Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2023 00:20
Behavioral task behavioral1
Sample: NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe
Size: 112KB
MD5: 1ac84dec606479d463ed92c277a494c0
SHA1: 6b7bfc9941c869b1d61087d790d39fccb5ed5b7f
SHA256: 7f2cb75011cf6ba191fbecbc060bd05e5294eb55b07b54d72dd6c67331fbef14
SHA512: 3e95a53140b451c22de0668a0c4305b1da43ffd740153e7ed7e5b9454434f81384813567d7a3fc2391bc8b895839465602d4ec43d6961ed33f8def677f0ef755
SSDEEP: 3072:liIxt2JRHk+dqz0FkklTHXMQH2qC7ZQOlzSLUK6MwGsGnDc9o:gIfKm4y0FkSTHXMQWfdQOhwJ6MwGsw
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Ofjqihnn.exeC:\Windows\system32\Ofjqihnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Aplaoj32.exeC:\Windows\system32\Aplaoj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Fkemfl32.exeC:\Windows\system32\Fkemfl32.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Fdmaoahm.exeC:\Windows\system32\Fdmaoahm.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Fqdbdbna.exeC:\Windows\system32\Fqdbdbna.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\Fjmfmh32.exeC:\Windows\system32\Fjmfmh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Fbdnne32.exeC:\Windows\system32\Fbdnne32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Mhnjna32.exeC:\Windows\system32\Mhnjna32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Mohbjkgp.exeC:\Windows\system32\Mohbjkgp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668
C:\Windows\SysWOW64\Mebkge32.exeC:\Windows\system32\Mebkge32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Mahklf32.exeC:\Windows\system32\Mahklf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452
C:\Windows\SysWOW64\Nhbciqln.exeC:\Windows\system32\Nhbciqln.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Nchhfild.exeC:\Windows\system32\Nchhfild.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe4⤵
- Executes dropped EXE
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Ohncdobq.exeC:\Windows\system32\Ohncdobq.exe5⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5004 -
C:\Windows\SysWOW64\Ofdqcc32.exeC:\Windows\system32\Ofdqcc32.exe7⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4676 -
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe9⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe11⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3972 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3200 -
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe14⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe16⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe17⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe19⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe20⤵
- Executes dropped EXE
- Modifies registry class
PID:4556 -
C:\Windows\SysWOW64\Dmkcpdao.exeC:\Windows\system32\Dmkcpdao.exe21⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Dgdgijhp.exeC:\Windows\system32\Dgdgijhp.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4528 -
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe23⤵
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe24⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe25⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe26⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Egknji32.exeC:\Windows\system32\Egknji32.exe27⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe28⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Eljchpnl.exeC:\Windows\system32\Eljchpnl.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Egpgehnb.exeC:\Windows\system32\Egpgehnb.exe30⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe31⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Ecfhji32.exeC:\Windows\system32\Ecfhji32.exe32⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe33⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Fgijkgeh.exeC:\Windows\system32\Fgijkgeh.exe34⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe35⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe36⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Fneoma32.exeC:\Windows\system32\Fneoma32.exe37⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe38⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe39⤵
- Executes dropped EXE
PID:4624 -
C:\Windows\SysWOW64\Fdadpk32.exeC:\Windows\system32\Fdadpk32.exe40⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe41⤵
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe43⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Gfgjbb32.exeC:\Windows\system32\Gfgjbb32.exe44⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe45⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Gnanioad.exeC:\Windows\system32\Gnanioad.exe46⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe47⤵PID:3456
-
C:\Windows\SysWOW64\Gqagkjne.exeC:\Windows\system32\Gqagkjne.exe48⤵
- Modifies registry class
PID:4324 -
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4056 -
C:\Windows\SysWOW64\Hmhhpkcj.exeC:\Windows\system32\Hmhhpkcj.exe50⤵PID:3252
-
C:\Windows\SysWOW64\Hgnlmdcp.exeC:\Windows\system32\Hgnlmdcp.exe51⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe52⤵PID:3524
-
C:\Windows\SysWOW64\Hjoeoo32.exeC:\Windows\system32\Hjoeoo32.exe53⤵PID:5000
-
C:\Windows\SysWOW64\Hmpnqj32.exeC:\Windows\system32\Hmpnqj32.exe54⤵PID:4540
-
C:\Windows\SysWOW64\Hdicggla.exeC:\Windows\system32\Hdicggla.exe55⤵PID:5164
-
C:\Windows\SysWOW64\Icciccmd.exeC:\Windows\system32\Icciccmd.exe56⤵PID:5208
-
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe57⤵PID:5252
-
C:\Windows\SysWOW64\Inkjfk32.exeC:\Windows\system32\Inkjfk32.exe58⤵PID:5300
-
C:\Windows\SysWOW64\Icgbob32.exeC:\Windows\system32\Icgbob32.exe59⤵PID:5344
-
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe60⤵PID:5388
-
C:\Windows\SysWOW64\Jmpgghoo.exeC:\Windows\system32\Jmpgghoo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5432 -
C:\Windows\SysWOW64\Jcjodbgl.exeC:\Windows\system32\Jcjodbgl.exe62⤵PID:5488
-
C:\Windows\SysWOW64\Jmbdmg32.exeC:\Windows\system32\Jmbdmg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5532 -
C:\Windows\SysWOW64\Jfkhfmdm.exeC:\Windows\system32\Jfkhfmdm.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5576 -
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe65⤵PID:5624
-
C:\Windows\SysWOW64\Jfmekm32.exeC:\Windows\system32\Jfmekm32.exe66⤵PID:5672
-
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5724 -
C:\Windows\SysWOW64\Jglaepim.exeC:\Windows\system32\Jglaepim.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5764 -
C:\Windows\SysWOW64\Knifging.exeC:\Windows\system32\Knifging.exe69⤵PID:5808
-
C:\Windows\SysWOW64\Kceoppmo.exeC:\Windows\system32\Kceoppmo.exe70⤵PID:5848
-
C:\Windows\SysWOW64\Kjpgmj32.exeC:\Windows\system32\Kjpgmj32.exe71⤵PID:5892
-
C:\Windows\SysWOW64\Kdhlepkl.exeC:\Windows\system32\Kdhlepkl.exe72⤵PID:5932
-
C:\Windows\SysWOW64\Kallod32.exeC:\Windows\system32\Kallod32.exe73⤵PID:5976
-
C:\Windows\SysWOW64\Kdjhkp32.exeC:\Windows\system32\Kdjhkp32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6020 -
C:\Windows\SysWOW64\Kjdqhjpf.exeC:\Windows\system32\Kjdqhjpf.exe75⤵PID:6064
-
C:\Windows\SysWOW64\Kanidd32.exeC:\Windows\system32\Kanidd32.exe76⤵PID:6108
-
C:\Windows\SysWOW64\Kdmeqo32.exeC:\Windows\system32\Kdmeqo32.exe77⤵PID:5140
-
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe78⤵
- Drops file in System32 directory
PID:5196 -
C:\Windows\SysWOW64\Lelajb32.exeC:\Windows\system32\Lelajb32.exe79⤵PID:4428
-
C:\Windows\SysWOW64\Ljijci32.exeC:\Windows\system32\Ljijci32.exe80⤵PID:5324
-
C:\Windows\SysWOW64\Lacbpccn.exeC:\Windows\system32\Lacbpccn.exe81⤵PID:5396
-
C:\Windows\SysWOW64\Lhmjlm32.exeC:\Windows\system32\Lhmjlm32.exe82⤵
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Lmjcdd32.exeC:\Windows\system32\Lmjcdd32.exe83⤵PID:5552
-
C:\Windows\SysWOW64\Laglkb32.exeC:\Windows\system32\Laglkb32.exe84⤵
- Drops file in System32 directory
PID:5608 -
C:\Windows\SysWOW64\Lhdqml32.exeC:\Windows\system32\Lhdqml32.exe85⤵PID:5712
-
C:\Windows\SysWOW64\Mdmngm32.exeC:\Windows\system32\Mdmngm32.exe86⤵
- Modifies registry class
PID:5788 -
C:\Windows\SysWOW64\Mhkgnkoj.exeC:\Windows\system32\Mhkgnkoj.exe87⤵PID:5856
-
C:\Windows\SysWOW64\Mackfa32.exeC:\Windows\system32\Mackfa32.exe88⤵PID:5940
-
C:\Windows\SysWOW64\Meadlo32.exeC:\Windows\system32\Meadlo32.exe89⤵PID:6004
-
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe90⤵PID:6100
-
C:\Windows\SysWOW64\Nmlhaa32.exeC:\Windows\system32\Nmlhaa32.exe91⤵PID:5192
-
C:\Windows\SysWOW64\Nhbmnj32.exeC:\Windows\system32\Nhbmnj32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5296 -
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe93⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Nehjmnei.exeC:\Windows\system32\Nehjmnei.exe94⤵PID:5500
-
C:\Windows\SysWOW64\Ngifef32.exeC:\Windows\system32\Ngifef32.exe95⤵PID:1692
-
C:\Windows\SysWOW64\Naokbokn.exeC:\Windows\system32\Naokbokn.exe96⤵PID:4476
-
C:\Windows\SysWOW64\Nhicoi32.exeC:\Windows\system32\Nhicoi32.exe97⤵PID:5564
-
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe98⤵PID:5680
-
C:\Windows\SysWOW64\Noehac32.exeC:\Windows\system32\Noehac32.exe99⤵PID:5756
-
C:\Windows\SysWOW64\Odbpij32.exeC:\Windows\system32\Odbpij32.exe100⤵PID:5868
-
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe101⤵PID:2684
-
C:\Windows\SysWOW64\Oogdfc32.exeC:\Windows\system32\Oogdfc32.exe102⤵PID:6136
-
C:\Windows\SysWOW64\Oafacn32.exeC:\Windows\system32\Oafacn32.exe103⤵PID:5260
-
C:\Windows\SysWOW64\Okneldkf.exeC:\Windows\system32\Okneldkf.exe104⤵
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Oediim32.exeC:\Windows\system32\Oediim32.exe105⤵PID:4504
-
C:\Windows\SysWOW64\Okqbac32.exeC:\Windows\system32\Okqbac32.exe106⤵PID:1284
-
C:\Windows\SysWOW64\Okcogc32.exeC:\Windows\system32\Okcogc32.exe107⤵PID:5748
-
C:\Windows\SysWOW64\Ohgopgfj.exeC:\Windows\system32\Ohgopgfj.exe108⤵PID:5988
-
C:\Windows\SysWOW64\Pndhhnda.exeC:\Windows\system32\Pndhhnda.exe109⤵PID:6128
-
C:\Windows\SysWOW64\Philfgdh.exeC:\Windows\system32\Philfgdh.exe110⤵PID:5320
-
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe111⤵PID:4976
-
C:\Windows\SysWOW64\Pdpmkhjl.exeC:\Windows\system32\Pdpmkhjl.exe112⤵PID:2560
-
C:\Windows\SysWOW64\Pnhacn32.exeC:\Windows\system32\Pnhacn32.exe113⤵
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Phneqf32.exeC:\Windows\system32\Phneqf32.exe114⤵PID:5124
-
C:\Windows\SysWOW64\Pohnnqgo.exeC:\Windows\system32\Pohnnqgo.exe115⤵PID:2288
-
C:\Windows\SysWOW64\Pfbfjk32.exeC:\Windows\system32\Pfbfjk32.exe116⤵PID:5832
-
C:\Windows\SysWOW64\Pbifol32.exeC:\Windows\system32\Pbifol32.exe117⤵PID:5516
-
C:\Windows\SysWOW64\Pgeogb32.exeC:\Windows\system32\Pgeogb32.exe118⤵PID:5688
-
C:\Windows\SysWOW64\Qnpgdmjd.exeC:\Windows\system32\Qnpgdmjd.exe119⤵PID:5820
-
C:\Windows\SysWOW64\Qdipag32.exeC:\Windows\system32\Qdipag32.exe120⤵PID:5664
-
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6156 -
C:\Windows\SysWOW64\Qoocnpag.exeC:\Windows\system32\Qoocnpag.exe122⤵PID:6200
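The WriteProcessMemory table and the process tree are one data set read two ways: every table row is a parent writing into the child it has just spawned, and the rows for Mohbjkgp.exe (1668, writing into 2132) and Mahklf32.exe (2452, writing into 4372) show that the three top-level entries of the tree (the sample, Mebkge32.exe and Nhbciqln.exe) are one continuous chain that the renderer split. Two things are easy to miss when reading the report by hand: the sandbox prints each write event three times, and PID 32 appears twice in the tree, first as the sample and later as Cdebfago.exe, which means the sample had exited and Windows recycled its PID, not that a second copy of the sample ran. The Python below is an added example, not part of the report or of any sandbox tooling. It parses excerpts of the two sections in the raw one-line form the sandbox emits, de-duplicates the write events, follows the writer-to-target edges to rebuild the chain, lists the images tagged "Executes dropped EXE", and reports PIDs that carry more than one image name. The regular expressions and function names are mine; the excerpted rows are copied from the report.

```python
import re

# Rows excerpted from the report's "Suspicious use of WriteProcessMemory" table, in the
# raw one-line form the sandbox emits (each event really is listed three times there).
WPM_TEXT = """
PID 32 wrote to memory of 1176 32 NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe 90
PID 32 wrote to memory of 1176 32 NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe 90
PID 32 wrote to memory of 1176 32 NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe 90
PID 1176 wrote to memory of 3508 1176 Glgjlm32.exe 91
PID 1176 wrote to memory of 3508 1176 Glgjlm32.exe 91
PID 1176 wrote to memory of 3508 1176 Glgjlm32.exe 91
PID 3508 wrote to memory of 1860 3508 Gmggfp32.exe 92
PID 3508 wrote to memory of 1860 3508 Gmggfp32.exe 92
PID 3508 wrote to memory of 1860 3508 Gmggfp32.exe 92
PID 1860 wrote to memory of 5096 1860 Gdaociml.exe 93
PID 1860 wrote to memory of 5096 1860 Gdaociml.exe 93
PID 1860 wrote to memory of 5096 1860 Gdaociml.exe 93
"""

# Rows excerpted from the report's process tree: image path and command line run together,
# a nesting depth, the arrow marker, then signature bullets and the PID on following lines
# (the PID sits on the same line when the process has no signatures).
TREE_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1ac84dec606479d463ed92c277a494c0_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe14⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Gqokekph.exeC:\Windows\system32\Gqokekph.exe47⤵PID:3456
"""

# Table columns: writer pid, target pid, writer pid again, writer image, sandbox procid_target.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# Tree row: image path, optional quote, command line, optional quote, depth, arrow, optional PID.
PROC_RE = re.compile(r'^(C:\\[^"⤵]+?\.exe)"?(C:\\[^"⤵]+?\.exe)"?(\d+)⤵(?:PID:(\d+))?')
PID_RE = re.compile(r"^PID:(\d+)")
SIG_RE = re.compile(r"^- (.+?)\s*$")


def parse_wpm(text):
    """Collapse the repeated table rows into {(writer_pid, target_pid, writer_image): count}."""
    counts = {}
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)), m.group(3))
            counts[key] = counts.get(key, 0) + 1
    return counts


def injection_chain(counts, root_pid):
    """Follow writer -> target edges from root_pid and return [(pid, image), ...].
    The last target never writes anywhere in the table, so its image is None here;
    the tree is where its name comes from. Each writer in this report has one target."""
    next_hop = {writer: (target, image) for (writer, target, image) in counts}
    chain, pid, seen = [], root_pid, set()
    while pid in next_hop and pid not in seen:
        seen.add(pid)  # a recycled PID could otherwise make the walk loop
        target, image = next_hop[pid]
        chain.append((pid, image))
        pid = target
    chain.append((pid, None))
    return chain


def parse_tree(text):
    """Parse tree rows into dicts with image, cmdline, depth, pid and signature list."""
    procs, current = [], None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = {"image": m.group(1), "cmdline": m.group(2),
                       "depth": int(m.group(3)), "pid": None, "signatures": []}
            procs.append(current)
            if m.group(4):  # PID printed inline: no signature bullets follow
                current["pid"] = int(m.group(4))
                current = None
            continue
        if current is None:
            continue
        m = SIG_RE.match(line)
        if m:
            current["signatures"].append(m.group(1))
            continue
        m = PID_RE.match(line)
        if m:
            current["pid"] = int(m.group(1))
            current = None
    return procs


def dropped_images(procs):
    """Full paths of every process the sandbox tagged 'Executes dropped EXE'."""
    return sorted({p["image"] for p in procs if "Executes dropped EXE" in p["signatures"]})


def pid_reuse(procs):
    """PIDs that carry more than one image name. The earlier process had exited and
    Windows recycled its PID, so the two tree entries are different processes."""
    by_pid = {}
    for p in procs:
        if p["pid"] is None:
            continue
        name = p["image"].rsplit("\\", 1)[-1]
        names = by_pid.setdefault(p["pid"], [])
        if name not in names:
            names.append(name)
    return {pid: names for pid, names in by_pid.items() if len(names) > 1}


if __name__ == "__main__":
    counts = parse_wpm(WPM_TEXT)
    for (writer, target, image), n in counts.items():
        print(f"{writer} -> {target} by {image} ({n} events)")
    print("chain:", " -> ".join(str(pid) for pid, _ in injection_chain(counts, 32)))
    procs = parse_tree(TREE_TEXT)
    print("dropped:", dropped_images(procs))
    print("pid reuse:", pid_reuse(procs))
```

Paste the full table and tree into WPM_TEXT and TREE_TEXT to run it over the whole report. The depth number is only the renderer's nesting level and restarts at 1 at each split, so order processes by the writer-to-target chain rather than by depth. A parent writing into a child it has just created is also what some legitimate launchers do; what stands out in this report is that every writer after the sample is itself a freshly dropped EXE in C:\Windows\SysWOW64 that then spawns and writes into the next one.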