Analysis
max time kernel: 196s
max time network: 140s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2023, 09:37

Behavioral task: behavioral1
Sample: NEAS.c4aee5064604760471ce9fdac27737c0_JC.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.c4aee5064604760471ce9fdac27737c0_JC.exe
Resource: win10v2004-20231023-en

General
Target: NEAS.c4aee5064604760471ce9fdac27737c0_JC.exe
Size: 199KB
MD5: c4aee5064604760471ce9fdac27737c0
SHA1: 3106a48a91539d337f196591ca19bfeb56bb88fb
SHA256: f993a383a5b48b50a22f945352e59ae42f85695de9439ae501a852bf62578e5b
SHA512: 99493f7fe5d7985f827e367907acbe1a25edc6f6fbdfadd9847167f09745b1ffd2501238a30302dde959dd5ebb386a89920f7055eab2b638bf03f8ece7fc7f0b
SSDEEP: 6144:tTcscD3fPSZSCZj81+jq4peBK034YOmFz1h:DcjSZSCG1+jheBbOmFxh
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.c4aee5064604760471ce9fdac27737c0_JC.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c4aee5064604760471ce9fdac27737c0_JC.exe", PID 2756)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Apnfno32.exe (command line: C:\Windows\system32\Apnfno32.exe, PID 2640)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Cobhdhha.exe (command line: C:\Windows\system32\Cobhdhha.exe, PID 2776)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Dnnkec32.exe (command line: C:\Windows\system32\Dnnkec32.exe, PID 2540)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Dckcnj32.exe (command line: C:\Windows\system32\Dckcnj32.exe, PID 2572)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\Dncdqcbl.exe (command line: C:\Windows\system32\Dncdqcbl.exe, PID 2476)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\Dodahk32.exe (command line: C:\Windows\system32\Dodahk32.exe, PID 2860)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 1: C:\Windows\SysWOW64\Djjeedhp.exe (command line: C:\Windows\system32\Djjeedhp.exe, PID 324)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Dhobgp32.exe (command line: C:\Windows\system32\Dhobgp32.exe, PID 1532)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Elmkmo32.exe (command line: C:\Windows\system32\Elmkmo32.exe, PID 2408)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Egihcl32.exe (command line: C:\Windows\system32\Egihcl32.exe, PID 632)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Edmilpld.exe (command line: C:\Windows\system32\Edmilpld.exe, PID 2728)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
Depth 1: C:\Windows\SysWOW64\Edofbpja.exe (command line: C:\Windows\system32\Edofbpja.exe, PID 2244)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Ffeldglk.exe (command line: C:\Windows\system32\Ffeldglk.exe, PID 2948)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Ffiepg32.exe (command line: C:\Windows\system32\Ffiepg32.exe, PID 2932)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Facfpddd.exe (command line: C:\Windows\system32\Facfpddd.exe, PID 2112)
- Executes dropped EXE
- Loads dropped DLL
Depth 5: C:\Windows\SysWOW64\Glijnmdj.exe (command line: C:\Windows\system32\Glijnmdj.exe, PID 2360)
- Executes dropped EXE
- Loads dropped DLL
Depth 6: C:\Windows\SysWOW64\Gjngoj32.exe (command line: C:\Windows\system32\Gjngoj32.exe, PID 1864)
- Executes dropped EXE
- Loads dropped DLL
Depth 7: C:\Windows\SysWOW64\Gecklbih.exe (command line: C:\Windows\system32\Gecklbih.exe, PID 1804)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Depth 8: C:\Windows\SysWOW64\Gjpddigo.exe (command line: C:\Windows\system32\Gjpddigo.exe, PID 964)
- Executes dropped EXE
- Loads dropped DLL
Depth 9: C:\Windows\SysWOW64\Ghddnnfi.exe (command line: C:\Windows\system32\Ghddnnfi.exe, PID 900)
- Executes dropped EXE
- Loads dropped DLL
Depth 10: C:\Windows\SysWOW64\Gdmbhnjj.exe (command line: C:\Windows\system32\Gdmbhnjj.exe, PID 1404)
- Executes dropped EXE
- Loads dropped DLL
Depth 11: C:\Windows\SysWOW64\Hijjpeha.exe (command line: C:\Windows\system32\Hijjpeha.exe, PID 2440)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 12: C:\Windows\SysWOW64\Hlkcbp32.exe (command line: C:\Windows\system32\Hlkcbp32.exe, PID 2908)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 13: C:\Windows\SysWOW64\Hechkfkc.exe (command line: C:\Windows\system32\Hechkfkc.exe, PID 2968)
- Executes dropped EXE
- Loads dropped DLL
Depth 14: C:\Windows\SysWOW64\Holldk32.exe (command line: C:\Windows\system32\Holldk32.exe, PID 2084)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
Depth 15: C:\Windows\SysWOW64\Hhdqma32.exe (command line: C:\Windows\system32\Hhdqma32.exe, PID 2768)
- Executes dropped EXE
- Loads dropped DLL
Depth 16: C:\Windows\SysWOW64\Hmqieh32.exe (command line: C:\Windows\system32\Hmqieh32.exe, PID 3068)
- Executes dropped EXE
- Loads dropped DLL
Depth 17: C:\Windows\SysWOW64\Ipdolbbj.exe (command line: C:\Windows\system32\Ipdolbbj.exe, PID 2628)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
Depth 18: C:\Windows\SysWOW64\Inhoegqc.exe (command line: C:\Windows\system32\Inhoegqc.exe, PID 2720)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
Depth 19: C:\Windows\SysWOW64\Igpdnlgd.exe (command line: C:\Windows\system32\Igpdnlgd.exe, PID 2468)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
Depth 20: C:\Windows\SysWOW64\Injlkf32.exe (command line: C:\Windows\system32\Injlkf32.exe, PID 3016)
- Executes dropped EXE
- Drops file in System32 directory
Depth 21: C:\Windows\SysWOW64\Ihdmld32.exe (command line: C:\Windows\system32\Ihdmld32.exe, PID 588)
- Executes dropped EXE
Depth 22: C:\Windows\SysWOW64\Iciaim32.exe (command line: C:\Windows\system32\Iciaim32.exe, PID 2844)
- Executes dropped EXE
Depth 23: C:\Windows\SysWOW64\Jlaeab32.exe (command line: C:\Windows\system32\Jlaeab32.exe, PID 592)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 24: C:\Windows\SysWOW64\Jldbgb32.exe (command line: C:\Windows\system32\Jldbgb32.exe, PID 2980)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 25: C:\Windows\SysWOW64\Jbakpi32.exe (command line: C:\Windows\system32\Jbakpi32.exe, PID 1856)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 26: C:\Windows\SysWOW64\Jddqgdii.exe (command line: C:\Windows\system32\Jddqgdii.exe, PID 784)
- Executes dropped EXE
- Modifies registry class
Depth 27: C:\Windows\SysWOW64\Jknicnpf.exe (command line: C:\Windows\system32\Jknicnpf.exe, PID 568)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
Depth 28: C:\Windows\SysWOW64\Kqkalenn.exe (command line: C:\Windows\system32\Kqkalenn.exe, PID 1364)
- Executes dropped EXE
Depth 29: C:\Windows\SysWOW64\Kjcedj32.exe (command line: C:\Windows\system32\Kjcedj32.exe, PID 1560)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 30: C:\Windows\SysWOW64\Kopnma32.exe (command line: C:\Windows\system32\Kopnma32.exe, PID 2028)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
Depth 31: C:\Windows\SysWOW64\Opjlkc32.exe (command line: C:\Windows\system32\Opjlkc32.exe, PID 2024)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 32: C:\Windows\SysWOW64\Egkgad32.exe (command line: C:\Windows\system32\Egkgad32.exe, PID 1048)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 33: C:\Windows\SysWOW64\Obonfj32.exe (command line: C:\Windows\system32\Obonfj32.exe, PID 1564)
- Executes dropped EXE
- Drops file in System32 directory
Depth 34: C:\Windows\SysWOW64\Ahllda32.exe (command line: C:\Windows\system32\Ahllda32.exe, PID 1300)
- Executes dropped EXE
Depth 35: C:\Windows\SysWOW64\Ajmhljip.exe (command line: C:\Windows\system32\Ajmhljip.exe, PID 1328)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 36: C:\Windows\SysWOW64\Imqdcjkd.exe (command line: C:\Windows\system32\Imqdcjkd.exe, PID 2172)
- Executes dropped EXE
Depth 37: C:\Windows\SysWOW64\Nfppfcmj.exe (command line: C:\Windows\system32\Nfppfcmj.exe, PID 1516)
- Executes dropped EXE
Depth 38: C:\Windows\SysWOW64\Cmapna32.exe (command line: C:\Windows\system32\Cmapna32.exe, PID 1728)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 39: C:\Windows\SysWOW64\Pfmeddag.exe (command line: C:\Windows\system32\Pfmeddag.exe, PID 2576)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 40: C:\Windows\SysWOW64\Linfpi32.exe (command line: C:\Windows\system32\Linfpi32.exe, PID 2744)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 41: C:\Windows\SysWOW64\Lgbfin32.exe (command line: C:\Windows\system32\Lgbfin32.exe, PID 2748)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
Depth 42: C:\Windows\SysWOW64\Lmlofhmb.exe (command line: C:\Windows\system32\Lmlofhmb.exe, PID 2632)
- Executes dropped EXE
Depth 43: C:\Windows\SysWOW64\Lpkkbcle.exe (command line: C:\Windows\system32\Lpkkbcle.exe, PID 2212)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 44: C:\Windows\SysWOW64\Lgdcom32.exe (command line: C:\Windows\system32\Lgdcom32.exe, PID 2996)
- Executes dropped EXE
Depth 45: C:\Windows\SysWOW64\Llalgdbj.exe (command line: C:\Windows\system32\Llalgdbj.exe, PID 2808)
- Executes dropped EXE
- Modifies registry class
Depth 46: C:\Windows\SysWOW64\Lggpdmap.exe (command line: C:\Windows\system32\Lggpdmap.exe, PID 2848)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
Depth 47: C:\Windows\SysWOW64\Lielphqc.exe (command line: C:\Windows\system32\Lielphqc.exe, PID 2900)
- Executes dropped EXE
- Modifies registry class
Depth 48: C:\Windows\SysWOW64\Lldhldpg.exe (command line: C:\Windows\system32\Lldhldpg.exe, PID 1636)
- Executes dropped EXE
Depth 49: C:\Windows\SysWOW64\Laqadknn.exe (command line: C:\Windows\system32\Laqadknn.exe, PID 1940)
- Executes dropped EXE
- Modifies registry class
Depth 50: C:\Windows\SysWOW64\Mlfebcnd.exe (command line: C:\Windows\system32\Mlfebcnd.exe, PID 1380)
- Executes dropped EXE
- Modifies registry class
Depth 51: C:\Windows\SysWOW64\Mcpmonea.exe (command line: C:\Windows\system32\Mcpmonea.exe, PID 1744)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
Depth 52: C:\Windows\SysWOW64\Mkkbcpbl.exe (command line: C:\Windows\system32\Mkkbcpbl.exe, PID 2076)
- Executes dropped EXE
Depth 53: C:\Windows\SysWOW64\Meafpibb.exe (command line: C:\Windows\system32\Meafpibb.exe, PID 1724)
- Drops file in System32 directory
Depth 54: C:\Windows\SysWOW64\Nhalag32.exe (command line: C:\Windows\system32\Nhalag32.exe, PID 1992)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 55: C:\Windows\SysWOW64\Nokdnail.exe (command line: C:\Windows\system32\Nokdnail.exe, PID 2136)
- Modifies registry class
Depth 56: C:\Windows\SysWOW64\Nidhfgpl.exe (command line: C:\Windows\system32\Nidhfgpl.exe, PID 1036)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 57: C:\Windows\SysWOW64\Nonqca32.exe (command line: C:\Windows\system32\Nonqca32.exe, PID 1652)
Depth 58: C:\Windows\SysWOW64\Odjikh32.exe (command line: C:\Windows\system32\Odjikh32.exe, PID 1672)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 59: C:\Windows\SysWOW64\Okdahbmm.exe (command line: C:\Windows\system32\Okdahbmm.exe, PID 1248)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Depth 60: C:\Windows\SysWOW64\Oqajqi32.exe (command line: C:\Windows\system32\Oqajqi32.exe, PID 2540)
- Drops file in System32 directory
- Modifies registry class
Depth 61: C:\Windows\SysWOW64\Ogkbmcba.exe (command line: C:\Windows\system32\Ogkbmcba.exe, PID 1444)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 62: C:\Windows\SysWOW64\Omhjejai.exe (command line: C:\Windows\system32\Omhjejai.exe, PID 1240)
- Drops file in System32 directory
Depth 63: C:\Windows\SysWOW64\Oeobfgak.exe (command line: C:\Windows\system32\Oeobfgak.exe, PID 2112)
- Modifies registry class
Depth 64: C:\Windows\SysWOW64\Ognobcqo.exe (command line: C:\Windows\system32\Ognobcqo.exe, PID 988)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 65: C:\Windows\SysWOW64\Onggom32.exe (command line: C:\Windows\system32\Onggom32.exe, PID 2984)
Depth 66: C:\Windows\SysWOW64\Ogpkhb32.exe (command line: C:\Windows\system32\Ogpkhb32.exe, PID 3068)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 67: C:\Windows\SysWOW64\Oiahpkdj.exe (command line: C:\Windows\system32\Oiahpkdj.exe, PID 2532)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Depth 68: C:\Windows\SysWOW64\Ocglmcdp.exe (command line: C:\Windows\system32\Ocglmcdp.exe, PID 1704)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 69: C:\Windows\SysWOW64\Picdejbg.exe (command line: C:\Windows\system32\Picdejbg.exe, PID 936)
Depth 70: C:\Windows\SysWOW64\Ppnmbd32.exe (command line: C:\Windows\system32\Ppnmbd32.exe, PID 1276)
- Drops file in System32 directory
Depth 71: C:\Windows\SysWOW64\Pejejkhl.exe (command line: C:\Windows\system32\Pejejkhl.exe, PID 1604)
- Drops file in System32 directory
- Modifies registry class
Depth 72: C:\Windows\SysWOW64\Pnbjca32.exe (command line: C:\Windows\system32\Pnbjca32.exe, PID 2500)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 73: C:\Windows\SysWOW64\Alkpgh32.exe (command line: C:\Windows\system32\Alkpgh32.exe, PID 2544)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Depth 74: C:\Windows\SysWOW64\Aecdpmbm.exe (command line: C:\Windows\system32\Aecdpmbm.exe, PID 2508)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
Depth 75: C:\Windows\SysWOW64\Almmlg32.exe (command line: C:\Windows\system32\Almmlg32.exe, PID 1900)
- Modifies registry class
Depth 76: C:\Windows\SysWOW64\Aolihc32.exe (command line: C:\Windows\system32\Aolihc32.exe, PID 2348)
- Drops file in System32 directory
Depth 77: C:\Windows\SysWOW64\Aajedn32.exe (command line: C:\Windows\system32\Aajedn32.exe, PID 760)
- Drops file in System32 directory
Depth 78: C:\Windows\SysWOW64\Bhdmahpn.exe (command line: C:\Windows\system32\Bhdmahpn.exe, PID 956)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 79: C:\Windows\SysWOW64\Bnafjo32.exe (command line: C:\Windows\system32\Bnafjo32.exe, PID 2800)
Depth 80: C:\Windows\SysWOW64\Bdknfiea.exe (command line: C:\Windows\system32\Bdknfiea.exe, PID 1648)
- Drops file in System32 directory
Depth 81: C:\Windows\SysWOW64\Bkefcc32.exe (command line: C:\Windows\system32\Bkefcc32.exe, PID 2072)
Depth 82: C:\Windows\SysWOW64\Bhiglh32.exe (command line: C:\Windows\system32\Bhiglh32.exe, PID 1716)
- Drops file in System32 directory
Depth 83: C:\Windows\SysWOW64\Cfhjjp32.exe (command line: C:\Windows\system32\Cfhjjp32.exe, PID 276)
Depth 84: C:\Windows\SysWOW64\Ckebbgoj.exe (command line: C:\Windows\system32\Ckebbgoj.exe, PID 1420)
Depth 85: C:\Windows\SysWOW64\Cbokoa32.exe (command line: C:\Windows\system32\Cbokoa32.exe, PID 2556)
Depth 86: C:\Windows\SysWOW64\Cldolj32.exe (command line: C:\Windows\system32\Cldolj32.exe, PID 2008)
Depth 87: C:\Windows\SysWOW64\Cobkhe32.exe (command line: C:\Windows\system32\Cobkhe32.exe, PID 1772)
- Drops file in System32 directory
Depth 88: C:\Windows\SysWOW64\Chkpakla.exe (command line: C:\Windows\system32\Chkpakla.exe, PID 632)
- Modifies registry class
Depth 89: C:\Windows\SysWOW64\Cnhhia32.exe (command line: C:\Windows\system32\Cnhhia32.exe, PID 1404)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
Depth 90: C:\Windows\SysWOW64\Aeljmq32.exe (command line: C:\Windows\system32\Aeljmq32.exe, PID 2772)
- Modifies registry class
Depth 91: C:\Windows\SysWOW64\Oimpppoj.exe (command line: C:\Windows\system32\Oimpppoj.exe, PID 2548)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 92: C:\Windows\SysWOW64\Fphgpnhm.exe (command line: C:\Windows\system32\Fphgpnhm.exe, PID 2732)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 93: C:\Windows\SysWOW64\Fgbpmh32.exe (command line: C:\Windows\system32\Fgbpmh32.exe, PID 2940)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
Depth 94: C:\Windows\SysWOW64\Fahdja32.exe (command line: C:\Windows\system32\Fahdja32.exe, PID 300)
Depth 95: C:\Windows\SysWOW64\Fcipaien.exe (command line: C:\Windows\system32\Fcipaien.exe, PID 2152)
- Modifies registry class
Depth 96: C:\Windows\SysWOW64\Fkphcg32.exe (command line: C:\Windows\system32\Fkphcg32.exe, PID 1972)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 97: C:\Windows\SysWOW64\Gqmqkn32.exe (command line: C:\Windows\system32\Gqmqkn32.exe, PID 2340)
Depth 98: C:\Windows\SysWOW64\Gjeedcjh.exe (command line: C:\Windows\system32\Gjeedcjh.exe, PID 2788)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
Depth 99: C:\Windows\SysWOW64\Gobnljhp.exe (command line: C:\Windows\system32\Gobnljhp.exe, PID 2560)
Depth 100: C:\Windows\SysWOW64\Gjhbic32.exe (command line: C:\Windows\system32\Gjhbic32.exe, PID 2192)
- Drops file in System32 directory
Depth 101: C:\Windows\SysWOW64\Gqajfmpb.exe (command line: C:\Windows\system32\Gqajfmpb.exe, PID 692)
Depth 102: C:\Windows\SysWOW64\Gmhkkn32.exe (command line: C:\Windows\system32\Gmhkkn32.exe, PID 1032)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
Depth 103: C:\Windows\SysWOW64\Gcbchhmc.exe (command line: C:\Windows\system32\Gcbchhmc.exe, PID 1904)
- Modifies registry class
Depth 104: C:\Windows\SysWOW64\Hkenmidf.exe (command line: C:\Windows\system32\Hkenmidf.exe, PID 1536)
- Drops file in System32 directory
- Modifies registry class
Depth 105: C:\Windows\SysWOW64\Haafepbn.exe (command line: C:\Windows\system32\Haafepbn.exe, PID 1512)
- Drops file in System32 directory
Depth 106: C:\Windows\SysWOW64\Hjjknfin.exe (command line: C:\Windows\system32\Hjjknfin.exe, PID 2180)
- Drops file in System32 directory
- Modifies registry class
Depth 107: C:\Windows\SysWOW64\Hadckp32.exe (command line: C:\Windows\system32\Hadckp32.exe, PID 2352)
Depth 108: C:\Windows\SysWOW64\Hjlhcegl.exe (command line: C:\Windows\system32\Hjlhcegl.exe, PID 1888)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 109: C:\Windows\SysWOW64\Hafppp32.exe (command line: C:\Windows\system32\Hafppp32.exe, PID 972)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 110: C:\Windows\SysWOW64\Ifchhf32.exe (command line: C:\Windows\system32\Ifchhf32.exe, PID 2396)
Depth 111: C:\Windows\SysWOW64\Immqeq32.exe (command line: C:\Windows\system32\Immqeq32.exe, PID 3036)
- Drops file in System32 directory
- Modifies registry class
Depth 112: C:\Windows\SysWOW64\Ipkmal32.exe (command line: C:\Windows\system32\Ipkmal32.exe, PID 2416)
Depth 113: C:\Windows\SysWOW64\Ifeenfjm.exe (command line: C:\Windows\system32\Ifeenfjm.exe, PID 2244)
- Drops file in System32 directory
- Modifies registry class
Depth 114: C:\Windows\SysWOW64\Incfhh32.exe (command line: C:\Windows\system32\Incfhh32.exe, PID 2840)
- Modifies registry class
Depth 115: C:\Windows\SysWOW64\Iemoebmb.exe (command line: C:\Windows\system32\Iemoebmb.exe, PID 2744)
Depth 116: C:\Windows\SysWOW64\Ilggal32.exe (command line: C:\Windows\system32\Ilggal32.exe, PID 3008)
- Modifies registry class
Depth 117: C:\Windows\SysWOW64\Ibaonfll.exe (command line: C:\Windows\system32\Ibaonfll.exe, PID 1636)
- Drops file in System32 directory
Depth 118: C:\Windows\SysWOW64\Ieokjbkp.exe (command line: C:\Windows\system32\Ieokjbkp.exe, PID 2292)
Depth 119: C:\Windows\SysWOW64\Jjldbiig.exe (command line: C:\Windows\system32\Jjldbiig.exe, PID 1248)
Depth 120: C:\Windows\SysWOW64\Jeahpa32.exe (command line: C:\Windows\system32\Jeahpa32.exe, PID 2984)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
Depth 121: C:\Windows\SysWOW64\Jllpmlqj.exe (command line: C:\Windows\system32\Jllpmlqj.exe, PID 872)
- Adds autorun key to be loaded by Explorer.exe on startup
Depth 122: C:\Windows\SysWOW64\Jojmigpn.exe (command line: C:\Windows\system32\Jojmigpn.exe, PID 1752)
- Drops file in System32 directory