Analysis
- max time kernel: 63s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 15/11/2023, 07:45
Behavioral task: behavioral1
- Sample: NEAS.22838e830a160089e8f03d96f5a0e340.exe
- Resource: win7-20231025-en
Behavioral task: behavioral2
- Sample: NEAS.22838e830a160089e8f03d96f5a0e340.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.22838e830a160089e8f03d96f5a0e340.exe
- Size: 304KB
- MD5: 22838e830a160089e8f03d96f5a0e340
- SHA1: 5d2cd12411ef5abb29a6ad07fd33445c177ab52b
- SHA256: 90e5133299e3e14033500e1c5e4b8436824aa5bb26ac1130405e577797d7ef81
- SHA512: c53169f7b110531ab5333ba435b85419b363cc1fa542d7826f27a5ad03744730aafdae4da9749a3445ce7f97c779fd257d3ac9c208c957ae058d5d78a9f253a3
- SSDEEP: 6144:rdGsxa61eKh6FeJLbnCBbC+nVLjOPj194oQAPJiduHyFfeoHiWmVlWaPxqZcNpCF:RjQMkFeJLbnCN3xjOPj1Gg2uHyFfeoHV
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process                                     procid_target  events
PID 2940 wrote to memory of 1676    2940  NEAS.22838e830a160089e8f03d96f5a0e340.exe   28             4
PID 1676 wrote to memory of 2184    1676  Alnqqd32.exe                                29             4
PID 2184 wrote to memory of 3040    2184  Aehboi32.exe                                30             4
PID 3040 wrote to memory of 2648    3040  Ajhgmpfg.exe                                31             4
PID 2648 wrote to memory of 2712    2648  Ahlgfdeq.exe                                32             4
PID 2712 wrote to memory of 2544    2712  Bpiipf32.exe                                33             4
PID 2544 wrote to memory of 1084    2544  Biamilfj.exe                                34             4
PID 1084 wrote to memory of 2468    1084  Bblogakg.exe                                35             4
PID 2468 wrote to memory of 1948    2468  Cadhnmnm.exe                                36             4
PID 1948 wrote to memory of 2168    1948  Clilkfnb.exe                                37             4
PID 2168 wrote to memory of 312     2168  Cafecmlj.exe                                38             4
PID 312 wrote to memory of 1092     312   Cojema32.exe                                40             4
PID 1092 wrote to memory of 1476    1092  Cppkph32.exe                                39             4
PID 1476 wrote to memory of 1620    1476  Dfmdho32.exe                                42             4
PID 1620 wrote to memory of 2844    1620  Dliijipn.exe                                41             4
PID 2844 wrote to memory of 2360    2844  Dhpiojfb.exe                                44             4

(The report records four WriteProcessMemory events for every parent/child pair; the "events" column collapses those repeats.)
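The parent-to-child WriteProcessMemory records above are the most useful part of this report for triage: each dropped executable writes into exactly one newly created child, and that child is the next link of the chain. The Python below is an added example, not part of the sandbox report or of the sample: it parses a handful of records copied from the table above (a constructed, abridged input), rebuilds the spawn chain, counts the repeated write events per pair, and flags the chain when every hop after the root is an eight-character executable of the naming pattern seen here. The DROPPED_NAME pattern, the min_hops threshold and all function names are my assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed input: records copied from the report's "wrote to memory" table,
# abridged to six parent/child pairs. The real report lists four events per
# pair; one pair is repeated here to exercise the counting.
SAMPLE_EVENTS = """\
PID 2940 wrote to memory of 1676 2940 NEAS.22838e830a160089e8f03d96f5a0e340.exe 28
PID 2940 wrote to memory of 1676 2940 NEAS.22838e830a160089e8f03d96f5a0e340.exe 28
PID 1676 wrote to memory of 2184 1676 Alnqqd32.exe 29
PID 2184 wrote to memory of 3040 2184 Aehboi32.exe 30
PID 3040 wrote to memory of 2648 3040 Ajhgmpfg.exe 31
PID 2648 wrote to memory of 2712 2648 Ahlgfdeq.exe 32
PID 2712 wrote to memory of 2544 2712 Bpiipf32.exe 33
"""

# One record: "PID <src> wrote to memory of <dst> <src> <image of src> <target procid>".
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<image>\S+) (?P<target_id>\d+)$"
)

# Assumed naming pattern of the dropped executables in this report: a capital
# letter followed by lowercase letters, eight characters in total, optionally
# ending in "32" (Alnqqd32.exe, Ajhgmpfg.exe, ...).
DROPPED_NAME = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")


def parse_events(text):
    """Parse the write-to-memory records into dicts; reject malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        events.append({
            "src": int(m["src"]), "dst": int(m["dst"]),
            "image": m["image"], "target_id": int(m["target_id"]),
        })
    return events


def spawn_graph(events):
    """Return (children, images): children[src][dst] counts the write events
    for that pair; images[pid] is the image name of every PID that wrote."""
    children = defaultdict(dict)
    images = {}
    for e in events:
        children[e["src"]][e["dst"]] = children[e["src"]].get(e["dst"], 0) + 1
        images[e["src"]] = e["image"]
    return children, images


def longest_chain(children, root, _seen=frozenset()):
    """Depth-first walk from root returning the longest parent->child PID path.
    _seen stops a loop if a garbled log ever makes a PID its own ancestor."""
    if root in _seen or root not in children:
        return [root]
    best = [root]
    for child in children[root]:
        candidate = [root] + longest_chain(children, child, _seen | {root})
        if len(candidate) > len(best):
            best = candidate
    return best


def assess_chain(chain, images, min_hops=4):
    """Flag a chain whose every writer after the root carries the dropped-file
    naming pattern and that is at least min_hops (assumed threshold) long."""
    hops = len(chain) - 1
    # The leaf PID never wrote, so its image is unknown and is left out.
    dropped = [images[pid] for pid in chain[1:] if pid in images]
    matched = [name for name in dropped if DROPPED_NAME.match(name)]
    suspicious = hops >= min_hops and bool(dropped) and len(matched) == len(dropped)
    return {
        "root": images.get(chain[0]),
        "hops": hops,
        "dropped_images": dropped,
        "suspicious": suspicious,
    }


def analyse(text, root_pid):
    """Records in, verdict dict (with the reconstructed chain) out."""
    children, images = spawn_graph(parse_events(text))
    chain = longest_chain(children, root_pid)
    result = assess_chain(chain, images)
    result["chain"] = chain
    return result


if __name__ == "__main__":
    verdict = analyse(SAMPLE_EVENTS, root_pid=2940)
    print(" -> ".join(str(pid) for pid in verdict["chain"]))
    print(verdict)
```

Feed it the full table and the chain runs from the submitted sample through Dhpiojfb.exe (PID 2844) to PID 2360; the dropped_images list doubles as an IOC list of file names to hunt for under SysWOW64.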
Processes

The tree below is rendered as several fragments. The WriteProcessMemory records above join the first two: Cppkph32.exe (PID 1092, level 13) wrote to Dfmdho32.exe (PID 1476), which wrote to Dliijipn.exe (PID 1620), which wrote to Dhpiojfb.exe (PID 2844), which wrote to Dbkknojp.exe (PID 2360). Every dropped image lives under C:\Windows\SysWOW64 while its command line names C:\Windows\system32: the sample is 32-bit, so on this x64 host WOW64 file-system redirection maps its System32 drops and launches to SysWOW64 (and its registry writes to Wow6432Node).
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.22838e830a160089e8f03d96f5a0e340.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.22838e830a160089e8f03d96f5a0e340.exe"  PID 2940
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Alnqqd32.exe  cmdline: C:\Windows\system32\Alnqqd32.exe  PID 1676
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Aehboi32.exe  cmdline: C:\Windows\system32\Aehboi32.exe  PID 2184
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Ajhgmpfg.exe  cmdline: C:\Windows\system32\Ajhgmpfg.exe  PID 3040
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Ahlgfdeq.exe  cmdline: C:\Windows\system32\Ahlgfdeq.exe  PID 2648
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Bpiipf32.exe  cmdline: C:\Windows\system32\Bpiipf32.exe  PID 2712
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Biamilfj.exe  cmdline: C:\Windows\system32\Biamilfj.exe  PID 2544
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Bblogakg.exe  cmdline: C:\Windows\system32\Bblogakg.exe  PID 1084
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Cadhnmnm.exe  cmdline: C:\Windows\system32\Cadhnmnm.exe  PID 2468
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Clilkfnb.exe  cmdline: C:\Windows\system32\Clilkfnb.exe  PID 1948
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Cafecmlj.exe  cmdline: C:\Windows\system32\Cafecmlj.exe  PID 2168
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Cojema32.exe  cmdline: C:\Windows\system32\Cojema32.exe  PID 312
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Cppkph32.exe  cmdline: C:\Windows\system32\Cppkph32.exe  PID 1092
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Kdbepm32.exe  cmdline: C:\Windows\system32\Kdbepm32.exe  PID 4308
    - Adds autorun key to be loaded by Explorer.exe on startup
[4] C:\Windows\SysWOW64\Epcddopf.exe  cmdline: C:\Windows\system32\Epcddopf.exe  PID 2160
[5] C:\Windows\SysWOW64\Ebappk32.exe  cmdline: C:\Windows\system32\Ebappk32.exe  PID 1748
[6] C:\Windows\SysWOW64\Eikimeff.exe  cmdline: C:\Windows\system32\Eikimeff.exe  PID 2380
[7] C:\Windows\SysWOW64\Epeajo32.exe  cmdline: C:\Windows\system32\Epeajo32.exe  PID 2372
[8] C:\Windows\SysWOW64\Efoifiep.exe  cmdline: C:\Windows\system32\Efoifiep.exe  PID 1592
[9] C:\Windows\SysWOW64\Einebddd.exe  cmdline: C:\Windows\system32\Einebddd.exe  PID 2120
[1] C:\Windows\SysWOW64\Dfmdho32.exe  cmdline: C:\Windows\system32\Dfmdho32.exe  PID 1476
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Dliijipn.exe  cmdline: C:\Windows\system32\Dliijipn.exe  PID 1620
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[1] C:\Windows\SysWOW64\Dhpiojfb.exe  cmdline: C:\Windows\system32\Dhpiojfb.exe  PID 2844
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Dbkknojp.exe  cmdline: C:\Windows\system32\Dbkknojp.exe  PID 2360
    - Executes dropped EXE
    - Loads dropped DLL
[1] C:\Windows\SysWOW64\Dookgcij.exe  cmdline: C:\Windows\system32\Dookgcij.exe  PID 2856
    - Executes dropped EXE
    - Loads dropped DLL
[2] C:\Windows\SysWOW64\Ekelld32.exe  cmdline: C:\Windows\system32\Ekelld32.exe  PID 2276
    - Executes dropped EXE
    - Loads dropped DLL
[3] C:\Windows\SysWOW64\Ecqqpgli.exe  cmdline: C:\Windows\system32\Ecqqpgli.exe  PID 1440
    - Executes dropped EXE
    - Loads dropped DLL
[4] C:\Windows\SysWOW64\Enfenplo.exe  cmdline: C:\Windows\system32\Enfenplo.exe  PID 2388
    - Executes dropped EXE
    - Loads dropped DLL
[5] C:\Windows\SysWOW64\Eqijej32.exe  cmdline: C:\Windows\system32\Eqijej32.exe  PID 1524
    - Executes dropped EXE
    - Loads dropped DLL
[6] C:\Windows\SysWOW64\Fcjcfe32.exe  cmdline: C:\Windows\system32\Fcjcfe32.exe  PID 1320
    - Executes dropped EXE
    - Loads dropped DLL
[7] C:\Windows\SysWOW64\Fekpnn32.exe  cmdline: C:\Windows\system32\Fekpnn32.exe  PID 2044
    - Executes dropped EXE
    - Loads dropped DLL
[8] C:\Windows\SysWOW64\Flehkhai.exe  cmdline: C:\Windows\system32\Flehkhai.exe  PID 1104
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
[9] C:\Windows\SysWOW64\Fljafg32.exe  cmdline: C:\Windows\system32\Fljafg32.exe  PID 2264
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
[10] C:\Windows\SysWOW64\Faigdn32.exe  cmdline: C:\Windows\system32\Faigdn32.exe  PID 2132
    - Executes dropped EXE
    - Loads dropped DLL
[11] C:\Windows\SysWOW64\Gjakmc32.exe  cmdline: C:\Windows\system32\Gjakmc32.exe  PID 1804
    - Executes dropped EXE
    - Loads dropped DLL
[12] C:\Windows\SysWOW64\Gpncej32.exe  cmdline: C:\Windows\system32\Gpncej32.exe  PID 1588
    - Executes dropped EXE
    - Loads dropped DLL
[13] C:\Windows\SysWOW64\Gpcmpijk.exe  cmdline: C:\Windows\system32\Gpcmpijk.exe  PID 2092
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
[14] C:\Windows\SysWOW64\Gfmemc32.exe  cmdline: C:\Windows\system32\Gfmemc32.exe  PID 2396
    - Executes dropped EXE
    - Loads dropped DLL
[15] C:\Windows\SysWOW64\Gbcfadgl.exe  cmdline: C:\Windows\system32\Gbcfadgl.exe  PID 2904
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
[16] C:\Windows\SysWOW64\Ginnnooi.exe  cmdline: C:\Windows\system32\Ginnnooi.exe  PID 2688
    - Executes dropped EXE
[17] C:\Windows\SysWOW64\Hbfbgd32.exe  cmdline: C:\Windows\system32\Hbfbgd32.exe  PID 2524
    - Executes dropped EXE
    - Modifies registry class
[18] C:\Windows\SysWOW64\Hkaglf32.exe  cmdline: C:\Windows\system32\Hkaglf32.exe  PID 2656
    - Executes dropped EXE
[19] C:\Windows\SysWOW64\Hmdmcanc.exe  cmdline: C:\Windows\system32\Hmdmcanc.exe  PID 2744
    - Executes dropped EXE
[20] C:\Windows\SysWOW64\Hhjapjmi.exe  cmdline: C:\Windows\system32\Hhjapjmi.exe  PID 2984
    - Executes dropped EXE
[21] C:\Windows\SysWOW64\Hkhnle32.exe  cmdline: C:\Windows\system32\Hkhnle32.exe  PID 1732
    - Executes dropped EXE
[22] C:\Windows\SysWOW64\Habfipdj.exe  cmdline: C:\Windows\system32\Habfipdj.exe  PID 2004
    - Executes dropped EXE
[23] C:\Windows\SysWOW64\Icfofg32.exe  cmdline: C:\Windows\system32\Icfofg32.exe  PID 1772
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[24] C:\Windows\SysWOW64\Inkccpgk.exe  cmdline: C:\Windows\system32\Inkccpgk.exe  PID 1324
    - Executes dropped EXE
[25] C:\Windows\SysWOW64\Igchlf32.exe  cmdline: C:\Windows\system32\Igchlf32.exe  PID 440
    - Executes dropped EXE
[26] C:\Windows\SysWOW64\Ijbdha32.exe  cmdline: C:\Windows\system32\Ijbdha32.exe  PID 660
    - Executes dropped EXE
    - Modifies registry class
[27] C:\Windows\SysWOW64\Icjhagdp.exe  cmdline: C:\Windows\system32\Icjhagdp.exe  PID 1628
    - Executes dropped EXE
[28] C:\Windows\SysWOW64\Ijdqna32.exe  cmdline: C:\Windows\system32\Ijdqna32.exe  PID 2780
    - Executes dropped EXE
[29] C:\Windows\SysWOW64\Icmegf32.exe  cmdline: C:\Windows\system32\Icmegf32.exe  PID 1684
    - Executes dropped EXE
[30] C:\Windows\SysWOW64\Idnaoohk.exe  cmdline: C:\Windows\system32\Idnaoohk.exe  PID 1812
    - Executes dropped EXE
[31] C:\Windows\SysWOW64\Jgojpjem.exe  cmdline: C:\Windows\system32\Jgojpjem.exe  PID 2864
    - Executes dropped EXE
[32] C:\Windows\SysWOW64\Jofbag32.exe  cmdline: C:\Windows\system32\Jofbag32.exe  PID 1852
    - Executes dropped EXE
[33] C:\Windows\SysWOW64\Jdbkjn32.exe  cmdline: C:\Windows\system32\Jdbkjn32.exe  PID 1020
    - Executes dropped EXE
[34] C:\Windows\SysWOW64\Jkmcfhkc.exe  cmdline: C:\Windows\system32\Jkmcfhkc.exe  PID 2668
    - Executes dropped EXE
[35] C:\Windows\SysWOW64\Jqlhdo32.exe  cmdline: C:\Windows\system32\Jqlhdo32.exe  PID 1808
    - Executes dropped EXE
[36] C:\Windows\SysWOW64\Jgfqaiod.exe  cmdline: C:\Windows\system32\Jgfqaiod.exe  PID 2680
    - Executes dropped EXE
    - Modifies registry class
[37] C:\Windows\SysWOW64\Jjdmmdnh.exe  cmdline: C:\Windows\system32\Jjdmmdnh.exe  PID 1644
    - Executes dropped EXE
    - Drops file in System32 directory
[38] C:\Windows\SysWOW64\Jqnejn32.exe  cmdline: C:\Windows\system32\Jqnejn32.exe  PID 1640
    - Executes dropped EXE
[39] C:\Windows\SysWOW64\Jghmfhmb.exe  cmdline: C:\Windows\system32\Jghmfhmb.exe  PID 1036
    - Executes dropped EXE
    - Drops file in System32 directory
[40] C:\Windows\SysWOW64\Kjfjbdle.exe  cmdline: C:\Windows\system32\Kjfjbdle.exe  PID 2292
    - Executes dropped EXE
[41] C:\Windows\SysWOW64\Kqqboncb.exe  cmdline: C:\Windows\system32\Kqqboncb.exe  PID 1380
    - Executes dropped EXE
[42] C:\Windows\SysWOW64\Kfmjgeaj.exe  cmdline: C:\Windows\system32\Kfmjgeaj.exe  PID 2956
    - Executes dropped EXE
    - Modifies registry class
[43] C:\Windows\SysWOW64\Kilfcpqm.exe  cmdline: C:\Windows\system32\Kilfcpqm.exe  PID 3024
    - Executes dropped EXE
[44] C:\Windows\SysWOW64\Kbdklf32.exe  cmdline: C:\Windows\system32\Kbdklf32.exe  PID 2212
    - Executes dropped EXE
[45] C:\Windows\SysWOW64\Kincipnk.exe  cmdline: C:\Windows\system32\Kincipnk.exe  PID 2448
    - Executes dropped EXE
[46] C:\Windows\SysWOW64\Kklpekno.exe  cmdline: C:\Windows\system32\Kklpekno.exe  PID 2684
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
[47] C:\Windows\SysWOW64\Knklagmb.exe  cmdline: C:\Windows\system32\Knklagmb.exe  PID 2776
    - Executes dropped EXE
[48] C:\Windows\SysWOW64\Kiqpop32.exe  cmdline: C:\Windows\system32\Kiqpop32.exe  PID 3012
    - Executes dropped EXE
    - Drops file in System32 directory
[49] C:\Windows\SysWOW64\Kgemplap.exe  cmdline: C:\Windows\system32\Kgemplap.exe  PID 2736
    - Drops file in System32 directory
[50] C:\Windows\SysWOW64\Kbkameaf.exe  cmdline: C:\Windows\system32\Kbkameaf.exe  PID 2952
[51] C:\Windows\SysWOW64\Lghjel32.exe  cmdline: C:\Windows\system32\Lghjel32.exe  PID 2532
[52] C:\Windows\SysWOW64\Ljffag32.exe  cmdline: C:\Windows\system32\Ljffag32.exe  PID 2972
[53] C:\Windows\SysWOW64\Leljop32.exe  cmdline: C:\Windows\system32\Leljop32.exe  PID 1932
[54] C:\Windows\SysWOW64\Lgjfkk32.exe  cmdline: C:\Windows\system32\Lgjfkk32.exe  PID 1824
[55] C:\Windows\SysWOW64\Lphhenhc.exe  cmdline: C:\Windows\system32\Lphhenhc.exe  PID 1864
[56] C:\Windows\SysWOW64\Lfbpag32.exe  cmdline: C:\Windows\system32\Lfbpag32.exe  PID 536
[57] C:\Windows\SysWOW64\Lpjdjmfp.exe  cmdline: C:\Windows\system32\Lpjdjmfp.exe  PID 1652
[58] C:\Windows\SysWOW64\Lfdmggnm.exe  cmdline: C:\Windows\system32\Lfdmggnm.exe  PID 836
[59] C:\Windows\SysWOW64\Mlaeonld.exe  cmdline: C:\Windows\system32\Mlaeonld.exe  PID 2588
    - Adds autorun key to be loaded by Explorer.exe on startup
[60] C:\Windows\SysWOW64\Mbkmlh32.exe  cmdline: C:\Windows\system32\Mbkmlh32.exe  PID 2788
[61] C:\Windows\SysWOW64\Meijhc32.exe  cmdline: C:\Windows\system32\Meijhc32.exe  PID 2576
[62] C:\Windows\SysWOW64\Mhhfdo32.exe  cmdline: C:\Windows\system32\Mhhfdo32.exe  PID 2960
[63] C:\Windows\SysWOW64\Mapjmehi.exe  cmdline: C:\Windows\system32\Mapjmehi.exe  PID 1696
[64] C:\Windows\SysWOW64\Mlhkpm32.exe  cmdline: C:\Windows\system32\Mlhkpm32.exe  PID 832
[65] C:\Windows\SysWOW64\Mdcpdp32.exe  cmdline: C:\Windows\system32\Mdcpdp32.exe  PID 1596
[66] C:\Windows\SysWOW64\Mkmhaj32.exe  cmdline: C:\Windows\system32\Mkmhaj32.exe  PID 1636
    - Modifies registry class
[67] C:\Windows\SysWOW64\Nplmop32.exe  cmdline: C:\Windows\system32\Nplmop32.exe  PID 1008
[68] C:\Windows\SysWOW64\Nkbalifo.exe  cmdline: C:\Windows\system32\Nkbalifo.exe  PID 2108
[69] C:\Windows\SysWOW64\Ngibaj32.exe  cmdline: C:\Windows\system32\Ngibaj32.exe  PID 2320
[70] C:\Windows\SysWOW64\Nigome32.exe  cmdline: C:\Windows\system32\Nigome32.exe  PID 2420
    - Adds autorun key to be loaded by Explorer.exe on startup
[71] C:\Windows\SysWOW64\Npagjpcd.exe  cmdline: C:\Windows\system32\Npagjpcd.exe  PID 888
[72] C:\Windows\SysWOW64\Ngkogj32.exe  cmdline: C:\Windows\system32\Ngkogj32.exe  PID 2240
[73] C:\Windows\SysWOW64\Nhllob32.exe  cmdline: C:\Windows\system32\Nhllob32.exe  PID 3000
[74] C:\Windows\SysWOW64\Ncbplk32.exe  cmdline: C:\Windows\system32\Ncbplk32.exe  PID 2440
    - Adds autorun key to be loaded by Explorer.exe on startup
[75] C:\Windows\SysWOW64\Nilhhdga.exe  cmdline: C:\Windows\system32\Nilhhdga.exe  PID 2512
[76] C:\Windows\SysWOW64\Oohqqlei.exe  cmdline: C:\Windows\system32\Oohqqlei.exe  PID 2824
[77] C:\Windows\SysWOW64\Oebimf32.exe  cmdline: C:\Windows\system32\Oebimf32.exe  PID 2508
[78] C:\Windows\SysWOW64\Okoafmkm.exe  cmdline: C:\Windows\system32\Okoafmkm.exe  PID 2488
[79] C:\Windows\SysWOW64\Ocfigjlp.exe  cmdline: C:\Windows\system32\Ocfigjlp.exe  PID 2552
[80] C:\Windows\SysWOW64\Oomjlk32.exe  cmdline: C:\Windows\system32\Oomjlk32.exe  PID 1608
[81] C:\Windows\SysWOW64\Ohendqhd.exe  cmdline: C:\Windows\system32\Ohendqhd.exe  PID 336
    - Adds autorun key to be loaded by Explorer.exe on startup
[82] C:\Windows\SysWOW64\Okdkal32.exe  cmdline: C:\Windows\system32\Okdkal32.exe  PID 1012
    - Modifies registry class
[83] C:\Windows\SysWOW64\Oqacic32.exe  cmdline: C:\Windows\system32\Oqacic32.exe  PID 2812
[84] C:\Windows\SysWOW64\Ogkkfmml.exe  cmdline: C:\Windows\system32\Ogkkfmml.exe  PID 2808
[85] C:\Windows\SysWOW64\Ojigbhlp.exe  cmdline: C:\Windows\system32\Ojigbhlp.exe  PID 1540
[86] C:\Windows\SysWOW64\Oqcpob32.exe  cmdline: C:\Windows\system32\Oqcpob32.exe  PID 2868
[87] C:\Windows\SysWOW64\Ogmhkmki.exe  cmdline: C:\Windows\system32\Ogmhkmki.exe  PID 908
    - Drops file in System32 directory
[88] C:\Windows\SysWOW64\Pjldghjm.exe  cmdline: C:\Windows\system32\Pjldghjm.exe  PID 992
[89] C:\Windows\SysWOW64\Pngphgbf.exe  cmdline: C:\Windows\system32\Pngphgbf.exe  PID 1344
[90] C:\Windows\SysWOW64\Pgpeal32.exe  cmdline: C:\Windows\system32\Pgpeal32.exe  PID 1624
[91] C:\Windows\SysWOW64\Pqhijbog.exe  cmdline: C:\Windows\system32\Pqhijbog.exe  PID 1100
    - Modifies registry class
[92] C:\Windows\SysWOW64\Pfdabino.exe  cmdline: C:\Windows\system32\Pfdabino.exe  PID 3028
    - Drops file in System32 directory
[93] C:\Windows\SysWOW64\Pqjfoa32.exe  cmdline: C:\Windows\system32\Pqjfoa32.exe  PID 2192
[94] C:\Windows\SysWOW64\Pjbjhgde.exe  cmdline: C:\Windows\system32\Pjbjhgde.exe  PID 2228
[95] C:\Windows\SysWOW64\Poocpnbm.exe  cmdline: C:\Windows\system32\Poocpnbm.exe  PID 2632
[96] C:\Windows\SysWOW64\Pdlkiepd.exe  cmdline: C:\Windows\system32\Pdlkiepd.exe  PID 2060
[97] C:\Windows\SysWOW64\Pmccjbaf.exe  cmdline: C:\Windows\system32\Pmccjbaf.exe  PID 2660
[98] C:\Windows\SysWOW64\Akmjfn32.exe  cmdline: C:\Windows\system32\Akmjfn32.exe  PID 1968
[99] C:\Windows\SysWOW64\Agfgqo32.exe  cmdline: C:\Windows\system32\Agfgqo32.exe  PID 796
[100] C:\Windows\SysWOW64\Acmhepko.exe  cmdline: C:\Windows\system32\Acmhepko.exe  PID 2548
[101] C:\Windows\SysWOW64\Abphal32.exe  cmdline: C:\Windows\system32\Abphal32.exe  PID 1688
[102] C:\Windows\SysWOW64\Ajgpbj32.exe  cmdline: C:\Windows\system32\Ajgpbj32.exe  PID 768
[103] C:\Windows\SysWOW64\Apdhjq32.exe  cmdline: C:\Windows\system32\Apdhjq32.exe  PID 580
[104] C:\Windows\SysWOW64\Afnagk32.exe  cmdline: C:\Windows\system32\Afnagk32.exe  PID 2848
[105] C:\Windows\SysWOW64\Bmhideol.exe  cmdline: C:\Windows\system32\Bmhideol.exe  PID 2832
[106] C:\Windows\SysWOW64\Bnielm32.exe  cmdline: C:\Windows\system32\Bnielm32.exe  PID 1192
    - Drops file in System32 directory
[107] C:\Windows\SysWOW64\Bhajdblk.exe  cmdline: C:\Windows\system32\Bhajdblk.exe  PID 988
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
[108] C:\Windows\SysWOW64\Bnkbam32.exe  cmdline: C:\Windows\system32\Bnkbam32.exe  PID 1728
[109] C:\Windows\SysWOW64\Bhdgjb32.exe  cmdline: C:\Windows\system32\Bhdgjb32.exe  PID 2836
    - Adds autorun key to be loaded by Explorer.exe on startup
[110] C:\Windows\SysWOW64\Bjbcfn32.exe  cmdline: C:\Windows\system32\Bjbcfn32.exe  PID 2136
[111] C:\Windows\SysWOW64\Bonoflae.exe  cmdline: C:\Windows\system32\Bonoflae.exe  PID 876
    - Adds autorun key to be loaded by Explorer.exe on startup
[112] C:\Windows\SysWOW64\Blaopqpo.exe  cmdline: C:\Windows\system32\Blaopqpo.exe  PID 2772
[113] C:\Windows\SysWOW64\Baohhgnf.exe  cmdline: C:\Windows\system32\Baohhgnf.exe  PID 2624
[114] C:\Windows\SysWOW64\Bfkpqn32.exe  cmdline: C:\Windows\system32\Bfkpqn32.exe  PID 2888
[115] C:\Windows\SysWOW64\Bobhal32.exe  cmdline: C:\Windows\system32\Bobhal32.exe  PID 760
    - Modifies registry class
[116] C:\Windows\SysWOW64\Cdoajb32.exe  cmdline: C:\Windows\system32\Cdoajb32.exe  PID 2472
    - Drops file in System32 directory
    - Modifies registry class
[117] C:\Windows\SysWOW64\Cilibi32.exe  cmdline: C:\Windows\system32\Cilibi32.exe  PID 2400
[118] C:\Windows\SysWOW64\Cdanpb32.exe  cmdline: C:\Windows\system32\Cdanpb32.exe  PID 1992
    - Adds autorun key to be loaded by Explorer.exe on startup
[119] C:\Windows\SysWOW64\Cgpjlnhh.exe  cmdline: C:\Windows\system32\Cgpjlnhh.exe  PID 568
[120] C:\Windows\SysWOW64\Cmjbhh32.exe  cmdline: C:\Windows\system32\Cmjbhh32.exe  PID 1912
[121] C:\Windows\SysWOW64\Cmlong32.exe  cmdline: C:\Windows\system32\Cmlong32.exe  PID 2236
[122] C:\Windows\SysWOW64\Ccigfn32.exe  cmdline: C:\Windows\system32\Ccigfn32.exe  PID 1740