Analysis
  max time kernel:  117s
  max time network: 121s
  platform:         windows7_x64
  resource:         win7-20231023-en
  resource tags:    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  submitted:        11-11-2023 17:57

Behavioral task behavioral1
  Sample:   NEAS.a9d47034ee759d8e688475b26ae30b80.exe
  Resource: win7-20231023-en

Behavioral task behavioral2
  Sample:   NEAS.a9d47034ee759d8e688475b26ae30b80.exe
  Resource: win10v2004-20231023-en

General
  Target: NEAS.a9d47034ee759d8e688475b26ae30b80.exe
  Size:   104KB
  MD5:    a9d47034ee759d8e688475b26ae30b80
  SHA1:   42b6759b6d6e055618b1bd53723cc92d17d06e07
  SHA256: a84ae0921d2845826c720e3522262382419cb25d032dfa3e3920416037a1d611
  SHA512: 9591b62c8ea40cf94ec85cbddbd252b17d59ce6a0c00a798ad023eada004660060901f32475446f50446bf757eb4bd6c83e9c5daa7b0f1e0cf6f8559ad44b521
  SSDEEP: 3072:MpCcxVhlEAAxZe5tx7cEGrhkngpDvchkqbAIQS:M5VhQs5tx4brq2Ahn

Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
  description ioc Process

  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Processes (36): Gblkoham.exe, Cifelgmd.exe, Opplolac.exe, Dbifnj32.exe, Jfhjbobc.exe, Amcbankf.exe, Cjlheehe.exe, Nidmfh32.exe, Jhlmmfef.exe, Jkkija32.exe, Iipiljgf.exe, Aknlofim.exe, Lbackc32.exe, Bmkomchi.exe, Hibjbgbh.exe, Aggiigmn.exe, Fjlmpfhg.exe, Gkephn32.exe, Agdmdg32.exe, Noemqe32.exe, Nfnneb32.exe, Mcnpojca.exe, Ihhcbf32.exe, Melifl32.exe, Amohfo32.exe, Edibhmml.exe, Behilopf.exe, Mklcadfn.exe, Akiobk32.exe, Cehfkb32.exe, Lfhhjklc.exe, Mmbmeifk.exe, Koddccaa.exe, Fnofjfhk.exe, Nlhjhi32.exe, Mlkail32.exe

  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
    Processes (28): Ehpalp32.exe, Mjkgjl32.exe, Ajnpecbj.exe, Ielclkhe.exe, Bfncpcoc.exe, Fnofjfhk.exe, Nipdkieg.exe, Cmpdgf32.exe, Hjfcpo32.exe, Oemegc32.exe, Chqoipkk.exe, Ohagbj32.exe, Fiokbjgn.exe, Nagbgl32.exe, Mpamde32.exe, Chnbcpmn.exe, Afdiondb.exe, Oidglb32.exe, Nfdkoc32.exe, Aqmamm32.exe, Akiobk32.exe, Nfcbldmm.exe, NEAS.a9d47034ee759d8e688475b26ae30b80.exe, Amohfo32.exe, Lipecm32.exe, Dbojdmcd.exe, Pciddedl.exe, Ihpdoh32.exe

Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
  resource yara_rule
  behavioral1/memory/2888-0-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x00070000000120ca-5.dat family_berbew
  behavioral1/files/0x00070000000120ca-10.dat family_berbew
  behavioral1/files/0x00070000000120ca-14.dat family_berbew
  behavioral1/files/0x00070000000120ca-12.dat family_berbew
  behavioral1/files/0x00070000000120ca-8.dat family_berbew
  behavioral1/memory/2888-6-0x0000000000490000-0x00000000004D3000-memory.dmp family_berbew
  behavioral1/files/0x000a000000014abe-32.dat family_berbew
  behavioral1/memory/2620-34-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x000a000000014abe-36.dat family_berbew
  behavioral1/files/0x000a000000014abe-41.dat family_berbew
  behavioral1/memory/3004-40-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x000a000000014abe-39.dat family_berbew
  behavioral1/files/0x000a000000014abe-35.dat family_berbew
  behavioral1/files/0x0009000000014faf-46.dat family_berbew
  behavioral1/files/0x00340000000144fa-27.dat family_berbew
  behavioral1/files/0x00340000000144fa-26.dat family_berbew
  behavioral1/files/0x00340000000144fa-25.dat family_berbew
  behavioral1/files/0x00340000000144fa-22.dat family_berbew
  behavioral1/memory/2624-21-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x00340000000144fa-19.dat family_berbew
  behavioral1/files/0x0006000000015223-61.dat family_berbew
  behavioral1/files/0x0006000000015223-66.dat family_berbew
  behavioral1/files/0x0006000000015223-65.dat family_berbew
  behavioral1/files/0x00060000000155fd-79.dat family_berbew
  behavioral1/files/0x000600000001560d-88.dat family_berbew
  behavioral1/files/0x000600000001560d-91.dat family_berbew
  behavioral1/files/0x0006000000015c3d-117.dat family_berbew
  behavioral1/files/0x0006000000015c3d-118.dat family_berbew
  behavioral1/files/0x0006000000015c57-127.dat family_berbew
  behavioral1/files/0x0006000000015c57-126.dat family_berbew
  behavioral1/files/0x0006000000015c57-130.dat family_berbew
  behavioral1/files/0x0006000000015c57-132.dat family_berbew
  behavioral1/memory/2984-131-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x0006000000015c7a-143.dat family_berbew
  behavioral1/files/0x0006000000015c7a-144.dat family_berbew
  behavioral1/memory/2416-149-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x000f000000014539-150.dat family_berbew
  behavioral1/files/0x000f000000014539-153.dat family_berbew
  behavioral1/memory/1592-163-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x0006000000015ca5-170.dat family_berbew
  behavioral1/files/0x0006000000015ca5-172.dat family_berbew
  behavioral1/memory/1388-184-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x0006000000015ce1-185.dat family_berbew
  behavioral1/files/0x0006000000015db6-190.dat family_berbew
  behavioral1/memory/1388-192-0x00000000002E0000-0x0000000000323000-memory.dmp family_berbew
  behavioral1/files/0x0006000000015db6-197.dat family_berbew
  behavioral1/memory/1668-204-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x0006000000015e1b-207.dat family_berbew
  behavioral1/files/0x0006000000015e1b-213.dat family_berbew
  behavioral1/memory/2836-212-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x0006000000015e78-219.dat family_berbew
  behavioral1/memory/2304-228-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/memory/2304-233-0x0000000000290000-0x00000000002D3000-memory.dmp family_berbew
  behavioral1/files/0x0006000000015ed7-230.dat family_berbew
  behavioral1/files/0x000600000001606a-239.dat family_berbew
  behavioral1/files/0x0006000000015e1b-211.dat family_berbew
  behavioral1/memory/1876-242-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/memory/1156-258-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/files/0x000600000001647f-261.dat family_berbew
  behavioral1/memory/840-264-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/memory/1828-280-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/memory/1648-286-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew
  behavioral1/memory/2088-291-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew

Executes dropped EXE (64 IoCs)
  pid  Process
  2624 Ehjehh32.exe
  2620 Ejjbbkpj.exe
  3004 Edccch32.exe
  2516 Efcomkcl.exe
  2512 Fqmpni32.exe
  2904 Fkbdkb32.exe
  2472 Fqomci32.exe
  1620 Fncmmmma.exe
  1912 Femeig32.exe
  2984 Fjjnan32.exe
  2416 Fiokbjgn.exe
  1592 Gjngmmnp.exe
  836  Gfehan32.exe
  1388 Glbqje32.exe
  1668 Ghiaof32.exe
  2836 Ghkndf32.exe
  2304 Geoonjeg.exe
  1876 Gjlgfaco.exe
  840  Hjndlqal.exe
  1156 Hfedqagp.exe
  1648 Hmomml32.exe
  1828 Hmaick32.exe
  2088 Hbnbkbja.exe
  1332 Hpbbdfik.exe
  1704 Ihpdoh32.exe
  1416 Imoilo32.exe
  2708 Iggned32.exe
  2528 Incbgnmc.exe
  2668 Jkgcab32.exe
  2572 Jdpgjhbm.exe
  2092 Jeadap32.exe
  2560 Jcedkd32.exe
  1728 Jhamckel.exe
  2476 Jfemlpdf.exe
  112  Jkbfdfbm.exe
  2456 Jfhjbobc.exe
  2556 Jkebjf32.exe
  1632 Kfjggo32.exe
  1092 Kkgopf32.exe
  1664 Kqdhhm32.exe
  2288 Khkpijma.exe
  1908 Kbcdbp32.exe
  1044 Lfjcfb32.exe
  2164 Lbackc32.exe
  1536 Liklhmom.exe
  2988 Leammn32.exe
  2112 Lipecm32.exe
  1792 Ljabkeaf.exe
  2236 Mcifdj32.exe
  2648 Mmakmp32.exe
  1580 Mclcijfd.exe
  2584 Mnaggcej.exe
  2660 Mcnpojca.exe
  600  Mikhgqbi.exe
  2900 Mpdqdkie.exe
  532  Mlkail32.exe
  2876 Mbeiefff.exe
  2588 Nmkncofl.exe
  1628 Nfcbldmm.exe
  1492 Nlpkdkkd.exe
  2024 Namclbil.exe
  2056 Nkegeg32.exe
  2376 Naopaa32.exe
  2180 Nledoj32.exe

Loads dropped DLL (64 IoCs)
  pid  Process
  2888 NEAS.a9d47034ee759d8e688475b26ae30b80.exe
  2888 NEAS.a9d47034ee759d8e688475b26ae30b80.exe
  2624 Ehjehh32.exe
  2624 Ehjehh32.exe
  2620 Ejjbbkpj.exe
  2620 Ejjbbkpj.exe
  3004 Edccch32.exe
  3004 Edccch32.exe
  2516 Efcomkcl.exe
  2516 Efcomkcl.exe
  2512 Fqmpni32.exe
  2512 Fqmpni32.exe
  2904 Fkbdkb32.exe
  2904 Fkbdkb32.exe
  2472 Fqomci32.exe
  2472 Fqomci32.exe
  1620 Fncmmmma.exe
  1620 Fncmmmma.exe
  1912 Femeig32.exe
  1912 Femeig32.exe
  2984 Fjjnan32.exe
  2984 Fjjnan32.exe
  2416 Fiokbjgn.exe
  2416 Fiokbjgn.exe
  1592 Gjngmmnp.exe
  1592 Gjngmmnp.exe
  836  Gfehan32.exe
  836  Gfehan32.exe
  1388 Glbqje32.exe
  1388 Glbqje32.exe
  1668 Ghiaof32.exe
  1668 Ghiaof32.exe
  2836 Ghkndf32.exe
  2836 Ghkndf32.exe
  2304 Geoonjeg.exe
  2304 Geoonjeg.exe
  1876 Gjlgfaco.exe
  1876 Gjlgfaco.exe
  840  Hjndlqal.exe
  840  Hjndlqal.exe
  1156 Hfedqagp.exe
  1156 Hfedqagp.exe
  1648 Hmomml32.exe
  1648 Hmomml32.exe
  1828 Hmaick32.exe
  1828 Hmaick32.exe
  2088 Hbnbkbja.exe
  2088 Hbnbkbja.exe
  1332 Hpbbdfik.exe
  1332 Hpbbdfik.exe
  1704 Ihpdoh32.exe
  1704 Ihpdoh32.exe
  1416 Imoilo32.exe
  1416 Imoilo32.exe
  2708 Iggned32.exe
  2708 Iggned32.exe
  2528 Incbgnmc.exe
  2528 Incbgnmc.exe
  2668 Jkgcab32.exe
  2668 Jkgcab32.exe
  2572 Jdpgjhbm.exe
  2572 Jdpgjhbm.exe
  2092 Jeadap32.exe
  2092 Jeadap32.exe

Drops file in System32 directory (64 IoCs)
  description                  ioc                                  Process
  File created                 C:\Windows\SysWOW64\Namclbil.exe     Nlpkdkkd.exe
  File created                 C:\Windows\SysWOW64\Hbiaemkk.exe     Hhcmhdke.exe
  File created                 C:\Windows\SysWOW64\Feglhlfm.dll     Edibhmml.exe
  File created                 C:\Windows\SysWOW64\Fhdjgoha.exe     Fnofjfhk.exe
  File created                 C:\Windows\SysWOW64\Ihaiqn32.dll     Opqoge32.exe
  File opened for modification C:\Windows\SysWOW64\Qgjccb32.exe     Qppkfhlc.exe
  File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe     Cgfkmgnj.exe
  File created                 C:\Windows\SysWOW64\Lgeajlgp.dll     Jkgcab32.exe
  File created                 C:\Windows\SysWOW64\Jioopgef.exe     Jojkco32.exe
  File created                 C:\Windows\SysWOW64\Nlhjhi32.exe     Nenakoho.exe
  File opened for modification C:\Windows\SysWOW64\Kbgjkn32.exe     Kohnoc32.exe
  File created                 C:\Windows\SysWOW64\Fmegncpp.exe     Diibag32.exe
  File opened for modification C:\Windows\SysWOW64\Nenakoho.exe     Nbpeoc32.exe
  File created                 C:\Windows\SysWOW64\Ckmcef32.dll     Qndkpmkm.exe
  File opened for modification C:\Windows\SysWOW64\Nfcbldmm.exe     Nmkncofl.exe
  File created                 C:\Windows\SysWOW64\Noafdi32.dll     Khoebi32.exe
  File created                 C:\Windows\SysWOW64\Omppei32.dll     Lkakicam.exe
  File created                 C:\Windows\SysWOW64\Hicapn32.dll     Eacljf32.exe
  File created                 C:\Windows\SysWOW64\Godonkii.dll     Aqbdkk32.exe
  File created                 C:\Windows\SysWOW64\Gedaglad.dll     Hjfcpo32.exe
  File created                 C:\Windows\SysWOW64\Bcgdom32.exe     Bibpad32.exe
  File created                 C:\Windows\SysWOW64\Ljajkolc.dll     Hbiaemkk.exe
  File created                 C:\Windows\SysWOW64\Kjkbonmp.dll     Najpll32.exe
  File created                 C:\Windows\SysWOW64\Akiobk32.exe     Ajgbkbjp.exe
  File opened for modification C:\Windows\SysWOW64\Ehpalp32.exe     Eaeipfei.exe
  File created                 C:\Windows\SysWOW64\Lbdebnpa.dll     Olpgconp.exe
  File created                 C:\Windows\SysWOW64\Jondnnbk.exe     Jhdlad32.exe
  File created                 C:\Windows\SysWOW64\Afbioogg.dll     Mggabaea.exe
  File created                 C:\Windows\SysWOW64\Fhioaa32.dll     Kbcdbp32.exe
  File created                 C:\Windows\SysWOW64\Hdoghdmd.exe     Hmeolj32.exe
  File created                 C:\Windows\SysWOW64\Eihgfd32.exe     Eppcmncq.exe
  File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe     Gqdefddb.exe
  File created                 C:\Windows\SysWOW64\Khkpijma.exe     Kqdhhm32.exe
  File created                 C:\Windows\SysWOW64\Nabkgh32.dll     Gbfiaj32.exe
  File created                 C:\Windows\SysWOW64\Obdojcef.exe     Ohojmjep.exe
  File created                 C:\Windows\SysWOW64\Lqipkhbj.exe     Lklgbadb.exe
  File opened for modification C:\Windows\SysWOW64\Mpebmc32.exe     Mjhjdm32.exe
  File created                 C:\Windows\SysWOW64\Leblqb32.dll     Paknelgk.exe
  File created                 C:\Windows\SysWOW64\Mcnpojca.exe     Mnaggcej.exe
  File created                 C:\Windows\SysWOW64\Dphmloih.exe     Dogpdg32.exe
  File opened for modification C:\Windows\SysWOW64\Jhdlad32.exe     Jefpeh32.exe
  File created                 C:\Windows\SysWOW64\Klbdgb32.exe     Jampjian.exe
  File created                 C:\Windows\SysWOW64\Kqkfag32.dll     Oidglb32.exe
  File opened for modification C:\Windows\SysWOW64\Ajjfkh32.exe     Acqnnndl.exe
  File created                 C:\Windows\SysWOW64\Jkjplo32.dll     Bcgdom32.exe
  File created                 C:\Windows\SysWOW64\Knbhlkkc.exe     Kcmcoblm.exe
  File created                 C:\Windows\SysWOW64\Ffeganon.dll     Plgolf32.exe
  File created                 C:\Windows\SysWOW64\Hkgoklhk.dll     Phcilf32.exe
  File opened for modification C:\Windows\SysWOW64\Adifpk32.exe     Achjibcl.exe
  File created                 C:\Windows\SysWOW64\Oemegc32.exe     Opplolac.exe
  File created                 C:\Windows\SysWOW64\Jkkija32.exe     Jhlmmfef.exe
  File opened for modification C:\Windows\SysWOW64\Jkmeoa32.exe     Jepmgj32.exe
  File created                 C:\Windows\SysWOW64\Lfbbjpgd.exe     Lqejbiim.exe
  File opened for modification C:\Windows\SysWOW64\Qqfkln32.exe     Qngopb32.exe
  File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe     Mnaiol32.exe
  File created                 C:\Windows\SysWOW64\Akfkbd32.exe     Aficjnpm.exe
  File created                 C:\Windows\SysWOW64\Pdldnomh.exe     Pggdejno.exe
  File created                 C:\Windows\SysWOW64\Gmbmdane.dll     Aibcba32.exe
  File created                 C:\Windows\SysWOW64\Abmdafpp.exe     Aggpdnpj.exe
  File created                 C:\Windows\SysWOW64\Hibjbgbh.exe     Hbiaemkk.exe
  File opened for modification C:\Windows\SysWOW64\Hjdfjo32.exe     Hibjbgbh.exe
  File created                 C:\Windows\SysWOW64\Lghlndfa.exe     Lqncaj32.exe
  File created                 C:\Windows\SysWOW64\Jdbfnoac.dll     Lqcmmjko.exe
  File created                 C:\Windows\SysWOW64\Nhdhif32.exe     Najpll32.exe

Drops file in Windows directory (1 IoC)
  description   ioc                                  Process
  File created  C:\Windows\system32†Eahedh32.¾ll     Dpapaj32.exe

Modifies registry class (64 IoCs)
  description ioc Process

  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
    Processes (27): Jfemlpdf.exe, Chlfnp32.exe, Npolmh32.exe, Biolanld.exe, Qgjccb32.exe, Akabgebj.exe, Afajafoa.exe, Hmeolj32.exe, Cnmfdb32.exe, Qcqaok32.exe, Cfhiplmp.exe, Lhnkffeo.exe, Cbdiia32.exe, Oemegc32.exe, Mnaiol32.exe, Acqnnndl.exe, Ddpobo32.exe, Lbcbjlmb.exe, Kbcdbp32.exe, Agdmdg32.exe, Aojabdlf.exe, Mlkail32.exe, Bkklhjnk.exe, Jkbfdfbm.exe, Nnoiio32.exe, Mmakmp32.exe, Aficjnpm.exe

  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"
    Processes (23): Nfdkoc32.exe, Oemgplgo.exe, Pojecajj.exe, Cfhiplmp.exe, Nlpkdkkd.exe, Plolgk32.exe, Jfliim32.exe, Dmojkc32.exe, Chcloo32.exe, Mjhjdm32.exe, Hpbbdfik.exe, Mnaggcej.exe, Ogcnkgoh.exe, Kaajei32.exe, Qfonkfqd.exe, Lqipkhbj.exe, Mpdqdkie.exe, Ggcaiqhj.exe, Mccbmh32.exe, Cjjkpe32.exe, Kjokokha.exe, Nbmaon32.exe, Bfqpecma.exe

  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (default) = <dll path below> (14 IoCs)
    "C:\\Windows\\SysWow64\\Ippbdn32.dll"  Nlqmmd32.exe
    "C:\\Windows\\SysWow64\\Lefejmjq.dll"  Peoalc32.exe
    "C:\\Windows\\SysWow64\\Bibjaofg.dll"  Pljlbf32.exe
    "C:\\Windows\\SysWow64\\Oecpel32.dll"  Pkljdj32.exe
    "C:\\Windows\\SysWow64\\Njifbl32.dll"  Cmpdgf32.exe
    "C:\\Windows\\SysWow64\\Lgghom32.dll"  Mfdopp32.exe
    "C:\\Windows\\SysWow64\\Qjdaldla.dll"  Mjaddn32.exe
    "C:\\Windows\\SysWow64\\Pklijoqm.dll"  Fkbdkb32.exe
    "C:\\Windows\\SysWow64\\Dkejof32.dll"  Mpamde32.exe
    "C:\\Windows\\SysWow64\\Njpeip32.dll"  Khkbbc32.exe
    "C:\\Windows\\SysWow64\\Gnhhch32.dll"  Incbgnmc.exe
    "C:\\Windows\\SysWow64\\Lkpidd32.dll"  Oemgplgo.exe
    "C:\\Windows\\SysWow64\\Godonkii.dll"  Aqbdkk32.exe
    "C:\\Windows\\SysWow64\\Mdlkim32.dll"  Ehjehh32.exe

Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2624 2888 NEAS.a9d47034ee759d8e688475b26ae30b80.exe 28 PID 2888 wrote to memory of 2624 2888 NEAS.a9d47034ee759d8e688475b26ae30b80.exe 28 PID 2888 wrote to memory of 2624 2888 NEAS.a9d47034ee759d8e688475b26ae30b80.exe 28 PID 2888 wrote to memory of 2624 2888 NEAS.a9d47034ee759d8e688475b26ae30b80.exe 28 PID 2624 wrote to memory of 2620 2624 Ehjehh32.exe 29 PID 2624 wrote to memory of 2620 2624 Ehjehh32.exe 29 PID 2624 wrote to memory of 2620 2624 Ehjehh32.exe 29 PID 2624 wrote to memory of 2620 2624 Ehjehh32.exe 29 PID 2620 wrote to memory of 3004 2620 Ejjbbkpj.exe 30 PID 2620 wrote to memory of 3004 2620 Ejjbbkpj.exe 30 PID 2620 wrote to memory of 3004 2620 Ejjbbkpj.exe 30 PID 2620 wrote to memory of 3004 2620 Ejjbbkpj.exe 30 PID 3004 wrote to memory of 2516 3004 Edccch32.exe 31 PID 3004 wrote to memory of 2516 3004 Edccch32.exe 31 PID 3004 wrote to memory of 2516 3004 Edccch32.exe 31 PID 3004 wrote to memory of 2516 3004 Edccch32.exe 31 PID 2516 wrote to memory of 2512 2516 Efcomkcl.exe 32 PID 2516 wrote to memory of 2512 2516 Efcomkcl.exe 32 PID 2516 wrote to memory of 2512 2516 Efcomkcl.exe 32 PID 2516 wrote to memory of 2512 2516 Efcomkcl.exe 32 PID 2512 wrote to memory of 2904 2512 Fqmpni32.exe 33 PID 2512 wrote to memory of 2904 2512 Fqmpni32.exe 33 PID 2512 wrote to memory of 2904 2512 Fqmpni32.exe 33 PID 2512 wrote to memory of 2904 2512 Fqmpni32.exe 33 PID 2904 wrote to memory of 2472 2904 Fkbdkb32.exe 34 PID 2904 wrote to memory of 2472 2904 Fkbdkb32.exe 34 PID 2904 wrote to memory of 2472 2904 Fkbdkb32.exe 34 PID 2904 wrote to memory of 2472 2904 Fkbdkb32.exe 34 PID 2472 wrote to memory of 1620 2472 Fqomci32.exe 68 PID 2472 wrote to memory of 1620 2472 Fqomci32.exe 68 PID 2472 wrote to memory of 1620 2472 Fqomci32.exe 68 PID 2472 wrote to memory of 1620 2472 Fqomci32.exe 68 PID 1620 wrote to memory of 1912 1620 Fncmmmma.exe 67 PID 1620 wrote to memory of 1912 1620 Fncmmmma.exe 67 PID 1620 
wrote to memory of 1912 1620 Fncmmmma.exe 67 PID 1620 wrote to memory of 1912 1620 Fncmmmma.exe 67 PID 1912 wrote to memory of 2984 1912 Femeig32.exe 35 PID 1912 wrote to memory of 2984 1912 Femeig32.exe 35 PID 1912 wrote to memory of 2984 1912 Femeig32.exe 35 PID 1912 wrote to memory of 2984 1912 Femeig32.exe 35 PID 2984 wrote to memory of 2416 2984 Fjjnan32.exe 36 PID 2984 wrote to memory of 2416 2984 Fjjnan32.exe 36 PID 2984 wrote to memory of 2416 2984 Fjjnan32.exe 36 PID 2984 wrote to memory of 2416 2984 Fjjnan32.exe 36 PID 2416 wrote to memory of 1592 2416 Fiokbjgn.exe 65 PID 2416 wrote to memory of 1592 2416 Fiokbjgn.exe 65 PID 2416 wrote to memory of 1592 2416 Fiokbjgn.exe 65 PID 2416 wrote to memory of 1592 2416 Fiokbjgn.exe 65 PID 1592 wrote to memory of 836 1592 Gjngmmnp.exe 63 PID 1592 wrote to memory of 836 1592 Gjngmmnp.exe 63 PID 1592 wrote to memory of 836 1592 Gjngmmnp.exe 63 PID 1592 wrote to memory of 836 1592 Gjngmmnp.exe 63 PID 836 wrote to memory of 1388 836 Gfehan32.exe 37 PID 836 wrote to memory of 1388 836 Gfehan32.exe 37 PID 836 wrote to memory of 1388 836 Gfehan32.exe 37 PID 836 wrote to memory of 1388 836 Gfehan32.exe 37 PID 1388 wrote to memory of 1668 1388 Glbqje32.exe 38 PID 1388 wrote to memory of 1668 1388 Glbqje32.exe 38 PID 1388 wrote to memory of 1668 1388 Glbqje32.exe 38 PID 1388 wrote to memory of 1668 1388 Glbqje32.exe 38 PID 1668 wrote to memory of 2836 1668 Ghiaof32.exe 60 PID 1668 wrote to memory of 2836 1668 Ghiaof32.exe 60 PID 1668 wrote to memory of 2836 1668 Ghiaof32.exe 60 PID 1668 wrote to memory of 2836 1668 Ghiaof32.exe 60
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a9d47034ee759d8e688475b26ae30b80.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a9d47034ee759d8e688475b26ae30b80.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304
-
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1704
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2528
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe3⤵
- Executes dropped EXE
PID:2560
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe1⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe2⤵
- Executes dropped EXE
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe4⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe5⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe6⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe8⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe10⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe12⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe13⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe15⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe16⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe17⤵
- Executes dropped EXE
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe18⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe21⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe22⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe24⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe28⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe29⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe30⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe31⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe32⤵PID:648
-
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe33⤵PID:2948
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1760 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe35⤵PID:1928
-
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe36⤵PID:1276
-
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe37⤵
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe38⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe40⤵PID:2612
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe41⤵PID:2632
-
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:376 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe44⤵PID:1724
-
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe45⤵
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe46⤵
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe47⤵PID:1480
-
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe48⤵PID:1624
-
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe49⤵PID:1564
-
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe50⤵PID:2848
-
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe51⤵PID:1160
-
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe52⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe53⤵PID:2464
-
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe54⤵PID:2132
-
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe55⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe56⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe57⤵PID:2824
-
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe58⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe59⤵PID:1996
-
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe60⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe61⤵PID:576
-
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe62⤵
- Drops file in System32 directory
PID:524 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe63⤵PID:1880
-
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe64⤵PID:2028
-
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe65⤵PID:2032
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe67⤵PID:1872
-
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe68⤵PID:2068
-
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe69⤵PID:2980
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1176 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe71⤵PID:2776
-
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe72⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe73⤵
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe74⤵PID:2300
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe75⤵PID:2420
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe76⤵PID:952
-
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe77⤵PID:2800
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe78⤵PID:2532
-
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe79⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe80⤵PID:1744
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2108 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe82⤵PID:1364
-
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe84⤵PID:1168
-
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe85⤵
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe87⤵
- Modifies registry class
PID:2496 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe90⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe91⤵PID:900
-
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe92⤵PID:2460
-
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe93⤵PID:2704
-
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe94⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe95⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe96⤵PID:1976
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe97⤵PID:1112
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe98⤵PID:1640
-
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe99⤵PID:2844
-
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe100⤵PID:2392
-
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe101⤵PID:3008
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe102⤵PID:2440
-
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe103⤵PID:2932
-
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe104⤵PID:2508
-
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe105⤵PID:2736
-
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe106⤵PID:1832
-
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe107⤵PID:1652
-
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe108⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe109⤵
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe111⤵PID:2712
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe112⤵PID:2744
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe115⤵PID:2040
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe116⤵PID:2268
-
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe117⤵PID:1952
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe118⤵PID:1584
-
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe119⤵PID:2792
-
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe120⤵PID:2924
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe122⤵PID:2368
-