Analysis
max time kernel: 206s
max time network: 35s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
submitted: 12/11/2023, 18:58
Behavioral task: behavioral1
Sample: NEAS.870da7f3826c0459742ff15552b6c792.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.870da7f3826c0459742ff15552b6c792.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.870da7f3826c0459742ff15552b6c792.exe
Size: 135KB
MD5: 870da7f3826c0459742ff15552b6c792
SHA1: 6d08c77181584eaa70877ee71913a75110b99a3b
SHA256: 31ef36ddfc2eb190f4b58a5c15f07a0c6779727f342d01555a896df0d1fdf5dc
SHA512: f6888413d8a1526a015abe39bb6f6348f31412cf8683e9be579740b5ea7df8ca5ca2eed63f25d576b965735e1ee05c5a9cbb23f2191442b5e189a91e34d652e4
SSDEEP: 3072:IUmWfIJzSRATYK8Qr5+ViKGe7Yfs0a0Uoi:ItWftRATYK9cViK4fs0l
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.870da7f3826c0459742ff15552b6c792.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.870da7f3826c0459742ff15552b6c792.exe"), depth 1
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\Bdipfi32.exe (command line: C:\Windows\system32\Bdipfi32.exe), depth 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\Dhodpidl.exe (command line: C:\Windows\system32\Dhodpidl.exe), depth 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\Eaalom32.exe (command line: C:\Windows\system32\Eaalom32.exe), depth 4
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\Kobmkj32.exe (command line: C:\Windows\system32\Kobmkj32.exe), depth 5
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\Pkcfak32.exe (command line: C:\Windows\system32\Pkcfak32.exe), depth 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\Ofbikf32.exe (command line: C:\Windows\system32\Ofbikf32.exe), depth 7
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\Gqkqbe32.exe (command line: C:\Windows\system32\Gqkqbe32.exe), depth 8
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\Qakppa32.exe (command line: C:\Windows\system32\Qakppa32.exe), depth 9
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\Qamleagn.exe (command line: C:\Windows\system32\Qamleagn.exe), depth 10
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\Alcqcjgd.exe (command line: C:\Windows\system32\Alcqcjgd.exe), depth 11
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\Agmacgcc.exe (command line: C:\Windows\system32\Agmacgcc.exe), depth 12
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\Aimkeb32.exe (command line: C:\Windows\system32\Aimkeb32.exe), depth 13
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\Akmgoehg.exe (command line: C:\Windows\system32\Akmgoehg.exe), depth 14
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\Bcjhig32.exe (command line: C:\Windows\system32\Bcjhig32.exe), depth 1
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2024

C:\Windows\SysWOW64\Boainhic.exe (command line: C:\Windows\system32\Boainhic.exe), depth 2
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1536

C:\Windows\SysWOW64\Babbpc32.exe (command line: C:\Windows\system32\Babbpc32.exe), depth 3
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:776

C:\Windows\SysWOW64\Bqilfp32.exe (command line: C:\Windows\system32\Bqilfp32.exe), depth 4
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:616

C:\Windows\SysWOW64\Cjbpoeoj.exe (command line: C:\Windows\system32\Cjbpoeoj.exe), depth 5
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2396

C:\Windows\SysWOW64\Cnpieceq.exe (command line: C:\Windows\system32\Cnpieceq.exe), depth 6
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1212

C:\Windows\SysWOW64\Cjfjjd32.exe (command line: C:\Windows\system32\Cjfjjd32.exe), depth 7
- Executes dropped EXE
- Loads dropped DLL
PID:704

C:\Windows\SysWOW64\Cgjjdijo.exe (command line: C:\Windows\system32\Cgjjdijo.exe), depth 8
- Executes dropped EXE
- Loads dropped DLL
PID:1204

C:\Windows\SysWOW64\Cccgni32.exe (command line: C:\Windows\system32\Cccgni32.exe), depth 9
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2604

C:\Windows\SysWOW64\Dmllgo32.exe (command line: C:\Windows\system32\Dmllgo32.exe), depth 10
- Executes dropped EXE
- Loads dropped DLL
PID:2288

C:\Windows\SysWOW64\Dgemgm32.exe (command line: C:\Windows\system32\Dgemgm32.exe), depth 11
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1596

C:\Windows\SysWOW64\Dnpedghl.exe (command line: C:\Windows\system32\Dnpedghl.exe), depth 12
- Executes dropped EXE
- Loads dropped DLL
PID:3008

C:\Windows\SysWOW64\Dghjmlnm.exe (command line: C:\Windows\system32\Dghjmlnm.exe), depth 13
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2052

C:\Windows\SysWOW64\Deljfqmf.exe (command line: C:\Windows\system32\Deljfqmf.exe), depth 14
- Executes dropped EXE
- Loads dropped DLL
PID:2684

C:\Windows\SysWOW64\Dabkla32.exe (command line: C:\Windows\system32\Dabkla32.exe), depth 15
- Executes dropped EXE
- Loads dropped DLL
PID:2592

C:\Windows\SysWOW64\Djkodg32.exe (command line: C:\Windows\system32\Djkodg32.exe), depth 16
- Executes dropped EXE
- Loads dropped DLL
PID:2128

C:\Windows\SysWOW64\Emilqb32.exe (command line: C:\Windows\system32\Emilqb32.exe), depth 17
- Executes dropped EXE
- Modifies registry class
PID:924

C:\Windows\SysWOW64\Efbpihoo.exe (command line: C:\Windows\system32\Efbpihoo.exe), depth 18
- Executes dropped EXE
- Modifies registry class
PID:2932

C:\Windows\SysWOW64\Eagdgaoe.exe (command line: C:\Windows\system32\Eagdgaoe.exe), depth 19
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2976

C:\Windows\SysWOW64\Efdmohmm.exe (command line: C:\Windows\system32\Efdmohmm.exe), depth 20
- Executes dropped EXE
- Drops file in System32 directory
PID:2176

C:\Windows\SysWOW64\Elaego32.exe (command line: C:\Windows\system32\Elaego32.exe), depth 21
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:900

C:\Windows\SysWOW64\Emqaaabg.exe (command line: C:\Windows\system32\Emqaaabg.exe), depth 22
- Executes dropped EXE
- Drops file in System32 directory
PID:2352

C:\Windows\SysWOW64\Eabgjeef.exe (command line: C:\Windows\system32\Eabgjeef.exe), depth 23
- Executes dropped EXE
- Modifies registry class
PID:2044

C:\Windows\SysWOW64\Fijolbfh.exe (command line: C:\Windows\system32\Fijolbfh.exe), depth 24
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\Fhlogo32.exe (command line: C:\Windows\system32\Fhlogo32.exe), depth 25
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2928

C:\Windows\SysWOW64\Faedpdcc.exe (command line: C:\Windows\system32\Faedpdcc.exe), depth 26
- Executes dropped EXE
- Modifies registry class
PID:2876

C:\Windows\SysWOW64\Fkmhij32.exe (command line: C:\Windows\system32\Fkmhij32.exe), depth 27
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\Fdemap32.exe (command line: C:\Windows\system32\Fdemap32.exe), depth 28
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1516

C:\Windows\SysWOW64\Fmnakege.exe (command line: C:\Windows\system32\Fmnakege.exe), depth 29
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\Fdhigo32.exe (command line: C:\Windows\system32\Fdhigo32.exe), depth 30
- Executes dropped EXE
PID:3048

C:\Windows\SysWOW64\Fgffck32.exe (command line: C:\Windows\system32\Fgffck32.exe), depth 31
- Executes dropped EXE
- Drops file in System32 directory
PID:3044

C:\Windows\SysWOW64\Fmpnpe32.exe (command line: C:\Windows\system32\Fmpnpe32.exe), depth 32
- Executes dropped EXE
PID:1932

C:\Windows\SysWOW64\Fgibijkb.exe (command line: C:\Windows\system32\Fgibijkb.exe), depth 33
- Executes dropped EXE
- Modifies registry class
PID:640

C:\Windows\SysWOW64\Fangfcki.exe (command line: C:\Windows\system32\Fangfcki.exe), depth 34
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\Gcocnk32.exe (command line: C:\Windows\system32\Gcocnk32.exe), depth 35
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1448

C:\Windows\SysWOW64\Gmegkd32.exe (command line: C:\Windows\system32\Gmegkd32.exe), depth 36
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\Gpccgppq.exe (command line: C:\Windows\system32\Gpccgppq.exe), depth 37
- Executes dropped EXE
PID:1844

C:\Windows\SysWOW64\Geplpfnh.exe (command line: C:\Windows\system32\Geplpfnh.exe), depth 38
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:328

C:\Windows\SysWOW64\Gljdlq32.exe (command line: C:\Windows\system32\Gljdlq32.exe), depth 39
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\Gohqhl32.exe (command line: C:\Windows\system32\Gohqhl32.exe), depth 40
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\Gebiefle.exe (command line: C:\Windows\system32\Gebiefle.exe), depth 41
- Executes dropped EXE
- Modifies registry class
PID:1768

C:\Windows\SysWOW64\Gllabp32.exe (command line: C:\Windows\system32\Gllabp32.exe), depth 42
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1200

C:\Windows\SysWOW64\Gcfioj32.exe (command line: C:\Windows\system32\Gcfioj32.exe), depth 43
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\Gkancm32.exe (command line: C:\Windows\system32\Gkancm32.exe), depth 44
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2156

C:\Windows\SysWOW64\Galfpgpg.exe (command line: C:\Windows\system32\Galfpgpg.exe), depth 45
- Executes dropped EXE
PID:2672

C:\Windows\SysWOW64\Hopgikop.exe (command line: C:\Windows\system32\Hopgikop.exe), depth 46
- Executes dropped EXE
PID:2648

C:\Windows\SysWOW64\Hkfgnldd.exe (command line: C:\Windows\system32\Hkfgnldd.exe), depth 47
- Executes dropped EXE
PID:2236

C:\Windows\SysWOW64\Happkf32.exe (command line: C:\Windows\system32\Happkf32.exe), depth 48
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2760

C:\Windows\SysWOW64\Hhjhgpcn.exe (command line: C:\Windows\system32\Hhjhgpcn.exe), depth 49
- Executes dropped EXE
- Modifies registry class
PID:1556

C:\Windows\SysWOW64\Hngppgae.exe (command line: C:\Windows\system32\Hngppgae.exe), depth 50
PID:768

C:\Windows\SysWOW64\Qnmfmoaa.exe (command line: C:\Windows\system32\Qnmfmoaa.exe), depth 51
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856

C:\Windows\SysWOW64\Genkhidc.exe (command line: C:\Windows\system32\Genkhidc.exe), depth 52
PID:268

C:\Windows\SysWOW64\Jhjldiln.exe (command line: C:\Windows\system32\Jhjldiln.exe), depth 53
- Drops file in System32 directory
PID:1512

C:\Windows\SysWOW64\Jnfdlpje.exe (command line: C:\Windows\system32\Jnfdlpje.exe), depth 54
PID:1372

C:\Windows\SysWOW64\Kgoief32.exe (command line: C:\Windows\system32\Kgoief32.exe), depth 55
- Drops file in System32 directory
PID:1728

C:\Windows\SysWOW64\Kniaap32.exe (command line: C:\Windows\system32\Kniaap32.exe), depth 56
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772

C:\Windows\SysWOW64\Kceijg32.exe (command line: C:\Windows\system32\Kceijg32.exe), depth 57
PID:1832

C:\Windows\SysWOW64\Kkmakd32.exe (command line: C:\Windows\system32\Kkmakd32.exe), depth 58
- Drops file in System32 directory
PID:1188

C:\Windows\SysWOW64\Kmnnblmj.exe (command line: C:\Windows\system32\Kmnnblmj.exe), depth 59
PID:2392

C:\Windows\SysWOW64\Kchfpf32.exe (command line: C:\Windows\system32\Kchfpf32.exe), depth 60
PID:2032

C:\Windows\SysWOW64\Kmpkhl32.exe (command line: C:\Windows\system32\Kmpkhl32.exe), depth 61
- Drops file in System32 directory
- Modifies registry class
PID:872

C:\Windows\SysWOW64\Kqlgikcq.exe (command line: C:\Windows\system32\Kqlgikcq.exe), depth 62
- Drops file in System32 directory
PID:1628

C:\Windows\SysWOW64\Kgfoee32.exe (command line: C:\Windows\system32\Kgfoee32.exe), depth 63
PID:2068

C:\Windows\SysWOW64\Kjdkap32.exe (command line: C:\Windows\system32\Kjdkap32.exe), depth 64
- Modifies registry class
PID:1700

C:\Windows\SysWOW64\Kqncnjan.exe (command line: C:\Windows\system32\Kqncnjan.exe), depth 65
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2152

C:\Windows\SysWOW64\Kjfhgp32.exe (command line: C:\Windows\system32\Kjfhgp32.exe), depth 66
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1276

C:\Windows\SysWOW64\Kmedck32.exe (command line: C:\Windows\system32\Kmedck32.exe), depth 67
PID:2324

C:\Windows\SysWOW64\Lpcppgff.exe (command line: C:\Windows\system32\Lpcppgff.exe), depth 68
PID:2544

C:\Windows\SysWOW64\Lcolpe32.exe (command line: C:\Windows\system32\Lcolpe32.exe), depth 69
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2568

C:\Windows\SysWOW64\Lmgaikep.exe (command line: C:\Windows\system32\Lmgaikep.exe), depth 70
- Modifies registry class
PID:1076

C:\Windows\SysWOW64\Lnhmqc32.exe (command line: C:\Windows\system32\Lnhmqc32.exe), depth 71
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584

C:\Windows\SysWOW64\Lebemmbk.exe (command line: C:\Windows\system32\Lebemmbk.exe), depth 72
- Modifies registry class
PID:2908

C:\Windows\SysWOW64\Lgaaiian.exe (command line: C:\Windows\system32\Lgaaiian.exe), depth 73
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480

C:\Windows\SysWOW64\Lnkjfcik.exe (command line: C:\Windows\system32\Lnkjfcik.exe), depth 74
PID:968

C:\Windows\SysWOW64\Llojpghe.exe (command line: C:\Windows\system32\Llojpghe.exe), depth 75
- Modifies registry class
PID:2852

C:\Windows\SysWOW64\Lnmglbgh.exe (command line: C:\Windows\system32\Lnmglbgh.exe), depth 76
- Drops file in System32 directory
PID:2984

C:\Windows\SysWOW64\Lcjodiep.exe (command line: C:\Windows\system32\Lcjodiep.exe), depth 77
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:900

C:\Windows\SysWOW64\Lnpcabef.exe (command line: C:\Windows\system32\Lnpcabef.exe), depth 78
PID:2892

C:\Windows\SysWOW64\Lcllii32.exe (command line: C:\Windows\system32\Lcllii32.exe), depth 79
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1516

C:\Windows\SysWOW64\Mjfdfcjj.exe (command line: C:\Windows\system32\Mjfdfcjj.exe), depth 80
- Drops file in System32 directory
PID:1612

C:\Windows\SysWOW64\Maplcm32.exe (command line: C:\Windows\system32\Maplcm32.exe), depth 81
- Drops file in System32 directory
PID:2772

C:\Windows\SysWOW64\Mfmekd32.exe (command line: C:\Windows\system32\Mfmekd32.exe), depth 82
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880

C:\Windows\SysWOW64\Mabihm32.exe (command line: C:\Windows\system32\Mabihm32.exe), depth 83
PID:328

C:\Windows\SysWOW64\Mfpaqdnk.exe (command line: C:\Windows\system32\Mfpaqdnk.exe), depth 84
- Drops file in System32 directory
- Modifies registry class
PID:2156

C:\Windows\SysWOW64\Mlljiklc.exe (command line: C:\Windows\system32\Mlljiklc.exe), depth 85
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2700

C:\Windows\SysWOW64\Mfbnfcli.exe (command line: C:\Windows\system32\Mfbnfcli.exe), depth 86
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1608

C:\Windows\SysWOW64\Mmlfcn32.exe (command line: C:\Windows\system32\Mmlfcn32.exe), depth 87
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1432

C:\Windows\SysWOW64\Mpjboi32.exe (command line: C:\Windows\system32\Mpjboi32.exe), depth 88
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1632

C:\Windows\SysWOW64\Megkgpaq.exe (command line: C:\Windows\system32\Megkgpaq.exe), depth 89
- Modifies registry class
PID:3000

C:\Windows\SysWOW64\Mlacdj32.exe (command line: C:\Windows\system32\Mlacdj32.exe), depth 90
PID:456

C:\Windows\SysWOW64\Nanlla32.exe (command line: C:\Windows\system32\Nanlla32.exe), depth 91
- Drops file in System32 directory
PID:1704

C:\Windows\SysWOW64\Nhhdiknb.exe (command line: C:\Windows\system32\Nhhdiknb.exe), depth 92
- Modifies registry class
PID:2364

C:\Windows\SysWOW64\Noalfe32.exe (command line: C:\Windows\system32\Noalfe32.exe), depth 93
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508

C:\Windows\SysWOW64\Neldbo32.exe (command line: C:\Windows\system32\Neldbo32.exe), depth 94
- Drops file in System32 directory
PID:1708

C:\Windows\SysWOW64\Oodejhfg.exe (command line: C:\Windows\system32\Oodejhfg.exe), depth 95
- Drops file in System32 directory
PID:2456

C:\Windows\SysWOW64\Oenngb32.exe (command line: C:\Windows\system32\Oenngb32.exe), depth 96
- Drops file in System32 directory
PID:3020

C:\Windows\SysWOW64\Ohljcnlh.exe (command line: C:\Windows\system32\Ohljcnlh.exe), depth 97
- Drops file in System32 directory
PID:2576

C:\Windows\SysWOW64\Oofbph32.exe (command line: C:\Windows\system32\Oofbph32.exe), depth 98
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168

C:\Windows\SysWOW64\Ocbnqfln.exe (command line: C:\Windows\system32\Ocbnqfln.exe), depth 99
- Adds autorun key to be loaded by Explorer.exe on startup
PID:976

C:\Windows\SysWOW64\Odckho32.exe (command line: C:\Windows\system32\Odckho32.exe), depth 100
PID:1460

C:\Windows\SysWOW64\Okmceiii.exe (command line: C:\Windows\system32\Okmceiii.exe), depth 101
PID:1972

C:\Windows\SysWOW64\Oagkac32.exe (command line: C:\Windows\system32\Oagkac32.exe), depth 102
PID:1736

C:\Windows\SysWOW64\Pokkkgpo.exe (command line: C:\Windows\system32\Pokkkgpo.exe), depth 103
PID:1596

C:\Windows\SysWOW64\Pqlhbo32.exe (command line: C:\Windows\system32\Pqlhbo32.exe), depth 104
- Modifies registry class
PID:2952

C:\Windows\SysWOW64\Pgfpoimj.exe (command line: C:\Windows\system32\Pgfpoimj.exe), depth 105
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932

C:\Windows\SysWOW64\Pjdlkeln.exe (command line: C:\Windows\system32\Pjdlkeln.exe), depth 106
PID:2016

C:\Windows\SysWOW64\Paldmbmq.exe (command line: C:\Windows\system32\Paldmbmq.exe), depth 107
PID:1980

C:\Windows\SysWOW64\Pcmadj32.exe (command line: C:\Windows\system32\Pcmadj32.exe), depth 108
PID:1476

C:\Windows\SysWOW64\Pjgiad32.exe (command line: C:\Windows\system32\Pjgiad32.exe), depth 109
PID:3040

C:\Windows\SysWOW64\Afgmldhe.exe (command line: C:\Windows\system32\Afgmldhe.exe), depth 110
- Modifies registry class
PID:1756

C:\Windows\SysWOW64\Aieihpgi.exe (command line: C:\Windows\system32\Aieihpgi.exe), depth 111
PID:1540

C:\Windows\SysWOW64\Aihenoef.exe (command line: C:\Windows\system32\Aihenoef.exe), depth 112
- Drops file in System32 directory
- Modifies registry class
PID:2248

C:\Windows\SysWOW64\Agkfil32.exe (command line: C:\Windows\system32\Agkfil32.exe), depth 113
PID:2648

C:\Windows\SysWOW64\Andnff32.exe (command line: C:\Windows\system32\Andnff32.exe), depth 114
PID:2884

C:\Windows\SysWOW64\Acafnm32.exe (command line: C:\Windows\system32\Acafnm32.exe), depth 115
PID:2116

C:\Windows\SysWOW64\Akhopj32.exe (command line: C:\Windows\system32\Akhopj32.exe), depth 116
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880

C:\Windows\SysWOW64\Angklf32.exe (command line: C:\Windows\system32\Angklf32.exe), depth 117
- Modifies registry class
PID:1296

C:\Windows\SysWOW64\Acdcdm32.exe (command line: C:\Windows\system32\Acdcdm32.exe), depth 118
PID:1600

C:\Windows\SysWOW64\Kamooe32.exe (command line: C:\Windows\system32\Kamooe32.exe), depth 119
PID:2464

C:\Windows\SysWOW64\Epckkeek.exe (command line: C:\Windows\system32\Epckkeek.exe), depth 120
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:948

C:\Windows\SysWOW64\Agkjknji.exe (command line: C:\Windows\system32\Agkjknji.exe), depth 121
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1192

C:\Windows\SysWOW64\Akgfll32.exe (command line: C:\Windows\system32\Akgfll32.exe), depth 122
- Drops file in System32 directory
PID:2620