Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2023, 13:53
Behavioral task: behavioral1
Sample: NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe
Size: 197KB
MD5: 498e07fa45bb1c4f790de6b1ee68b9d0
SHA1: a8c53ba73e0a044c90249161ef460031e33a7e55
SHA256: 73c9e08b90325642185b613faad09395288c70b4011da0b4fccd6d59f5392a4d
SHA512: eaa33fa3d2e219173251570a148baf05887eaa679639318a8f20487073191278bacfe05a0c686e48638dcd10f47c16fe6be1bc7b9b4365b6a2dd9ffa7e47130a
SSDEEP: 6144:5UOadp4Rg4fQkjxqvak+PH/RARMHGb3fJt4X:zG+K4IyxqCfRARR6
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kklikejc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kklikejc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eoiiijcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neknki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bccmmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbkbgjcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpnkbpdd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lldmleam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bajomhbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlpeij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khiccj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eaeipfei.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akabgebj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abmgjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oeeecekc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bccmmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fgiepced.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcckcbgp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agolnbok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eogjka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgncfcaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgnpeg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjcppidk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifjlcmmj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmbknddp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njfjnpgp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phnpagdp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhjlli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkebjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abeemhkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibejdjln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imahkg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcgphp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmlmic32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okdkal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkgippgb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nadpgggp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dddfdejn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gifclb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihpfgalh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Klngkfge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qndkpmkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmpnhdfc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdaheq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fjlkgn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffcllo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfmbek32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfdenafn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djdgic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Okdkal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbjlaplk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihniaa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npjlhcmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fncmmmma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhdjgoha.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Golbnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nefdpjkl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onfoin32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgjccb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgiepced.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnjbeh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpnmgdli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahbekjcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Becnhgmg.exe
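What this signature records is ShellServiceObjectDelayLoad (SSODL) persistence: the sample writes a value named "Web Event Logger" whose data is a CLSID, and explorer.exe instantiates every CLSID listed under that key at logon. The CLSID only becomes a payload once it is registered as a COM server, which is what the "Modifies registry class" section further down shows: HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-...}\InProcServer32 is pointed at a DLL the sample dropped into SysWOW64 (Fhbhji32.dll, Hhhgcm32.dll and others), so Explorer ends up loading that DLL in-process. The sample is 32-bit, which is why everything lands under Wow6432Node on this x64 image; on a 32-bit host the same entries sit under the plain keys. The PowerShell below is an added hunt script, not part of the sandbox report: it walks both SSODL views, resolves each CLSID to its InProcServer32 DLL in both Classes views, and flags the CLSID from this report, dangling registrations, missing files and DLLs without a valid Authenticode signature. The flag wording and function names are mine.

```powershell
# Added example (not part of the sandbox report): hunt for ShellServiceObjectDelayLoad
# (SSODL) persistence of the kind this sample uses. Run in an elevated PowerShell on the
# host under investigation. The CLSID below is the one the report observed; everything
# else is generic.
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

# Native view plus the WOW64 view: a 32-bit sample on x64 (as in this report) writes to
# the Wow6432Node keys, while on a 32-bit host the same entries land under the plain keys.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Resolve-InProcServer32 {
    # Map a CLSID to the DLL explorer.exe would load for it. A 32-bit COM server is
    # registered under Classes\Wow6432Node, so both views are checked.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $base "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            [pscustomobject]@{
                RegistryKey    = $key
                Dll            = [string]$props.'(default)'   # unnamed value = DLL path
                ThreadingModel = [string]$props.ThreadingModel
            }
        }
    }
}

function Get-SsodlFinding {
    # One object per SSODL value / COM-server pair, with triage flags.
    foreach ($ssodl in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $ssodl)) { continue }
        $values = Get-ItemProperty -LiteralPath $ssodl
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata properties; skip those
        # (a real SSODL value whose name starts with "PS" would be skipped too).
        $names = $values.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        foreach ($name in $names) {
            $clsid = [string]$values.$name
            $servers = @(Resolve-InProcServer32 -Clsid $clsid)
            if ($servers.Count -eq 0) {
                # A dangling CLSID is itself worth a look (leftover or partly cleaned entry).
                $servers = @([pscustomobject]@{ RegistryKey = ''; Dll = ''; ThreadingModel = '' })
            }
            foreach ($srv in $servers) {
                $dll = [Environment]::ExpandEnvironmentVariables($srv.Dll)
                $flags = @()
                if ($clsid -ieq $KnownBadClsid) { $flags += 'CLSID seen in Berbew report' }
                if (-not $srv.RegistryKey) {
                    $flags += 'no InProcServer32 registration'
                } elseif (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
                    $flags += 'DLL missing on disk'
                } else {
                    $status = (Get-AuthenticodeSignature -LiteralPath $dll).Status
                    if ($status -ne 'Valid') { $flags += "signature: $status" }
                }
                [pscustomobject]@{
                    SsodlKey  = $ssodl
                    ValueName = $name
                    Clsid     = $clsid
                    ServerKey = $srv.RegistryKey
                    Dll       = $dll
                    Flags     = ($flags -join '; ')
                }
            }
        }
    }
}

Get-SsodlFinding | Format-Table ValueName, Clsid, Dll, Flags -AutoSize -Wrap
```

Two caveats when reading the output. A stock Windows 7 install has only a handful of SSODL entries, so the most reliable check is a diff against a known-good host of the same build rather than the value name, which the malware chose to look benign. And on older builds where Get-AuthenticodeSignature does not consult the system catalogs, catalog-signed OS components also report NotSigned, so treat the signature flag as a lead to confirm (hash lookup, file version info, drop time) rather than as a verdict.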
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/memory/1264-0-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0009000000012024-5.dat | family_berbew
behavioral1/memory/1264-6-0x0000000000220000-0x0000000000264000-memory.dmp | family_berbew
behavioral1/files/0x0009000000012024-9.dat | family_berbew
behavioral1/files/0x0009000000012024-8.dat | family_berbew
behavioral1/files/0x0008000000015c95-15.dat | family_berbew
behavioral1/files/0x0009000000012024-14.dat | family_berbew
behavioral1/files/0x0009000000012024-13.dat | family_berbew
behavioral1/files/0x0008000000015c95-21.dat | family_berbew
behavioral1/files/0x0008000000015c95-19.dat | family_berbew
behavioral1/files/0x0008000000015c95-25.dat | family_berbew
behavioral1/files/0x0008000000015c95-26.dat | family_berbew
behavioral1/memory/2764-33-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0007000000015cb3-40.dat | family_berbew
behavioral1/files/0x0007000000015cb3-37.dat | family_berbew
behavioral1/files/0x0007000000015cb3-36.dat | family_berbew
behavioral1/files/0x0007000000015cb3-34.dat | family_berbew
behavioral1/files/0x0007000000015cb3-42.dat | family_berbew
behavioral1/memory/2848-41-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0009000000015db8-48.dat | family_berbew
behavioral1/memory/2848-50-0x0000000000220000-0x0000000000264000-memory.dmp | family_berbew
behavioral1/memory/2128-47-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0009000000015db8-51.dat | family_berbew
behavioral1/files/0x0009000000015db8-55.dat | family_berbew
behavioral1/files/0x0009000000015db8-56.dat | family_berbew
behavioral1/files/0x0007000000015ec8-61.dat | family_berbew
behavioral1/files/0x0009000000015db8-52.dat | family_berbew
behavioral1/files/0x0007000000015ec8-63.dat | family_berbew
behavioral1/files/0x0007000000015ec8-64.dat | family_berbew
behavioral1/memory/2508-68-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0007000000015ec8-67.dat | family_berbew
behavioral1/files/0x0007000000015ec8-69.dat | family_berbew
behavioral1/files/0x000600000001626a-74.dat | family_berbew
behavioral1/memory/1264-76-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x000600000001626a-83.dat | family_berbew
behavioral1/files/0x000600000001626a-81.dat | family_berbew
behavioral1/files/0x000600000001626a-78.dat | family_berbew
behavioral1/files/0x000600000001626a-77.dat | family_berbew
behavioral1/files/0x00060000000162e3-88.dat | family_berbew
behavioral1/files/0x000600000001659c-97.dat | family_berbew
behavioral1/files/0x00060000000167f7-117.dat | family_berbew
behavioral1/files/0x0006000000016baa-123.dat | family_berbew
behavioral1/files/0x0006000000016baa-129.dat | family_berbew
behavioral1/files/0x0006000000016baa-127.dat | family_berbew
behavioral1/files/0x00060000000167f7-122.dat | family_berbew
behavioral1/memory/2844-121-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x00060000000167f7-120.dat | family_berbew
behavioral1/memory/1564-112-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x000600000001659c-108.dat | family_berbew
behavioral1/files/0x0006000000016c2c-141.dat | family_berbew
behavioral1/memory/1652-140-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/1772-139-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016baa-134.dat | family_berbew
behavioral1/files/0x0006000000016baa-133.dat | family_berbew
behavioral1/files/0x000600000001659c-107.dat | family_berbew
behavioral1/files/0x00060000000167f7-116.dat | family_berbew
behavioral1/files/0x00060000000167f7-114.dat | family_berbew
behavioral1/files/0x000600000001659c-103.dat | family_berbew
behavioral1/files/0x000600000001659c-101.dat | family_berbew
behavioral1/files/0x00060000000162e3-96.dat | family_berbew
behavioral1/memory/3048-95-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x00060000000162e3-94.dat | family_berbew
behavioral1/files/0x00060000000162e3-91.dat | family_berbew
behavioral1/files/0x00060000000162e3-90.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
2128 | Kgcpjmcb.exe
2764 | Lfpclh32.exe
2848 | Ljkomfjl.exe
2592 | Lbiqfied.exe
2508 | Mlaeonld.exe
3048 | Meijhc32.exe
1564 | Mdacop32.exe
2844 | Mofglh32.exe
1772 | Mdcpdp32.exe
1652 | Moidahcn.exe
1588 | Ngdifkpi.exe
2480 | Nmpnhdfc.exe
3036 | Ncmfqkdj.exe
1356 | Nmbknddp.exe
2460 | Npagjpcd.exe
2968 | Nadpgggp.exe
2004 | Okoafmkm.exe
1900 | Oeeecekc.exe
1368 | Oegbheiq.exe
1756 | Okdkal32.exe
2316 | Odlojanh.exe
2412 | Oappcfmb.exe
2648 | Pjldghjm.exe
1816 | Pdaheq32.exe
1708 | Pmlmic32.exe
2288 | Pjpnbg32.exe
2720 | Pbkbgjcc.exe
2572 | Poocpnbm.exe
2796 | Pkfceo32.exe
2740 | Qflhbhgg.exe
2644 | Qqeicede.exe
2656 | Abeemhkh.exe
3032 | Aganeoip.exe
524 | Becnhgmg.exe
1808 | Bphbeplm.exe
1640 | Bajomhbl.exe
1516 | Cbdnko32.exe
1624 | Cophko32.exe
1676 | Cielhh32.exe
1680 | Chhldeho.exe
2084 | Dkgippgb.exe
1576 | Ddomif32.exe
996 | Dacnbjml.exe
1776 | Dkkbkp32.exe
1744 | Dddfdejn.exe
872 | Djqoll32.exe
2436 | Dgdpfp32.exe
2260 | Dpmdofno.exe
1336 | Ecnmpa32.exe
2712 | Elfaifaq.exe
2784 | Efnfbl32.exe
2672 | Eogjka32.exe
2820 | Edccch32.exe
2596 | Emkkdf32.exe
3052 | Egdlec32.exe
108 | Fqmpni32.exe
700 | Fnqqgm32.exe
1616 | Fgiepced.exe
2920 | Fncmmmma.exe
2484 | Fjlkgn32.exe
1660 | Fpicodoj.exe
1636 | Ffcllo32.exe
1812 | Gmmdiind.exe
1244 | Gbjlaplk.exe
Loads dropped DLL (64 IoCs)
pid | Process
1264 | NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe
1264 | NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe
2128 | Kgcpjmcb.exe
2128 | Kgcpjmcb.exe
2764 | Lfpclh32.exe
2764 | Lfpclh32.exe
2848 | Ljkomfjl.exe
2848 | Ljkomfjl.exe
2592 | Lbiqfied.exe
2592 | Lbiqfied.exe
2508 | Mlaeonld.exe
2508 | Mlaeonld.exe
3048 | Meijhc32.exe
3048 | Meijhc32.exe
1564 | Mdacop32.exe
1564 | Mdacop32.exe
2844 | Mofglh32.exe
2844 | Mofglh32.exe
1772 | Mdcpdp32.exe
1772 | Mdcpdp32.exe
1652 | Moidahcn.exe
1652 | Moidahcn.exe
1588 | Ngdifkpi.exe
1588 | Ngdifkpi.exe
2480 | Nmpnhdfc.exe
2480 | Nmpnhdfc.exe
3036 | Ncmfqkdj.exe
3036 | Ncmfqkdj.exe
1356 | Nmbknddp.exe
1356 | Nmbknddp.exe
2460 | Npagjpcd.exe
2460 | Npagjpcd.exe
2968 | Nadpgggp.exe
2968 | Nadpgggp.exe
2004 | Okoafmkm.exe
2004 | Okoafmkm.exe
1900 | Oeeecekc.exe
1900 | Oeeecekc.exe
1368 | Oegbheiq.exe
1368 | Oegbheiq.exe
1756 | Okdkal32.exe
1756 | Okdkal32.exe
2316 | Odlojanh.exe
2316 | Odlojanh.exe
2412 | Oappcfmb.exe
2412 | Oappcfmb.exe
2648 | Pjldghjm.exe
2648 | Pjldghjm.exe
1816 | Pdaheq32.exe
1816 | Pdaheq32.exe
1708 | Pmlmic32.exe
1708 | Pmlmic32.exe
2288 | Pjpnbg32.exe
2288 | Pjpnbg32.exe
2720 | Pbkbgjcc.exe
2720 | Pbkbgjcc.exe
2572 | Poocpnbm.exe
2572 | Poocpnbm.exe
2796 | Pkfceo32.exe
2796 | Pkfceo32.exe
2740 | Qflhbhgg.exe
2740 | Qflhbhgg.exe
2644 | Qqeicede.exe
2644 | Qqeicede.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Aganeoip.exe | Abeemhkh.exe
File created | C:\Windows\SysWOW64\Ilicig32.exe | Heokmmgb.exe
File opened for modification | C:\Windows\SysWOW64\Gmpcgace.exe | Golbnm32.exe
File opened for modification | C:\Windows\SysWOW64\Nlefhcnc.exe | Neknki32.exe
File created | C:\Windows\SysWOW64\Onfoin32.exe | Ndqkleln.exe
File opened for modification | C:\Windows\SysWOW64\Ofadnq32.exe | Onfoin32.exe
File created | C:\Windows\SysWOW64\Egfokakc.dll | Akabgebj.exe
File created | C:\Windows\SysWOW64\Qoblpdnf.dll | Adifpk32.exe
File created | C:\Windows\SysWOW64\Ccofjipn.dll | Ccjoli32.exe
File created | C:\Windows\SysWOW64\Dpapaj32.exe | Djdgic32.exe
File created | C:\Windows\SysWOW64\Aejiak32.dll | Gbjlaplk.exe
File created | C:\Windows\SysWOW64\Oegkqmai.dll | Jlpeij32.exe
File created | C:\Windows\SysWOW64\Jeafjiop.exe | Jliaac32.exe
File created | C:\Windows\SysWOW64\Mmmjebjg.dll | Lpnmgdli.exe
File created | C:\Windows\SysWOW64\Ekndacia.dll | Alihaioe.exe
File created | C:\Windows\SysWOW64\Lbnooiab.dll | Hkiicmdh.exe
File opened for modification | C:\Windows\SysWOW64\Ooabmbbe.exe | Ompefj32.exe
File opened for modification | C:\Windows\SysWOW64\Pojecajj.exe | Pdeqfhjd.exe
File created | C:\Windows\SysWOW64\Okoafmkm.exe | Nadpgggp.exe
File created | C:\Windows\SysWOW64\Dmjqpdje.exe | Dfphcj32.exe
File opened for modification | C:\Windows\SysWOW64\Ehmdgp32.exe | Elfcbo32.exe
File created | C:\Windows\SysWOW64\Dofphfof.dll | Fgdnnl32.exe
File opened for modification | C:\Windows\SysWOW64\Pdgmlhha.exe | Paiaplin.exe
File created | C:\Windows\SysWOW64\Daekko32.dll | Okdkal32.exe
File created | C:\Windows\SysWOW64\Pbkbgjcc.exe | Pjpnbg32.exe
File opened for modification | C:\Windows\SysWOW64\Dkkbkp32.exe | Dacnbjml.exe
File created | C:\Windows\SysWOW64\Fqmpni32.exe | Egdlec32.exe
File opened for modification | C:\Windows\SysWOW64\Fpicodoj.exe | Fjlkgn32.exe
File created | C:\Windows\SysWOW64\Hahmbk32.dll | Ihbqdh32.exe
File created | C:\Windows\SysWOW64\Flfpabkp.exe | Fkecij32.exe
File opened for modification | C:\Windows\SysWOW64\Lpnmgdli.exe | Lfhhjklc.exe
File created | C:\Windows\SysWOW64\Mlbakl32.dll | Phnpagdp.exe
File created | C:\Windows\SysWOW64\Adpqglen.dll | Ahbekjcf.exe
File created | C:\Windows\SysWOW64\Cagienkb.exe | Cpfmmf32.exe
File created | C:\Windows\SysWOW64\Onaiomjo.dll | Cnkjnb32.exe
File created | C:\Windows\SysWOW64\Eebghjja.dll | Odlojanh.exe
File created | C:\Windows\SysWOW64\Iomhdbkn.dll | Bflbigdb.exe
File created | C:\Windows\SysWOW64\Fjfikeqd.dll | Flfpabkp.exe
File created | C:\Windows\SysWOW64\Bifbbocj.dll | Bbbpenco.exe
File opened for modification | C:\Windows\SysWOW64\Boljgg32.exe | Bmnnkl32.exe
File created | C:\Windows\SysWOW64\Akaneplm.dll | Ilicig32.exe
File created | C:\Windows\SysWOW64\Idppjg32.dll | Diaaeepi.exe
File opened for modification | C:\Windows\SysWOW64\Ieajkfmd.exe | Ihniaa32.exe
File opened for modification | C:\Windows\SysWOW64\Hnjbeh32.exe | Hqfaldbo.exe
File created | C:\Windows\SysWOW64\Hldlga32.exe | Hjcppidk.exe
File created | C:\Windows\SysWOW64\Akkggpci.dll | Bmlael32.exe
File created | C:\Windows\SysWOW64\Oeeecekc.exe | Okoafmkm.exe
File created | C:\Windows\SysWOW64\Pkfceo32.exe | Poocpnbm.exe
File opened for modification | C:\Windows\SysWOW64\Iimcclni.exe | Ilicig32.exe
File opened for modification | C:\Windows\SysWOW64\Fhdjgoha.exe | Fajbke32.exe
File created | C:\Windows\SysWOW64\Ifjlcmmj.exe | Imahkg32.exe
File created | C:\Windows\SysWOW64\Qgjccb32.exe | Qppkfhlc.exe
File opened for modification | C:\Windows\SysWOW64\Cbblda32.exe | Cmedlk32.exe
File created | C:\Windows\SysWOW64\Dacnbjml.exe | Ddomif32.exe
File created | C:\Windows\SysWOW64\Jdkjnl32.exe | Jblnaq32.exe
File created | C:\Windows\SysWOW64\Cmdcjbei.dll | Fpoolael.exe
File created | C:\Windows\SysWOW64\Oefmcdfq.dll | Hlgimqhf.exe
File created | C:\Windows\SysWOW64\Bkdbhahq.dll | Kcgphp32.exe
File created | C:\Windows\SysWOW64\Edobgb32.dll | Oegbheiq.exe
File created | C:\Windows\SysWOW64\Eadecdpk.dll | Gihniioc.exe
File created | C:\Windows\SysWOW64\Gafalh32.dll | Ddfebnoo.exe
File created | C:\Windows\SysWOW64\Fnflke32.exe | Fcphnm32.exe
File created | C:\Windows\SysWOW64\Hhhgcm32.dll | Iflmjihl.exe
File opened for modification | C:\Windows\SysWOW64\Lboiol32.exe | Lpnmgdli.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3860 | 344 | WerFault.exe | 281
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll" | Bphbeplm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emkkdf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jioopgef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpkpadnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopbda32.dll" | Obokcqhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abeemhkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jdkjnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdoodan.dll" | Jliaac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lcofio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdclnelo.dll" | Nncbdomg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Adifpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cophko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhkdkaa.dll" | Hpnkbpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Npjlhcmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oiffkkbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Piicpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bccmmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lbiqfied.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fncmmmma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hldjnhce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eihgfd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eoiiijcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liihgqil.dll" | Gceailog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmqbcm32.dll" | Goplilpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" | Moidahcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnldoho.dll" | Dgdpfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhgcm32.dll" | Iflmjihl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Paiaplin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bajomhbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fnqqgm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gihniioc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongkdd32.dll" | Hldlga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oiffkkbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll" | Adifpk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbiqfied.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinic32.dll" | Fpicodoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehmdgp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kglehp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll" | Cmedlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdocq32.dll" | Dddfdejn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgnma32.dll" | Jgncfcaa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jajcdjca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoloenf.dll" | Pohhna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Boljgg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpfmmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncmfqkdj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gmoqnhla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgigbp32.dll" | Fogibnha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jeafjiop.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nlefhcnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abpcooea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" | Bjbndpmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bcjcme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgcpjmcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imogmg32.dll" | Pbkbgjcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fjlkgn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aejonffm.dll" | Gifaciae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ciaefa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfphcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmjebjg.dll" | Lpnmgdli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll" | Pdgmlhha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahgofi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjdkjpkb.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1264 wrote to memory of 2128 1264 NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe 28 PID 1264 wrote to memory of 2128 1264 NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe 28 PID 1264 wrote to memory of 2128 1264 NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe 28 PID 1264 wrote to memory of 2128 1264 NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe 28 PID 2128 wrote to memory of 2764 2128 Kgcpjmcb.exe 29 PID 2128 wrote to memory of 2764 2128 Kgcpjmcb.exe 29 PID 2128 wrote to memory of 2764 2128 Kgcpjmcb.exe 29 PID 2128 wrote to memory of 2764 2128 Kgcpjmcb.exe 29 PID 2764 wrote to memory of 2848 2764 Lfpclh32.exe 30 PID 2764 wrote to memory of 2848 2764 Lfpclh32.exe 30 PID 2764 wrote to memory of 2848 2764 Lfpclh32.exe 30 PID 2764 wrote to memory of 2848 2764 Lfpclh32.exe 30 PID 2848 wrote to memory of 2592 2848 Ljkomfjl.exe 31 PID 2848 wrote to memory of 2592 2848 Ljkomfjl.exe 31 PID 2848 wrote to memory of 2592 2848 Ljkomfjl.exe 31 PID 2848 wrote to memory of 2592 2848 Ljkomfjl.exe 31 PID 2592 wrote to memory of 2508 2592 Lbiqfied.exe 32 PID 2592 wrote to memory of 2508 2592 Lbiqfied.exe 32 PID 2592 wrote to memory of 2508 2592 Lbiqfied.exe 32 PID 2592 wrote to memory of 2508 2592 Lbiqfied.exe 32 PID 2508 wrote to memory of 3048 2508 Mlaeonld.exe 33 PID 2508 wrote to memory of 3048 2508 Mlaeonld.exe 33 PID 2508 wrote to memory of 3048 2508 Mlaeonld.exe 33 PID 2508 wrote to memory of 3048 2508 Mlaeonld.exe 33 PID 3048 wrote to memory of 1564 3048 Meijhc32.exe 34 PID 3048 wrote to memory of 1564 3048 Meijhc32.exe 34 PID 3048 wrote to memory of 1564 3048 Meijhc32.exe 34 PID 3048 wrote to memory of 1564 3048 Meijhc32.exe 34 PID 1564 wrote to memory of 2844 1564 Mdacop32.exe 38 PID 1564 wrote to memory of 2844 1564 Mdacop32.exe 38 PID 1564 wrote to memory of 2844 1564 Mdacop32.exe 38 PID 1564 wrote to memory of 2844 1564 Mdacop32.exe 38 PID 2844 wrote to memory of 1772 2844 Mofglh32.exe 37 PID 2844 wrote to memory of 1772 2844 Mofglh32.exe 37 PID 2844 wrote to memory of 1772 2844 Mofglh32.exe 37 PID 2844 wrote to memory of 1772 2844 Mofglh32.exe 37 PID 1772 wrote to memory of 1652 1772 Mdcpdp32.exe 36 PID 1772 wrote to memory of 1652 1772 Mdcpdp32.exe 36 PID 1772 wrote to memory of 1652 1772 Mdcpdp32.exe 36 PID 1772 wrote to memory of 1652 1772 Mdcpdp32.exe 36 PID 1652 wrote to memory of 1588 1652 Moidahcn.exe 35 PID 1652 wrote to memory of 1588 1652 Moidahcn.exe 35 PID 1652 wrote to memory of 1588 1652 Moidahcn.exe 35 PID 1652 wrote to memory of 1588 1652 Moidahcn.exe 35 PID 1588 wrote to memory of 2480 1588 Ngdifkpi.exe 39 PID 1588 wrote to memory of 2480 1588 Ngdifkpi.exe 39 PID 1588 wrote to memory of 2480 1588 Ngdifkpi.exe 39 PID 1588 wrote to memory of 2480 1588 Ngdifkpi.exe 39 PID 2480 wrote to memory of 3036 2480 Nmpnhdfc.exe 40 PID 2480 wrote to memory of 3036 2480 Nmpnhdfc.exe 40 PID 2480 wrote to memory of 3036 2480 Nmpnhdfc.exe 40 PID 2480 wrote to memory of 3036 2480 Nmpnhdfc.exe 40 PID 3036 wrote to memory of 1356 3036 Ncmfqkdj.exe 41 PID 3036 wrote to memory of 1356 3036 Ncmfqkdj.exe 41 PID 3036 wrote to memory of 1356 3036 Ncmfqkdj.exe 41 PID 3036 wrote to memory of 1356 3036 Ncmfqkdj.exe 41 PID 1356 wrote to memory of 2460 1356 Nmbknddp.exe 42 PID 1356 wrote to memory of 2460 1356 Nmbknddp.exe 42 PID 1356 wrote to memory of 2460 1356 Nmbknddp.exe 42 PID 1356 wrote to memory of 2460 1356 Nmbknddp.exe 42 PID 2460 wrote to memory of 2968 2460 Npagjpcd.exe 43 PID 2460 wrote to memory of 2968 2460 Npagjpcd.exe 43 PID 2460 wrote to memory of 2968 2460 Npagjpcd.exe 43 PID 2460 wrote to memory of 2968 2460 Npagjpcd.exe 43
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.498e07fa45bb1c4f790de6b1ee68b9d0.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Kgcpjmcb.exeC:\Windows\system32\Kgcpjmcb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ljkomfjl.exeC:\Windows\system32\Ljkomfjl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Mofglh32.exeC:\Windows\system32\Mofglh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Pdaheq32.exeC:\Windows\system32\Pdaheq32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe23⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:524 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe27⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe29⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe30⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:996 -
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe34⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe36⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe38⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe39⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe40⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe41⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe43⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe46⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe53⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe55⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe56⤵PID:1372
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe57⤵
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe58⤵PID:556
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe59⤵
- Drops file in System32 directory
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe60⤵PID:2752
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe61⤵PID:2856
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe62⤵PID:2948
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe63⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe64⤵PID:1836
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe65⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe66⤵
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe67⤵PID:268
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe68⤵PID:2904
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe69⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe71⤵PID:1032
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe73⤵
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe74⤵
- Modifies registry class
PID:2408 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:816 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe76⤵PID:1748
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:988 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe78⤵PID:1608
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe79⤵PID:2008
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe81⤵PID:2716
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe82⤵PID:2756
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe83⤵PID:2560
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1312 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe85⤵PID:2912
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe86⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe87⤵PID:320
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe88⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe89⤵PID:1648
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe91⤵PID:1728
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe92⤵PID:544
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe93⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe94⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe95⤵PID:1944
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe96⤵PID:1988
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe97⤵PID:2936
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe98⤵PID:3012
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe99⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe100⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe101⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe104⤵
- Drops file in System32 directory
PID:740 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe105⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe107⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe108⤵
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe109⤵
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe110⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe111⤵PID:1320
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe112⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe113⤵PID:1764
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe114⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe115⤵PID:2832
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe117⤵PID:2268
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe118⤵PID:2616
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe120⤵
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe121⤵PID:2032
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe122⤵PID:3068