Analysis
-
max time kernel
12s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
13/11/2023, 01:46
Behavioral task
behavioral1
Sample
NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe
-
Size
130KB
-
MD5
dc4e006fc1f9b9f93caccae2d48c7c40
-
SHA1
8c5aa566c233c3cf4d2c9818bbf73b2a9d7264c2
-
SHA256
c86b4b71395dc4eed79776367286734bf4baa26fe877c1ec0f233f9004b80552
-
SHA512
cf6982613863e08682c2d1b1a6edfcb7ee07cdcc01ecd0950a5d7e116d0f6ab23f5b450c9ca572c87772f03f6c23e2894b8f13889b616dd0da2a967fb64d7ba9
-
SSDEEP
3072:nnkOO2sFszCeSGR2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/4:ajsziq4BhHmNEcYj9nhV8NCV
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcpkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igchlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glpdde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmomml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fblmglgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecaidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddomif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdihkcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiglkle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmiod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblifo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgcab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmbng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejebk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihfjognl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkpkfooh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcpkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keednado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkogj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcaoajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbcdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bobhal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblmglgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmomml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngibaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhllob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgoapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcdcgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffcllo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaonhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeadap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amelne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpjgifpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogjka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbpnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mholen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfeppop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgncfcaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnmfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmdofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eobapbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqmpni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acpdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afnagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdiejfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igakgfpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhjbjopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdanpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edfpih32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2924-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00070000000120e5-5.dat family_berbew behavioral1/memory/2924-6-0x0000000000220000-0x0000000000261000-memory.dmp family_berbew behavioral1/files/0x00070000000120e5-8.dat family_berbew behavioral1/files/0x00070000000120e5-9.dat family_berbew behavioral1/files/0x00070000000120e5-12.dat family_berbew behavioral1/files/0x00070000000120e5-13.dat family_berbew behavioral1/files/0x00330000000162f2-18.dat family_berbew behavioral1/files/0x00330000000162f2-22.dat family_berbew behavioral1/files/0x00330000000162f2-25.dat family_berbew behavioral1/files/0x00330000000162f2-21.dat family_berbew behavioral1/memory/2788-26-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00330000000162f2-27.dat family_berbew behavioral1/files/0x0008000000016c67-32.dat family_berbew behavioral1/files/0x0008000000016c67-34.dat family_berbew behavioral1/files/0x0008000000016c67-35.dat family_berbew behavioral1/files/0x0007000000016ccd-45.dat family_berbew behavioral1/files/0x0007000000016ccd-47.dat family_berbew behavioral1/files/0x0007000000016ccd-48.dat family_berbew behavioral1/memory/2536-51-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/3008-58-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0007000000016ccd-53.dat family_berbew behavioral1/files/0x0009000000016ce9-65.dat family_berbew behavioral1/files/0x0009000000016ce9-62.dat family_berbew behavioral1/files/0x0009000000016ce9-61.dat family_berbew behavioral1/files/0x0009000000016ce9-59.dat family_berbew behavioral1/files/0x0007000000016ccd-52.dat family_berbew behavioral1/files/0x0008000000016c67-40.dat family_berbew behavioral1/files/0x0009000000016ce9-67.dat family_berbew behavioral1/memory/2524-66-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0008000000016c67-39.dat family_berbew behavioral1/memory/2788-38-0x0000000000220000-0x0000000000261000-memory.dmp family_berbew behavioral1/files/0x0006000000016d3d-79.dat family_berbew behavioral1/files/0x0006000000016d3d-76.dat family_berbew behavioral1/files/0x0006000000016d3d-75.dat family_berbew behavioral1/memory/2524-74-0x0000000000220000-0x0000000000261000-memory.dmp family_berbew behavioral1/files/0x0006000000016d3d-72.dat family_berbew behavioral1/files/0x0006000000016d3d-80.dat family_berbew behavioral1/files/0x0006000000016d62-85.dat family_berbew behavioral1/files/0x0006000000016d62-87.dat family_berbew behavioral1/memory/3060-88-0x00000000002E0000-0x0000000000321000-memory.dmp family_berbew behavioral1/files/0x0006000000016d62-91.dat family_berbew behavioral1/files/0x0006000000016d62-92.dat family_berbew behavioral1/files/0x0006000000016d62-93.dat family_berbew behavioral1/files/0x0006000000016e5e-98.dat family_berbew behavioral1/files/0x0006000000016e5e-100.dat family_berbew behavioral1/files/0x0006000000016e5e-101.dat family_berbew behavioral1/files/0x0006000000016e5e-104.dat family_berbew behavioral1/memory/2884-105-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016e5e-106.dat family_berbew behavioral1/files/0x00340000000165ee-114.dat family_berbew behavioral1/files/0x00340000000165ee-118.dat family_berbew behavioral1/files/0x00340000000165ee-119.dat family_berbew behavioral1/files/0x00340000000165ee-113.dat family_berbew behavioral1/files/0x00340000000165ee-111.dat family_berbew behavioral1/files/0x00060000000171d6-131.dat family_berbew behavioral1/files/0x00060000000171d6-128.dat family_berbew behavioral1/files/0x00060000000171d6-127.dat family_berbew behavioral1/files/0x00060000000171d6-125.dat family_berbew behavioral1/memory/2056-138-0x00000000002C0000-0x0000000000301000-memory.dmp family_berbew behavioral1/memory/1144-139-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00060000000171d6-133.dat family_berbew behavioral1/memory/2056-132-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000900000001860c-140.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2016 Hgjefg32.exe 2788 Hiknhbcg.exe 2536 Igonafba.exe 3008 Igakgfpn.exe 2524 Igchlf32.exe 3060 Ipllekdl.exe 268 Iapebchh.exe 2884 Jdpndnei.exe 2056 Jqgoiokm.exe 1144 Jbgkcb32.exe 884 Jqlhdo32.exe 1692 Jcmafj32.exe 1604 Kiijnq32.exe 1632 Kofopj32.exe 2252 Kincipnk.exe 2340 Keednado.exe 2128 Kbidgeci.exe 2484 Kjdilgpc.exe 2136 Lanaiahq.exe 280 Ljffag32.exe 1288 Lcojjmea.exe 1952 Ljkomfjl.exe 584 Lbfdaigg.exe 2260 Lfdmggnm.exe 2228 Mmneda32.exe 888 Moanaiie.exe 1656 Mhjbjopf.exe 2672 Mkklljmg.exe 2804 Mholen32.exe 2644 Nhaikn32.exe 2756 Naimccpo.exe 2532 Niebhf32.exe 2604 Ngibaj32.exe 600 Nmbknddp.exe 2896 Npagjpcd.exe 3004 Ngkogj32.exe 2220 Nhllob32.exe 1992 Ncbplk32.exe 1644 Nilhhdga.exe 2820 Nkmdpm32.exe 1628 Oebimf32.exe 1732 Okoafmkm.exe 2384 Ookmfk32.exe 1848 Ohcaoajg.exe 916 Oomjlk32.exe 2296 Oalfhf32.exe 1524 Oghopm32.exe 988 Oancnfoe.exe 1968 Ohhkjp32.exe 848 Onecbg32.exe 1088 Pcfefmnk.exe 2412 Poocpnbm.exe 1564 Pihgic32.exe 2944 Pndpajgd.exe 2660 Qflhbhgg.exe 2640 Qijdocfj.exe 2512 Qkhpkoen.exe 1076 Qbbhgi32.exe 2872 Qgoapp32.exe 2992 Aniimjbo.exe 1936 Aecaidjl.exe 2500 Aganeoip.exe 576 Achojp32.exe 1688 Afgkfl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2924 NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe 2924 NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe 2016 Hgjefg32.exe 2016 Hgjefg32.exe 2788 Hiknhbcg.exe 2788 Hiknhbcg.exe 2536 Igonafba.exe 2536 Igonafba.exe 3008 Igakgfpn.exe 3008 Igakgfpn.exe 2524 Igchlf32.exe 2524 Igchlf32.exe 3060 Ipllekdl.exe 3060 Ipllekdl.exe 268 Iapebchh.exe 268 Iapebchh.exe 2884 Jdpndnei.exe 2884 Jdpndnei.exe 2056 Jqgoiokm.exe 2056 Jqgoiokm.exe 1144 Jbgkcb32.exe 1144 Jbgkcb32.exe 884 Jqlhdo32.exe 884 Jqlhdo32.exe 1692 Jcmafj32.exe 1692 Jcmafj32.exe 1604 Kiijnq32.exe 1604 Kiijnq32.exe 1632 Kofopj32.exe 1632 Kofopj32.exe 2252 Kincipnk.exe 2252 Kincipnk.exe 2340 Keednado.exe 2340 Keednado.exe 2128 Kbidgeci.exe 2128 Kbidgeci.exe 2484 Kjdilgpc.exe 2484 Kjdilgpc.exe 2136 Lanaiahq.exe 2136 Lanaiahq.exe 280 Ljffag32.exe 280 Ljffag32.exe 1288 Lcojjmea.exe 1288 Lcojjmea.exe 1952 Ljkomfjl.exe 1952 Ljkomfjl.exe 584 Lbfdaigg.exe 584 Lbfdaigg.exe 2260 Lfdmggnm.exe 2260 Lfdmggnm.exe 2228 Mmneda32.exe 2228 Mmneda32.exe 888 Moanaiie.exe 888 Moanaiie.exe 1656 Mhjbjopf.exe 1656 Mhjbjopf.exe 2672 Mkklljmg.exe 2672 Mkklljmg.exe 2804 Mholen32.exe 2804 Mholen32.exe 2644 Nhaikn32.exe 2644 Nhaikn32.exe 2756 Naimccpo.exe 2756 Naimccpo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qfgkcdoe.dll Iapebchh.exe File opened for modification C:\Windows\SysWOW64\Jqlhdo32.exe Jbgkcb32.exe File created C:\Windows\SysWOW64\Dkkbkp32.exe Dhmfod32.exe File created C:\Windows\SysWOW64\Jhdihkcj.exe Jajala32.exe File opened for modification C:\Windows\SysWOW64\Kopokehd.exe Jlbboiip.exe File created C:\Windows\SysWOW64\Ceamohhb.dll Nhllob32.exe File opened for modification C:\Windows\SysWOW64\Bhdgjb32.exe Bajomhbl.exe File created C:\Windows\SysWOW64\Imklkg32.dll Bfkpqn32.exe File opened for modification C:\Windows\SysWOW64\Cicpch32.exe Ccigfn32.exe File opened for modification C:\Windows\SysWOW64\Igijkd32.exe Ihfjognl.exe File created C:\Windows\SysWOW64\Mkklljmg.exe Mhjbjopf.exe File created C:\Windows\SysWOW64\Pemqjmkp.dll Cddjebgb.exe File created C:\Windows\SysWOW64\Ehmbng32.exe Ebcjamoh.exe File created C:\Windows\SysWOW64\Eogjka32.exe Ehmbng32.exe File created C:\Windows\SysWOW64\Fbddqihf.dll Kbaglpee.exe File created C:\Windows\SysWOW64\Diceon32.dll Mholen32.exe File opened for modification C:\Windows\SysWOW64\Aecaidjl.exe Aniimjbo.exe File opened for modification C:\Windows\SysWOW64\Eqamje32.exe Ejgemkbm.exe File created C:\Windows\SysWOW64\Jmiiak32.dll Gdboig32.exe File created C:\Windows\SysWOW64\Hgqabcec.dll Hdfhdfgl.exe File created C:\Windows\SysWOW64\Jgqpkc32.exe Jpfhoi32.exe File created C:\Windows\SysWOW64\Kdbpnk32.exe Kbcdbp32.exe File created C:\Windows\SysWOW64\Fbldmm32.dll Igchlf32.exe File created C:\Windows\SysWOW64\Eppddhlj.dll Nhaikn32.exe File created C:\Windows\SysWOW64\Jmbckb32.dll Niebhf32.exe File created C:\Windows\SysWOW64\Kklcab32.dll Npagjpcd.exe File created C:\Windows\SysWOW64\Jbgeqa32.dll Dhmfod32.exe File created C:\Windows\SysWOW64\Jpiedieo.exe Jjomgo32.exe File created C:\Windows\SysWOW64\Nlhqhm32.dll Gpnmjd32.exe File created C:\Windows\SysWOW64\Igonafba.exe Hiknhbcg.exe File created C:\Windows\SysWOW64\Malllmgi.dll Kjdilgpc.exe File opened for modification C:\Windows\SysWOW64\Acpdko32.exe Amelne32.exe File created C:\Windows\SysWOW64\Niehmp32.dll Cckdlnjg.exe File opened for modification C:\Windows\SysWOW64\Gihniioc.exe Gaafhloq.exe File created C:\Windows\SysWOW64\Mholen32.exe Mkklljmg.exe File created C:\Windows\SysWOW64\Ngoohnkj.dll Ngibaj32.exe File opened for modification C:\Windows\SysWOW64\Afiglkle.exe Apoooa32.exe File opened for modification C:\Windows\SysWOW64\Igonafba.exe Hiknhbcg.exe File opened for modification C:\Windows\SysWOW64\Jdpndnei.exe Iapebchh.exe File created C:\Windows\SysWOW64\Cehdmo32.dll Dkkbkp32.exe File opened for modification C:\Windows\SysWOW64\Hahlhkhi.exe Hjndlqal.exe File opened for modification C:\Windows\SysWOW64\Nhaikn32.exe Mholen32.exe File opened for modification C:\Windows\SysWOW64\Ccigfn32.exe Cpkkjc32.exe File opened for modification C:\Windows\SysWOW64\Iaonhm32.exe Iihfgp32.exe File created C:\Windows\SysWOW64\Hikmgj32.dll Dacnbjml.exe File created C:\Windows\SysWOW64\Jjomgo32.exe Jgqpkc32.exe File created C:\Windows\SysWOW64\Aceobl32.dll Onecbg32.exe File created C:\Windows\SysWOW64\Plnfdigq.dll Pndpajgd.exe File created C:\Windows\SysWOW64\Qbbhgi32.exe Qkhpkoen.exe File opened for modification C:\Windows\SysWOW64\Cddjebgb.exe Cphndc32.exe File opened for modification C:\Windows\SysWOW64\Ejgemkbm.exe Eobapbbg.exe File created C:\Windows\SysWOW64\Nhllob32.exe Ngkogj32.exe File created C:\Windows\SysWOW64\Behgcf32.exe Bonoflae.exe File opened for modification C:\Windows\SysWOW64\Cklfll32.exe Cdanpb32.exe File created C:\Windows\SysWOW64\Ddomif32.exe Dobdqo32.exe File created C:\Windows\SysWOW64\Ikdlhpmb.dll Dlfejcoe.exe File created C:\Windows\SysWOW64\Iihfgp32.exe Igijkd32.exe File created C:\Windows\SysWOW64\Ihfeaiog.dll Jkbfdfbm.exe File created C:\Windows\SysWOW64\Gdfaom32.dll Jlbboiip.exe File created C:\Windows\SysWOW64\Fcpfedki.exe Fkdaqa32.exe File created C:\Windows\SysWOW64\Dnjjbl32.dll Hahlhkhi.exe File created C:\Windows\SysWOW64\Kpijcjdl.dll Jhdihkcj.exe File opened for modification C:\Windows\SysWOW64\Lbfdaigg.exe Ljkomfjl.exe File created C:\Windows\SysWOW64\Poocpnbm.exe Pcfefmnk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmfgh32.dll" NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpicodoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmomml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll" Bajomhbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iihfgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeadap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imogmg32.dll" Pcfefmnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qflhbhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inoqpi32.dll" Ddomif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjppn32.dll" Dpjgifpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllhoqlh.dll" Iamabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcjnfdbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkhpkoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll" Pihgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll" Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkbpc32.dll" Ookmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdmgclfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igchlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afiglkle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bajomhbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajomhbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" Blaopqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoconjf.dll" Eobapbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehmbng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfhdp32.dll" Hiknhbcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oomjlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekpheb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkbdkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihfjognl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgqpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikjig32.dll" Kkileele.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igakgfpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keednado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogikcfnb.dll" Lcojjmea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pndpajgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll" Behgcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iamabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll" Qkhpkoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjlgmlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgkbeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpfhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmcfln32.dll" Jpiedieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqlhdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll" Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" Oghopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddomif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlbboiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" Aigchgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehoocgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll" Moanaiie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhdihkcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdmgclfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalfhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll" Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cinfhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdnqlnqc.dll" Cielhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gligjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhookbna.dll" Jkgcab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapebchh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 2016 2924 NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe 28 PID 2924 wrote to memory of 2016 2924 NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe 28 PID 2924 wrote to memory of 2016 2924 NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe 28 PID 2924 wrote to memory of 2016 2924 NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe 28 PID 2016 wrote to memory of 2788 2016 Hgjefg32.exe 29 PID 2016 wrote to memory of 2788 2016 Hgjefg32.exe 29 PID 2016 wrote to memory of 2788 2016 Hgjefg32.exe 29 PID 2016 wrote to memory of 2788 2016 Hgjefg32.exe 29 PID 2788 wrote to memory of 2536 2788 Hiknhbcg.exe 30 PID 2788 wrote to memory of 2536 2788 Hiknhbcg.exe 30 PID 2788 wrote to memory of 2536 2788 Hiknhbcg.exe 30 PID 2788 wrote to memory of 2536 2788 Hiknhbcg.exe 30 PID 2536 wrote to memory of 3008 2536 Igonafba.exe 32 PID 2536 wrote to memory of 3008 2536 Igonafba.exe 32 PID 2536 wrote to memory of 3008 2536 Igonafba.exe 32 PID 2536 wrote to memory of 3008 2536 Igonafba.exe 32 PID 3008 wrote to memory of 2524 3008 Igakgfpn.exe 31 PID 3008 wrote to memory of 2524 3008 Igakgfpn.exe 31 PID 3008 wrote to memory of 2524 3008 Igakgfpn.exe 31 PID 3008 wrote to memory of 2524 3008 Igakgfpn.exe 31 PID 2524 wrote to memory of 3060 2524 Igchlf32.exe 33 PID 2524 wrote to memory of 3060 2524 Igchlf32.exe 33 PID 2524 wrote to memory of 3060 2524 Igchlf32.exe 33 PID 2524 wrote to memory of 3060 2524 Igchlf32.exe 33 PID 3060 wrote to memory of 268 3060 Ipllekdl.exe 34 PID 3060 wrote to memory of 268 3060 Ipllekdl.exe 34 PID 3060 wrote to memory of 268 3060 Ipllekdl.exe 34 PID 3060 wrote to memory of 268 3060 Ipllekdl.exe 34 PID 268 wrote to memory of 2884 268 Iapebchh.exe 35 PID 268 wrote to memory of 2884 268 Iapebchh.exe 35 PID 268 wrote to memory of 2884 268 Iapebchh.exe 35 PID 268 wrote to memory of 2884 268 Iapebchh.exe 35 PID 2884 wrote to memory of 2056 2884 Jdpndnei.exe 36 PID 2884 wrote to memory of 2056 2884 Jdpndnei.exe 36 PID 2884 wrote to memory of 2056 2884 Jdpndnei.exe 36 PID 2884 wrote to memory of 2056 2884 Jdpndnei.exe 36 PID 2056 wrote to memory of 1144 2056 Jqgoiokm.exe 37 PID 2056 wrote to memory of 1144 2056 Jqgoiokm.exe 37 PID 2056 wrote to memory of 1144 2056 Jqgoiokm.exe 37 PID 2056 wrote to memory of 1144 2056 Jqgoiokm.exe 37 PID 1144 wrote to memory of 884 1144 Jbgkcb32.exe 38 PID 1144 wrote to memory of 884 1144 Jbgkcb32.exe 38 PID 1144 wrote to memory of 884 1144 Jbgkcb32.exe 38 PID 1144 wrote to memory of 884 1144 Jbgkcb32.exe 38 PID 884 wrote to memory of 1692 884 Jqlhdo32.exe 39 PID 884 wrote to memory of 1692 884 Jqlhdo32.exe 39 PID 884 wrote to memory of 1692 884 Jqlhdo32.exe 39 PID 884 wrote to memory of 1692 884 Jqlhdo32.exe 39 PID 1692 wrote to memory of 1604 1692 Jcmafj32.exe 40 PID 1692 wrote to memory of 1604 1692 Jcmafj32.exe 40 PID 1692 wrote to memory of 1604 1692 Jcmafj32.exe 40 PID 1692 wrote to memory of 1604 1692 Jcmafj32.exe 40 PID 1604 wrote to memory of 1632 1604 Kiijnq32.exe 41 PID 1604 wrote to memory of 1632 1604 Kiijnq32.exe 41 PID 1604 wrote to memory of 1632 1604 Kiijnq32.exe 41 PID 1604 wrote to memory of 1632 1604 Kiijnq32.exe 41 PID 1632 wrote to memory of 2252 1632 Kofopj32.exe 42 PID 1632 wrote to memory of 2252 1632 Kofopj32.exe 42 PID 1632 wrote to memory of 2252 1632 Kofopj32.exe 42 PID 1632 wrote to memory of 2252 1632 Kofopj32.exe 42 PID 2252 wrote to memory of 2340 2252 Kincipnk.exe 43 PID 2252 wrote to memory of 2340 2252 Kincipnk.exe 43 PID 2252 wrote to memory of 2340 2252 Kincipnk.exe 43 PID 2252 wrote to memory of 2340 2252 Kincipnk.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.dc4e006fc1f9b9f93caccae2d48c7c40.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008
-
-
-
-
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe3⤵PID:2792
-
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe4⤵PID:3024
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe5⤵PID:6376
-
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe6⤵PID:276
-
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe7⤵PID:6632
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe8⤵PID:1144
-
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe9⤵PID:1604
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Jbgkcb32.exeC:\Windows\system32\Jbgkcb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1288 -
C:\Windows\SysWOW64\Ljkomfjl.exeC:\Windows\system32\Ljkomfjl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Niebhf32.exeC:\Windows\system32\Niebhf32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe34⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe35⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe36⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe37⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Ohcaoajg.exeC:\Windows\system32\Ohcaoajg.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe44⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe45⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe48⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe58⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe59⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe60⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe61⤵PID:1572
-
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe62⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe64⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1844 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2416 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe68⤵PID:1900
-
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1256 -
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe70⤵PID:908
-
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:856 -
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe73⤵
- Drops file in System32 directory
PID:292 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe74⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe75⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe76⤵PID:1600
-
C:\Windows\SysWOW64\Baohhgnf.exeC:\Windows\system32\Baohhgnf.exe77⤵PID:2752
-
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe78⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe80⤵PID:2580
-
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592 -
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe84⤵PID:2816
-
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe85⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe86⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe87⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe88⤵PID:1568
-
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe89⤵
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe90⤵
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe91⤵PID:1620
-
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe92⤵PID:1956
-
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe93⤵
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe94⤵
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe95⤵
- Drops file in System32 directory
PID:300 -
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe97⤵
- Drops file in System32 directory
PID:668 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe98⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe99⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe100⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe101⤵PID:2900
-
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe105⤵PID:1932
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe107⤵
- Modifies registry class
PID:240 -
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe110⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe111⤵PID:1920
-
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe112⤵
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Ehmbng32.exeC:\Windows\system32\Ehmbng32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:616 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe115⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe116⤵PID:1104
-
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe117⤵PID:2720
-
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe119⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe120⤵PID:2272
-
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-