Analysis
-
max time kernel
32s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system -
submitted
04-11-2023 12:02
Behavioral task
behavioral1
Sample
NEAS.e9ed1568405763fad927725c0b469f40.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.e9ed1568405763fad927725c0b469f40.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.e9ed1568405763fad927725c0b469f40.exe
-
Size
164KB
-
MD5
e9ed1568405763fad927725c0b469f40
-
SHA1
8b3ae9e686734d16210c4dca2a8cb816275a24b1
-
SHA256
c6f15f7b1ff4ec71d02f347308fa73dc4ab938309f21a5e6d3e50e763ca162b5
-
SHA512
8e86bcdc5c85aa0dd90ed3599ce01c92e46fd5b379dbe9c6237b2e7b0212ecc524f08c4f3f0ad6f3e0609a746b80d1183447c7cceaa0b53ae1624c5cd13e46c2
-
SSDEEP
3072:6btg4mqdo2MT08uFafmHURHAVgnvedh6DRyU:Et/mqdo2MT08uF8YU8gnve7GR
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcjamoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefamlak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liplnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfcbldmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdmihpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpfhoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaaifdhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmphlpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fokdfajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdnbecj.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naimccpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmopkla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohaeia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglgpdcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekfndmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfbcbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdgpnqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgjfek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ednbncmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ollajp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdiejfej.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ionefb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipbocjlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fidhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gejebk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lihobnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohaeia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pokieo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pndpajgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopkjhko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkihdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eabcggll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojnkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeenochi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgbji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikkjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oappcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Noacef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cddaphkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Helngnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibckfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjqqap32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfjcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocllehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhqbkhch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejdiffp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgkbeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gejebk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldjnhce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcedkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmfqgbmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdecha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgkil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elnqmd32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkaglf32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware family classified as a 'backdoor' Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2152-0-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x000b00000000e620-5.dat family_berbew behavioral1/files/0x000b00000000e620-10.dat family_berbew behavioral1/memory/3016-18-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x000b00000000e620-13.dat family_berbew behavioral1/files/0x000b00000000e620-12.dat family_berbew behavioral1/files/0x000b00000000e620-8.dat family_berbew behavioral1/files/0x002f000000015cad-26.dat family_berbew behavioral1/files/0x002f000000015cad-23.dat family_berbew behavioral1/files/0x002f000000015cad-22.dat family_berbew behavioral1/files/0x002f000000015cad-20.dat family_berbew behavioral1/memory/2152-6-0x0000000000220000-0x0000000000265000-memory.dmp family_berbew behavioral1/memory/2680-29-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x002f000000015cad-27.dat family_berbew behavioral1/files/0x0007000000015ec8-33.dat family_berbew behavioral1/memory/2680-34-0x0000000000220000-0x0000000000265000-memory.dmp family_berbew behavioral1/files/0x0007000000015ec8-37.dat family_berbew behavioral1/files/0x0007000000015ec8-40.dat family_berbew behavioral1/files/0x0007000000015ec8-41.dat family_berbew behavioral1/files/0x0007000000015ec8-36.dat family_berbew behavioral1/files/0x0009000000016064-50.dat family_berbew behavioral1/memory/2612-56-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x00060000000167f7-70.dat family_berbew behavioral1/memory/2572-69-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x00060000000167f7-68.dat family_berbew behavioral1/files/0x00060000000167f7-64.dat family_berbew behavioral1/files/0x00060000000167f7-63.dat family_berbew behavioral1/files/0x00060000000167f7-61.dat family_berbew behavioral1/files/0x0009000000016064-54.dat family_berbew behavioral1/files/0x0006000000016baa-81.dat family_berbew 
behavioral1/files/0x0006000000016baa-78.dat family_berbew behavioral1/files/0x0006000000016baa-77.dat family_berbew behavioral1/files/0x0006000000016baa-75.dat family_berbew behavioral1/files/0x0009000000016064-55.dat family_berbew behavioral1/memory/2732-48-0x00000000002D0000-0x0000000000315000-memory.dmp family_berbew behavioral1/files/0x0006000000016baa-82.dat family_berbew behavioral1/files/0x0009000000016064-49.dat family_berbew behavioral1/files/0x0009000000016064-46.dat family_berbew behavioral1/memory/1896-94-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000016c2c-96.dat family_berbew behavioral1/files/0x0006000000016c2c-95.dat family_berbew behavioral1/files/0x0006000000016c2c-91.dat family_berbew behavioral1/files/0x0006000000016c2c-90.dat family_berbew behavioral1/files/0x0006000000016c2c-87.dat family_berbew behavioral1/memory/1860-102-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000016ca4-109.dat family_berbew behavioral1/files/0x0006000000016ce0-121.dat family_berbew behavioral1/files/0x0006000000016ce0-118.dat family_berbew behavioral1/memory/1092-127-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000016ce0-122.dat family_berbew behavioral1/files/0x0006000000016ce0-117.dat family_berbew behavioral1/files/0x0006000000016ce0-115.dat family_berbew behavioral1/memory/2068-114-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000016ca4-108.dat family_berbew behavioral1/files/0x0006000000016cf6-134.dat family_berbew behavioral1/files/0x0006000000016cf6-131.dat family_berbew behavioral1/files/0x0006000000016cf6-130.dat family_berbew behavioral1/files/0x0006000000016cf6-128.dat family_berbew behavioral1/files/0x0006000000016ca4-105.dat family_berbew behavioral1/files/0x0006000000016ca4-104.dat family_berbew behavioral1/files/0x0006000000016ca4-101.dat family_berbew 
behavioral1/memory/308-141-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000016cf6-136.dat family_berbew behavioral1/files/0x002e000000015cb3-142.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3016 Cddaphkn.exe 2680 Cahail32.exe 2732 Cnobnmpl.exe 2612 Ckccgane.exe 2572 Djhphncm.exe 1896 Dglpbbbg.exe 1860 Dpeekh32.exe 2068 Dfamcogo.exe 1092 Dojald32.exe 308 Dhbfdjdp.exe 2888 Dhdcji32.exe 432 Enakbp32.exe 1312 Eqbddk32.exe 1676 Enfenplo.exe 1472 Efaibbij.exe 3004 Eojnkg32.exe 1636 Eplkpgnh.exe 2344 Fidoim32.exe 396 Fpngfgle.exe 1464 Figlolbf.exe 1784 Fncdgcqm.exe 856 Fepiimfg.exe 1868 Fjmaaddo.exe 1528 Fhqbkhch.exe 1508 Fnkjhb32.exe 872 Gnmgmbhb.exe 2348 Ghelfg32.exe 1600 Gdllkhdg.exe 2792 Gjfdhbld.exe 3036 Gfmemc32.exe 1532 Ginnnooi.exe 2824 Haiccald.exe 2688 Hipkdnmf.exe 2156 Hkaglf32.exe 2556 Heglio32.exe 2900 Hlqdei32.exe 272 Hmbpmapf.exe 748 Hmdmcanc.exe 652 Hdnepk32.exe 472 Hiknhbcg.exe 572 Hpefdl32.exe 616 Ikkjbe32.exe 1660 Ipgbjl32.exe 2480 Iipgcaob.exe 2352 Ilncom32.exe 292 Ichllgfb.exe 2268 Ijbdha32.exe 980 Ioolqh32.exe 1544 Ieidmbcc.exe 1628 Ikfmfi32.exe 904 Ifkacb32.exe 1900 Ihjnom32.exe 2084 Jnffgd32.exe 2772 Jfknbe32.exe 2724 Kjifhc32.exe 2848 Kkjcplpa.exe 2960 Kbdklf32.exe 2596 Kmjojo32.exe 2696 Kfbcbd32.exe 2992 Kkolkk32.exe 2412 Knmhgf32.exe 2920 Kegqdqbl.exe 1744 Kgemplap.exe 1624 Lanaiahq.exe -
Loads dropped DLL 64 IoCs
pid Process 2152 NEAS.e9ed1568405763fad927725c0b469f40.exe 2152 NEAS.e9ed1568405763fad927725c0b469f40.exe 3016 Cddaphkn.exe 3016 Cddaphkn.exe 2680 Cahail32.exe 2680 Cahail32.exe 2732 Cnobnmpl.exe 2732 Cnobnmpl.exe 2612 Ckccgane.exe 2612 Ckccgane.exe 2572 Djhphncm.exe 2572 Djhphncm.exe 1896 Dglpbbbg.exe 1896 Dglpbbbg.exe 1860 Dpeekh32.exe 1860 Dpeekh32.exe 2068 Dfamcogo.exe 2068 Dfamcogo.exe 1092 Dojald32.exe 1092 Dojald32.exe 308 Dhbfdjdp.exe 308 Dhbfdjdp.exe 2888 Dhdcji32.exe 2888 Dhdcji32.exe 432 Enakbp32.exe 432 Enakbp32.exe 1312 Eqbddk32.exe 1312 Eqbddk32.exe 1676 Enfenplo.exe 1676 Enfenplo.exe 1472 Efaibbij.exe 1472 Efaibbij.exe 3004 Eojnkg32.exe 3004 Eojnkg32.exe 1636 Eplkpgnh.exe 1636 Eplkpgnh.exe 2344 Fidoim32.exe 2344 Fidoim32.exe 396 Fpngfgle.exe 396 Fpngfgle.exe 1464 Figlolbf.exe 1464 Figlolbf.exe 1784 Fncdgcqm.exe 1784 Fncdgcqm.exe 856 Fepiimfg.exe 856 Fepiimfg.exe 1868 Fjmaaddo.exe 1868 Fjmaaddo.exe 1528 Fhqbkhch.exe 1528 Fhqbkhch.exe 1508 Fnkjhb32.exe 1508 Fnkjhb32.exe 872 Gnmgmbhb.exe 872 Gnmgmbhb.exe 2348 Ghelfg32.exe 2348 Ghelfg32.exe 1600 Gdllkhdg.exe 1600 Gdllkhdg.exe 2792 Gjfdhbld.exe 2792 Gjfdhbld.exe 3036 Gfmemc32.exe 3036 Gfmemc32.exe 1532 Ginnnooi.exe 1532 Ginnnooi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cifmcd32.dll Bfpnmj32.exe File opened for modification C:\Windows\SysWOW64\Pnalad32.exe Pclhdl32.exe File created C:\Windows\SysWOW64\Qgjqjjll.exe Pnalad32.exe File created C:\Windows\SysWOW64\Oghiae32.dll Dojald32.exe File created C:\Windows\SysWOW64\Kcpnnfqg.dll Naimccpo.exe File created C:\Windows\SysWOW64\Kncphpjl.dll Dhbfdjdp.exe File created C:\Windows\SysWOW64\Edfpjabf.dll Hmbpmapf.exe File created C:\Windows\SysWOW64\Hibeif32.dll Ohaeia32.exe File opened for modification C:\Windows\SysWOW64\Ibckfa32.exe Ihmgiiff.exe File opened for modification C:\Windows\SysWOW64\Kmobhmnn.exe Kgbipf32.exe File created C:\Windows\SysWOW64\Cmmhaf32.exe Cllkin32.exe File created C:\Windows\SysWOW64\Hcodhoaf.dll Hipkdnmf.exe File opened for modification C:\Windows\SysWOW64\Lbfdaigg.exe Lmikibio.exe File created C:\Windows\SysWOW64\Jnghnbki.dll Oifdbb32.exe File opened for modification C:\Windows\SysWOW64\Kdmgclfk.exe Kbokgpgg.exe File created C:\Windows\SysWOW64\Bdnlccec.dll Nmhmlbkk.exe File created C:\Windows\SysWOW64\Kkdonaop.dll Phnnho32.exe File opened for modification C:\Windows\SysWOW64\Hiknhbcg.exe Hdnepk32.exe File created C:\Windows\SysWOW64\Diaagb32.dll Mmneda32.exe File created C:\Windows\SysWOW64\Qkhpkoen.exe Qeohnd32.exe File created C:\Windows\SysWOW64\Glgjednf.exe Gembhj32.exe File opened for modification C:\Windows\SysWOW64\Cdgpnqpo.exe Cmmhaf32.exe File created C:\Windows\SysWOW64\Dcnilecc.dll Okdkal32.exe File created C:\Windows\SysWOW64\Oepbgcpb.dll Oappcfmb.exe File created C:\Windows\SysWOW64\Pnalad32.exe Pclhdl32.exe File opened for modification C:\Windows\SysWOW64\Nmbknddp.exe Ngibaj32.exe File opened for modification C:\Windows\SysWOW64\Dhmfod32.exe Dkiefp32.exe File created C:\Windows\SysWOW64\Nmbknddp.exe Ngibaj32.exe File opened for modification C:\Windows\SysWOW64\Fnqqgm32.exe Fidhof32.exe File created C:\Windows\SysWOW64\Fgnokb32.exe Fnejbmko.exe File created C:\Windows\SysWOW64\Fbddqihf.dll 
Kobkpdfa.exe File opened for modification C:\Windows\SysWOW64\Poeipifl.exe Olgmcmgh.exe File created C:\Windows\SysWOW64\Ijbdha32.exe Ichllgfb.exe File created C:\Windows\SysWOW64\Lpekon32.exe Lndohedg.exe File created C:\Windows\SysWOW64\Ipbocjlg.exe Ikefkcmo.exe File created C:\Windows\SysWOW64\Abmdafpp.exe Aoohekal.exe File created C:\Windows\SysWOW64\Lednakhd.dll Dhdcji32.exe File opened for modification C:\Windows\SysWOW64\Qiladcdh.exe Qqeicede.exe File created C:\Windows\SysWOW64\Qofpoogh.dll Agdjkogm.exe File created C:\Windows\SysWOW64\Jblnaq32.exe Jcjnfdbp.exe File opened for modification C:\Windows\SysWOW64\Knjegqif.exe Kgpmjf32.exe File created C:\Windows\SysWOW64\Haiccald.exe Ginnnooi.exe File created C:\Windows\SysWOW64\Amqccfed.exe Agdjkogm.exe File created C:\Windows\SysWOW64\Gbgffb32.dll Kbcdbp32.exe File opened for modification C:\Windows\SysWOW64\Aidphq32.exe Abkhkgbb.exe File opened for modification C:\Windows\SysWOW64\Fjmaaddo.exe Fepiimfg.exe File created C:\Windows\SysWOW64\Adagkoae.dll Pfdabino.exe File created C:\Windows\SysWOW64\Oaebbp32.dll Jblnaq32.exe File opened for modification C:\Windows\SysWOW64\Bbmapj32.exe Bjoofhgc.exe File created C:\Windows\SysWOW64\Bfpnmj32.exe Bpfeppop.exe File opened for modification C:\Windows\SysWOW64\Ihdmihpn.exe Iefamlak.exe File created C:\Windows\SysWOW64\Fcmmdp32.dll Gnefapmj.exe File opened for modification C:\Windows\SysWOW64\Helngnie.exe Hdkape32.exe File created C:\Windows\SysWOW64\Odjbnhfc.dll Kbokgpgg.exe File created C:\Windows\SysWOW64\Mildmcdo.dll Lcncpfaf.exe File created C:\Windows\SysWOW64\Jajjnjlc.dll Bgdibkam.exe File opened for modification C:\Windows\SysWOW64\Hmdmcanc.exe Hmbpmapf.exe File created C:\Windows\SysWOW64\Deccjdkf.dll Fmfnhj32.exe File created C:\Windows\SysWOW64\Amcbfmck.dll Ndnlnm32.exe File opened for modification C:\Windows\SysWOW64\Chnbcpmn.exe Cbajkiof.exe File opened for modification C:\Windows\SysWOW64\Hlqdei32.exe Heglio32.exe File opened for modification 
C:\Windows\SysWOW64\Lnjafd32.exe Lklejh32.exe File created C:\Windows\SysWOW64\Ehieciqq.dll Bphbeplm.exe File opened for modification C:\Windows\SysWOW64\Fokdfajl.exe Egdlec32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll" Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npojdpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdhlnhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Helngnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imoilo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbjcqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Accnekon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Badnhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bekmle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdlklmn.dll" Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocalkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcijeg32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qiladcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeiloh32.dll" Jcbhee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ianinp32.dll" Pakllc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chnbcpmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcnghm32.dll" Cdecha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfamcogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhbfdjdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhgkil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgcnh32.dll" Dmdnbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fidoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpekon32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgmbkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ginnnooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" Aeenochi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnlccec.dll" Nmhmlbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knpkmqgb.dll" Clgbno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnffgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhhfdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkihdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoohekal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll" Pmojocel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amcpie32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bolejaam.dll" Gejebk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oionacqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmbemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkefga32.dll" Heakcjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jblnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdbpnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbcdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllcjack.dll" Lflplbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bejdiffp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdgpnqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafcif32.dll" Ieidmbcc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngibaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohaeia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elhnof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okojkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aekqmbod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnlkmkpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohodj32.dll" Gnpmfqap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lihobnap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pohfehdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cddaphkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cahail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiknhbcg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgpeal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfdabino.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 3016 2152 NEAS.e9ed1568405763fad927725c0b469f40.exe 28 PID 2152 wrote to memory of 3016 2152 NEAS.e9ed1568405763fad927725c0b469f40.exe 28 PID 2152 wrote to memory of 3016 2152 NEAS.e9ed1568405763fad927725c0b469f40.exe 28 PID 2152 wrote to memory of 3016 2152 NEAS.e9ed1568405763fad927725c0b469f40.exe 28 PID 3016 wrote to memory of 2680 3016 Cddaphkn.exe 29 PID 3016 wrote to memory of 2680 3016 Cddaphkn.exe 29 PID 3016 wrote to memory of 2680 3016 Cddaphkn.exe 29 PID 3016 wrote to memory of 2680 3016 Cddaphkn.exe 29 PID 2680 wrote to memory of 2732 2680 Cahail32.exe 30 PID 2680 wrote to memory of 2732 2680 Cahail32.exe 30 PID 2680 wrote to memory of 2732 2680 Cahail32.exe 30 PID 2680 wrote to memory of 2732 2680 Cahail32.exe 30 PID 2732 wrote to memory of 2612 2732 Cnobnmpl.exe 31 PID 2732 wrote to memory of 2612 2732 Cnobnmpl.exe 31 PID 2732 wrote to memory of 2612 2732 Cnobnmpl.exe 31 PID 2732 wrote to memory of 2612 2732 Cnobnmpl.exe 31 PID 2612 wrote to memory of 2572 2612 Ckccgane.exe 32 PID 2612 wrote to memory of 2572 2612 Ckccgane.exe 32 PID 2612 wrote to memory of 2572 2612 Ckccgane.exe 32 PID 2612 wrote to memory of 2572 2612 Ckccgane.exe 32 PID 2572 wrote to memory of 1896 2572 Djhphncm.exe 33 PID 2572 wrote to memory of 1896 2572 Djhphncm.exe 33 PID 2572 wrote to memory of 1896 2572 Djhphncm.exe 33 PID 2572 wrote to memory of 1896 2572 Djhphncm.exe 33 PID 1896 wrote to memory of 1860 1896 Dglpbbbg.exe 34 PID 1896 wrote to memory of 1860 1896 Dglpbbbg.exe 34 PID 1896 wrote to memory of 1860 1896 Dglpbbbg.exe 34 PID 1896 wrote to memory of 1860 1896 Dglpbbbg.exe 34 PID 1860 wrote to memory of 2068 1860 Dpeekh32.exe 35 PID 1860 wrote to memory of 2068 1860 Dpeekh32.exe 35 PID 1860 wrote to memory of 2068 1860 Dpeekh32.exe 35 PID 1860 wrote to memory of 2068 1860 Dpeekh32.exe 35 PID 2068 wrote to memory of 1092 2068 Dfamcogo.exe 37 PID 2068 wrote to memory of 1092 2068 Dfamcogo.exe 37 PID 2068 
wrote to memory of 1092 2068 Dfamcogo.exe 37 PID 2068 wrote to memory of 1092 2068 Dfamcogo.exe 37 PID 1092 wrote to memory of 308 1092 Dojald32.exe 36 PID 1092 wrote to memory of 308 1092 Dojald32.exe 36 PID 1092 wrote to memory of 308 1092 Dojald32.exe 36 PID 1092 wrote to memory of 308 1092 Dojald32.exe 36 PID 308 wrote to memory of 2888 308 Dhbfdjdp.exe 38 PID 308 wrote to memory of 2888 308 Dhbfdjdp.exe 38 PID 308 wrote to memory of 2888 308 Dhbfdjdp.exe 38 PID 308 wrote to memory of 2888 308 Dhbfdjdp.exe 38 PID 2888 wrote to memory of 432 2888 Dhdcji32.exe 39 PID 2888 wrote to memory of 432 2888 Dhdcji32.exe 39 PID 2888 wrote to memory of 432 2888 Dhdcji32.exe 39 PID 2888 wrote to memory of 432 2888 Dhdcji32.exe 39 PID 432 wrote to memory of 1312 432 Enakbp32.exe 40 PID 432 wrote to memory of 1312 432 Enakbp32.exe 40 PID 432 wrote to memory of 1312 432 Enakbp32.exe 40 PID 432 wrote to memory of 1312 432 Enakbp32.exe 40 PID 1312 wrote to memory of 1676 1312 Eqbddk32.exe 41 PID 1312 wrote to memory of 1676 1312 Eqbddk32.exe 41 PID 1312 wrote to memory of 1676 1312 Eqbddk32.exe 41 PID 1312 wrote to memory of 1676 1312 Eqbddk32.exe 41 PID 1676 wrote to memory of 1472 1676 Enfenplo.exe 42 PID 1676 wrote to memory of 1472 1676 Enfenplo.exe 42 PID 1676 wrote to memory of 1472 1676 Enfenplo.exe 42 PID 1676 wrote to memory of 1472 1676 Enfenplo.exe 42 PID 1472 wrote to memory of 3004 1472 Efaibbij.exe 43 PID 1472 wrote to memory of 3004 1472 Efaibbij.exe 43 PID 1472 wrote to memory of 3004 1472 Efaibbij.exe 43 PID 1472 wrote to memory of 3004 1472 Efaibbij.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e9ed1568405763fad927725c0b469f40.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e9ed1568405763fad927725c0b469f40.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1092
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe5⤵PID:2616
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe6⤵PID:4384
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe23⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe27⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe29⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:652 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe32⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Ikkjbe32.exeC:\Windows\system32\Ikkjbe32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe34⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe35⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe36⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:292 -
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe38⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe39⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe41⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe42⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe43⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe45⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe46⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe47⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe48⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe49⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe51⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe52⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe53⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe54⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe55⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe56⤵PID:2764
-
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe57⤵PID:920
-
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe58⤵PID:1292
-
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe59⤵
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe60⤵
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe61⤵PID:2436
-
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe62⤵
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe63⤵PID:1912
-
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe65⤵PID:2428
-
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe66⤵PID:2160
-
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe68⤵PID:2000
-
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe69⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe70⤵PID:2840
-
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe72⤵PID:2464
-
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe73⤵PID:2984
-
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe74⤵PID:484
-
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe75⤵PID:792
-
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe76⤵PID:764
-
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe77⤵PID:2948
-
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe78⤵PID:700
-
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe80⤵PID:1356
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe81⤵PID:1000
-
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe82⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe84⤵PID:940
-
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe86⤵PID:1720
-
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe87⤵PID:1260
-
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe88⤵PID:1548
-
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe89⤵PID:2340
-
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe90⤵PID:2708
-
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe93⤵PID:2652
-
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe94⤵PID:2756
-
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe95⤵PID:1300
-
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe96⤵PID:1364
-
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe97⤵PID:2040
-
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe98⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe99⤵PID:988
-
C:\Windows\SysWOW64\Odlojanh.exeC:\Windows\system32\Odlojanh.exe100⤵PID:2080
-
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe101⤵PID:1308
-
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe103⤵
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe104⤵PID:1808
-
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe105⤵PID:1052
-
C:\Windows\SysWOW64\Pdaheq32.exeC:\Windows\system32\Pdaheq32.exe106⤵PID:2136
-
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe107⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe108⤵PID:2200
-
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Pfdabino.exeC:\Windows\system32\Pfdabino.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe111⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe112⤵PID:1632
-
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe113⤵PID:2712
-
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe114⤵PID:1224
-
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe115⤵PID:2636
-
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe116⤵PID:2564
-
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe117⤵PID:876
-
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe119⤵
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe120⤵PID:1704
-
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe121⤵PID:3012
-
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe122⤵
- Drops file in System32 directory
PID:900