Analysis
max time kernel: 18s
max time network: 130s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 15/11/2023, 09:04
Behavioral task: behavioral1
Sample: NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Size: 112KB
MD5: b6e0dd0cef61576ef6af6d5ec5530040
SHA1: 15575dc1f11b8357e15ff156c37c9fff48d44e47
SHA256: c388ee8ef938e2f1249922df6bd8828da865d54bd5dfe409b14d069b6d770dbe
SHA512: f8dfac572754b7e2befac6b70b52d3e95127039343e8efd5ef3847b0cd3cd57a6d6868aa07579bb8ef7d3e949095a7346bf36b996511100c6985fedb321c3898
SSDEEP: 3072:8QckcAiQbh+4G1D8mHBMQH2qC7ZQOlzSLUK6MwGsGnDc9o:Jcr9QV+4MHBMQWfdQOhwJ6MwGsw
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbogfcjc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcmben32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffmkfifa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjoifb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqiaclhj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oaaifdhb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cofnjj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcpkpe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nefbga32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpqnhadq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqjmncna.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmcjhdbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pakllc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cepfgdnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmdnbecj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dakmfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgcejm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hapklimq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckcepj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpbbdfik.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lobgoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhgoji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Halbai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjjdacik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocjophem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ancefgfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmecmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibmgpoia.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joiappkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hajinjff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lihobnap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nledoj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oihqgbhd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elnqmd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaqomeke.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmdgbp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eeielfhk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnbopmnm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkebjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egjbdo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfmddp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bidlgdlk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gqiimfam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Baigca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fheabelm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Noemqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dedlag32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmecmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgqpkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmkncofl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nidkmojn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocjophem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfbhkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llnaoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qqdbiopj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgmbkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Foccjood.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hloiib32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkbdkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjfpafmb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmdnbecj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hibjbgbh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fkbdkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdkjnl32.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/memory/2308-0-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x000e00000001201d-5.dat | family_berbew
behavioral1/memory/2308-6-0x00000000005E0000-0x0000000000621000-memory.dmp | family_berbew
behavioral1/files/0x000e00000001201d-8.dat | family_berbew
behavioral1/files/0x000e00000001201d-10.dat | family_berbew
behavioral1/files/0x000e00000001201d-12.dat | family_berbew
behavioral1/files/0x000e00000001201d-13.dat | family_berbew
behavioral1/files/0x0027000000016455-18.dat | family_berbew
behavioral1/files/0x0027000000016455-21.dat | family_berbew
behavioral1/memory/2416-32-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0007000000016c25-33.dat | family_berbew
behavioral1/files/0x0007000000016c25-39.dat | family_berbew
behavioral1/files/0x0007000000016c25-36.dat | family_berbew
behavioral1/files/0x0007000000016c25-35.dat | family_berbew
behavioral1/files/0x0027000000016455-27.dat | family_berbew
behavioral1/files/0x0027000000016455-26.dat | family_berbew
behavioral1/files/0x0027000000016455-22.dat | family_berbew
behavioral1/memory/2656-19-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
behavioral1/files/0x0007000000016c25-41.dat | family_berbew
behavioral1/memory/2800-40-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/2708-59-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d05-73.dat | family_berbew
behavioral1/memory/2656-86-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d26-90.dat | family_berbew
behavioral1/files/0x0006000000016d4d-102.dat | family_berbew
behavioral1/files/0x0006000000016d6c-108.dat | family_berbew
behavioral1/files/0x0006000000016d80-128.dat | family_berbew
behavioral1/files/0x0006000000016fe5-134.dat | family_berbew
behavioral1/memory/2428-146-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
behavioral1/memory/2948-151-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/1680-152-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000017100-156.dat | family_berbew
behavioral1/files/0x0006000000017100-159.dat | family_berbew
behavioral1/files/0x0006000000017100-155.dat | family_berbew
behavioral1/files/0x0006000000017100-153.dat | family_berbew
behavioral1/files/0x0006000000016fe5-145.dat | family_berbew
behavioral1/files/0x0006000000016fe5-144.dat | family_berbew
behavioral1/files/0x0006000000016d80-133.dat | family_berbew
behavioral1/files/0x0006000000016d80-132.dat | family_berbew
behavioral1/files/0x0006000000016fe5-140.dat | family_berbew
behavioral1/files/0x0006000000016fe5-138.dat | family_berbew
behavioral1/files/0x0006000000016d6c-120.dat | family_berbew
behavioral1/memory/2428-119-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000017100-162.dat | family_berbew
behavioral1/files/0x0006000000017568-170.dat | family_berbew
behavioral1/memory/2596-173-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000017568-174.dat | family_berbew
behavioral1/files/0x0006000000017568-176.dat | family_berbew
behavioral1/memory/524-175-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000017568-169.dat | family_berbew
behavioral1/files/0x0006000000017568-167.dat | family_berbew
behavioral1/memory/1480-161-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/1680-160-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016d6c-118.dat | family_berbew
behavioral1/files/0x000500000001869a-183.dat | family_berbew
behavioral1/memory/1772-194-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/memory/1280-195-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x000500000001869a-189.dat | family_berbew
behavioral1/memory/2964-188-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x000500000001869a-187.dat | family_berbew
behavioral1/files/0x000500000001869a-184.dat | family_berbew
behavioral1/files/0x000500000001869a-181.dat | family_berbew
behavioral1/files/0x0006000000016d80-127.dat | family_berbew
behavioral1/files/0x0006000000016d80-125.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
2656 | Fkbdkb32.exe
2416 | Gmjcblbb.exe
2800 | Hfbhkb32.exe
2708 | Hpkldg32.exe
2984 | Hfedqagp.exe
2596 | Hajinjff.exe
2428 | Hfgafadm.exe
524 | Hifmbmda.exe
2948 | Hfjnla32.exe
2964 | Hpbbdfik.exe
1680 | Hflkaq32.exe
1480 | Iogoec32.exe
1280 | Iecdhm32.exe
1772 | Ikpmpc32.exe
1884 | Iefamlak.exe
3000 | Ionefb32.exe
1092 | Idknoi32.exe
2156 | Ipbocjlg.exe
1400 | Jcpkpe32.exe
340 | Jpdkii32.exe
756 | Jcbhee32.exe
1008 | Jgqpkc32.exe
2500 | Jhamckel.exe
1920 | Jajala32.exe
1996 | Jlpeij32.exe
1732 | Jdkjnl32.exe
1552 | Jkebjf32.exe
2020 | Kkgopf32.exe
2160 | Kdpcikdi.exe
2684 | Kqfdnljm.exe
2680 | Kjoifb32.exe
3012 | Kqiaclhj.exe
2748 | Kfeikcfa.exe
1184 | Konndhmb.exe
2560 | Lqmjnk32.exe
2760 | Lbogfcjc.exe
1632 | Lihobnap.exe
2564 | Lobgoh32.exe
812 | Leopgo32.exe
840 | Lkihdioa.exe
1112 | Lbcpac32.exe
1340 | Liminmmk.exe
2992 | Lnjafd32.exe
2256 | Ledibnco.exe
3036 | Llnaoh32.exe
2036 | Makjho32.exe
1636 | Mgebdipp.exe
1144 | Mamgmofp.exe
2432 | Mhgoji32.exe
1044 | Mjekfd32.exe
764 | Mmdgbp32.exe
768 | Mcnpojca.exe
832 | Mfllkece.exe
3004 | Mpdqdkie.exe
2340 | Mjjdacik.exe
2376 | Mpgmijgc.exe
2052 | Mbeiefff.exe
2796 | Nmkncofl.exe
2804 | Noljjglk.exe
2620 | Nefbga32.exe
2628 | Nlpkdkkd.exe
2712 | Noogpfjh.exe
2940 | Nehomq32.exe
2644 | Nidkmojn.exe
Loads dropped DLL 64 IoCs
pid | Process
2308 | NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
2308 | NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
2656 | Fkbdkb32.exe
2656 | Fkbdkb32.exe
2416 | Gmjcblbb.exe
2416 | Gmjcblbb.exe
2800 | Hfbhkb32.exe
2800 | Hfbhkb32.exe
2708 | Hpkldg32.exe
2708 | Hpkldg32.exe
2984 | Hfedqagp.exe
2984 | Hfedqagp.exe
2596 | Hajinjff.exe
2596 | Hajinjff.exe
2428 | Hfgafadm.exe
2428 | Hfgafadm.exe
524 | Hifmbmda.exe
524 | Hifmbmda.exe
2948 | Hfjnla32.exe
2948 | Hfjnla32.exe
2964 | Hpbbdfik.exe
2964 | Hpbbdfik.exe
1680 | Hflkaq32.exe
1680 | Hflkaq32.exe
1480 | Iogoec32.exe
1480 | Iogoec32.exe
1280 | Iecdhm32.exe
1280 | Iecdhm32.exe
1772 | Ikpmpc32.exe
1772 | Ikpmpc32.exe
1884 | Iefamlak.exe
1884 | Iefamlak.exe
3000 | Ionefb32.exe
3000 | Ionefb32.exe
1092 | Idknoi32.exe
1092 | Idknoi32.exe
2156 | Ipbocjlg.exe
2156 | Ipbocjlg.exe
1400 | Jcpkpe32.exe
1400 | Jcpkpe32.exe
340 | Jpdkii32.exe
340 | Jpdkii32.exe
756 | Jcbhee32.exe
756 | Jcbhee32.exe
1008 | Jgqpkc32.exe
1008 | Jgqpkc32.exe
2500 | Jhamckel.exe
2500 | Jhamckel.exe
1920 | Jajala32.exe
1920 | Jajala32.exe
1996 | Jlpeij32.exe
1996 | Jlpeij32.exe
1732 | Jdkjnl32.exe
1732 | Jdkjnl32.exe
1552 | Jkebjf32.exe
1552 | Jkebjf32.exe
2020 | Kkgopf32.exe
2020 | Kkgopf32.exe
2160 | Kdpcikdi.exe
2160 | Kdpcikdi.exe
2684 | Kqfdnljm.exe
2684 | Kqfdnljm.exe
2680 | Kjoifb32.exe
2680 | Kjoifb32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Chqoipkk.exe | Cbdgqimc.exe
File created | C:\Windows\SysWOW64\Egahen32.exe | Edclib32.exe
File opened for modification | C:\Windows\SysWOW64\Fmegncpp.exe | Ffkoai32.exe
File created | C:\Windows\SysWOW64\Fgohna32.exe | Ffmkfifa.exe
File opened for modification | C:\Windows\SysWOW64\Gaqomeke.exe | Gmecmg32.exe
File opened for modification | C:\Windows\SysWOW64\Kfeikcfa.exe | Kqiaclhj.exe
File created | C:\Windows\SysWOW64\Nidkmojn.exe | Nehomq32.exe
File created | C:\Windows\SysWOW64\Bdnlccec.dll | Noemqe32.exe
File created | C:\Windows\SysWOW64\Hlafnbal.exe | Hibjbgbh.exe
File opened for modification | C:\Windows\SysWOW64\Bnfblgca.exe | Agljom32.exe
File created | C:\Windows\SysWOW64\Dgjfek32.exe | Dpqnhadq.exe
File opened for modification | C:\Windows\SysWOW64\Mjekfd32.exe | Mhgoji32.exe
File created | C:\Windows\SysWOW64\Fcmben32.exe | Fkejcq32.exe
File created | C:\Windows\SysWOW64\Fmebbjme.dll | Gnpflj32.exe
File created | C:\Windows\SysWOW64\Hifmbmda.exe | Hfgafadm.exe
File created | C:\Windows\SysWOW64\Hpbbdfik.exe | Hfjnla32.exe
File created | C:\Windows\SysWOW64\Anllfndp.dll | Jcbhee32.exe
File created | C:\Windows\SysWOW64\Qblodoke.dll | Ocgbji32.exe
File opened for modification | C:\Windows\SysWOW64\Anolkh32.exe | Aibcba32.exe
File created | C:\Windows\SysWOW64\Halbai32.exe | Hnmeen32.exe
File created | C:\Windows\SysWOW64\Ncmflp32.dll | Cofnjj32.exe
File created | C:\Windows\SysWOW64\Hnpbjnpo.exe | Hlafnbal.exe
File created | C:\Windows\SysWOW64\Hdoghdmd.exe | Hapklimq.exe
File opened for modification | C:\Windows\SysWOW64\Oihqgbhd.exe | Oaaifdhb.exe
File created | C:\Windows\SysWOW64\Hgokokhf.dll | Pjfpafmb.exe
File opened for modification | C:\Windows\SysWOW64\Aennba32.exe | Ancefgfd.exe
File created | C:\Windows\SysWOW64\Enjjhk32.dll | Qqdbiopj.exe
File opened for modification | C:\Windows\SysWOW64\Bplhnoej.exe | Baigca32.exe
File created | C:\Windows\SysWOW64\Eheecbia.exe | Dakmfh32.exe
File created | C:\Windows\SysWOW64\Jlhhndno.exe | Jdaqmg32.exe
File opened for modification | C:\Windows\SysWOW64\Jhamckel.exe | Jgqpkc32.exe
File created | C:\Windows\SysWOW64\Cbqhfq32.dll | Nefbga32.exe
File opened for modification | C:\Windows\SysWOW64\Ooqpdj32.exe | Onocmadb.exe
File opened for modification | C:\Windows\SysWOW64\Pjfpafmb.exe | Pakllc32.exe
File created | C:\Windows\SysWOW64\Biliep32.dll | Ckcepj32.exe
File opened for modification | C:\Windows\SysWOW64\Mpgmijgc.exe | Mmhamoho.exe
File created | C:\Windows\SysWOW64\Ocgbji32.exe | Opifnm32.exe
File created | C:\Windows\SysWOW64\Dodgbhpi.dll | Hajinjff.exe
File created | C:\Windows\SysWOW64\Ipbocjlg.exe | Idknoi32.exe
File created | C:\Windows\SysWOW64\Hakofo32.dll | Mgebdipp.exe
File opened for modification | C:\Windows\SysWOW64\Liminmmk.exe | Lbcpac32.exe
File created | C:\Windows\SysWOW64\Pfhcmc32.dll | Oaaifdhb.exe
File created | C:\Windows\SysWOW64\Fdbhge32.exe | Fbdlkj32.exe
File opened for modification | C:\Windows\SysWOW64\Ocgbji32.exe | Opifnm32.exe
File opened for modification | C:\Windows\SysWOW64\Gqiimfam.exe | Gnkmqkbi.exe
File created | C:\Windows\SysWOW64\Mjbappoe.dll | Egjbdo32.exe
File created | C:\Windows\SysWOW64\Hbfepmmn.exe | Hphidanj.exe
File created | C:\Windows\SysWOW64\Akainj32.dll | Jdkjnl32.exe
File created | C:\Windows\SysWOW64\Djamjjjj.dll | Mpdqdkie.exe
File opened for modification | C:\Windows\SysWOW64\Bmbemb32.exe | Bekmle32.exe
File created | C:\Windows\SysWOW64\Gqlebf32.exe | Gcheib32.exe
File opened for modification | C:\Windows\SysWOW64\Gcmoda32.exe | Gmbfggdo.exe
File opened for modification | C:\Windows\SysWOW64\Hdoghdmd.exe | Hapklimq.exe
File created | C:\Windows\SysWOW64\Fkbdkb32.exe | NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
File created | C:\Windows\SysWOW64\Nkegeg32.exe | Nidkmojn.exe
File created | C:\Windows\SysWOW64\Keioamid.dll | Fkejcq32.exe
File opened for modification | C:\Windows\SysWOW64\Mmdgbp32.exe | Mjekfd32.exe
File created | C:\Windows\SysWOW64\Ehebki32.dll | Odbeilbg.exe
File created | C:\Windows\SysWOW64\Ojiilami.dll | Oekhacbn.exe
File opened for modification | C:\Windows\SysWOW64\Qgjqjjll.exe | Pjfpafmb.exe
File created | C:\Windows\SysWOW64\Jilhjm32.dll | Bnfblgca.exe
File created | C:\Windows\SysWOW64\Ikpmpc32.exe | Iecdhm32.exe
File created | C:\Windows\SysWOW64\Cncfcj32.dll | Iecdhm32.exe
File created | C:\Windows\SysWOW64\Lkgkdjfb.dll | Mamgmofp.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2516 | 3536 | WerFault.exe | 232
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbeiefff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abmdafpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfnfjpg.dll" | Bidlgdlk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijcglcj.dll" | Chqoipkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ibmgpoia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omkjbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qoeeolig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcmoda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmlgia32.dll" | Hphidanj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcpkpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nocpkf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odbeilbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphhqinm.dll" | Blchcpko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcmoda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hloiib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbdlkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illhhf32.dll" | Hfgafadm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllfndp.dll" | Jcbhee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdkjnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbqhfq32.dll" | Nefbga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ocgbji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bidlgdlk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kqfdnljm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bplhnoej.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fdbhge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgbgkabo.dll" | Hloiib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngneph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ooqpdj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbdgqimc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdlbgna.dll" | Cpnaca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naffihgj.dll" | Dgoopkgh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfeim32.dll" | Eapfagno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hphidanj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hloiib32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lobgoh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjekfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpccjn32.dll" | Mmdgbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqdbiopj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgcbd32.dll" | Bnhoag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabfljee.dll" | Dpegcq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Foojop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gqiimfam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgkhnpd.dll" | Lobgoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popoig32.dll" | Lbcpac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ledibnco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqlldigd.dll" | Noljjglk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oehklddp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oihqgbhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfqbqqjl.dll" | Hmjlhfof.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oaaifdhb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aekqmbod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnfblgca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjoofhgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgkjgicl.dll" | Hpbbdfik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdeag32.dll" | Jpdkii32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfeikcfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcebdq32.dll" | Dpqnhadq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcfpel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fofpoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nblpfepo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepckd32.dll" | Bmbemb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmhamoho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mpgmijgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqblbhcf.dll" | Cbdgqimc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid   Process                                     procid_target
PID 2308 wrote to memory of 2656    2308  NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe   28
PID 2308 wrote to memory of 2656    2308  NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe   28
PID 2308 wrote to memory of 2656    2308  NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe   28
PID 2308 wrote to memory of 2656    2308  NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe   28
PID 2656 wrote to memory of 2416    2656  Fkbdkb32.exe                                29
PID 2656 wrote to memory of 2416    2656  Fkbdkb32.exe                                29
PID 2656 wrote to memory of 2416    2656  Fkbdkb32.exe                                29
PID 2656 wrote to memory of 2416    2656  Fkbdkb32.exe                                29
PID 2416 wrote to memory of 2800    2416  Gmjcblbb.exe                                30
PID 2416 wrote to memory of 2800    2416  Gmjcblbb.exe                                30
PID 2416 wrote to memory of 2800    2416  Gmjcblbb.exe                                30
PID 2416 wrote to memory of 2800    2416  Gmjcblbb.exe                                30
PID 2800 wrote to memory of 2708    2800  Hfbhkb32.exe                                31
PID 2800 wrote to memory of 2708    2800  Hfbhkb32.exe                                31
PID 2800 wrote to memory of 2708    2800  Hfbhkb32.exe                                31
PID 2800 wrote to memory of 2708    2800  Hfbhkb32.exe                                31
PID 2708 wrote to memory of 2984    2708  Hpkldg32.exe                                32
PID 2708 wrote to memory of 2984    2708  Hpkldg32.exe                                32
PID 2708 wrote to memory of 2984    2708  Hpkldg32.exe                                32
PID 2708 wrote to memory of 2984    2708  Hpkldg32.exe                                32
PID 2984 wrote to memory of 2596    2984  Hfedqagp.exe                                44
PID 2984 wrote to memory of 2596    2984  Hfedqagp.exe                                44
PID 2984 wrote to memory of 2596    2984  Hfedqagp.exe                                44
PID 2984 wrote to memory of 2596    2984  Hfedqagp.exe                                44
PID 2596 wrote to memory of 2428    2596  Hajinjff.exe                                33
PID 2596 wrote to memory of 2428    2596  Hajinjff.exe                                33
PID 2596 wrote to memory of 2428    2596  Hajinjff.exe                                33
PID 2596 wrote to memory of 2428    2596  Hajinjff.exe                                33
PID 2428 wrote to memory of 524     2428  Hfgafadm.exe                                42
PID 2428 wrote to memory of 524     2428  Hfgafadm.exe                                42
PID 2428 wrote to memory of 524     2428  Hfgafadm.exe                                42
PID 2428 wrote to memory of 524     2428  Hfgafadm.exe                                42
PID 524 wrote to memory of 2948     524   Hifmbmda.exe                                34
PID 524 wrote to memory of 2948     524   Hifmbmda.exe                                34
PID 524 wrote to memory of 2948     524   Hifmbmda.exe                                34
PID 524 wrote to memory of 2948     524   Hifmbmda.exe                                34
PID 2948 wrote to memory of 2964    2948  Hfjnla32.exe                                40
PID 2948 wrote to memory of 2964    2948  Hfjnla32.exe                                40
PID 2948 wrote to memory of 2964    2948  Hfjnla32.exe                                40
PID 2948 wrote to memory of 2964    2948  Hfjnla32.exe                                40
PID 2964 wrote to memory of 1680    2964  Hpbbdfik.exe                                35
PID 2964 wrote to memory of 1680    2964  Hpbbdfik.exe                                35
PID 2964 wrote to memory of 1680    2964  Hpbbdfik.exe                                35
PID 2964 wrote to memory of 1680    2964  Hpbbdfik.exe                                35
PID 1680 wrote to memory of 1480    1680  Hflkaq32.exe                                36
PID 1680 wrote to memory of 1480    1680  Hflkaq32.exe                                36
PID 1680 wrote to memory of 1480    1680  Hflkaq32.exe                                36
PID 1680 wrote to memory of 1480    1680  Hflkaq32.exe                                36
PID 1480 wrote to memory of 1280    1480  Iogoec32.exe                                37
PID 1480 wrote to memory of 1280    1480  Iogoec32.exe                                37
PID 1480 wrote to memory of 1280    1480  Iogoec32.exe                                37
PID 1480 wrote to memory of 1280    1480  Iogoec32.exe                                37
PID 1280 wrote to memory of 1772    1280  Iecdhm32.exe                                38
PID 1280 wrote to memory of 1772    1280  Iecdhm32.exe                                38
PID 1280 wrote to memory of 1772    1280  Iecdhm32.exe                                38
PID 1280 wrote to memory of 1772    1280  Iecdhm32.exe                                38
PID 1772 wrote to memory of 1884    1772  Ikpmpc32.exe                                39
PID 1772 wrote to memory of 1884    1772  Ikpmpc32.exe                                39
PID 1772 wrote to memory of 1884    1772  Ikpmpc32.exe                                39
PID 1772 wrote to memory of 1884    1772  Ikpmpc32.exe                                39
PID 1884 wrote to memory of 3000    1884  Iefamlak.exe                                41
PID 1884 wrote to memory of 3000    1884  Iefamlak.exe                                41
PID 1884 wrote to memory of 3000    1884  Iefamlak.exe                                41
PID 1884 wrote to memory of 3000    1884  Iefamlak.exe                                41
Processes
Process tree as rendered by the sandbox. The number in brackets is the nesting level shown in the report; each entry gives the image path, the command line, the PID and the signatures that process triggered.
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe"), PID 2308: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Fkbdkb32.exe (cmdline: C:\Windows\system32\Fkbdkb32.exe), PID 2656: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Gmjcblbb.exe (cmdline: C:\Windows\system32\Gmjcblbb.exe), PID 2416: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Hfbhkb32.exe (cmdline: C:\Windows\system32\Hfbhkb32.exe), PID 2800: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Hpkldg32.exe (cmdline: C:\Windows\system32\Hpkldg32.exe), PID 2708: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Hfedqagp.exe (cmdline: C:\Windows\system32\Hfedqagp.exe), PID 2984: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Hajinjff.exe (cmdline: C:\Windows\system32\Hajinjff.exe), PID 2596: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Jjhgbd32.exe (cmdline: C:\Windows\system32\Jjhgbd32.exe), PID 2812: no signatures
[1] C:\Windows\SysWOW64\Hfgafadm.exe (cmdline: C:\Windows\system32\Hfgafadm.exe), PID 2428: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Hifmbmda.exe (cmdline: C:\Windows\system32\Hifmbmda.exe), PID 524: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[1] C:\Windows\SysWOW64\Hfjnla32.exe (cmdline: C:\Windows\system32\Hfjnla32.exe), PID 2948: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Hpbbdfik.exe (cmdline: C:\Windows\system32\Hpbbdfik.exe), PID 2964: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
[1] C:\Windows\SysWOW64\Hflkaq32.exe (cmdline: C:\Windows\system32\Hflkaq32.exe), PID 1680: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Iogoec32.exe (cmdline: C:\Windows\system32\Iogoec32.exe), PID 1480: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Iecdhm32.exe (cmdline: C:\Windows\system32\Iecdhm32.exe), PID 1280: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Ikpmpc32.exe (cmdline: C:\Windows\system32\Ikpmpc32.exe), PID 1772: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Iefamlak.exe (cmdline: C:\Windows\system32\Iefamlak.exe), PID 1884: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Ionefb32.exe (cmdline: C:\Windows\system32\Ionefb32.exe), PID 3000: Executes dropped EXE; Loads dropped DLL
[7] C:\Windows\SysWOW64\Idknoi32.exe (cmdline: C:\Windows\system32\Idknoi32.exe), PID 1092: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
[8] C:\Windows\SysWOW64\Ipbocjlg.exe (cmdline: C:\Windows\system32\Ipbocjlg.exe), PID 2156: Executes dropped EXE; Loads dropped DLL
[9] C:\Windows\SysWOW64\Jcpkpe32.exe (cmdline: C:\Windows\system32\Jcpkpe32.exe), PID 1400: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
[10] C:\Windows\SysWOW64\Jpdkii32.exe (cmdline: C:\Windows\system32\Jpdkii32.exe), PID 340: Executes dropped EXE; Loads dropped DLL; Modifies registry class
[11] C:\Windows\SysWOW64\Jcbhee32.exe (cmdline: C:\Windows\system32\Jcbhee32.exe), PID 756: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
[12] C:\Windows\SysWOW64\Jgqpkc32.exe (cmdline: C:\Windows\system32\Jgqpkc32.exe), PID 1008: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
[13] C:\Windows\SysWOW64\Jhamckel.exe (cmdline: C:\Windows\system32\Jhamckel.exe), PID 2500: Executes dropped EXE; Loads dropped DLL
[14] C:\Windows\SysWOW64\Jajala32.exe (cmdline: C:\Windows\system32\Jajala32.exe), PID 1920: Executes dropped EXE; Loads dropped DLL
[15] C:\Windows\SysWOW64\Jlpeij32.exe (cmdline: C:\Windows\system32\Jlpeij32.exe), PID 1996: Executes dropped EXE; Loads dropped DLL
[16] C:\Windows\SysWOW64\Jdkjnl32.exe (cmdline: C:\Windows\system32\Jdkjnl32.exe), PID 1732: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class
[17] C:\Windows\SysWOW64\Jkebjf32.exe (cmdline: C:\Windows\system32\Jkebjf32.exe), PID 1552: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
[18] C:\Windows\SysWOW64\Kkgopf32.exe (cmdline: C:\Windows\system32\Kkgopf32.exe), PID 2020: Executes dropped EXE; Loads dropped DLL
[19] C:\Windows\SysWOW64\Kdpcikdi.exe (cmdline: C:\Windows\system32\Kdpcikdi.exe), PID 2160: Executes dropped EXE; Loads dropped DLL
[20] C:\Windows\SysWOW64\Kqfdnljm.exe (cmdline: C:\Windows\system32\Kqfdnljm.exe), PID 2684: Executes dropped EXE; Loads dropped DLL; Modifies registry class
[21] C:\Windows\SysWOW64\Kjoifb32.exe (cmdline: C:\Windows\system32\Kjoifb32.exe), PID 2680: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
[22] C:\Windows\SysWOW64\Kqiaclhj.exe (cmdline: C:\Windows\system32\Kqiaclhj.exe), PID 3012: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[23] C:\Windows\SysWOW64\Kfeikcfa.exe (cmdline: C:\Windows\system32\Kfeikcfa.exe), PID 2748: Executes dropped EXE; Modifies registry class
[24] C:\Windows\SysWOW64\Konndhmb.exe (cmdline: C:\Windows\system32\Konndhmb.exe), PID 1184: Executes dropped EXE
[25] C:\Windows\SysWOW64\Lqmjnk32.exe (cmdline: C:\Windows\system32\Lqmjnk32.exe), PID 2560: Executes dropped EXE
[26] C:\Windows\SysWOW64\Lbogfcjc.exe (cmdline: C:\Windows\system32\Lbogfcjc.exe), PID 2760: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[27] C:\Windows\SysWOW64\Lihobnap.exe (cmdline: C:\Windows\system32\Lihobnap.exe), PID 1632: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[28] C:\Windows\SysWOW64\Lobgoh32.exe (cmdline: C:\Windows\system32\Lobgoh32.exe), PID 2564: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
[29] C:\Windows\SysWOW64\Leopgo32.exe (cmdline: C:\Windows\system32\Leopgo32.exe), PID 812: Executes dropped EXE
[30] C:\Windows\SysWOW64\Lkihdioa.exe (cmdline: C:\Windows\system32\Lkihdioa.exe), PID 840: Executes dropped EXE
[31] C:\Windows\SysWOW64\Lbcpac32.exe (cmdline: C:\Windows\system32\Lbcpac32.exe), PID 1112: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[32] C:\Windows\SysWOW64\Liminmmk.exe (cmdline: C:\Windows\system32\Liminmmk.exe), PID 1340: Executes dropped EXE
[33] C:\Windows\SysWOW64\Lnjafd32.exe (cmdline: C:\Windows\system32\Lnjafd32.exe), PID 2992: Executes dropped EXE
[34] C:\Windows\SysWOW64\Ledibnco.exe (cmdline: C:\Windows\system32\Ledibnco.exe), PID 2256: Executes dropped EXE; Modifies registry class
[35] C:\Windows\SysWOW64\Llnaoh32.exe (cmdline: C:\Windows\system32\Llnaoh32.exe), PID 3036: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[36] C:\Windows\SysWOW64\Makjho32.exe (cmdline: C:\Windows\system32\Makjho32.exe), PID 2036: Executes dropped EXE
[37] C:\Windows\SysWOW64\Mgebdipp.exe (cmdline: C:\Windows\system32\Mgebdipp.exe), PID 1636: Executes dropped EXE; Drops file in System32 directory
[38] C:\Windows\SysWOW64\Mamgmofp.exe (cmdline: C:\Windows\system32\Mamgmofp.exe), PID 1144: Executes dropped EXE; Drops file in System32 directory
[39] C:\Windows\SysWOW64\Mhgoji32.exe (cmdline: C:\Windows\system32\Mhgoji32.exe), PID 2432: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[40] C:\Windows\SysWOW64\Mjekfd32.exe (cmdline: C:\Windows\system32\Mjekfd32.exe), PID 1044: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[41] C:\Windows\SysWOW64\Mmdgbp32.exe (cmdline: C:\Windows\system32\Mmdgbp32.exe), PID 764: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
[42] C:\Windows\SysWOW64\Mcnpojca.exe (cmdline: C:\Windows\system32\Mcnpojca.exe), PID 768: Executes dropped EXE
[43] C:\Windows\SysWOW64\Mfllkece.exe (cmdline: C:\Windows\system32\Mfllkece.exe), PID 832: Executes dropped EXE
[44] C:\Windows\SysWOW64\Mpdqdkie.exe (cmdline: C:\Windows\system32\Mpdqdkie.exe), PID 3004: Executes dropped EXE; Drops file in System32 directory
[45] C:\Windows\SysWOW64\Mjjdacik.exe (cmdline: C:\Windows\system32\Mjjdacik.exe), PID 2340: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[46] C:\Windows\SysWOW64\Mmhamoho.exe (cmdline: C:\Windows\system32\Mmhamoho.exe), PID 1688: Drops file in System32 directory; Modifies registry class
[47] C:\Windows\SysWOW64\Mpgmijgc.exe (cmdline: C:\Windows\system32\Mpgmijgc.exe), PID 2376: Executes dropped EXE; Modifies registry class
[48] C:\Windows\SysWOW64\Mbeiefff.exe (cmdline: C:\Windows\system32\Mbeiefff.exe), PID 2052: Executes dropped EXE; Modifies registry class
[49] C:\Windows\SysWOW64\Nmkncofl.exe (cmdline: C:\Windows\system32\Nmkncofl.exe), PID 2796: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
[50] C:\Windows\SysWOW64\Noljjglk.exe (cmdline: C:\Windows\system32\Noljjglk.exe), PID 2804: Executes dropped EXE; Modifies registry class
[51] C:\Windows\SysWOW64\Nefbga32.exe (cmdline: C:\Windows\system32\Nefbga32.exe), PID 2620: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
[52] C:\Windows\SysWOW64\Nlpkdkkd.exe (cmdline: C:\Windows\system32\Nlpkdkkd.exe), PID 2628: Executes dropped EXE
[53] C:\Windows\SysWOW64\Noogpfjh.exe (cmdline: C:\Windows\system32\Noogpfjh.exe), PID 2712: Executes dropped EXE
[54] C:\Windows\SysWOW64\Nehomq32.exe (cmdline: C:\Windows\system32\Nehomq32.exe), PID 2940: Executes dropped EXE; Drops file in System32 directory
[55] C:\Windows\SysWOW64\Nidkmojn.exe (cmdline: C:\Windows\system32\Nidkmojn.exe), PID 2644: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
[56] C:\Windows\SysWOW64\Nkegeg32.exe (cmdline: C:\Windows\system32\Nkegeg32.exe), PID 2924: no signatures
[57] C:\Windows\SysWOW64\Nblpfepo.exe (cmdline: C:\Windows\system32\Nblpfepo.exe), PID 292: Modifies registry class
[58] C:\Windows\SysWOW64\Nledoj32.exe (cmdline: C:\Windows\system32\Nledoj32.exe), PID 2876: Adds autorun key to be loaded by Explorer.exe on startup
[59] C:\Windows\SysWOW64\Nocpkf32.exe (cmdline: C:\Windows\system32\Nocpkf32.exe), PID 1360: Modifies registry class
[60] C:\Windows\SysWOW64\Naalga32.exe (cmdline: C:\Windows\system32\Naalga32.exe), PID 2484: no signatures
[61] C:\Windows\SysWOW64\Ngneph32.exe (cmdline: C:\Windows\system32\Ngneph32.exe), PID 2832: Modifies registry class
[62] C:\Windows\SysWOW64\Noemqe32.exe (cmdline: C:\Windows\system32\Noemqe32.exe), PID 3048: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[63] C:\Windows\SysWOW64\Odbeilbg.exe (cmdline: C:\Windows\system32\Odbeilbg.exe), PID 2148: Drops file in System32 directory; Modifies registry class
[64] C:\Windows\SysWOW64\Omkjbb32.exe (cmdline: C:\Windows\system32\Omkjbb32.exe), PID 2116: Modifies registry class
[65] C:\Windows\SysWOW64\Opifnm32.exe (cmdline: C:\Windows\system32\Opifnm32.exe), PID 2408: Drops file in System32 directory
[66] C:\Windows\SysWOW64\Ocgbji32.exe (cmdline: C:\Windows\system32\Ocgbji32.exe), PID 2424: Drops file in System32 directory; Modifies registry class
[67] C:\Windows\SysWOW64\Ommfga32.exe (cmdline: C:\Windows\system32\Ommfga32.exe), PID 1964: no signatures
[68] C:\Windows\SysWOW64\Ocjophem.exe (cmdline: C:\Windows\system32\Ocjophem.exe), PID 2672: Adds autorun key to be loaded by Explorer.exe on startup
[69] C:\Windows\SysWOW64\Oehklddp.exe (cmdline: C:\Windows\system32\Oehklddp.exe), PID 1760: Modifies registry class
[70] C:\Windows\SysWOW64\Onocmadb.exe (cmdline: C:\Windows\system32\Onocmadb.exe), PID 1940: Drops file in System32 directory
[71] C:\Windows\SysWOW64\Ooqpdj32.exe (cmdline: C:\Windows\system32\Ooqpdj32.exe), PID 2288: Modifies registry class
[72] C:\Windows\SysWOW64\Oekhacbn.exe (cmdline: C:\Windows\system32\Oekhacbn.exe), PID 2816: Drops file in System32 directory
[73] C:\Windows\SysWOW64\Oldpnn32.exe (cmdline: C:\Windows\system32\Oldpnn32.exe), PID 2732: no signatures
[74] C:\Windows\SysWOW64\Oaaifdhb.exe (cmdline: C:\Windows\system32\Oaaifdhb.exe), PID 2272: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[75] C:\Windows\SysWOW64\Oihqgbhd.exe (cmdline: C:\Windows\system32\Oihqgbhd.exe), PID 1696: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[76] C:\Windows\SysWOW64\Pakllc32.exe (cmdline: C:\Windows\system32\Pakllc32.exe), PID 472: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[77] C:\Windows\SysWOW64\Pjfpafmb.exe (cmdline: C:\Windows\system32\Pjfpafmb.exe), PID 1624: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[78] C:\Windows\SysWOW64\Qgjqjjll.exe (cmdline: C:\Windows\system32\Qgjqjjll.exe), PID 876: no signatures
[79] C:\Windows\SysWOW64\Qoeeolig.exe (cmdline: C:\Windows\system32\Qoeeolig.exe), PID 2664: Modifies registry class
[80] C:\Windows\SysWOW64\Qqdbiopj.exe (cmdline: C:\Windows\system32\Qqdbiopj.exe), PID 2912: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[81] C:\Windows\SysWOW64\Abfnpg32.exe (cmdline: C:\Windows\system32\Abfnpg32.exe), PID 1700: no signatures
[82] C:\Windows\SysWOW64\Aojojl32.exe (cmdline: C:\Windows\system32\Aojojl32.exe), PID 2112: no signatures
[83] C:\Windows\SysWOW64\Aibcba32.exe (cmdline: C:\Windows\system32\Aibcba32.exe), PID 1676: Drops file in System32 directory
[84] C:\Windows\SysWOW64\Anolkh32.exe (cmdline: C:\Windows\system32\Anolkh32.exe), PID 1924: no signatures
[85] C:\Windows\SysWOW64\Aeidgbaf.exe (cmdline: C:\Windows\system32\Aeidgbaf.exe), PID 1972: no signatures
[86] C:\Windows\SysWOW64\Akcldl32.exe (cmdline: C:\Windows\system32\Akcldl32.exe), PID 760: no signatures
[87] C:\Windows\SysWOW64\Abmdafpp.exe (cmdline: C:\Windows\system32\Abmdafpp.exe), PID 2240: Modifies registry class
[88] C:\Windows\SysWOW64\Aekqmbod.exe (cmdline: C:\Windows\system32\Aekqmbod.exe), PID 712: Modifies registry class
[89] C:\Windows\SysWOW64\Akeijlfq.exe (cmdline: C:\Windows\system32\Akeijlfq.exe), PID 1580: no signatures
[90] C:\Windows\SysWOW64\Ancefgfd.exe (cmdline: C:\Windows\system32\Ancefgfd.exe), PID 2848: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[91] C:\Windows\SysWOW64\Aennba32.exe (cmdline: C:\Windows\system32\Aennba32.exe), PID 2336: no signatures
[92] C:\Windows\SysWOW64\Agljom32.exe (cmdline: C:\Windows\system32\Agljom32.exe), PID 2040: Drops file in System32 directory
[93] C:\Windows\SysWOW64\Bnfblgca.exe (cmdline: C:\Windows\system32\Bnfblgca.exe), PID 1492: Drops file in System32 directory; Modifies registry class
[94] C:\Windows\SysWOW64\Bccjdnbi.exe (cmdline: C:\Windows\system32\Bccjdnbi.exe), PID 844: no signatures
[95] C:\Windows\SysWOW64\Bnhoag32.exe (cmdline: C:\Windows\system32\Bnhoag32.exe), PID 2920: Modifies registry class
[96] C:\Windows\SysWOW64\Bpjkiogm.exe (cmdline: C:\Windows\system32\Bpjkiogm.exe), PID 2252: no signatures
[97] C:\Windows\SysWOW64\Bjoofhgc.exe (cmdline: C:\Windows\system32\Bjoofhgc.exe), PID 1948: Modifies registry class
[98] C:\Windows\SysWOW64\Baigca32.exe (cmdline: C:\Windows\system32\Baigca32.exe), PID 1356: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[99] C:\Windows\SysWOW64\Bplhnoej.exe (cmdline: C:\Windows\system32\Bplhnoej.exe), PID 868: Modifies registry class
[100] C:\Windows\SysWOW64\Bffpki32.exe (cmdline: C:\Windows\system32\Bffpki32.exe), PID 2448: no signatures
[101] C:\Windows\SysWOW64\Bidlgdlk.exe (cmdline: C:\Windows\system32\Bidlgdlk.exe), PID 1984: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
[102] C:\Windows\SysWOW64\Blchcpko.exe (cmdline: C:\Windows\system32\Blchcpko.exe), PID 1656: Modifies registry class
[103] C:\Windows\SysWOW64\Bekmle32.exe (cmdline: C:\Windows\system32\Bekmle32.exe), PID 1384: Drops file in System32 directory
[104] C:\Windows\SysWOW64\Bmbemb32.exe (cmdline: C:\Windows\system32\Bmbemb32.exe), PID 1392: Modifies registry class
[105] C:\Windows\SysWOW64\Bleeioil.exe (cmdline: C:\Windows\system32\Bleeioil.exe), PID 1724: no signatures
[106] C:\Windows\SysWOW64\Bbonei32.exe (cmdline: C:\Windows\system32\Bbonei32.exe), PID 2364: no signatures
[107] C:\Windows\SysWOW64\Chlfnp32.exe (cmdline: C:\Windows\system32\Chlfnp32.exe), PID 1556: no signatures
[108] C:\Windows\SysWOW64\Cofnjj32.exe (cmdline: C:\Windows\system32\Cofnjj32.exe), PID 2728: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[109] C:\Windows\SysWOW64\Cepfgdnj.exe (cmdline: C:\Windows\system32\Cepfgdnj.exe), PID 2580: Adds autorun key to be loaded by Explorer.exe on startup
[110] C:\Windows\SysWOW64\Cjmopkla.exe (cmdline: C:\Windows\system32\Cjmopkla.exe), PID 2616: no signatures
[111] C:\Windows\SysWOW64\Cbdgqimc.exe (cmdline: C:\Windows\system32\Cbdgqimc.exe), PID 1824: Drops file in System32 directory; Modifies registry class
[112] C:\Windows\SysWOW64\Chqoipkk.exe (cmdline: C:\Windows\system32\Chqoipkk.exe), PID 328: Modifies registry class
[113] C:\Windows\SysWOW64\Cojhejbh.exe (cmdline: C:\Windows\system32\Cojhejbh.exe), PID 1608: no signatures
[114] C:\Windows\SysWOW64\Cdgpnqpo.exe (cmdline: C:\Windows\system32\Cdgpnqpo.exe), PID 2904: no signatures
[115] C:\Windows\SysWOW64\Ckahkk32.exe (cmdline: C:\Windows\system32\Ckahkk32.exe), PID 1076: no signatures
[116] C:\Windows\SysWOW64\Cpnaca32.exe (cmdline: C:\Windows\system32\Cpnaca32.exe), PID 2076: Modifies registry class
[117] C:\Windows\SysWOW64\Ckcepj32.exe (cmdline: C:\Windows\system32\Ckcepj32.exe), PID 956: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
[118] C:\Windows\SysWOW64\Dpqnhadq.exe (cmdline: C:\Windows\system32\Dpqnhadq.exe), PID 1224: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
[119] C:\Windows\SysWOW64\Dgjfek32.exe (cmdline: C:\Windows\system32\Dgjfek32.exe), PID 2352: no signatures
[120] C:\Windows\SysWOW64\Dmdnbecj.exe (cmdline: C:\Windows\system32\Dmdnbecj.exe), PID 892: Adds autorun key to be loaded by Explorer.exe on startup
[121] C:\Windows\SysWOW64\Dgmbkk32.exe (cmdline: C:\Windows\system32\Dgmbkk32.exe), PID 2460: Adds autorun key to be loaded by Explorer.exe on startup
[122] C:\Windows\SysWOW64\Dmgkgeah.exe (cmdline: C:\Windows\system32\Dmgkgeah.exe), PID 2412: no signatures