Analysis
max time kernel: 180s
max time network: 145s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 16/11/2023, 17:09
Behavioral tasks
behavioral1: Sample NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe, Resource win7-20231023-en
behavioral2: Sample NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe, Resource win10v2004-20231020-en
General
Target: NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe
Size: 96KB
MD5: edc67ed7bad8f1f18fac054595e69dcb
SHA1: 7c13bd9f9b58f690d1bed9b016f6faa2f7744d32
SHA256: f3a3514595370de09e084cc3ffdc6e3d93eb65fadb5d44785a3b06bccd8fafc2
SHA512: 8d51fe292433d1eb20d16dd86cd0ff92c2dff721ea50ec272557182d85bebca46e3fa42e0fbadfdd5ed46697c3ba3e9e49736c91bf6db54d1cfe1c7f8d396df4
SSDEEP: 1536:8kRRZRRlRb/AfIlo0wlx8YCUpPx3CM4I3YhTnWuS73APgnDNBrcN4i6tBYuR3PlD:8kRRRnb/Ad0wlx8YCU33CMwhf83APgxb
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkplnp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baoopndk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnfdlpje.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kchfpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okmceiii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qdofep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qdofep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Facdgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkjpdcfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Figocipe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phknlfem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocbnqfln.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbgdgm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnhmqc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abpohb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqijck32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lphjkfbq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqcncnpe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhbfcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcageqgm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojgado32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aijgemok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnhhia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmbbcjic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jojaje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hagianlf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgeckn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcoioi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phacnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbjpjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnjipn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eccadhkh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdjcaf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncpjnahm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncbfcq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aahhoo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijmibn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Minnmomo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Diqmcgca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpokjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdefnjkj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkbdbbop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojgado32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnhljnhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhookh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfemdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iniebmfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdjcjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpieli32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgaikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhbfcj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alicahno.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhjldiln.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gckfpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ognobcqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Idmnga32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idncdgai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Noffadai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iehejc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phknlfem.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffgfancd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gckfpc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqdjge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhalag32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/files/0x000b00000001225d-5.dat | family_berbew
behavioral1/memory/2736-0-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/2736-6-0x00000000005E0000-0x0000000000624000-memory.dmp | family_berbew
behavioral1/files/0x000b00000001225d-9.dat | family_berbew
behavioral1/files/0x000b00000001225d-8.dat | family_berbew
behavioral1/files/0x000b00000001225d-12.dat | family_berbew
behavioral1/files/0x000b00000001225d-13.dat | family_berbew
behavioral1/memory/2620-18-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x003300000001453c-19.dat | family_berbew
behavioral1/files/0x003300000001453c-22.dat | family_berbew
behavioral1/memory/2828-33-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x003300000001453c-27.dat | family_berbew
behavioral1/files/0x003300000001453c-26.dat | family_berbew
behavioral1/files/0x003300000001453c-21.dat | family_berbew
behavioral1/files/0x0008000000014834-34.dat | family_berbew
behavioral1/files/0x0008000000014834-40.dat | family_berbew
behavioral1/files/0x0008000000014834-41.dat | family_berbew
behavioral1/files/0x0008000000014834-37.dat | family_berbew
behavioral1/files/0x0008000000014834-36.dat | family_berbew
behavioral1/memory/2540-42-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/2540-49-0x0000000000230000-0x0000000000274000-memory.dmp | family_berbew
behavioral1/files/0x0007000000014adb-47.dat | family_berbew
behavioral1/files/0x0007000000014adb-50.dat | family_berbew
behavioral1/files/0x0007000000014adb-51.dat | family_berbew
behavioral1/files/0x0007000000014adb-54.dat | family_berbew
behavioral1/files/0x0007000000014adb-56.dat | family_berbew
behavioral1/memory/1320-55-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0008000000014f13-61.dat | family_berbew
behavioral1/memory/1320-63-0x00000000002A0000-0x00000000002E4000-memory.dmp | family_berbew
behavioral1/files/0x0008000000014f13-64.dat | family_berbew
behavioral1/files/0x0008000000014f13-68.dat | family_berbew
behavioral1/files/0x0008000000014f13-66.dat | family_berbew
behavioral1/files/0x0008000000014f13-69.dat | family_berbew
behavioral1/memory/2924-73-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015606-75.dat | family_berbew
behavioral1/files/0x0006000000015606-81.dat | family_berbew
behavioral1/files/0x0006000000015606-78.dat | family_berbew
behavioral1/memory/2856-82-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015606-77.dat | family_berbew
behavioral1/files/0x0006000000015606-83.dat | family_berbew
behavioral1/files/0x0006000000015c00-88.dat | family_berbew
behavioral1/memory/2856-90-0x0000000000220000-0x0000000000264000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015c00-92.dat | family_berbew
behavioral1/memory/936-97-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015c00-96.dat | family_berbew
behavioral1/files/0x0006000000015c00-95.dat | family_berbew
behavioral1/files/0x0006000000015c00-91.dat | family_berbew
behavioral1/files/0x0006000000015c23-108.dat | family_berbew
behavioral1/files/0x0006000000015c23-105.dat | family_berbew
behavioral1/files/0x0006000000015c23-104.dat | family_berbew
behavioral1/files/0x0006000000015c23-102.dat | family_berbew
behavioral1/memory/2816-109-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/memory/936-114-0x0000000000220000-0x0000000000264000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015c4c-118.dat | family_berbew
behavioral1/files/0x0006000000015c4c-122.dat | family_berbew
behavioral1/files/0x0006000000015c4c-124.dat | family_berbew
behavioral1/memory/2012-123-0x0000000000400000-0x0000000000444000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015c4c-119.dat | family_berbew
behavioral1/files/0x0006000000015c4c-116.dat | family_berbew
behavioral1/files/0x0006000000015c23-110.dat | family_berbew
behavioral1/files/0x0006000000015c5c-129.dat | family_berbew
behavioral1/memory/2012-131-0x00000000001B0000-0x00000000001F4000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015c5c-133.dat | family_berbew
behavioral1/files/0x0006000000015c5c-136.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
2620 | Objjnkie.exe
2828 | Aclpaali.exe
2540 | Afliclij.exe
1320 | Jimdcqom.exe
2924 | Qdlipplq.exe
2856 | Qdofep32.exe
936 | Aiknnf32.exe
2816 | Alaqjaaa.exe
2012 | Ahhaobfe.exe
2860 | Bdobdc32.exe
1984 | Chgnneiq.exe
1468 | Ccmblnif.exe
1168 | Ckhfpp32.exe
3040 | Cbbomjnn.exe
852 | Cgogealf.exe
1836 | Cnipak32.exe
836 | Chocodch.exe
1520 | Cqjhcfpc.exe
1656 | Doabjbci.exe
904 | Dcmnja32.exe
2164 | Dbbklnpj.exe
2396 | Dmgoif32.exe
2160 | Dkjpdcfj.exe
1276 | Dcageqgm.exe
1184 | Decdmi32.exe
880 | Dbgdgm32.exe
2224 | Diqmcgca.exe
1396 | Eloipb32.exe
2672 | Ealahi32.exe
2268 | Ejdfqogm.exe
2840 | Eejjnhgc.exe
2944 | Eldbkbop.exe
2568 | Enbogmnc.exe
2108 | Eelgcg32.exe
2148 | Endklmlq.exe
2932 | Epfhde32.exe
2992 | Ejklan32.exe
2948 | Einlmkhp.exe
1668 | Edcqjc32.exe
1308 | Fjnignob.exe
1732 | Floeof32.exe
2376 | Ffdilo32.exe
1208 | Ffgfancd.exe
1324 | Fejfmk32.exe
1460 | Fhhbif32.exe
2196 | Fpokjd32.exe
552 | Fbngfo32.exe
1688 | Figocipe.exe
2280 | Fkilka32.exe
2348 | Facdgl32.exe
1972 | Fhmldfdm.exe
2088 | Fogdap32.exe
1600 | Gckfpc32.exe
776 | Gieommdc.exe
1016 | Gdjcjf32.exe
1736 | Ggiofa32.exe
2448 | Glfgnh32.exe
560 | Gcppkbia.exe
1684 | Hljaigmo.exe
1948 | Hoimecmb.exe
2472 | Hagianlf.exe
2764 | Hdefnjkj.exe
3016 | Hnnjfo32.exe
2172 | Hgfooe32.exe
Loads dropped DLL (64 IoCs)
pid | Process (each pair appears twice in the report, one row per load event; listed once here)
2736 | NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe
2620 | Objjnkie.exe
2828 | Aclpaali.exe
2540 | Afliclij.exe
1320 | Jimdcqom.exe
2924 | Qdlipplq.exe
2856 | Qdofep32.exe
936 | Aiknnf32.exe
2816 | Alaqjaaa.exe
2012 | Ahhaobfe.exe
2860 | Bdobdc32.exe
1984 | Chgnneiq.exe
1468 | Ccmblnif.exe
1168 | Ckhfpp32.exe
3040 | Cbbomjnn.exe
852 | Cgogealf.exe
1836 | Cnipak32.exe
836 | Chocodch.exe
1520 | Cqjhcfpc.exe
1656 | Doabjbci.exe
904 | Dcmnja32.exe
2164 | Dbbklnpj.exe
2396 | Dmgoif32.exe
2160 | Dkjpdcfj.exe
1276 | Dcageqgm.exe
1184 | Decdmi32.exe
880 | Dbgdgm32.exe
2224 | Diqmcgca.exe
1396 | Eloipb32.exe
2672 | Ealahi32.exe
2268 | Ejdfqogm.exe
2840 | Eejjnhgc.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Floeof32.exe | Fjnignob.exe
File created | C:\Windows\SysWOW64\Cgogealf.exe | Cbbomjnn.exe
File opened for modification | C:\Windows\SysWOW64\Eldbkbop.exe | Eejjnhgc.exe
File opened for modification | C:\Windows\SysWOW64\Qhdabemb.exe | Qdieaf32.exe
File created | C:\Windows\SysWOW64\Hfqddkgm.dll | Jhjldiln.exe
File created | C:\Windows\SysWOW64\Kqijck32.exe | Kjpafanf.exe
File opened for modification | C:\Windows\SysWOW64\Doabjbci.exe | Cqjhcfpc.exe
File opened for modification | C:\Windows\SysWOW64\Epfhde32.exe | Endklmlq.exe
File created | C:\Windows\SysWOW64\Qjnoacdc.exe | Pmjohoej.exe
File opened for modification | C:\Windows\SysWOW64\Chocodch.exe | Cnipak32.exe
File created | C:\Windows\SysWOW64\Ndekok32.exe | Nagobp32.exe
File created | C:\Windows\SysWOW64\Qjcmoqlf.exe | Qhdabemb.exe
File created | C:\Windows\SysWOW64\Hagianlf.exe | Hoimecmb.exe
File opened for modification | C:\Windows\SysWOW64\Mnqdpj32.exe | Mgglcqdk.exe
File opened for modification | C:\Windows\SysWOW64\Aajedn32.exe | Aolihc32.exe
File opened for modification | C:\Windows\SysWOW64\Cclkcdpl.exe | Clbbfj32.exe
File created | C:\Windows\SysWOW64\Iniebmfg.exe | Ijmibn32.exe
File created | C:\Windows\SysWOW64\Fjnignob.exe | Edcqjc32.exe
File opened for modification | C:\Windows\SysWOW64\Nkphmc32.exe | Nhalag32.exe
File created | C:\Windows\SysWOW64\Amaiklki.exe | Qjcmoqlf.exe
File opened for modification | C:\Windows\SysWOW64\Hnnjfo32.exe | Hdefnjkj.exe
File created | C:\Windows\SysWOW64\Pjpfjf32.dll | Nbegonmd.exe
File opened for modification | C:\Windows\SysWOW64\Pfjbdn32.exe | Pppihdha.exe
File opened for modification | C:\Windows\SysWOW64\Ejklan32.exe | Epfhde32.exe
File created | C:\Windows\SysWOW64\Ilnamhfg.dll | Akahokho.exe
File opened for modification | C:\Windows\SysWOW64\Hgfooe32.exe | Hnnjfo32.exe
File opened for modification | C:\Windows\SysWOW64\Eejjnhgc.exe | Ejdfqogm.exe
File opened for modification | C:\Windows\SysWOW64\Gieommdc.exe | Gckfpc32.exe
File opened for modification | C:\Windows\SysWOW64\Nhookh32.exe | Nbegonmd.exe
File created | C:\Windows\SysWOW64\Klfjpm32.dll | Djfooa32.exe
File opened for modification | C:\Windows\SysWOW64\Pmjohoej.exe | Pfpflenm.exe
File created | C:\Windows\SysWOW64\Fkldcapk.dll | Ealahi32.exe
File opened for modification | C:\Windows\SysWOW64\Ocglmcdp.exe | Onggom32.exe
File created | C:\Windows\SysWOW64\Cijiejka.dll | Bdbdgh32.exe
File opened for modification | C:\Windows\SysWOW64\Bdobdc32.exe | Ahhaobfe.exe
File opened for modification | C:\Windows\SysWOW64\Bnhljnhm.exe | Bgndnd32.exe
File created | C:\Windows\SysWOW64\Nnkjca32.dll | Dpbgghhl.exe
File created | C:\Windows\SysWOW64\Aiacqhfi.dll | Jkhhpeka.exe
File opened for modification | C:\Windows\SysWOW64\Ggiofa32.exe | Gdjcjf32.exe
File created | C:\Windows\SysWOW64\Pdjcaf32.exe | Ekofijic.exe
File created | C:\Windows\SysWOW64\Chickknc.exe | Cclkcdpl.exe
File created | C:\Windows\SysWOW64\Ngknpb32.dll | Lebemmbk.exe
File created | C:\Windows\SysWOW64\Pbpehnhq.dll | Jfkphnmj.exe
File created | C:\Windows\SysWOW64\Haekqknh.dll | Onqaonnc.exe
File opened for modification | C:\Windows\SysWOW64\Nbgcdmjb.exe | Noighakn.exe
File created | C:\Windows\SysWOW64\Dhipnoln.dll | Pfjbdn32.exe
File created | C:\Windows\SysWOW64\Gombop32.dll | Opllclcb.exe
File created | C:\Windows\SysWOW64\Djlecd32.dll | Ocmdeg32.exe
File created | C:\Windows\SysWOW64\Fejfmk32.exe | Ffgfancd.exe
File created | C:\Windows\SysWOW64\Hoimecmb.exe | Hljaigmo.exe
File opened for modification | C:\Windows\SysWOW64\Pjlgna32.exe | Pikkfilp.exe
File created | C:\Windows\SysWOW64\Kjdnqckh.dll | Jgaikb32.exe
File created | C:\Windows\SysWOW64\Igncjolp.dll | Ofbgbaio.exe
File opened for modification | C:\Windows\SysWOW64\Chgnneiq.exe | Bdobdc32.exe
File opened for modification | C:\Windows\SysWOW64\Legohm32.exe | Lnmglbgh.exe
File created | C:\Windows\SysWOW64\Onggom32.exe | Ognobcqo.exe
File opened for modification | C:\Windows\SysWOW64\Eclejclg.exe | Ddbbod32.exe
File created | C:\Windows\SysWOW64\Oenjdp32.dll | Knmjmodm.exe
File created | C:\Windows\SysWOW64\Dipfpa32.dll | Olapcm32.exe
File created | C:\Windows\SysWOW64\Jpdepqif.dll | Ggiofa32.exe
File created | C:\Windows\SysWOW64\Mklfde32.dll | Phacnm32.exe
File created | C:\Windows\SysWOW64\Cbcdjpba.exe | Cnhhia32.exe
File opened for modification | C:\Windows\SysWOW64\Ikhlaaif.exe | Idncdgai.exe
File created | C:\Windows\SysWOW64\Kglhbijp.dll | Pfnjfepp.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2324 | 2228 | WerFault.exe | 315
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmgdfdh.dll" | Paldmbmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pconjjql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlobbi32.dll" | Hqochjnk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndhlfh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncbfcq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ppbfmdfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Chmlfj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmbbcjic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlngdfab.dll" | Iccqedfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdnqckh.dll" | Jgaikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhhbif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifnheoak.dll" | Maejpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfioaaah.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oifelfni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdknfiea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlbpigi.dll" | Cclkcdpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nmlcbafa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbgdgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hgiked32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmmeecf.dll" | Diqmcgca.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Opohil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpieli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmgoif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fogdap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moncom32.dll" | Aogpmcmb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Clbbfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Leebcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokdfe32.dll" | Obniel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oqcffi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ockhpgbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aolihc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmdmpmb.dll" | Bhdmahpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eobenc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobhaimm.dll" | Cqjhcfpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfehfd.dll" | Ikhlaaif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mlhbgc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eobenc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cgnpmg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jhjldiln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpiogbmb.dll" | Okmceiii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qjnoacdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ffdilo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qhdabemb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinelbbc.dll" | Pejejkhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmhejjl.dll" | Pikkfilp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgaikb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkbak32.dll" | Leebcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdjceb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Echoepmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aogpmcmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pqcncnpe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbbomjnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjmco32.dll" | Plbaafak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpcmb32.dll" | Mmijmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjnikd32.dll" | Eobenc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfiebi32.dll" | Honfqb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qoaaqb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Acbnggjo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngkfnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iicbdnjn.dll" | Dgefmf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ahhaobfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biogkbfn.dll" | Cbbomjnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Floeof32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkplnp32.exe
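The "Adds autorun key" and "Modifies registry class" signatures above are two halves of one persistence mechanism. At logon, Explorer instantiates every COM class listed as a value under ShellServiceObjectDelayLoad; the value "Web Event Logger" holds CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value names the DLL to load, which successive processes in the chain point at their own dropped SysWow64 DLL (e.g. Glmgdfdh.dll by Paldmbmq.exe, Nlobbi32.dll by Hqochjnk.exe). Two caveats for anyone checking a host: only the last InProcServer32 write is current, so the report's full set of DLL paths is the hunt list rather than any single one; and every key here sits under Wow6432Node, i.e. it was written by a 32-bit process under WoW64 registry redirection, so query both the native and the Wow6432Node view of these keys. The Python below is an added example, not part of the tria.ge report and not code from the sample. It parses a constructed subset of the report's own rows (copied verbatim), ties the SSODL value to the InProcServer32 paths and to the processes that wrote them, and flags entries whose CLSID is not on a caller-supplied allow-list (assumed empty here).

```python
"""Tie the two registry signatures of the report into one persistence chain.

Added example, not part of the tria.ge report and not code from the Berbew sample.
It parses flattened "description ioc Process" rows of the kind shown under
"Adds autorun key" and "Modifies registry class", links the
ShellServiceObjectDelayLoad (SSODL) value to the CLSID it names, and resolves that
CLSID's InProcServer32 default value to the DLL paths the sample registered.
REPORT_ROWS is a constructed subset of the report's rows, copied verbatim.
"""
import re
from collections import defaultdict

# Constructed subset of the report rows (six of the 128 registry IoCs, verbatim).
REPORT_ROWS = [
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkplnp32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdofep32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmgdfdh.dll" Paldmbmq.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pconjjql.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlobbi32.dll" Hqochjnk.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndhlfh32.exe',
]

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SSODL_KEY = "ShellServiceObjectDelayLoad"


def parse_row(row: str) -> dict:
    """Split one flattened row into description, key, value name, data and writing process.

    The process is always the last whitespace-separated token; the ioc column may
    itself contain spaces ("Web Event Logger"), so it is everything in between.
    """
    for prefix in ("Set value (str) ", "Key created "):
        if row.startswith(prefix):
            break
    else:
        raise ValueError(f"unrecognised row: {row!r}")
    ioc, _, process = row[len(prefix):].rpartition(" ")
    rec = {"desc": prefix.strip(), "process": process, "key": ioc, "name": "", "data": None}
    if prefix.startswith("Set value"):
        path, _, quoted = ioc.partition(' = "')
        # Triage escapes backslashes inside quoted data ("C:\\Windows\\..."); undo that.
        rec["data"] = quoted.rstrip('"').replace("\\\\", "\\")
        # "...\InProcServer32\" (trailing backslash) is the key's default value: name == "".
        rec["key"], _, rec["name"] = path.rpartition("\\")
    return rec


def persistence_chain(rows):
    """Map SSODL value name -> {clsid, DLLs registered as its InProcServer32, writers}."""
    ssodl, ssodl_writers = {}, defaultdict(set)
    servers, server_writers = defaultdict(set), defaultdict(set)
    for rec in map(parse_row, rows):
        if rec["data"] is None:
            continue  # "Key created" rows carry no data
        if rec["key"].endswith(SSODL_KEY) and CLSID_RE.fullmatch(rec["data"]):
            clsid = rec["data"].upper()
            ssodl[rec["name"]] = clsid
            ssodl_writers[rec["name"]].add(rec["process"])
        elif rec["key"].endswith("InProcServer32") and rec["name"] == "":
            m = CLSID_RE.search(rec["key"])
            if m:
                servers[m.group(0).upper()].add(rec["data"])
                server_writers[m.group(0).upper()].add(rec["process"])
    return {
        name: {
            "clsid": clsid,
            "dlls": sorted(servers.get(clsid, ())),
            "writers": sorted(ssodl_writers[name] | server_writers.get(clsid, set())),
        }
        for name, clsid in ssodl.items()
    }


def unknown_ssodl_entries(chain, known_clsids):
    """Names of SSODL entries whose CLSID is not in the caller's allow-list of expected shell objects."""
    known = {c.upper() for c in known_clsids}
    return sorted(name for name, info in chain.items() if info["clsid"] not in known)


if __name__ == "__main__":
    chain = persistence_chain(REPORT_ROWS)
    for name, info in chain.items():
        print(f"SSODL '{name}' -> {info['clsid']}")
        for dll in info["dlls"]:
            print(f"    InProcServer32 -> {dll}")
        print(f"    written by: {', '.join(info['writers'])}")
    print("not in allow-list:", unknown_ssodl_entries(chain, known_clsids=[]))
```

Fed the full 128 rows, the same functions give the complete DLL list to compare against what is actually on disk in C:\Windows\SysWOW64 and against the CLSID's current InProcServer32 value on a suspect host; the allow-list for unknown_ssodl_entries should be built from a known-clean image of the same Windows build.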
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2736 wrote to memory of 2620 2736 NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe 29
PID 2736 wrote to memory of 2620 2736 NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe 29
PID 2736 wrote to memory of 2620 2736 NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe 29
PID 2736 wrote to memory of 2620 2736 NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe 29
PID 2620 wrote to memory of 2828 2620 Objjnkie.exe 30
PID 2620 wrote to memory of 2828 2620 Objjnkie.exe 30
PID 2620 wrote to memory of 2828 2620 Objjnkie.exe 30
PID 2620 wrote to memory of 2828 2620 Objjnkie.exe 30
PID 2828 wrote to memory of 2540 2828 Aclpaali.exe 31
PID 2828 wrote to memory of 2540 2828 Aclpaali.exe 31
PID 2828 wrote to memory of 2540 2828 Aclpaali.exe 31
PID 2828 wrote to memory of 2540 2828 Aclpaali.exe 31
PID 2540 wrote to memory of 1320 2540 Afliclij.exe 32
PID 2540 wrote to memory of 1320 2540 Afliclij.exe 32
PID 2540 wrote to memory of 1320 2540 Afliclij.exe 32
PID 2540 wrote to memory of 1320 2540 Afliclij.exe 32
PID 1320 wrote to memory of 2924 1320 Jimdcqom.exe 33
PID 1320 wrote to memory of 2924 1320 Jimdcqom.exe 33
PID 1320 wrote to memory of 2924 1320 Jimdcqom.exe 33
PID 1320 wrote to memory of 2924 1320 Jimdcqom.exe 33
PID 2924 wrote to memory of 2856 2924 Qdlipplq.exe 34
PID 2924 wrote to memory of 2856 2924 Qdlipplq.exe 34
PID 2924 wrote to memory of 2856 2924 Qdlipplq.exe 34
PID 2924 wrote to memory of 2856 2924 Qdlipplq.exe 34
PID 2856 wrote to memory of 936 2856 Qdofep32.exe 35
PID 2856 wrote to memory of 936 2856 Qdofep32.exe 35
PID 2856 wrote to memory of 936 2856 Qdofep32.exe 35
PID 2856 wrote to memory of 936 2856 Qdofep32.exe 35
PID 936 wrote to memory of 2816 936 Aiknnf32.exe 36
PID 936 wrote to memory of 2816 936 Aiknnf32.exe 36
PID 936 wrote to memory of 2816 936 Aiknnf32.exe 36
PID 936 wrote to memory of 2816 936 Aiknnf32.exe 36
PID 2816 wrote to memory of 2012 2816 Alaqjaaa.exe 37
PID 2816 wrote to memory of 2012 2816 Alaqjaaa.exe 37
PID 2816 wrote to memory of 2012 2816 Alaqjaaa.exe 37
PID 2816 wrote to memory of 2012 2816 Alaqjaaa.exe 37
PID 2012 wrote to memory of 2860 2012 Ahhaobfe.exe 38
PID 2012 wrote to memory of 2860 2012 Ahhaobfe.exe 38
PID 2012 wrote to memory of 2860 2012 Ahhaobfe.exe 38
PID 2012 wrote to memory of 2860 2012 Ahhaobfe.exe 38
PID 2860 wrote to memory of 1984 2860 Bdobdc32.exe 39
PID 2860 wrote to memory of 1984 2860 Bdobdc32.exe 39
PID 2860 wrote to memory of 1984 2860 Bdobdc32.exe 39
PID 2860 wrote to memory of 1984 2860 Bdobdc32.exe 39
PID 1984 wrote to memory of 1468 1984 Chgnneiq.exe 40
PID 1984 wrote to memory of 1468 1984 Chgnneiq.exe 40
PID 1984 wrote to memory of 1468 1984 Chgnneiq.exe 40
PID 1984 wrote to memory of 1468 1984 Chgnneiq.exe 40
PID 1468 wrote to memory of 1168 1468 Ccmblnif.exe 41
PID 1468 wrote to memory of 1168 1468 Ccmblnif.exe 41
PID 1468 wrote to memory of 1168 1468 Ccmblnif.exe 41
PID 1468 wrote to memory of 1168 1468 Ccmblnif.exe 41
PID 1168 wrote to memory of 3040 1168 Ckhfpp32.exe 42
PID 1168 wrote to memory of 3040 1168 Ckhfpp32.exe 42
PID 1168 wrote to memory of 3040 1168 Ckhfpp32.exe 42
PID 1168 wrote to memory of 3040 1168 Ckhfpp32.exe 42
PID 3040 wrote to memory of 852 3040 Cbbomjnn.exe 45
PID 3040 wrote to memory of 852 3040 Cbbomjnn.exe 45
PID 3040 wrote to memory of 852 3040 Cbbomjnn.exe 45
PID 3040 wrote to memory of 852 3040 Cbbomjnn.exe 45
PID 852 wrote to memory of 1836 852 Cgogealf.exe 44
PID 852 wrote to memory of 1836 852 Cgogealf.exe 44
PID 852 wrote to memory of 1836 852 Cgogealf.exe 44
PID 852 wrote to memory of 1836 852 Cgogealf.exe 44
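Each spawn in the list above is recorded as four identical WriteProcessMemory events (the sandbox logs every write into the new child, and process creation with a passed-in environment produces several), so the 64 IoCs describe 16 hops in which every dropped executable writes into exactly one successor. The Python below is an added example, not part of the tria.ge report: it collapses the repeated events into edges, rebuilds the writer-to-target chain from the root PID, and applies a simple linear-dropper-chain heuristic. The sample events are a constructed subset of the lines above; the final process in a chain never writes, so only its PID is known from these events (its name is in the process tree).

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "PID X wrote to memory of Y" events from the report,
# including the repeated writes the sandbox records for a single spawn.
SAMPLE_EVENTS = """
PID 2736 wrote to memory of 2620 2736 NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe 29
PID 2736 wrote to memory of 2620 2736 NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe 29
PID 2736 wrote to memory of 2620 2736 NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe 29
PID 2736 wrote to memory of 2620 2736 NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe 29
PID 2620 wrote to memory of 2828 2620 Objjnkie.exe 30
PID 2620 wrote to memory of 2828 2620 Objjnkie.exe 30
PID 2828 wrote to memory of 2540 2828 Aclpaali.exe 31
PID 2540 wrote to memory of 1320 2540 Afliclij.exe 32
"""

# description, pid (must equal the writer in the description), Process, procid_target
EVENT_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$'
)


def parse_edges(lines):
    """Collapse repeated write events into one (src_pid, dst_pid) -> writer-name edge, in first-seen order."""
    edges = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            edges[(int(m['src']), int(m['dst']))] = m['proc']
    return edges


def spawn_chains(edges):
    """Rebuild writer -> target chains; a PID that is never a target is a root. Returns {root_pid: [names]}."""
    children = defaultdict(list)
    names = {}
    targets = {dst for (_, dst) in edges}
    for (src, dst), proc in edges.items():
        children[src].append(dst)
        names[src] = proc

    def walk(pid):
        longest = []
        for child in children.get(pid, []):
            path = walk(child)
            if len(path) > len(longest):
                longest = path
        # the last process in a chain never writes, so these events only give its PID
        return [names.get(pid, f'pid {pid}')] + longest

    return {root: walk(root) for root in children if root not in targets}


def looks_like_dropper_chain(edges, min_hops=3):
    """Heuristic: one root, every writer targets exactly one process, and the chain has at least min_hops hops."""
    fanout = defaultdict(set)
    for (src, dst) in edges:
        fanout[src].add(dst)
    if any(len(d) != 1 for d in fanout.values()):
        return False
    chains = spawn_chains(edges)
    return len(chains) == 1 and all(len(c) - 1 >= min_hops for c in chains.values())


if __name__ == '__main__':
    edges = parse_edges(SAMPLE_EVENTS.splitlines())
    for root, chain in spawn_chains(edges).items():
        print(root, ' -> '.join(chain))
    print('linear dropper chain:', looks_like_dropper_chain(edges))
```

The heuristic is deliberately narrow: a legitimate installer also writes into children it starts, but it rarely produces a dozen-deep chain of distinct, randomly named executables each spawning exactly one successor, which is what the full 64-event list above shows.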
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.edc67ed7bad8f1f18fac054595e69dcb.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2736
Level 2: C:\Windows\SysWOW64\Objjnkie.exe (command line: C:\Windows\system32\Objjnkie.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2620
Level 3: C:\Windows\SysWOW64\Aclpaali.exe (command line: C:\Windows\system32\Aclpaali.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2828
Level 4: C:\Windows\SysWOW64\Afliclij.exe (command line: C:\Windows\system32\Afliclij.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2540
Level 5: C:\Windows\SysWOW64\Jimdcqom.exe (command line: C:\Windows\system32\Jimdcqom.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1320
Level 6: C:\Windows\SysWOW64\Qdlipplq.exe (command line: C:\Windows\system32\Qdlipplq.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2924
Level 7: C:\Windows\SysWOW64\Qdofep32.exe (command line: C:\Windows\system32\Qdofep32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2856
Level 8: C:\Windows\SysWOW64\Aiknnf32.exe (command line: C:\Windows\system32\Aiknnf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 936
Level 9: C:\Windows\SysWOW64\Alaqjaaa.exe (command line: C:\Windows\system32\Alaqjaaa.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2816
Level 10: C:\Windows\SysWOW64\Ahhaobfe.exe (command line: C:\Windows\system32\Ahhaobfe.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2012
Level 11: C:\Windows\SysWOW64\Bdobdc32.exe (command line: C:\Windows\system32\Bdobdc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2860
Level 12: C:\Windows\SysWOW64\Chgnneiq.exe (command line: C:\Windows\system32\Chgnneiq.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1984
Level 13: C:\Windows\SysWOW64\Ccmblnif.exe (command line: C:\Windows\system32\Ccmblnif.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1468
Level 14: C:\Windows\SysWOW64\Ckhfpp32.exe (command line: C:\Windows\system32\Ckhfpp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1168
Level 15: C:\Windows\SysWOW64\Cbbomjnn.exe (command line: C:\Windows\system32\Cbbomjnn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3040
Level 16: C:\Windows\SysWOW64\Cgogealf.exe (command line: C:\Windows\system32\Cgogealf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 852
Level 1: C:\Windows\SysWOW64\Chocodch.exe (command line: C:\Windows\system32\Chocodch.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 836
Level 2: C:\Windows\SysWOW64\Cqjhcfpc.exe (command line: C:\Windows\system32\Cqjhcfpc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 1520
Level 3: C:\Windows\SysWOW64\Doabjbci.exe (command line: C:\Windows\system32\Doabjbci.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1656
Level 4: C:\Windows\SysWOW64\Dcmnja32.exe (command line: C:\Windows\system32\Dcmnja32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 904
Level 5: C:\Windows\SysWOW64\Dbbklnpj.exe (command line: C:\Windows\system32\Dbbklnpj.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 2164
Level 6: C:\Windows\SysWOW64\Dmgoif32.exe (command line: C:\Windows\system32\Dmgoif32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2396
Level 7: C:\Windows\SysWOW64\Dkjpdcfj.exe (command line: C:\Windows\system32\Dkjpdcfj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2160
Level 8: C:\Windows\SysWOW64\Dcageqgm.exe (command line: C:\Windows\system32\Dcageqgm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 1276
Level 9: C:\Windows\SysWOW64\Decdmi32.exe (command line: C:\Windows\system32\Decdmi32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1184
Level 10: C:\Windows\SysWOW64\Dbgdgm32.exe (command line: C:\Windows\system32\Dbgdgm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 880
Level 11: C:\Windows\SysWOW64\Diqmcgca.exe (command line: C:\Windows\system32\Diqmcgca.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 2224
Level 12: C:\Windows\SysWOW64\Eloipb32.exe (command line: C:\Windows\system32\Eloipb32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1396
Level 13: C:\Windows\SysWOW64\Ealahi32.exe (command line: C:\Windows\system32\Ealahi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2672
Level 14: C:\Windows\SysWOW64\Ejdfqogm.exe (command line: C:\Windows\system32\Ejdfqogm.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2268
Level 15: C:\Windows\SysWOW64\Eejjnhgc.exe (command line: C:\Windows\system32\Eejjnhgc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2840
Level 16: C:\Windows\SysWOW64\Eldbkbop.exe (command line: C:\Windows\system32\Eldbkbop.exe)
- Executes dropped EXE
PID: 2944
Level 17: C:\Windows\SysWOW64\Enbogmnc.exe (command line: C:\Windows\system32\Enbogmnc.exe)
- Executes dropped EXE
PID: 2568
Level 18: C:\Windows\SysWOW64\Eelgcg32.exe (command line: C:\Windows\system32\Eelgcg32.exe)
- Executes dropped EXE
PID: 2108
Level 19: C:\Windows\SysWOW64\Endklmlq.exe (command line: C:\Windows\system32\Endklmlq.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2148
Level 20: C:\Windows\SysWOW64\Epfhde32.exe (command line: C:\Windows\system32\Epfhde32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 2932
Level 21: C:\Windows\SysWOW64\Ejklan32.exe (command line: C:\Windows\system32\Ejklan32.exe)
- Executes dropped EXE
PID: 2992
Level 22: C:\Windows\SysWOW64\Einlmkhp.exe (command line: C:\Windows\system32\Einlmkhp.exe)
- Executes dropped EXE
PID: 2948
Level 23: C:\Windows\SysWOW64\Edcqjc32.exe (command line: C:\Windows\system32\Edcqjc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1668
Level 24: C:\Windows\SysWOW64\Fjnignob.exe (command line: C:\Windows\system32\Fjnignob.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1308
Level 25: C:\Windows\SysWOW64\Floeof32.exe (command line: C:\Windows\system32\Floeof32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1732
Level 26: C:\Windows\SysWOW64\Ffdilo32.exe (command line: C:\Windows\system32\Ffdilo32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2376
Level 27: C:\Windows\SysWOW64\Ffgfancd.exe (command line: C:\Windows\system32\Ffgfancd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 1208
Level 28: C:\Windows\SysWOW64\Fejfmk32.exe (command line: C:\Windows\system32\Fejfmk32.exe)
- Executes dropped EXE
PID: 1324
Level 29: C:\Windows\SysWOW64\Fhhbif32.exe (command line: C:\Windows\system32\Fhhbif32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1460
Level 30: C:\Windows\SysWOW64\Fpokjd32.exe (command line: C:\Windows\system32\Fpokjd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2196
Level 31: C:\Windows\SysWOW64\Fbngfo32.exe (command line: C:\Windows\system32\Fbngfo32.exe)
- Executes dropped EXE
PID: 552
Level 32: C:\Windows\SysWOW64\Figocipe.exe (command line: C:\Windows\system32\Figocipe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1688
Level 33: C:\Windows\SysWOW64\Fkilka32.exe (command line: C:\Windows\system32\Fkilka32.exe)
- Executes dropped EXE
PID: 2280
Level 34: C:\Windows\SysWOW64\Facdgl32.exe (command line: C:\Windows\system32\Facdgl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2348
Level 35: C:\Windows\SysWOW64\Fhmldfdm.exe (command line: C:\Windows\system32\Fhmldfdm.exe)
- Executes dropped EXE
PID: 1972
Level 36: C:\Windows\SysWOW64\Fogdap32.exe (command line: C:\Windows\system32\Fogdap32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 2088
Level 37: C:\Windows\SysWOW64\Gckfpc32.exe (command line: C:\Windows\system32\Gckfpc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 1600
Level 38: C:\Windows\SysWOW64\Gieommdc.exe (command line: C:\Windows\system32\Gieommdc.exe)
- Executes dropped EXE
PID: 776
Level 39: C:\Windows\SysWOW64\Gdjcjf32.exe (command line: C:\Windows\system32\Gdjcjf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 1016
Level 40: C:\Windows\SysWOW64\Ggiofa32.exe (command line: C:\Windows\system32\Ggiofa32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1736
Level 41: C:\Windows\SysWOW64\Glfgnh32.exe (command line: C:\Windows\system32\Glfgnh32.exe)
- Executes dropped EXE
PID: 2448
Level 42: C:\Windows\SysWOW64\Gcppkbia.exe (command line: C:\Windows\system32\Gcppkbia.exe)
- Executes dropped EXE
PID: 560
Level 43: C:\Windows\SysWOW64\Hljaigmo.exe (command line: C:\Windows\system32\Hljaigmo.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1684
Level 44: C:\Windows\SysWOW64\Hoimecmb.exe (command line: C:\Windows\system32\Hoimecmb.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1948
Level 45: C:\Windows\SysWOW64\Hagianlf.exe (command line: C:\Windows\system32\Hagianlf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2472
Level 46: C:\Windows\SysWOW64\Hdefnjkj.exe (command line: C:\Windows\system32\Hdefnjkj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID: 2764
Level 47: C:\Windows\SysWOW64\Hnnjfo32.exe (command line: C:\Windows\system32\Hnnjfo32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 3016
Level 48: C:\Windows\SysWOW64\Hgfooe32.exe (command line: C:\Windows\system32\Hgfooe32.exe)
- Executes dropped EXE
PID: 2172
Level 49: C:\Windows\SysWOW64\Honfqb32.exe (command line: C:\Windows\system32\Honfqb32.exe)
- Modifies registry class
PID: 2584
Level 50: C:\Windows\SysWOW64\Hqochjnk.exe (command line: C:\Windows\system32\Hqochjnk.exe)
- Modifies registry class
PID: 2128
Level 51: C:\Windows\SysWOW64\Hgiked32.exe (command line: C:\Windows\system32\Hgiked32.exe)
- Modifies registry class
PID: 932
Level 52: C:\Windows\SysWOW64\Idmnga32.exe (command line: C:\Windows\system32\Idmnga32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2112
Level 53: C:\Windows\SysWOW64\Acbnggjo.exe (command line: C:\Windows\system32\Acbnggjo.exe)
- Modifies registry class
PID: 2124
Level 54: C:\Windows\SysWOW64\Kdjceb32.exe (command line: C:\Windows\system32\Kdjceb32.exe)
- Modifies registry class
PID: 3000
Level 55: C:\Windows\SysWOW64\Qoaaqb32.exe (command line: C:\Windows\system32\Qoaaqb32.exe)
- Modifies registry class
PID: 2132
Level 56: C:\Windows\SysWOW64\Echoepmo.exe (command line: C:\Windows\system32\Echoepmo.exe)
- Modifies registry class
PID: 2896
Level 57: C:\Windows\SysWOW64\Cfknjfbl.exe (command line: C:\Windows\system32\Cfknjfbl.exe)
PID: 1156
Level 58: C:\Windows\SysWOW64\Modano32.exe (command line: C:\Windows\system32\Modano32.exe)
PID: 2180
Level 59: C:\Windows\SysWOW64\Mlhbgc32.exe (command line: C:\Windows\system32\Mlhbgc32.exe)
- Modifies registry class
PID: 1636
Level 60: C:\Windows\SysWOW64\Maejpj32.exe (command line: C:\Windows\system32\Maejpj32.exe)
- Modifies registry class
PID: 2104
Level 61: C:\Windows\SysWOW64\Mpjgag32.exe (command line: C:\Windows\system32\Mpjgag32.exe)
PID: 2152
Level 62: C:\Windows\SysWOW64\Mkplnp32.exe (command line: C:\Windows\system32\Mkplnp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 2468
Level 63: C:\Windows\SysWOW64\Majdkifd.exe (command line: C:\Windows\system32\Majdkifd.exe)
PID: 2648
Level 64: C:\Windows\SysWOW64\Mgglcqdk.exe (command line: C:\Windows\system32\Mgglcqdk.exe)
- Drops file in System32 directory
PID: 2576
Level 65: C:\Windows\SysWOW64\Mnqdpj32.exe (command line: C:\Windows\system32\Mnqdpj32.exe)
PID: 2592
Level 66: C:\Windows\SysWOW64\Ncnmhajo.exe (command line: C:\Windows\system32\Ncnmhajo.exe)
PID: 2908
Level 67: C:\Windows\SysWOW64\Ncpjnahm.exe (command line: C:\Windows\system32\Ncpjnahm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2264
Level 68: C:\Windows\SysWOW64\Ngkfnp32.exe (command line: C:\Windows\system32\Ngkfnp32.exe)
- Modifies registry class
PID: 2608
Level 69: C:\Windows\SysWOW64\Njjbjk32.exe (command line: C:\Windows\system32\Njjbjk32.exe)
PID: 2284
Level 70: C:\Windows\SysWOW64\Nqdjge32.exe (command line: C:\Windows\system32\Nqdjge32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2872
Level 71: C:\Windows\SysWOW64\Ncbfcq32.exe (command line: C:\Windows\system32\Ncbfcq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 1664
Level 72: C:\Windows\SysWOW64\Nbegonmd.exe (command line: C:\Windows\system32\Nbegonmd.exe)
- Drops file in System32 directory
PID: 1836
Level 73: C:\Windows\SysWOW64\Nhookh32.exe (command line: C:\Windows\system32\Nhookh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2068
Level 74: C:\Windows\SysWOW64\Noighakn.exe (command line: C:\Windows\system32\Noighakn.exe)
- Drops file in System32 directory
PID: 2804
Level 75: C:\Windows\SysWOW64\Nbgcdmjb.exe (command line: C:\Windows\system32\Nbgcdmjb.exe)
PID: 2824
Level 76: C:\Windows\SysWOW64\Nhalag32.exe (command line: C:\Windows\system32\Nhalag32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1944
Level 77: C:\Windows\SysWOW64\Nkphmc32.exe (command line: C:\Windows\system32\Nkphmc32.exe)
PID: 2992
Level 78: C:\Windows\SysWOW64\Nbjpjm32.exe (command line: C:\Windows\system32\Nbjpjm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 268
Level 79: C:\Windows\SysWOW64\Ndhlfh32.exe (command line: C:\Windows\system32\Ndhlfh32.exe)
- Modifies registry class
PID: 1208
Level 80: C:\Windows\SysWOW64\Nidhfgpl.exe (command line: C:\Windows\system32\Nidhfgpl.exe)
PID: 784
Level 81: C:\Windows\SysWOW64\Nkbdbbop.exe (command line: C:\Windows\system32\Nkbdbbop.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1500
Level 82: C:\Windows\SysWOW64\Onqaonnc.exe (command line: C:\Windows\system32\Onqaonnc.exe)
- Drops file in System32 directory
PID: 1100
Level 83: C:\Windows\SysWOW64\Oqomkimg.exe (command line: C:\Windows\system32\Oqomkimg.exe)
PID: 776
Level 84: C:\Windows\SysWOW64\Oifelfni.exe (command line: C:\Windows\system32\Oifelfni.exe)
- Modifies registry class
PID: 2460
Level 85: C:\Windows\SysWOW64\Ojgado32.exe (command line: C:\Windows\system32\Ojgado32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 772
Level 86: C:\Windows\SysWOW64\Obniel32.exe (command line: C:\Windows\system32\Obniel32.exe)
- Modifies registry class
PID: 2200
Level 87: C:\Windows\SysWOW64\Oemfahcn.exe (command line: C:\Windows\system32\Oemfahcn.exe)
PID: 848
Level 88: C:\Windows\SysWOW64\Okgnna32.exe (command line: C:\Windows\system32\Okgnna32.exe)
PID: 2256
Level 89: C:\Windows\SysWOW64\Onejjm32.exe (command line: C:\Windows\system32\Onejjm32.exe)
PID: 2112
Level 90: C:\Windows\SysWOW64\Oqcffi32.exe (command line: C:\Windows\system32\Oqcffi32.exe)
- Modifies registry class
PID: 2032
Level 91: C:\Windows\SysWOW64\Ognobcqo.exe (command line: C:\Windows\system32\Ognobcqo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 1796
Level 92: C:\Windows\SysWOW64\Onggom32.exe (command line: C:\Windows\system32\Onggom32.exe)
- Drops file in System32 directory
PID: 2140
Level 93: C:\Windows\SysWOW64\Ocglmcdp.exe (command line: C:\Windows\system32\Ocglmcdp.exe)
PID: 2188
Level 94: C:\Windows\SysWOW64\Pjqdjn32.exe (command line: C:\Windows\system32\Pjqdjn32.exe)
PID: 1588
Level 95: C:\Windows\SysWOW64\Plbaafak.exe (command line: C:\Windows\system32\Plbaafak.exe)
- Modifies registry class
PID: 756
Level 96: C:\Windows\SysWOW64\Ppnmbd32.exe (command line: C:\Windows\system32\Ppnmbd32.exe)
PID: 2100
Level 97: C:\Windows\SysWOW64\Pejejkhl.exe (command line: C:\Windows\system32\Pejejkhl.exe)
- Modifies registry class
PID: 2900
Level 98: C:\Windows\SysWOW64\Pppihdha.exe (command line: C:\Windows\system32\Pppihdha.exe)
- Drops file in System32 directory
PID: 2972
Level 99: C:\Windows\SysWOW64\Pfjbdn32.exe (command line: C:\Windows\system32\Pfjbdn32.exe)
- Drops file in System32 directory
PID: 2888
Level 100: C:\Windows\SysWOW64\Phknlfem.exe (command line: C:\Windows\system32\Phknlfem.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2936
Level 101: C:\Windows\SysWOW64\Ppbfmdfo.exe (command line: C:\Windows\system32\Ppbfmdfo.exe)
- Modifies registry class
PID: 1520
Level 102: C:\Windows\SysWOW64\Pbqbioeb.exe (command line: C:\Windows\system32\Pbqbioeb.exe)
PID: 880
Level 103: C:\Windows\SysWOW64\Pikkfilp.exe (command line: C:\Windows\system32\Pikkfilp.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 1396
Level 104: C:\Windows\SysWOW64\Pjlgna32.exe (command line: C:\Windows\system32\Pjlgna32.exe)
PID: 1884
Level 105: C:\Windows\SysWOW64\Pbcooo32.exe (command line: C:\Windows\system32\Pbcooo32.exe)
PID: 2700
Level 106: C:\Windows\SysWOW64\Peakkj32.exe (command line: C:\Windows\system32\Peakkj32.exe)
PID: 1324
Level 107: C:\Windows\SysWOW64\Qmomelml.exe (command line: C:\Windows\system32\Qmomelml.exe)
PID: 2876
Level 108: C:\Windows\SysWOW64\Qdieaf32.exe (command line: C:\Windows\system32\Qdieaf32.exe)
- Drops file in System32 directory
PID: 1620
Level 109: C:\Windows\SysWOW64\Qhdabemb.exe (command line: C:\Windows\system32\Qhdabemb.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 1680
Level 110: C:\Windows\SysWOW64\Qjcmoqlf.exe (command line: C:\Windows\system32\Qjcmoqlf.exe)
- Drops file in System32 directory
PID: 960
Level 111: C:\Windows\SysWOW64\Amaiklki.exe (command line: C:\Windows\system32\Amaiklki.exe)
PID: 2704
Level 112: C:\Windows\SysWOW64\Adkbgf32.exe (command line: C:\Windows\system32\Adkbgf32.exe)
PID: 572
Level 113: C:\Windows\SysWOW64\Afjncabj.exe (command line: C:\Windows\system32\Afjncabj.exe)
PID: 2480
Level 114: C:\Windows\SysWOW64\Aihjpman.exe (command line: C:\Windows\system32\Aihjpman.exe)
PID: 1484
Level 115: C:\Windows\SysWOW64\Apbblg32.exe (command line: C:\Windows\system32\Apbblg32.exe)
PID: 932
Level 116: C:\Windows\SysWOW64\Abpohb32.exe (command line: C:\Windows\system32\Abpohb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1160
Level 117: C:\Windows\SysWOW64\Aijgemok.exe (command line: C:\Windows\system32\Aijgemok.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 328
Level 118: C:\Windows\SysWOW64\Alicahno.exe (command line: C:\Windows\system32\Alicahno.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1768
Level 119: C:\Windows\SysWOW64\Aogpmcmb.exe (command line: C:\Windows\system32\Aogpmcmb.exe)
- Modifies registry class
PID: 2228
Level 120: C:\Windows\SysWOW64\Aahhoo32.exe (command line: C:\Windows\system32\Aahhoo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2688
Level 121: C:\Windows\SysWOW64\Almmlg32.exe (command line: C:\Windows\system32\Almmlg32.exe)
PID: 1104
Level 122: C:\Windows\SysWOW64\Aolihc32.exe (command line: C:\Windows\system32\Aolihc32.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 2324