exe Lbgkfbbj.exe File created C:\Windows\SysWOW64\Hjqqap32.exe Hhbdee32.exe File opened for modification C:\Windows\SysWOW64\Lmdkcl32.exe Kceqjhiq.exe File opened for modification C:\Windows\SysWOW64\Noljjglk.exe Nlnnnk32.exe File opened for modification C:\Windows\SysWOW64\Lnkege32.exe Lljipmdl.exe File created C:\Windows\SysWOW64\Mjkibehc.exe Mcaafk32.exe File created C:\Windows\SysWOW64\Aljjjb32.exe Aepbmhpl.exe File created C:\Windows\SysWOW64\Negpnjgm.dll Mlaeonld.exe File created C:\Windows\SysWOW64\Bdkbmk32.dll Hoebpc32.exe File created C:\Windows\SysWOW64\Lhiddoph.exe Lekghdad.exe File created C:\Windows\SysWOW64\Jeaahk32.exe Jbcelp32.exe File opened for modification C:\Windows\SysWOW64\Nkaane32.exe Naimepkp.exe File opened for modification C:\Windows\SysWOW64\Occlcg32.exe Odqlhjbi.exe File opened for modification C:\Windows\SysWOW64\Nhlgmd32.exe Nenkqi32.exe File created C:\Windows\SysWOW64\Peeoidik.exe Pmnghfhi.exe File created C:\Windows\SysWOW64\Jkfpjf32.exe Jfjhbo32.exe File opened for modification C:\Windows\SysWOW64\Gmhkin32.exe Fccglehn.exe File created C:\Windows\SysWOW64\Jjhgbd32.exe Jgjkfi32.exe File created C:\Windows\SysWOW64\Efnodd32.dll Nojnql32.exe File opened for modification C:\Windows\SysWOW64\Enqfco32.exe Elpjkgip.exe File opened for modification C:\Windows\SysWOW64\Nfdddm32.exe Nnmlcp32.exe File created C:\Windows\SysWOW64\Cmmcpi32.exe Ciagojda.exe File opened for modification C:\Windows\SysWOW64\Dhbdleol.exe Dpklkgoj.exe File created C:\Windows\SysWOW64\Nbpqmfmd.exe Nndemg32.exe File created C:\Windows\SysWOW64\Pmnghfhi.exe Pllkpn32.exe File opened for modification C:\Windows\SysWOW64\Dcjaeamd.exe Cmqihg32.exe File created C:\Windows\SysWOW64\Kjbgng32.dll Nmpnhdfc.exe File opened for modification C:\Windows\SysWOW64\Pllkpn32.exe Pebbcdkn.exe File opened for modification C:\Windows\SysWOW64\Gnbjlpom.exe Gifaciae.exe File created C:\Windows\SysWOW64\Hmbndmkb.exe Hgeelf32.exe File opened for modification C:\Windows\SysWOW64\Bqmpdioa.exe Bolcma32.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Eppefg32.exe File opened for modification C:\Windows\SysWOW64\Mjkibehc.exe Mcaafk32.exe File created C:\Windows\SysWOW64\Anbmbi32.exe Alaqjaaa.exe File created C:\Windows\SysWOW64\Eomgdlji.dll Ejfbfo32.exe File created C:\Windows\SysWOW64\Fcbbjcif.exe Fmhjni32.exe File created C:\Windows\SysWOW64\Bhdbmf32.dll Qfonkfqd.exe File created C:\Windows\SysWOW64\Cadjgf32.exe Cpcnonob.exe File opened for modification C:\Windows\SysWOW64\Ofdeeb32.exe Ocfiif32.exe File created C:\Windows\SysWOW64\Opdnpmio.dll Ofgbkacb.exe File created C:\Windows\SysWOW64\Iakino32.exe Ijaaae32.exe File created C:\Windows\SysWOW64\Bdcnhk32.exe Beldao32.exe File created C:\Windows\SysWOW64\Foblaefj.exe Fmdpejgf.exe File opened for modification C:\Windows\SysWOW64\Ggbjag32.exe Gqhadmhc.exe File opened for modification C:\Windows\SysWOW64\Nlnnnk32.exe Medeaaej.exe File opened for modification C:\Windows\SysWOW64\Aeidgbaf.exe Aojojl32.exe File created C:\Windows\SysWOW64\Hjaeba32.exe Hffibceh.exe File opened for modification C:\Windows\SysWOW64\Qfikod32.exe Pegnglnm.exe File created C:\Windows\SysWOW64\Elpjkgip.exe Edhbjjhn.exe File created C:\Windows\SysWOW64\Ejgemkbm.exe Eobapbbg.exe File created C:\Windows\SysWOW64\Akafaiao.dll Nenkqi32.exe File opened for modification C:\Windows\SysWOW64\Mokdja32.exe Mhalngad.exe File created C:\Windows\SysWOW64\Ciagojda.exe Cbgobp32.exe File opened for modification C:\Windows\SysWOW64\Fggmldfp.exe Fakdcnhh.exe File created C:\Windows\SysWOW64\Nomkfk32.exe Nhbciaki.exe File created C:\Windows\SysWOW64\Mfhdke32.dll Pmqffonj.exe File created C:\Windows\SysWOW64\Oackeakj.dll Nhllob32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgcmbcih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncmib32.dll" Abgaeddg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll" Hgqlafap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdkjmip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kincipnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lahmbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehcbd32.dll" Mhcfjnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fegjgkla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpcpnokb.dll" Idohdhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mamipckp.dll" Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihceebkc.dll" Encchoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gicdnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimemp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoqjqhjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncgbkki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnqfgce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnojacgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ommfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daeclf32.dll" Ajehnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfqdk32.dll" Fakdcnhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eannmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfgipmk.dll" Iianmlfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjndlqal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll" Nfdddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkaejba.dll" Bmlbaqfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll" Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjgcb32.dll" Lnlnlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfkfkopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mghfdcdi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" Hffibceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfbjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaggak32.dll" Idmlniea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfkcopd.dll" Pkjphcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeomnifk.dll" Bedhgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbefefec.dll" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedpgc32.dll" Dghjkpck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjknmf32.dll" Bjmbqhif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhccm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loaokjjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oplgeoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcjmmdbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhkopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgiqf32.dll" Pclhdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpjpn32.dll" Aapemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll" Aebmjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbgcj32.dll" Deahcneh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjoohi32.dll" Hhaanh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1824 wrote to memory of 2788 1824 NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe 28 PID 1824 wrote to memory of 2788 1824 NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe 28 PID 1824 wrote to memory of 2788 1824 NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe 28 PID 1824 wrote to memory of 2788 1824 NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe 28 PID 2788 wrote to memory of 2656 2788 Jnicmdli.exe 29 PID 2788 wrote to memory of 2656 2788 Jnicmdli.exe 29 PID 2788 wrote to memory of 2656 2788 Jnicmdli.exe 29 PID 2788 wrote to memory of 2656 2788 Jnicmdli.exe 29 PID 2656 wrote to memory of 2320 2656 Jkoplhip.exe 30 PID 2656 wrote to memory of 2320 2656 Jkoplhip.exe 30 PID 2656 wrote to memory of 2320 2656 Jkoplhip.exe 30 PID 2656 wrote to memory of 2320 2656 Jkoplhip.exe 30 PID 2320 wrote to memory of 2772 2320 Jgfqaiod.exe 31 PID 2320 wrote to memory of 2772 2320 Jgfqaiod.exe 31 PID 2320 wrote to memory of 2772 2320 Jgfqaiod.exe 31 PID 2320 wrote to memory of 2772 2320 Jgfqaiod.exe 31 PID 2772 wrote to memory of 2676 2772 Jghmfhmb.exe 32 PID 2772 wrote to memory of 2676 2772 Jghmfhmb.exe 32 PID 2772 wrote to memory of 2676 2772 Jghmfhmb.exe 32 PID 2772 wrote to memory of 2676 2772 Jghmfhmb.exe 32 PID 2676 wrote to memory of 2580 2676 Kmefooki.exe 34 PID 2676 wrote to memory of 2580 2676 Kmefooki.exe 34 PID 2676 wrote to memory of 2580 2676 Kmefooki.exe 34 PID 2676 wrote to memory of 2580 2676 Kmefooki.exe 34 PID 2580 wrote to memory of 2492 2580 Kfmjgeaj.exe 33 PID 2580 wrote to memory of 2492 2580 Kfmjgeaj.exe 33 PID 2580 wrote to memory of 2492 2580 Kfmjgeaj.exe 33 PID 2580 wrote to memory of 2492 2580 Kfmjgeaj.exe 33 PID 2492 wrote to memory of 2892 2492 Kkjcplpa.exe 37 PID 2492 wrote to memory of 2892 2492 Kkjcplpa.exe 37 PID 2492 wrote to memory of 2892 2492 Kkjcplpa.exe 37 PID 2492 wrote to memory of 2892 2492 Kkjcplpa.exe 37 PID 2892 wrote to memory of 1872 2892 Kincipnk.exe 35 PID 2892 wrote to memory of 1872 2892 Kincipnk.exe 35 PID 2892 wrote to memory of 1872 2892 Kincipnk.exe 35 PID 2892 wrote to memory of 1872 2892 Kincipnk.exe 35 PID 1872 wrote to memory of 1520 1872 Keednado.exe 36 PID 1872 wrote to memory of 1520 1872 Keednado.exe 36 PID 1872 wrote to memory of 1520 1872 Keednado.exe 36 PID 1872 wrote to memory of 1520 1872 Keednado.exe 36 PID 1520 wrote to memory of 1928 1520 Knmhgf32.exe 38 PID 1520 wrote to memory of 1928 1520 Knmhgf32.exe 38 PID 1520 wrote to memory of 1928 1520 Knmhgf32.exe 38 PID 1520 wrote to memory of 1928 1520 Knmhgf32.exe 38 PID 1928 wrote to memory of 2844 1928 Kegqdqbl.exe 39 PID 1928 wrote to memory of 2844 1928 Kegqdqbl.exe 39 PID 1928 wrote to memory of 2844 1928 Kegqdqbl.exe 39 PID 1928 wrote to memory of 2844 1928 Kegqdqbl.exe 39 PID 2844 wrote to memory of 1648 2844 Lclnemgd.exe 40 PID 2844 wrote to memory of 1648 2844 Lclnemgd.exe 40 PID 2844 wrote to memory of 1648 2844 Lclnemgd.exe 40 PID 2844 wrote to memory of 1648 2844 Lclnemgd.exe 40 PID 1648 wrote to memory of 1768 1648 Ljffag32.exe 41 PID 1648 wrote to memory of 1768 1648 Ljffag32.exe 41 PID 1648 wrote to memory of 1768 1648 Ljffag32.exe 41 PID 1648 wrote to memory of 1768 1648 Ljffag32.exe 41 PID 1768 wrote to memory of 564 1768 Lcojjmea.exe 42 PID 1768 wrote to memory of 564 1768 Lcojjmea.exe 42 PID 1768 wrote to memory of 564 1768 Lcojjmea.exe 42 PID 1768 wrote to memory of 564 1768 Lcojjmea.exe 42 PID 564 wrote to memory of 1268 564 Lpekon32.exe 45 PID 564 wrote to memory of 1268 564 Lpekon32.exe 45 PID 564 wrote to memory of 1268 564 Lpekon32.exe 45 PID 564 wrote to memory of 1268 564 Lpekon32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.9d370805b77c0ddb6de933e42e1c03e0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Jkoplhip.exeC:\Windows\system32\Jkoplhip.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Kmefooki.exeC:\Windows\system32\Kmefooki.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892
-
-
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe15⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe16⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe17⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe19⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe20⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe21⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe22⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe23⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe24⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe25⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Ohcaoajg.exeC:\Windows\system32\Ohcaoajg.exe26⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe27⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe28⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe29⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe31⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe33⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe34⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe35⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe36⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe37⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe38⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Abbeflpf.exeC:\Windows\system32\Abbeflpf.exe39⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe40⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe41⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe42⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe43⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe44⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe45⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe46⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe48⤵PID:2120
-
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe49⤵PID:2952
-
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe51⤵PID:2984
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe52⤵PID:1180
-
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe53⤵PID:1448
-
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe54⤵PID:2212
-
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe55⤵PID:1728
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe56⤵PID:1288
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe57⤵PID:2588
-
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe58⤵PID:2636
-
C:\Windows\SysWOW64\Chfpoeja.exeC:\Windows\system32\Chfpoeja.exe59⤵PID:2760
-
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe60⤵PID:2092
-
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe61⤵PID:2524
-
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe62⤵PID:1580
-
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe63⤵PID:2796
-
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe64⤵PID:748
-
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe65⤵PID:112
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe66⤵PID:2044
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe67⤵PID:1076
-
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe68⤵PID:2356
-
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe69⤵PID:2128
-
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe70⤵PID:1924
-
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe71⤵PID:1808
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe72⤵PID:1548
-
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe73⤵PID:1676
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe74⤵PID:1668
-
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe75⤵PID:1688
-
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe76⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe77⤵PID:2612
-
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe78⤵PID:2536
-
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe79⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe80⤵PID:2884
-
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe82⤵PID:1720
-
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe83⤵PID:476
-
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe84⤵PID:2052
-
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe85⤵PID:1420
-
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe86⤵PID:2800
-
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe87⤵PID:2144
-
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe88⤵PID:2184
-
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe89⤵PID:2936
-
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe90⤵PID:1788
-
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe91⤵PID:604
-
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe92⤵PID:2244
-
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe93⤵PID:2312
-
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe94⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe95⤵PID:2728
-
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe96⤵PID:2748
-
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe97⤵PID:2504
-
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe98⤵PID:3024
-
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe99⤵PID:1864
-
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe100⤵PID:2568
-
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe101⤵PID:2836
-
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe102⤵
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe103⤵PID:2204
-
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe104⤵PID:1468
-
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe105⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe106⤵PID:1748
-
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe107⤵PID:560
-
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe108⤵PID:1540
-
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe109⤵PID:1312
-
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe110⤵PID:2652
-
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe111⤵PID:2896
-
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe112⤵PID:2628
-
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe113⤵
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe114⤵PID:2408
-
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe115⤵PID:2736
-
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe116⤵
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe117⤵PID:2332
-
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe118⤵PID:1472
-
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe119⤵PID:816
-
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe120⤵PID:1044
-
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe121⤵PID:1156
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-