Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2023, 15:58
Behavioral task
behavioral1
Sample
NEAS.ec800196611763e84fb8d9a13e6deb90.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.ec800196611763e84fb8d9a13e6deb90.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.ec800196611763e84fb8d9a13e6deb90.exe
-
Size
107KB
-
MD5
ec800196611763e84fb8d9a13e6deb90
-
SHA1
071afe2669482e78c767bc3e50a45e725aa5b5eb
-
SHA256
fa6f599c5d3584c530c2e751de0993e4db6b54d751ff3b7ad6845bdc1766188d
-
SHA512
327273d260991015e98411518be7718cc95f703c2d37e6ac2322a533ad14364a8e3f237a41fb9d7868c1d3f3404e9ef086b23e86bac03412a779a92903061ae6
-
SSDEEP
3072:WBRX3byG7V77888ZKKVUaMU7uihJ5233y:EXLyG7V77888QgUni5i3y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pccahbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaqegecm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfennic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lafmjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocihgnam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legben32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nciopppp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npmagine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baegibae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fineoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giljfddl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlmfeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeokal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlddqem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaagkcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajgkfio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfhkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhegig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccahbmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pggbkagp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmklglpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggilil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjeljhd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekmnajj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodcdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgdai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oophlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndjndbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclkgccf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmeede32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilibdmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcegclgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igchfiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpkflfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feqeog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbafoge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfckahdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgcakon.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foapaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqklkbbi.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/4964-0-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/4964-1-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e22-7.dat family_berbew behavioral2/files/0x0006000000022e22-9.dat family_berbew behavioral2/files/0x0006000000022e24-15.dat family_berbew behavioral2/memory/1864-8-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/4176-17-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e26-18.dat family_berbew behavioral2/files/0x0006000000022e24-16.dat family_berbew behavioral2/files/0x0006000000022e26-25.dat family_berbew behavioral2/memory/4708-24-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e28-31.dat family_berbew behavioral2/files/0x0006000000022e28-32.dat family_berbew behavioral2/memory/3644-33-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e26-23.dat family_berbew behavioral2/memory/2200-40-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2a-39.dat family_berbew behavioral2/files/0x0006000000022e2a-41.dat family_berbew behavioral2/files/0x0006000000022e2c-47.dat family_berbew behavioral2/files/0x0006000000022e2c-49.dat family_berbew behavioral2/memory/3140-48-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2f-55.dat family_berbew behavioral2/files/0x0006000000022e2f-57.dat family_berbew behavioral2/memory/4824-56-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e31-63.dat family_berbew behavioral2/memory/1440-65-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e31-64.dat family_berbew behavioral2/files/0x0006000000022e34-72.dat family_berbew behavioral2/memory/4964-73-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e34-71.dat family_berbew behavioral2/memory/4536-77-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/3780-81-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e36-80.dat family_berbew behavioral2/files/0x0006000000022e36-82.dat family_berbew behavioral2/memory/1864-89-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0007000000022e1f-88.dat family_berbew behavioral2/files/0x0007000000022e1f-90.dat family_berbew behavioral2/memory/4072-95-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/4176-98-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e39-97.dat family_berbew behavioral2/memory/4012-100-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e39-99.dat family_berbew behavioral2/files/0x0006000000022e3b-106.dat family_berbew behavioral2/files/0x0006000000022e3b-108.dat family_berbew behavioral2/memory/4708-107-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/3992-109-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3d-115.dat family_berbew behavioral2/memory/3644-116-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/4808-118-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3d-117.dat family_berbew behavioral2/memory/564-126-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/2200-125-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e3f-124.dat family_berbew behavioral2/files/0x0006000000022e3f-127.dat family_berbew behavioral2/files/0x0006000000022e41-133.dat family_berbew behavioral2/memory/3140-134-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/1772-136-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e41-135.dat family_berbew behavioral2/files/0x0006000000022e43-142.dat family_berbew behavioral2/memory/4824-143-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e43-144.dat family_berbew behavioral2/memory/3572-145-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/memory/1440-152-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral2/files/0x0006000000022e45-153.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1864 Klljnp32.exe 4176 Kfankifm.exe 4708 Kmkfhc32.exe 3644 Kfckahdj.exe 2200 Kmncnb32.exe 3140 Lbjlfi32.exe 4824 Lmppcbjd.exe 1440 Ldjhpl32.exe 4536 Llemdo32.exe 3780 Lboeaifi.exe 4072 Ldoaklml.exe 4012 Lmgfda32.exe 3992 Lphoelqn.exe 4808 Mdehlk32.exe 564 Mmnldp32.exe 1772 Mckemg32.exe 3572 Mpoefk32.exe 2832 Mgimcebb.exe 1544 Menjdbgj.exe 1596 Ndokbi32.exe 3824 Nilcjp32.exe 1604 Ndaggimg.exe 3540 Njnpppkn.exe 4604 Ndcdmikd.exe 3852 Neeqea32.exe 3900 Npjebj32.exe 496 Nnneknob.exe 1252 Npmagine.exe 2268 Nfjjppmm.exe 2932 Olcbmj32.exe 5024 Ocnjidkf.exe 1632 Oncofm32.exe 1904 Opdghh32.exe 2204 Ojllan32.exe 4380 Oqfdnhfk.exe 3456 Ojoign32.exe 976 Ocgmpccl.exe 2988 Pnlaml32.exe 4840 Pqknig32.exe 3512 Pjcbbmif.exe 1208 Pqmjog32.exe 2940 Pggbkagp.exe 4420 Pjeoglgc.exe 2576 Pflplnlg.exe 4576 Pncgmkmj.exe 2796 Pgllfp32.exe 3300 Pjjhbl32.exe 3920 Pmidog32.exe 3940 Bmbiamhi.exe 1796 Bclang32.exe 2760 Bggnof32.exe 4160 Bjfjka32.exe 1736 Cmdfgm32.exe 3280 Cabomkll.exe 2896 Ccqkigkp.exe 3164 Cmipblaq.exe 4904 Cgndoeag.exe 1732 Cjmpkqqj.exe 4276 Cmklglpn.exe 1268 Ehailbaa.exe 1620 Emnbdioi.exe 2264 Eplnpeol.exe 1520 Ehcfaboo.exe 372 Efhcbodf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Monjjgkb.exe Mmpmnl32.exe File created C:\Windows\SysWOW64\Phajna32.exe Ppjbmc32.exe File created C:\Windows\SysWOW64\Jklliiom.dll Iahgad32.exe File opened for modification C:\Windows\SysWOW64\Kfckahdj.exe Kmkfhc32.exe File created C:\Windows\SysWOW64\Bbgeno32.exe Bohibc32.exe File created C:\Windows\SysWOW64\Qgfcle32.dll Bfbaonae.exe File opened for modification C:\Windows\SysWOW64\Cimmggfl.exe Cfnqklgh.exe File created C:\Windows\SysWOW64\Knalji32.exe Kggcnoic.exe File opened for modification C:\Windows\SysWOW64\Lokdnjkg.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Mnhdgpii.exe Mfqlfb32.exe File created C:\Windows\SysWOW64\Pmidog32.exe Pjjhbl32.exe File created C:\Windows\SysWOW64\Gnhnaf32.exe Ggnedlao.exe File opened for modification C:\Windows\SysWOW64\Bhpofl32.exe Baegibae.exe File created C:\Windows\SysWOW64\Bgagea32.dll Nnfpinmi.exe File created C:\Windows\SysWOW64\Oophlo32.exe Oifppdpd.exe File opened for modification C:\Windows\SysWOW64\Oncofm32.exe Ocnjidkf.exe File opened for modification C:\Windows\SysWOW64\Olfghg32.exe Oelolmnd.exe File opened for modification C:\Windows\SysWOW64\Pfandnla.exe Pccahbmn.exe File created C:\Windows\SysWOW64\Mfbaalbi.exe Mohidbkl.exe File opened for modification C:\Windows\SysWOW64\Oqklkbbi.exe Oiccje32.exe File created C:\Windows\SysWOW64\Bpcaaeme.dll Ahmjjoig.exe File created C:\Windows\SysWOW64\Igchfiof.exe Iddljmpc.exe File opened for modification C:\Windows\SysWOW64\Kpanan32.exe Koaagkcb.exe File created C:\Windows\SysWOW64\Nnfpinmi.exe Nqbpojnp.exe File created C:\Windows\SysWOW64\Phkjck32.dll Lmgfda32.exe File created C:\Windows\SysWOW64\Aamebb32.dll Coegoe32.exe File created C:\Windows\SysWOW64\Mjhjimfo.dll Dkcndeen.exe File opened for modification C:\Windows\SysWOW64\Klggli32.exe Kiikpnmj.exe File created C:\Windows\SysWOW64\Nckkfp32.exe Noppeaed.exe File created C:\Windows\SysWOW64\Ennamn32.dll Cacckp32.exe File created C:\Windows\SysWOW64\Hpceplkl.dll Haaaaeim.exe File created C:\Windows\SysWOW64\Ipkdek32.exe Ihdldn32.exe File created C:\Windows\SysWOW64\Lcmodajm.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Jjgchm32.exe Gdlfhj32.exe File created C:\Windows\SysWOW64\Lgpoihnl.exe Kjlopc32.exe File created C:\Windows\SysWOW64\Ganldgib.exe Gkaclqkk.exe File opened for modification C:\Windows\SysWOW64\Edeeci32.exe Egaejeej.exe File created C:\Windows\SysWOW64\Balenlhn.dll Oanfen32.exe File created C:\Windows\SysWOW64\Bohibc32.exe Pkenjh32.exe File opened for modification C:\Windows\SysWOW64\Efhcbodf.exe Ehcfaboo.exe File opened for modification C:\Windows\SysWOW64\Hkeaqi32.exe Hhfedm32.exe File created C:\Windows\SysWOW64\Nhjnjq32.dll Ccpdoqgd.exe File created C:\Windows\SysWOW64\Jgbchj32.exe Jphkkpbp.exe File opened for modification C:\Windows\SysWOW64\Opqofe32.exe Onocomdo.exe File created C:\Windows\SysWOW64\Nabbod32.dll Ejflhm32.exe File opened for modification C:\Windows\SysWOW64\Lljdai32.exe Likhem32.exe File created C:\Windows\SysWOW64\Mablfnne.exe Lcmodajm.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Bdojjo32.exe File created C:\Windows\SysWOW64\Gnobcjlg.dll Gkaclqkk.exe File opened for modification C:\Windows\SysWOW64\Chfegk32.exe Cponen32.exe File opened for modification C:\Windows\SysWOW64\Fkofga32.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Enndkpea.dll Hnbeeiji.exe File opened for modification C:\Windows\SysWOW64\Ojhiogdd.exe Obqanjdb.exe File created C:\Windows\SysWOW64\Pnbmqiee.dll Cihclh32.exe File created C:\Windows\SysWOW64\Cbeapmll.exe Cofecami.exe File opened for modification C:\Windows\SysWOW64\Mjjkaabc.exe Mcpcdg32.exe File created C:\Windows\SysWOW64\Ggpenegb.dll Phajna32.exe File opened for modification C:\Windows\SysWOW64\Gnhnaf32.exe Ggnedlao.exe File created C:\Windows\SysWOW64\Cnaaib32.exe Bhblllfo.exe File created C:\Windows\SysWOW64\Nilcjp32.exe Ndokbi32.exe File created C:\Windows\SysWOW64\Hihibbjo.exe Haaaaeim.exe File opened for modification C:\Windows\SysWOW64\Pfhmjf32.exe Ppnenlka.exe File opened for modification C:\Windows\SysWOW64\Megljppl.exe Mmpdhboj.exe File created C:\Windows\SysWOW64\Mioaanec.dll Apaadpng.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3368 9668 WerFault.exe 618 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mofmobmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noiilpik.dll" Bclang32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jepjhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgclpkac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll" Pggbkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flqdlnde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajkqfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npakijcp.dll" Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oheihn32.dll" Efhcbodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oondonie.dll" Egaejeej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hncfnebg.dll" Gpcmga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmncnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dglkoeio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqhjggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmkfhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlcalieg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihpcinld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll" Mnhdgpii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noppeaed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdahg32.dll" Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjppk32.dll" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idieem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemqgjog.dll" Kcpahpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegpifod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbnhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll" Nmfmde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlmfeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnkfmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkcndeen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eapjpi32.dll" Pplhhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fineoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmaqlh.dll" Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlppno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdlfhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglkoeio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edplhjhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeocld32.dll" Bmbiamhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdojjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhiajmod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekmnajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgbfhmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmbmpbk.dll" Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohhnbhok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debbhd32.dll" Embkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpiqfima.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4964 wrote to memory of 1864 4964 NEAS.ec800196611763e84fb8d9a13e6deb90.exe 86 PID 4964 wrote to memory of 1864 4964 NEAS.ec800196611763e84fb8d9a13e6deb90.exe 86 PID 4964 wrote to memory of 1864 4964 NEAS.ec800196611763e84fb8d9a13e6deb90.exe 86 PID 1864 wrote to memory of 4176 1864 Klljnp32.exe 87 PID 1864 wrote to memory of 4176 1864 Klljnp32.exe 87 PID 1864 wrote to memory of 4176 1864 Klljnp32.exe 87 PID 4176 wrote to memory of 4708 4176 Kfankifm.exe 89 PID 4176 wrote to memory of 4708 4176 Kfankifm.exe 89 PID 4176 wrote to memory of 4708 4176 Kfankifm.exe 89 PID 4708 wrote to memory of 3644 4708 Kmkfhc32.exe 88 PID 4708 wrote to memory of 3644 4708 Kmkfhc32.exe 88 PID 4708 wrote to memory of 3644 4708 Kmkfhc32.exe 88 PID 3644 wrote to memory of 2200 3644 Kfckahdj.exe 90 PID 3644 wrote to memory of 2200 3644 Kfckahdj.exe 90 PID 3644 wrote to memory of 2200 3644 Kfckahdj.exe 90 PID 2200 wrote to memory of 3140 2200 Kmncnb32.exe 91 PID 2200 wrote to memory of 3140 2200 Kmncnb32.exe 91 PID 2200 wrote to memory of 3140 2200 Kmncnb32.exe 91 PID 3140 wrote to memory of 4824 3140 Lbjlfi32.exe 92 PID 3140 wrote to memory of 4824 3140 Lbjlfi32.exe 92 PID 3140 wrote to memory of 4824 3140 Lbjlfi32.exe 92 PID 4824 wrote to memory of 1440 4824 Lmppcbjd.exe 93 PID 4824 wrote to memory of 1440 4824 Lmppcbjd.exe 93 PID 4824 wrote to memory of 1440 4824 Lmppcbjd.exe 93 PID 1440 wrote to memory of 4536 1440 Ldjhpl32.exe 95 PID 1440 wrote to memory of 4536 1440 Ldjhpl32.exe 95 PID 1440 wrote to memory of 4536 1440 Ldjhpl32.exe 95 PID 4536 wrote to memory of 3780 4536 Llemdo32.exe 96 PID 4536 wrote to memory of 3780 4536 Llemdo32.exe 96 PID 4536 wrote to memory of 3780 4536 Llemdo32.exe 96 PID 3780 wrote to memory of 4072 3780 Lboeaifi.exe 97 PID 3780 wrote to memory of 4072 3780 Lboeaifi.exe 97 PID 3780 wrote to memory of 4072 3780 Lboeaifi.exe 97 PID 4072 wrote to memory of 4012 4072 Ldoaklml.exe 98 PID 4072 wrote to memory of 4012 4072 Ldoaklml.exe 98 PID 4072 wrote to memory of 4012 4072 Ldoaklml.exe 98 PID 4012 wrote to memory of 3992 4012 Lmgfda32.exe 99 PID 4012 wrote to memory of 3992 4012 Lmgfda32.exe 99 PID 4012 wrote to memory of 3992 4012 Lmgfda32.exe 99 PID 3992 wrote to memory of 4808 3992 Lphoelqn.exe 101 PID 3992 wrote to memory of 4808 3992 Lphoelqn.exe 101 PID 3992 wrote to memory of 4808 3992 Lphoelqn.exe 101 PID 4808 wrote to memory of 564 4808 Mdehlk32.exe 102 PID 4808 wrote to memory of 564 4808 Mdehlk32.exe 102 PID 4808 wrote to memory of 564 4808 Mdehlk32.exe 102 PID 564 wrote to memory of 1772 564 Mmnldp32.exe 103 PID 564 wrote to memory of 1772 564 Mmnldp32.exe 103 PID 564 wrote to memory of 1772 564 Mmnldp32.exe 103 PID 1772 wrote to memory of 3572 1772 Mckemg32.exe 104 PID 1772 wrote to memory of 3572 1772 Mckemg32.exe 104 PID 1772 wrote to memory of 3572 1772 Mckemg32.exe 104 PID 3572 wrote to memory of 2832 3572 Mpoefk32.exe 105 PID 3572 wrote to memory of 2832 3572 Mpoefk32.exe 105 PID 3572 wrote to memory of 2832 3572 Mpoefk32.exe 105 PID 2832 wrote to memory of 1544 2832 Mgimcebb.exe 109 PID 2832 wrote to memory of 1544 2832 Mgimcebb.exe 109 PID 2832 wrote to memory of 1544 2832 Mgimcebb.exe 109 PID 1544 wrote to memory of 1596 1544 Menjdbgj.exe 108 PID 1544 wrote to memory of 1596 1544 Menjdbgj.exe 108 PID 1544 wrote to memory of 1596 1544 Menjdbgj.exe 108 PID 1596 wrote to memory of 3824 1596 Ndokbi32.exe 106 PID 1596 wrote to memory of 3824 1596 Ndokbi32.exe 106 PID 1596 wrote to memory of 3824 1596 Ndokbi32.exe 106 PID 3824 wrote to memory of 1604 3824 Nilcjp32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.ec800196611763e84fb8d9a13e6deb90.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.ec800196611763e84fb8d9a13e6deb90.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\SysWOW64\Kmkfhc32.exeC:\Windows\system32\Kmkfhc32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4708
-
-
-
-
C:\Windows\SysWOW64\Kfckahdj.exeC:\Windows\system32\Kfckahdj.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Lbjlfi32.exeC:\Windows\system32\Lbjlfi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Lmppcbjd.exeC:\Windows\system32\Lmppcbjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Llemdo32.exeC:\Windows\system32\Llemdo32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Lphoelqn.exeC:\Windows\system32\Lphoelqn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe2⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe3⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe4⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe5⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe6⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe7⤵
- Executes dropped EXE
PID:496
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1596
-
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe2⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe3⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe5⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe6⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe7⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe8⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe9⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe11⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe12⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe13⤵
- Executes dropped EXE
- Modifies registry class
PID:3512 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe14⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe16⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe17⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe18⤵
- Executes dropped EXE
PID:4576 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe19⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3300 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe21⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe22⤵
- Executes dropped EXE
- Modifies registry class
PID:3940 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe25⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe26⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe27⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe28⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe30⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe31⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4276 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe33⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe34⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe35⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:372 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe38⤵
- Modifies registry class
PID:4292 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe39⤵PID:3948
-
C:\Windows\SysWOW64\Efkphnbd.exeC:\Windows\system32\Efkphnbd.exe40⤵PID:3128
-
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe41⤵
- Drops file in System32 directory
PID:3288 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe42⤵PID:1972
-
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe43⤵PID:4212
-
C:\Windows\SysWOW64\Fkihnmhj.exeC:\Windows\system32\Fkihnmhj.exe44⤵PID:5044
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe45⤵PID:364
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe46⤵PID:4548
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe48⤵PID:3628
-
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe49⤵
- Modifies registry class
PID:4244 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe50⤵PID:3956
-
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3764 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe52⤵PID:4116
-
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe53⤵PID:772
-
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe54⤵PID:2424
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4660 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe56⤵PID:5132
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe57⤵PID:5172
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe58⤵PID:5216
-
C:\Windows\SysWOW64\Gkgeoklj.exeC:\Windows\system32\Gkgeoklj.exe59⤵PID:5260
-
C:\Windows\SysWOW64\Gpcmga32.exeC:\Windows\system32\Gpcmga32.exe60⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe61⤵
- Drops file in System32 directory
PID:5348 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe62⤵PID:5388
-
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe63⤵PID:5432
-
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe64⤵PID:5476
-
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe65⤵PID:5528
-
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe66⤵PID:5572
-
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe67⤵PID:5632
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe68⤵PID:5676
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe69⤵PID:5716
-
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe70⤵PID:5764
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe71⤵
- Modifies registry class
PID:5808 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe72⤵PID:5872
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe73⤵
- Drops file in System32 directory
PID:5928 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe74⤵PID:5984
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe75⤵PID:6044
-
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe76⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe77⤵PID:6132
-
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe78⤵PID:5156
-
C:\Windows\SysWOW64\Hdpbon32.exeC:\Windows\system32\Hdpbon32.exe79⤵PID:5224
-
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe80⤵
- Modifies registry class
PID:5372 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe81⤵PID:5440
-
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5516 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe83⤵PID:5612
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe84⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5760 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe86⤵PID:5828
-
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe87⤵PID:5940
-
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe88⤵PID:6032
-
C:\Windows\SysWOW64\Ikqqlgem.exeC:\Windows\system32\Ikqqlgem.exe89⤵PID:6112
-
C:\Windows\SysWOW64\Inomhbeq.exeC:\Windows\system32\Inomhbeq.exe90⤵PID:5212
-
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe91⤵
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe92⤵PID:5560
-
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe93⤵PID:5664
-
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe94⤵PID:5776
-
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe95⤵PID:5880
-
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6000 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe97⤵PID:5180
-
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe98⤵PID:5416
-
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe99⤵PID:5700
-
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe100⤵PID:5920
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe101⤵PID:6120
-
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe102⤵
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe103⤵
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe104⤵PID:2092
-
C:\Windows\SysWOW64\Bfbaonae.exeC:\Windows\system32\Bfbaonae.exe105⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe106⤵PID:5312
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe107⤵PID:4600
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe108⤵PID:2816
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe109⤵PID:3424
-
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe110⤵PID:2076
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe111⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe112⤵PID:3912
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe113⤵PID:6140
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe114⤵
- Drops file in System32 directory
PID:4988 -
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe115⤵
- Drops file in System32 directory
PID:6188 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe116⤵PID:6232
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe117⤵
- Drops file in System32 directory
PID:6276 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6324 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe119⤵PID:6364
-
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe120⤵PID:6412
-
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe121⤵PID:6456
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-