Analysis
max time kernel: 151s
max time network: 143s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted: 03/11/2023, 14:04

Behavioral task: behavioral1
Sample: NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe
Resource: win7-20231025-en

Behavioral task: behavioral2
Sample: NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe
Resource: win10v2004-20231025-en
General
Target: NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe
Size: 276KB
MD5: 02a863ab8f9b385aa43d5a95e6eb1740
SHA1: 3f3d976f713fffc1f06bd29cd514372a98bb764d
SHA256: cc4d14ce2f0cd7a3f3420b640929d327ae14ba561215016bd27ac4e9154a7268
SHA512: 2bc8bab68725cf11034b71f2bf388cde5312cc8fa44a41e6a0ef6fc46654254914bbf3ea12a2a71c2013cef4c5f13699b7e7db5bf95884bfdef8bad6985a5756
SSDEEP: 6144:B0A3lnq/5dWZHEFJ7aWN1rtMsQBOSGaF+:B0AVG2HEGWN1RMs1S7
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpdpg32.dll" Bmjjmbgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnmada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dafchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meieho32.dll" Hfmcapna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eiocbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djffdk32.dll" Fgnfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbkjc32.dll" Baoahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dakmfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aokckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdcdgpcj.dll" Aaflgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmiha32.dll" 
Cncmei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgcoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nagobp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoomflpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bllcnega.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihefej32.dll" Icponb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcodqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogbolep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hibebeqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcddlail.dll" Igmppcpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cceapl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dghekobe.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmhbbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pficnc32.dll" Ehdpcahk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpldjajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnckabmd.dll" Iedmhlqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blnpddeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcgoolln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cccdjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iencdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flphccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onkoadhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbdham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqbejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afmbak32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoeadlm.dll"  Gklkdn32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Gncblo32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32  Pllkpn32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Dkbbinig.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccmkee.dll"  Gapbbk32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heglgdeb.dll"  Ipbgci32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokpklp.dll"  Dmmbge32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Gqidme32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Habgan32.dll"  Ehnknfdn.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Fpgpjdnf.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igpkhjlc.dll"  Igjckcbo.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhnoj32.dll"  Fmegncpp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Hgiked32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jenndm32.dll"  Oggeokoq.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32  Blkoocfl.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Obmpgjbb.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopknnaa.dll"  Bnofaf32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32  Bikemiik.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Blniinac.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljamifd.dll"  Cpdhna32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32  Nagobp32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Pdhdcnng.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qilcoj32.dll"  Paiche32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"  Ccqhdmbc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfjap32.dll"  Cglcek32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32  Docjpa32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32  Booiep32.exe
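Read together with the ShellServiceObjectDelayLoad rows earlier in the report, these registry events are the whole persistence mechanism: the SSODL value "Web Event Logger" names CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and the rows above point that CLSID's InProcServer32 default value at a succession of dropped DLLs under SysWow64 (Dhoeadlm.dll, Omccmkee.dll, Heglgdeb.dll, ...), each of which is a file Explorer.exe would load at the next logon. The Python below is an added example, not part of the sandbox report and not code from the sample: it parses rows in the report's "description ioc Process" shape (a constructed excerpt copied from rows on this page, not the full table), undoes the doubled backslashes the report uses inside string data, and resolves each SSODL entry name through its CLSID to the DLL paths registered for it. The row regex, the RegistryIoc record and the "(Default)" label for the unnamed value are this example's conventions, not the report's.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the report's "description ioc Process"
# table, one registry event per line.  The key names, CLSID, DLL paths and
# process names are copied from this report; the selection of rows is ours.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpldjajo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pllkpn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoeadlm.dll" Gklkdn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gncblo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccmkee.dll" Gapbbk32.exe
"""

# One row: action, registry path (key, or key\value for "Set value"), optional
# quoted string data, and the process that made the change.
ROW_RE = re.compile(
    r'^(?P<action>Key created|Set value \(\w+\)) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<data>.*)")?'
    r' (?P<process>\S+\.exe)$'
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
INPROC_RE = re.compile(r"\\CLSID\\(\{[^}]+\})\\InProcServer32$", re.IGNORECASE)
SSODL_SUFFIX = "\\SHELLSERVICEOBJECTDELAYLOAD"


@dataclass
class RegistryIoc:
    action: str
    key: str
    value_name: str        # "(Default)" for the unnamed value; "" on "Key created" rows
    data: Optional[str]    # decoded string data; None on "Key created" rows
    process: str           # dropped binary that made the change


def parse_row(line: str) -> Optional[RegistryIoc]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path, data = m.group("path"), m.group("data")
    if data is None:                       # "Key created": the whole path is the key
        return RegistryIoc(m.group("action"), path, "", None, m.group("process"))
    key, _, name = path.rpartition("\\")   # "Set value": last component is the value name
    # The report doubles backslashes inside string data ("C:\\Windows\\..."); undo that.
    return RegistryIoc(m.group("action"), key, name or "(Default)",
                       data.replace("\\\\", "\\"), m.group("process"))


def parse_rows(text: str) -> List[RegistryIoc]:
    return [ioc for ioc in map(parse_row, text.splitlines()) if ioc is not None]


def persistence_chain(rows: List[RegistryIoc]) -> Dict[str, List[str]]:
    """SSODL entry name -> DLLs registered as InProcServer32 for its CLSID.
    Explorer.exe loads every CLSID listed under ShellServiceObjectDelayLoad when
    the shell starts, so these are the files that survive a reboot."""
    ssodl: Dict[str, str] = {}
    inproc: Dict[str, set] = defaultdict(set)
    for r in rows:
        if r.data is None:
            continue
        if r.key.upper().endswith(SSODL_SUFFIX):
            m = CLSID_RE.search(r.data)
            if m:
                ssodl[r.value_name] = m.group(0).upper()
        else:
            m = INPROC_RE.search(r.key)
            if m and r.value_name == "(Default)":
                inproc[m.group(1).upper()].add(r.data)
    return {name: sorted(inproc.get(clsid, ())) for name, clsid in ssodl.items()}


def dll_writers(rows: List[RegistryIoc]) -> Dict[str, str]:
    """Registered DLL path -> dropped binary that registered it."""
    return {r.data: r.process for r in rows
            if r.data is not None and r.value_name == "(Default)" and INPROC_RE.search(r.key)}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for name, dlls in persistence_chain(rows).items():
        print(f"SSODL '{name}' loads: {', '.join(dlls)}")
    for dll, proc in dll_writers(rows).items():
        print(f"  {dll} registered by {proc}")
```

The same join is what to run on a suspect host: enumerate HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, resolve each value's CLSID under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\<clsid>\InProcServer32, and pull any DLL that is unsigned or absent from a clean build. Because the report shows one default value being overwritten repeatedly by different droppers, only the last writer determines what Explorer loads, but every earlier DLL name is still a file indicator worth sweeping for.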
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process                                     procid_target
PID 2280 wrote to memory of 2020    2280  NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe   28
PID 2280 wrote to memory of 2020    2280  NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe   28
PID 2280 wrote to memory of 2020    2280  NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe   28
PID 2280 wrote to memory of 2020    2280  NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe   28
PID 2020 wrote to memory of 2764    2020  Caidaeak.exe                                29
PID 2020 wrote to memory of 2764    2020  Caidaeak.exe                                29
PID 2020 wrote to memory of 2764    2020  Caidaeak.exe                                29
PID 2020 wrote to memory of 2764    2020  Caidaeak.exe                                29
PID 2764 wrote to memory of 2772    2764  Dpqnhadq.exe                                30
PID 2764 wrote to memory of 2772    2764  Dpqnhadq.exe                                30
PID 2764 wrote to memory of 2772    2764  Dpqnhadq.exe                                30
PID 2764 wrote to memory of 2772    2764  Dpqnhadq.exe                                30
PID 2772 wrote to memory of 2464    2772  Dlgnmb32.exe                                31
PID 2772 wrote to memory of 2464    2772  Dlgnmb32.exe                                31
PID 2772 wrote to memory of 2464    2772  Dlgnmb32.exe                                31
PID 2772 wrote to memory of 2464    2772  Dlgnmb32.exe                                31
PID 2464 wrote to memory of 2576    2464  Dcccpl32.exe                                32
PID 2464 wrote to memory of 2576    2464  Dcccpl32.exe                                32
PID 2464 wrote to memory of 2576    2464  Dcccpl32.exe                                32
PID 2464 wrote to memory of 2576    2464  Dcccpl32.exe                                32
PID 2576 wrote to memory of 1356    2576  Dedlag32.exe                                33
PID 2576 wrote to memory of 1356    2576  Dedlag32.exe                                33
PID 2576 wrote to memory of 1356    2576  Dedlag32.exe                                33
PID 2576 wrote to memory of 1356    2576  Dedlag32.exe                                33
PID 1356 wrote to memory of 2804    1356  Dakmfh32.exe                                34
PID 1356 wrote to memory of 2804    1356  Dakmfh32.exe                                34
PID 1356 wrote to memory of 2804    1356  Dakmfh32.exe                                34
PID 1356 wrote to memory of 2804    1356  Dakmfh32.exe                                34
PID 2804 wrote to memory of 1876    2804  Eeielfhk.exe                                35
PID 2804 wrote to memory of 1876    2804  Eeielfhk.exe                                35
PID 2804 wrote to memory of 1876    2804  Eeielfhk.exe                                35
PID 2804 wrote to memory of 1876    2804  Eeielfhk.exe                                35
PID 1876 wrote to memory of 1200    1876  Eapfagno.exe                                36
PID 1876 wrote to memory of 1200    1876  Eapfagno.exe                                36
PID 1876 wrote to memory of 1200    1876  Eapfagno.exe                                36
PID 1876 wrote to memory of 1200    1876  Eapfagno.exe                                36
PID 1200 wrote to memory of 2196    1200  Enfgfh32.exe                                37
PID 1200 wrote to memory of 2196    1200  Enfgfh32.exe                                37
PID 1200 wrote to memory of 2196    1200  Enfgfh32.exe                                37
PID 1200 wrote to memory of 2196    1200  Enfgfh32.exe                                37
PID 2196 wrote to memory of 2792    2196  Edclib32.exe                                38
PID 2196 wrote to memory of 2792    2196  Edclib32.exe                                38
PID 2196 wrote to memory of 2792    2196  Edclib32.exe                                38
PID 2196 wrote to memory of 2792    2196  Edclib32.exe                                38
PID 2792 wrote to memory of 1512    2792  Ejpdai32.exe                                39
PID 2792 wrote to memory of 1512    2792  Ejpdai32.exe                                39
PID 2792 wrote to memory of 1512    2792  Ejpdai32.exe                                39
PID 2792 wrote to memory of 1512    2792  Ejpdai32.exe                                39
PID 1512 wrote to memory of 1572    1512  Flqmbd32.exe                                40
PID 1512 wrote to memory of 1572    1512  Flqmbd32.exe                                40
PID 1512 wrote to memory of 1572    1512  Flqmbd32.exe                                40
PID 1512 wrote to memory of 1572    1512  Flqmbd32.exe                                40
PID 1572 wrote to memory of 2272    1572  Foafdoag.exe                                41
PID 1572 wrote to memory of 2272    1572  Foafdoag.exe                                41
PID 1572 wrote to memory of 2272    1572  Foafdoag.exe                                41
PID 1572 wrote to memory of 2272    1572  Foafdoag.exe                                41
PID 2272 wrote to memory of 2988    2272  Fmegncpp.exe                                42
PID 2272 wrote to memory of 2988    2272  Fmegncpp.exe                                42
PID 2272 wrote to memory of 2988    2272  Fmegncpp.exe                                42
PID 2272 wrote to memory of 2988    2272  Fmegncpp.exe                                42
PID 2988 wrote to memory of 2208    2988  Fqglggcp.exe                                43
PID 2988 wrote to memory of 2208    2988  Fqglggcp.exe                                43
PID 2988 wrote to memory of 2208    2988  Fqglggcp.exe                                43
PID 2988 wrote to memory of 2208    2988  Fqglggcp.exe                                43
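The 64 events above are 16 distinct parent-to-child pairs, each logged four times, and each writer is the executable that the previous one dropped. The Python below is an added example, not code from the report or from the sample: it parses events in the report's "description pid Process procid_target" shape (a constructed excerpt covering the first three hops), counts writes per pair, and walks from the root pid to recover the spawn chain. It refuses to flatten the tree into a chain when a writer targets more than one process or a pid recurs; the full process list on this page reuses PID 2764 and PID 2280 much later in the run, so a naive walk over a longer table could loop or silently merge two different processes. The Event tuple and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of the report's "description pid Process
# procid_target" table, one WriteProcessMemory event per line.  PIDs, images and
# the four-fold repetition are copied from the first three hops of this report;
# the excerpt itself is ours.
SAMPLE_EVENTS = """
PID 2280 wrote to memory of 2020 2280 NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe 28
PID 2280 wrote to memory of 2020 2280 NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe 28
PID 2280 wrote to memory of 2020 2280 NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe 28
PID 2280 wrote to memory of 2020 2280 NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe 28
PID 2020 wrote to memory of 2764 2020 Caidaeak.exe 29
PID 2020 wrote to memory of 2764 2020 Caidaeak.exe 29
PID 2020 wrote to memory of 2764 2020 Caidaeak.exe 29
PID 2020 wrote to memory of 2764 2020 Caidaeak.exe 29
PID 2764 wrote to memory of 2772 2764 Dpqnhadq.exe 30
PID 2764 wrote to memory of 2772 2764 Dpqnhadq.exe 30
PID 2764 wrote to memory of 2772 2764 Dpqnhadq.exe 30
PID 2764 wrote to memory of 2772 2764 Dpqnhadq.exe 30
"""

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# (writer pid, target pid, writer image, target's index in the process list)
Event = Tuple[int, int, str, int]


def parse_events(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                      # header or blank line
        src, dst, pid, image, target = m.groups()
        if src != pid:                    # description and pid column must agree
            raise ValueError(f"inconsistent row: {line.strip()!r}")
        events.append((int(src), int(dst), image, int(target)))
    return events


def edge_counts(events: List[Event]) -> Dict[Tuple[int, int], int]:
    """How many times each writer wrote into each target."""
    return dict(Counter((src, dst) for src, dst, _, _ in events))


def writer_images(events: List[Event]) -> Dict[int, str]:
    """Writer pid -> image name (the table names the writer, not the target)."""
    return {src: image for src, _, image, _ in events}


def process_tree(events: List[Event]) -> Dict[int, List[int]]:
    """Writer pid -> sorted list of distinct target pids."""
    children = defaultdict(set)
    for src, dst, _, _ in events:
        children[src].add(dst)
    return {p: sorted(c) for p, c in children.items()}


def spawn_chain(events: List[Event]) -> List[int]:
    """Root-to-leaf pid sequence for a tree in which every writer targets exactly
    one new pid, which is the shape of this report (a relay of dropped EXEs).
    Refuses to flatten anything else: a branch or a repeated pid is exactly the
    case a chain view would hide."""
    tree = process_tree(events)
    targets = {d for kids in tree.values() for d in kids}
    roots = [p for p in tree if p not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {roots}")
    chain = [roots[0]]
    while chain[-1] in tree:
        kids = tree[chain[-1]]
        if len(kids) != 1:
            raise ValueError(f"pid {chain[-1]} wrote into several processes: {kids}")
        if kids[0] in chain:
            raise ValueError(f"pid {kids[0]} already in chain (pid reuse or a cycle)")
        chain.append(kids[0])
    return chain


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    names = writer_images(ev)
    for (src, dst), n in edge_counts(ev).items():
        print(f"{src} ({names[src]}) -> {dst}: {n} writes")
    print("chain:", " -> ".join(map(str, spawn_chain(ev))))
```

A parent normally writes into a child it has just created (the child's process parameters are copied in through the same API), so a handful of writes per hop is consistent with a plain process launch rather than injection; what stands out in this table is not the count but that every writer is a freshly dropped executable and every target is the next link in the relay.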
Processes

Process tree from the run. Each process is the child of the one listed before it, so its number is also its nesting depth; each entry gives the image path, the PID, the command line it was started with, and the signatures it triggered. Command lines name C:\Windows\system32\ while the images live under C:\Windows\SysWOW64\ because these are 32-bit processes on a 64-bit host and WOW64 file-system redirection maps System32 to SysWOW64 for them. PIDs 2764 and 2280 appear twice because the sandbox reused them later in the run.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe (PID 2280)
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.02a863ab8f9b385aa43d5a95e6eb1740.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Caidaeak.exe (PID 2020)
   command line: C:\Windows\system32\Caidaeak.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Dpqnhadq.exe (PID 2764)
   command line: C:\Windows\system32\Dpqnhadq.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Dlgnmb32.exe (PID 2772)
   command line: C:\Windows\system32\Dlgnmb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Dcccpl32.exe (PID 2464)
   command line: C:\Windows\system32\Dcccpl32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Dedlag32.exe (PID 2576)
   command line: C:\Windows\system32\Dedlag32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Dakmfh32.exe (PID 1356)
   command line: C:\Windows\system32\Dakmfh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Eeielfhk.exe (PID 2804)
   command line: C:\Windows\system32\Eeielfhk.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Eapfagno.exe (PID 1876)
   command line: C:\Windows\system32\Eapfagno.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Enfgfh32.exe (PID 1200)
   command line: C:\Windows\system32\Enfgfh32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Edclib32.exe (PID 2196)
   command line: C:\Windows\system32\Edclib32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ejpdai32.exe (PID 2792)
   command line: C:\Windows\system32\Ejpdai32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Flqmbd32.exe (PID 1512)
   command line: C:\Windows\system32\Flqmbd32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Foafdoag.exe (PID 1572)
   command line: C:\Windows\system32\Foafdoag.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Fmegncpp.exe (PID 2272)
   command line: C:\Windows\system32\Fmegncpp.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Fqglggcp.exe (PID 2988)
   command line: C:\Windows\system32\Fqglggcp.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Geeemeif.exe (PID 2208)
   command line: C:\Windows\system32\Geeemeif.exe
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Gqnbhf32.exe (PID 2180)
   command line: C:\Windows\system32\Gqnbhf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
19. C:\Windows\SysWOW64\Hifpke32.exe (PID 1576)
   command line: C:\Windows\system32\Hifpke32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
20. C:\Windows\SysWOW64\Iliebpfc.exe (PID 1960)
   command line: C:\Windows\system32\Iliebpfc.exe
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Mcodqkbi.exe (PID 2616)
   command line: C:\Windows\system32\Mcodqkbi.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
22. C:\Windows\SysWOW64\Mqbejp32.exe (PID 2260)
   command line: C:\Windows\system32\Mqbejp32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
23. C:\Windows\SysWOW64\Njmfhe32.exe (PID 2964)
   command line: C:\Windows\system32\Njmfhe32.exe
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Ndggib32.exe (PID 816)
   command line: C:\Windows\system32\Ndggib32.exe
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Nomkfk32.exe (PID 1956)
   command line: C:\Windows\system32\Nomkfk32.exe
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Nbmdhfog.exe (PID 2680)
   command line: C:\Windows\system32\Nbmdhfog.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Nndemg32.exe (PID 2688)
   command line: C:\Windows\system32\Nndemg32.exe
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Nqbaic32.exe (PID 2832)
   command line: C:\Windows\system32\Nqbaic32.exe
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Ojkeah32.exe (PID 2708)
   command line: C:\Windows\system32\Ojkeah32.exe
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Oepjoa32.exe (PID 2724)
   command line: C:\Windows\system32\Oepjoa32.exe
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Ofafgipc.exe (PID 3056)
   command line: C:\Windows\system32\Ofafgipc.exe
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Ogabql32.exe (PID 2880)
   command line: C:\Windows\system32\Ogabql32.exe
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Oaigib32.exe (PID 1648)
   command line: C:\Windows\system32\Oaigib32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
34. C:\Windows\SysWOW64\Ojblbgdg.exe (PID 1944)
   command line: C:\Windows\system32\Ojblbgdg.exe
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Obmpgjbb.exe (PID 1720)
   command line: C:\Windows\system32\Obmpgjbb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
36. C:\Windows\SysWOW64\Oighcd32.exe (PID 2848)
   command line: C:\Windows\system32\Oighcd32.exe
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Pbomli32.exe (PID 996)
   command line: C:\Windows\system32\Pbomli32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
38. C:\Windows\SysWOW64\Ppcmfn32.exe (PID 1520)
   command line: C:\Windows\system32\Ppcmfn32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Pljnkodm.exe (PID 1796)
   command line: C:\Windows\system32\Pljnkodm.exe
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Pllkpn32.exe (PID 1664)
   command line: C:\Windows\system32\Pllkpn32.exe
   - Executes dropped EXE
   - Modifies registry class
41. C:\Windows\SysWOW64\Paiche32.exe (PID 2924)
   command line: C:\Windows\system32\Paiche32.exe
   - Executes dropped EXE
   - Modifies registry class
42. C:\Windows\SysWOW64\Phcleoho.exe (PID 556)
   command line: C:\Windows\system32\Phcleoho.exe
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Pnmdbi32.exe (PID 1804)
   command line: C:\Windows\system32\Pnmdbi32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
44. C:\Windows\SysWOW64\Ppopja32.exe (PID 1820)
   command line: C:\Windows\system32\Ppopja32.exe
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Qigebglj.exe (PID 1160)
   command line: C:\Windows\system32\Qigebglj.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Qanmcdlm.exe (PID 1568)
   command line: C:\Windows\system32\Qanmcdlm.exe
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Qfkelkkd.exe (PID 776)
   command line: C:\Windows\system32\Qfkelkkd.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Qiiahgjh.exe (PID 2672)
   command line: C:\Windows\system32\Qiiahgjh.exe
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Qdofep32.exe (PID 384)
   command line: C:\Windows\system32\Qdofep32.exe
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Afmbak32.exe (PID 2980)
   command line: C:\Windows\system32\Afmbak32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
51. C:\Windows\SysWOW64\Aljjjb32.exe (PID 2116)
   command line: C:\Windows\system32\Aljjjb32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
52. C:\Windows\SysWOW64\Afpogk32.exe (PID 364)
   command line: C:\Windows\system32\Afpogk32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Ahqkocmm.exe (PID 1536)
   command line: C:\Windows\system32\Ahqkocmm.exe
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Aokckm32.exe (PID 1640)
   command line: C:\Windows\system32\Aokckm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Aedlhg32.exe (PID 2756)
   command line: C:\Windows\system32\Aedlhg32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Alodeacc.exe (PID 2692)
   command line: C:\Windows\system32\Alodeacc.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Aompambg.exe (PID 2900)
   command line: C:\Windows\system32\Aompambg.exe
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Aoomflpd.exe (PID 2532)
   command line: C:\Windows\system32\Aoomflpd.exe
   - Executes dropped EXE
   - Modifies registry class
59. C:\Windows\SysWOW64\Aeiecfga.exe (PID 2656)
   command line: C:\Windows\system32\Aeiecfga.exe
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Agkako32.exe (PID 2188)
   command line: C:\Windows\system32\Agkako32.exe
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Andjgidl.exe (PID 3060)
   command line: C:\Windows\system32\Andjgidl.exe
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Bpcfcddp.exe (PID 856)
   command line: C:\Windows\system32\Bpcfcddp.exe
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Bgmnpn32.exe (PID 1740)
   command line: C:\Windows\system32\Bgmnpn32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Bccoeo32.exe (PID 2780)
   command line: C:\Windows\system32\Bccoeo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Bkkgfm32.exe (PID 992)
   command line: C:\Windows\system32\Bkkgfm32.exe
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Bllcnega.exe (PID 1244)
   command line: C:\Windows\system32\Bllcnega.exe
   - Modifies registry class
67. C:\Windows\SysWOW64\Bdckobhd.exe (PID 1364)
   command line: C:\Windows\system32\Bdckobhd.exe
68. C:\Windows\SysWOW64\Bjpdhifk.exe (PID 1204)
   command line: C:\Windows\system32\Bjpdhifk.exe
69. C:\Windows\SysWOW64\Blnpddeo.exe (PID 2128)
   command line: C:\Windows\system32\Blnpddeo.exe
   - Modifies registry class
70. C:\Windows\SysWOW64\Bchhqo32.exe (PID 2320)
   command line: C:\Windows\system32\Bchhqo32.exe
71. C:\Windows\SysWOW64\Booiep32.exe (PID 2364)
   command line: C:\Windows\system32\Booiep32.exe
   - Drops file in System32 directory
   - Modifies registry class
72. C:\Windows\SysWOW64\Baneak32.exe (PID 852)
   command line: C:\Windows\system32\Baneak32.exe
73. C:\Windows\SysWOW64\Chgnneiq.exe (PID 2484)
   command line: C:\Windows\system32\Chgnneiq.exe
   - Drops file in System32 directory
74. C:\Windows\SysWOW64\Ccmblnif.exe (PID 1984)
   command line: C:\Windows\system32\Ccmblnif.exe
75. C:\Windows\SysWOW64\Cfknhi32.exe (PID 1652)
   command line: C:\Windows\system32\Cfknhi32.exe
   - Drops file in System32 directory
76. C:\Windows\SysWOW64\Clefdcog.exe (PID 2764)
   command line: C:\Windows\system32\Clefdcog.exe
77. C:\Windows\SysWOW64\Cngcll32.exe (PID 1092)
   command line: C:\Windows\system32\Cngcll32.exe
   - Drops file in System32 directory
78. C:\Windows\SysWOW64\Cdqkifmb.exe (PID 2224)
   command line: C:\Windows\system32\Cdqkifmb.exe
79. C:\Windows\SysWOW64\Ckkcep32.exe (PID 904)
   command line: C:\Windows\system32\Ckkcep32.exe
   - Drops file in System32 directory
80. C:\Windows\SysWOW64\Cbdkbjkl.exe (PID 1176)
   command line: C:\Windows\system32\Cbdkbjkl.exe
81. C:\Windows\SysWOW64\Cjppfl32.exe (PID 880)
   command line: C:\Windows\system32\Cjppfl32.exe
82. C:\Windows\SysWOW64\Cbghhj32.exe (PID 2012)
   command line: C:\Windows\system32\Cbghhj32.exe
83. C:\Windows\SysWOW64\Cgdqpq32.exe (PID 2628)
   command line: C:\Windows\system32\Cgdqpq32.exe
84. C:\Windows\SysWOW64\Cmqihg32.exe (PID 2644)
   command line: C:\Windows\system32\Cmqihg32.exe
85. C:\Windows\SysWOW64\Dcjaeamd.exe (PID 2720)
   command line: C:\Windows\system32\Dcjaeamd.exe
86. C:\Windows\SysWOW64\Djdjalea.exe (PID 2528)
   command line: C:\Windows\system32\Djdjalea.exe
87. C:\Windows\SysWOW64\Dghjkpck.exe (PID 2612)
   command line: C:\Windows\system32\Dghjkpck.exe
   - Drops file in System32 directory
88. C:\Windows\SysWOW64\Dmebcgbb.exe (PID 308)
   command line: C:\Windows\system32\Dmebcgbb.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Dbbklnpj.exe (PID 2948)
   command line: C:\Windows\system32\Dbbklnpj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
90. C:\Windows\SysWOW64\Dmgoif32.exe (PID 3064)
   command line: C:\Windows\system32\Dmgoif32.exe
91. C:\Windows\SysWOW64\Dbdham32.exe (PID 888)
   command line: C:\Windows\system32\Dbdham32.exe
   - Modifies registry class
92. C:\Windows\SysWOW64\Dmjlof32.exe (PID 268)
   command line: C:\Windows\system32\Dmjlof32.exe
93. C:\Windows\SysWOW64\Dbgdgm32.exe (PID 1380)
   command line: C:\Windows\system32\Dbgdgm32.exe
94. C:\Windows\SysWOW64\Dgcmod32.exe (PID 1544)
   command line: C:\Windows\system32\Dgcmod32.exe
95. C:\Windows\SysWOW64\Egfjdchi.exe (PID 2080)
   command line: C:\Windows\system32\Egfjdchi.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
96. C:\Windows\SysWOW64\Ebknblho.exe (PID 2380)
   command line: C:\Windows\system32\Ebknblho.exe
   - Drops file in System32 directory
97. C:\Windows\SysWOW64\Eejjnhgc.exe (PID 1168)
   command line: C:\Windows\system32\Eejjnhgc.exe
98. C:\Windows\SysWOW64\Eldbkbop.exe (PID 644)
   command line: C:\Windows\system32\Eldbkbop.exe
99. C:\Windows\SysWOW64\Glckihcg.exe (PID 2252)
   command line: C:\Windows\system32\Glckihcg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
100. C:\Windows\SysWOW64\Hdefnjkj.exe (PID 2432)
   command line: C:\Windows\system32\Hdefnjkj.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Hdjoii32.exe (PID 2356)
   command line: C:\Windows\system32\Hdjoii32.exe
102. C:\Windows\SysWOW64\Hgiked32.exe (PID 2280)
   command line: C:\Windows\system32\Hgiked32.exe
   - Modifies registry class
103. C:\Windows\SysWOW64\Hnbcaome.exe (PID 2040)
   command line: C:\Windows\system32\Hnbcaome.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
104. C:\Windows\SysWOW64\Ogdhik32.exe (PID 2144)
   command line: C:\Windows\system32\Ogdhik32.exe
105. C:\Windows\SysWOW64\Objmgd32.exe (PID 1736)
   command line: C:\Windows\system32\Objmgd32.exe
106. C:\Windows\SysWOW64\Oggeokoq.exe (PID 1828)
   command line: C:\Windows\system32\Oggeokoq.exe
   - Modifies registry class
107. C:\Windows\SysWOW64\Omcngamh.exe (PID 2404)
   command line: C:\Windows\system32\Omcngamh.exe
108. C:\Windows\SysWOW64\Pgibdjln.exe (PID 2972)
   command line: C:\Windows\system32\Pgibdjln.exe
109. C:\Windows\SysWOW64\Pncjad32.exe (PID 3068)
   command line: C:\Windows\system32\Pncjad32.exe
110. C:\Windows\SysWOW64\Pglojj32.exe (PID 2668)
   command line: C:\Windows\system32\Pglojj32.exe
111. C:\Windows\SysWOW64\Pjjkfe32.exe (PID 2596)
   command line: C:\Windows\system32\Pjjkfe32.exe
112. C:\Windows\SysWOW64\Ppgcol32.exe (PID 2908)
   command line: C:\Windows\system32\Ppgcol32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Aeokba32.exe (PID 2916)
   command line: C:\Windows\system32\Aeokba32.exe
114. C:\Windows\SysWOW64\Anhpkg32.exe (PID 2604)
   command line: C:\Windows\system32\Anhpkg32.exe
115. C:\Windows\SysWOW64\Aaflgb32.exe (PID 536)
   command line: C:\Windows\system32\Aaflgb32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
116. C:\Windows\SysWOW64\Ajnqphhe.exe (PID 1620)
   command line: C:\Windows\system32\Ajnqphhe.exe
   - Drops file in System32 directory
117. C:\Windows\SysWOW64\Aiaqle32.exe (PID 1552)
   command line: C:\Windows\system32\Aiaqle32.exe
118. C:\Windows\SysWOW64\Afeaei32.exe (PID 2024)
   command line: C:\Windows\system32\Afeaei32.exe
119. C:\Windows\SysWOW64\Bhkghqpb.exe (PID 1992)
   command line: C:\Windows\system32\Bhkghqpb.exe
120. C:\Windows\SysWOW64\Baclaf32.exe (PID 2004)
   command line: C:\Windows\system32\Baclaf32.exe
121. C:\Windows\SysWOW64\Bhndnpnp.exe (PID 1628)
   command line: C:\Windows\system32\Bhndnpnp.exe
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Bklpjlmc.exe (PID 2288)
   command line: C:\Windows\system32\Bklpjlmc.exe