Analysis
-
max time kernel
119s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
17/11/2023, 02:20
Behavioral task
behavioral1
Sample
NEAS.e47eeffe99e84e8d66976554592beb80.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e47eeffe99e84e8d66976554592beb80.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.e47eeffe99e84e8d66976554592beb80.exe
-
Size
109KB
-
MD5
e47eeffe99e84e8d66976554592beb80
-
SHA1
18edf94ae838fa8da71e3b00e8dc83e9c15daa70
-
SHA256
5aab7ff7c4894a2531cfefcd3a2cfa39a2936c1246882c5dffc655c989120ddd
-
SHA512
c72018f6034996213348a3ac6ea60e76e0eca44ec4b9bfbb67461eec18c2b27871e17a1ea0aa5508fccdd3c144303feee3832673980911a15a90b6cbdfd7ced9
-
SSDEEP
3072:VjBuyTz+AfT/GipMz/Ep8fo3PXl9Z7S/yCsKh2EzZA/z:DfHfT/GipMz/Epgo35e/yCthvUz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipgbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihjnom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjpcbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apimacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blbfjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cahail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qijdocfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhajdblk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.e47eeffe99e84e8d66976554592beb80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nigome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbnoliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poapfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmgocb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mooaljkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ooeggp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdbhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidoim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfjbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cilibi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kebgia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndemjoae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pihgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qngmgjeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apdhjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bpfeppop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmojocel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhdcji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjoplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmlbfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blgpef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonoflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmpnhdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okanklik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkcdafqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Linphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libicbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbgjqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knklagmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmclhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpnojioo.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2068-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00070000000120bd-5.dat family_berbew behavioral1/memory/2068-6-0x0000000000220000-0x0000000000264000-memory.dmp family_berbew behavioral1/files/0x00070000000120bd-9.dat family_berbew behavioral1/files/0x00070000000120bd-12.dat family_berbew behavioral1/files/0x00070000000120bd-8.dat family_berbew behavioral1/files/0x00070000000120bd-13.dat family_berbew behavioral1/files/0x0022000000014491-18.dat family_berbew behavioral1/files/0x0022000000014491-24.dat family_berbew behavioral1/files/0x0022000000014491-26.dat family_berbew behavioral1/memory/2732-32-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0007000000014980-36.dat family_berbew behavioral1/files/0x0007000000014980-40.dat family_berbew behavioral1/files/0x0007000000014980-39.dat family_berbew behavioral1/files/0x0007000000014980-35.dat family_berbew behavioral1/files/0x0007000000014980-33.dat family_berbew behavioral1/files/0x0007000000014ad8-51.dat family_berbew behavioral1/files/0x0007000000014ad8-48.dat family_berbew behavioral1/files/0x0007000000014ad8-47.dat family_berbew behavioral1/files/0x0007000000014ad8-45.dat family_berbew behavioral1/files/0x0022000000014491-27.dat family_berbew behavioral1/files/0x0022000000014491-21.dat family_berbew behavioral1/memory/2836-58-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/3064-67-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00060000000154ab-66.dat family_berbew behavioral1/files/0x00060000000154ab-65.dat family_berbew behavioral1/files/0x00060000000154ab-62.dat family_berbew behavioral1/files/0x00060000000154ab-61.dat family_berbew behavioral1/files/0x00060000000155af-72.dat family_berbew behavioral1/files/0x00060000000154ab-59.dat family_berbew behavioral1/files/0x0007000000014ad8-53.dat family_berbew behavioral1/memory/2292-52-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2208-19-0x00000000002B0000-0x00000000002F4000-memory.dmp family_berbew behavioral1/files/0x00060000000155af-74.dat family_berbew behavioral1/files/0x00060000000155af-75.dat family_berbew behavioral1/files/0x00060000000155af-78.dat family_berbew behavioral1/memory/2592-79-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00060000000155af-80.dat family_berbew behavioral1/files/0x0006000000015618-85.dat family_berbew behavioral1/files/0x0006000000015618-92.dat family_berbew behavioral1/files/0x0006000000015618-90.dat family_berbew behavioral1/memory/2592-91-0x00000000001B0000-0x00000000001F4000-memory.dmp family_berbew behavioral1/files/0x0006000000015618-93.dat family_berbew behavioral1/files/0x0006000000015618-87.dat family_berbew behavioral1/files/0x0006000000015c13-105.dat family_berbew behavioral1/files/0x0006000000015c13-102.dat family_berbew behavioral1/files/0x0006000000015c13-101.dat family_berbew behavioral1/memory/3028-100-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015c13-98.dat family_berbew behavioral1/memory/1200-107-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2592-113-0x00000000001B0000-0x00000000001F4000-memory.dmp family_berbew behavioral1/memory/2068-112-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015c13-106.dat family_berbew behavioral1/files/0x0006000000015c3e-114.dat family_berbew behavioral1/files/0x0006000000015c3e-118.dat family_berbew behavioral1/memory/1200-115-0x0000000000220000-0x0000000000264000-memory.dmp family_berbew behavioral1/files/0x0006000000015c3e-122.dat family_berbew behavioral1/files/0x0006000000015c3e-123.dat family_berbew behavioral1/memory/2208-121-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015c3e-117.dat family_berbew behavioral1/files/0x0006000000015c60-131.dat family_berbew behavioral1/memory/1616-137-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2668-138-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015c60-136.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2208 Obojhlbq.exe 2732 Obafnlpn.exe 2292 Ooeggp32.exe 2836 Pdaoog32.exe 3064 Pnjdhmdo.exe 2592 Piphee32.exe 3028 Pciifc32.exe 1200 Pnomcl32.exe 2668 Pjenhm32.exe 1616 Pgioaa32.exe 1448 Pikkiijf.exe 776 Qpgpkcpp.exe 2916 Qfahhm32.exe 1948 Apimacnn.exe 1524 Afcenm32.exe 1808 Alpmfdcb.exe 2088 Albjlcao.exe 1532 Abmbhn32.exe 2280 Alegac32.exe 1544 Amfcikek.exe 1372 Ahlgfdeq.exe 1492 Aoepcn32.exe 2424 Bdbhke32.exe 2188 Bmkmdk32.exe 2248 Bfcampgf.exe 1976 Blpjegfm.exe 1944 Bfenbpec.exe 1732 Blbfjg32.exe 2672 Bghjhp32.exe 2792 Bocolb32.exe 2952 Bemgilhh.exe 2608 Blgpef32.exe 2580 Ccahbp32.exe 2652 Cohigamf.exe 3068 Ceaadk32.exe 2560 Cahail32.exe 2760 Cgejac32.exe 2524 Cpnojioo.exe 1624 Cghggc32.exe 3000 Cldooj32.exe 676 Dgjclbdi.exe 1308 Dndlim32.exe 2360 Doehqead.exe 988 Dglpbbbg.exe 572 Dhnmij32.exe 784 Dogefd32.exe 2908 Dfamcogo.exe 1992 Dknekeef.exe 840 Dbhnhp32.exe 2964 Ddgjdk32.exe 1556 Dolnad32.exe 1924 Dbkknojp.exe 860 Dhdcji32.exe 1968 Dkcofe32.exe 2980 Ebmgcohn.exe 1060 Ehgppi32.exe 2416 Ejhlgaeh.exe 1012 Ebodiofk.exe 2004 Ecqqpgli.exe 2784 Ejkima32.exe 2692 Edpmjj32.exe 2744 Fidoim32.exe 2700 Flehkhai.exe 2720 Flgeqgog.exe -
Loads dropped DLL 64 IoCs
pid Process 2068 NEAS.e47eeffe99e84e8d66976554592beb80.exe 2068 NEAS.e47eeffe99e84e8d66976554592beb80.exe 2208 Obojhlbq.exe 2208 Obojhlbq.exe 2732 Obafnlpn.exe 2732 Obafnlpn.exe 2292 Ooeggp32.exe 2292 Ooeggp32.exe 2836 Pdaoog32.exe 2836 Pdaoog32.exe 3064 Pnjdhmdo.exe 3064 Pnjdhmdo.exe 2592 Piphee32.exe 2592 Piphee32.exe 3028 Pciifc32.exe 3028 Pciifc32.exe 1200 Pnomcl32.exe 1200 Pnomcl32.exe 2668 Pjenhm32.exe 2668 Pjenhm32.exe 1616 Pgioaa32.exe 1616 Pgioaa32.exe 1448 Pikkiijf.exe 1448 Pikkiijf.exe 776 Qpgpkcpp.exe 776 Qpgpkcpp.exe 2916 Qfahhm32.exe 2916 Qfahhm32.exe 1948 Apimacnn.exe 1948 Apimacnn.exe 1524 Afcenm32.exe 1524 Afcenm32.exe 1808 Alpmfdcb.exe 1808 Alpmfdcb.exe 2088 Albjlcao.exe 2088 Albjlcao.exe 1532 Abmbhn32.exe 1532 Abmbhn32.exe 2280 Alegac32.exe 2280 Alegac32.exe 1544 Amfcikek.exe 1544 Amfcikek.exe 1372 Ahlgfdeq.exe 1372 Ahlgfdeq.exe 1492 Aoepcn32.exe 1492 Aoepcn32.exe 2424 Bdbhke32.exe 2424 Bdbhke32.exe 2188 Bmkmdk32.exe 2188 Bmkmdk32.exe 2248 Bfcampgf.exe 2248 Bfcampgf.exe 1976 Blpjegfm.exe 1976 Blpjegfm.exe 1944 Bfenbpec.exe 1944 Bfenbpec.exe 1732 Blbfjg32.exe 1732 Blbfjg32.exe 2672 Bghjhp32.exe 2672 Bghjhp32.exe 2792 Bocolb32.exe 2792 Bocolb32.exe 2952 Bemgilhh.exe 2952 Bemgilhh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pdaoog32.exe Ooeggp32.exe File opened for modification C:\Windows\SysWOW64\Doehqead.exe Dndlim32.exe File created C:\Windows\SysWOW64\Lhghcb32.dll Fikejl32.exe File created C:\Windows\SysWOW64\Aaebnq32.dll Lfpclh32.exe File created C:\Windows\SysWOW64\Ljmlbfhi.exe Lbfdaigg.exe File created C:\Windows\SysWOW64\Pmmani32.dll Aaloddnn.exe File opened for modification C:\Windows\SysWOW64\Qfahhm32.exe Qpgpkcpp.exe File created C:\Windows\SysWOW64\Dgjclbdi.exe Cldooj32.exe File created C:\Windows\SysWOW64\Egqdeaqb.dll Dfamcogo.exe File created C:\Windows\SysWOW64\Gmbdnn32.exe Gjdhbc32.exe File created C:\Windows\SysWOW64\Dkcinege.dll Hgjefg32.exe File opened for modification C:\Windows\SysWOW64\Ichllgfb.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Jdehon32.exe Jbgkcb32.exe File created C:\Windows\SysWOW64\Jcjbelmp.dll Kilfcpqm.exe File opened for modification C:\Windows\SysWOW64\Kmjojo32.exe Kebgia32.exe File created C:\Windows\SysWOW64\Fnqkpajk.dll Mencccop.exe File opened for modification C:\Windows\SysWOW64\Mgalqkbk.exe Mdcpdp32.exe File opened for modification C:\Windows\SysWOW64\Cbgjqo32.exe Cphndc32.exe File created C:\Windows\SysWOW64\Cbcodmih.dll Dhdcji32.exe File created C:\Windows\SysWOW64\Jmamaoln.dll Ghqnjk32.exe File created C:\Windows\SysWOW64\Heihnoph.exe Hkcdafqb.exe File opened for modification C:\Windows\SysWOW64\Jdgdempa.exe Jmplcp32.exe File created C:\Windows\SysWOW64\Jgfqaiod.exe Jdgdempa.exe File created C:\Windows\SysWOW64\Dfdlklmn.dll Gakcimgf.exe File opened for modification C:\Windows\SysWOW64\Hbfbgd32.exe Ghqnjk32.exe File created C:\Windows\SysWOW64\Kmjojo32.exe Kebgia32.exe File created C:\Windows\SysWOW64\Lcagpl32.exe Lmgocb32.exe File created C:\Windows\SysWOW64\Djihnh32.dll Pgioaa32.exe File created C:\Windows\SysWOW64\Ehgppi32.exe Ebmgcohn.exe File opened for modification C:\Windows\SysWOW64\Gfjhgdck.exe Gdllkhdg.exe File opened for modification C:\Windows\SysWOW64\Hkcdafqb.exe Hhehek32.exe File opened for modification C:\Windows\SysWOW64\Heihnoph.exe Hkcdafqb.exe File opened for modification C:\Windows\SysWOW64\Jdehon32.exe Jbgkcb32.exe File opened for modification C:\Windows\SysWOW64\Kebgia32.exe Kcakaipc.exe File created C:\Windows\SysWOW64\Mmihhelk.exe Mhloponc.exe File created C:\Windows\SysWOW64\Incbogkn.dll Nibebfpl.exe File created C:\Windows\SysWOW64\Bmclhi32.exe Bhfcpb32.exe File created C:\Windows\SysWOW64\Jbgkcb32.exe Jjpcbe32.exe File created C:\Windows\SysWOW64\Jghmfhmb.exe Jqnejn32.exe File created C:\Windows\SysWOW64\Papnde32.dll Kaldcb32.exe File opened for modification C:\Windows\SysWOW64\Mlaeonld.exe Libicbma.exe File created C:\Windows\SysWOW64\Aaapnkij.dll Oegbheiq.exe File created C:\Windows\SysWOW64\Pmojocel.exe Pjpnbg32.exe File created C:\Windows\SysWOW64\Pfgngh32.exe Pomfkndo.exe File created C:\Windows\SysWOW64\Bfpnmj32.exe Bpfeppop.exe File created C:\Windows\SysWOW64\Obilnl32.dll Ccahbp32.exe File created C:\Windows\SysWOW64\Ichllgfb.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Lnbbbffj.exe Llcefjgf.exe File created C:\Windows\SysWOW64\Okbekdoi.dll Amnfnfgg.exe File created C:\Windows\SysWOW64\Nmmfff32.dll Bmclhi32.exe File created C:\Windows\SysWOW64\Dljnnb32.dll Ipgbjl32.exe File created C:\Windows\SysWOW64\Kqqboncb.exe Kjfjbdle.exe File created C:\Windows\SysWOW64\Bfqgjgep.dll Ajecmj32.exe File created C:\Windows\SysWOW64\Opacnnhp.dll Bhfcpb32.exe File created C:\Windows\SysWOW64\Gcgnbi32.dll Kqqboncb.exe File opened for modification C:\Windows\SysWOW64\Aaolidlk.exe Ajecmj32.exe File opened for modification C:\Windows\SysWOW64\Bhajdblk.exe Bfpnmj32.exe File created C:\Windows\SysWOW64\Bonoflae.exe Bhdgjb32.exe File created C:\Windows\SysWOW64\Mclgfa32.dll Blpjegfm.exe File opened for modification C:\Windows\SysWOW64\Gmgninie.exe Gbaileio.exe File opened for modification C:\Windows\SysWOW64\Iefhhbef.exe Ichllgfb.exe File opened for modification C:\Windows\SysWOW64\Kjfjbdle.exe Jghmfhmb.exe File created C:\Windows\SysWOW64\Pomfkndo.exe Pmojocel.exe File created C:\Windows\SysWOW64\Poocpnbm.exe Piekcd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3844 3788 WerFault.exe 259 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll" Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piphee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikhjki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pomfkndo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piekcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 NEAS.e47eeffe99e84e8d66976554592beb80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfenbpec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnag32.dll" Hbfbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" Mbmjah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Apdhjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccahbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbaileio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqhijbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcakaipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll" Nibebfpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qeaedd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akmjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfcampgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhfbqi.dll" Bghjhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgafalg.dll" Ikhjki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doqplo32.dll" Hhehek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghelfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkhnle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jghmfhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiqpop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcagpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhloponc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhdgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpooed32.dll" Bemgilhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnmhkin.dll" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgjclbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddgjdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inifnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" Mieeibkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poocpnbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajecmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbgjqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alpmfdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejmmiihp.dll" Ceaadk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecqqpgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll" Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll" Abphal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll" Bphbeplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edekcace.dll" Dknekeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fidoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbgkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll" Linphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipllekdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeelpbm.dll" Jqgoiokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpjhkjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaolidlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpgpkcpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Heihnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Heihnoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdcpdp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2208 2068 NEAS.e47eeffe99e84e8d66976554592beb80.exe 28 PID 2068 wrote to memory of 2208 2068 NEAS.e47eeffe99e84e8d66976554592beb80.exe 28 PID 2068 wrote to memory of 2208 2068 NEAS.e47eeffe99e84e8d66976554592beb80.exe 28 PID 2068 wrote to memory of 2208 2068 NEAS.e47eeffe99e84e8d66976554592beb80.exe 28 PID 2208 wrote to memory of 2732 2208 Obojhlbq.exe 29 PID 2208 wrote to memory of 2732 2208 Obojhlbq.exe 29 PID 2208 wrote to memory of 2732 2208 Obojhlbq.exe 29 PID 2208 wrote to memory of 2732 2208 Obojhlbq.exe 29 PID 2732 wrote to memory of 2292 2732 Obafnlpn.exe 31 PID 2732 wrote to memory of 2292 2732 Obafnlpn.exe 31 PID 2732 wrote to memory of 2292 2732 Obafnlpn.exe 31 PID 2732 wrote to memory of 2292 2732 Obafnlpn.exe 31 PID 2292 wrote to memory of 2836 2292 Ooeggp32.exe 30 PID 2292 wrote to memory of 2836 2292 Ooeggp32.exe 30 PID 2292 wrote to memory of 2836 2292 Ooeggp32.exe 30 PID 2292 wrote to memory of 2836 2292 Ooeggp32.exe 30 PID 2836 wrote to memory of 3064 2836 Pdaoog32.exe 32 PID 2836 wrote to memory of 3064 2836 Pdaoog32.exe 32 PID 2836 wrote to memory of 3064 2836 Pdaoog32.exe 32 PID 2836 wrote to memory of 3064 2836 Pdaoog32.exe 32 PID 3064 wrote to memory of 2592 3064 Pnjdhmdo.exe 33 PID 3064 wrote to memory of 2592 3064 Pnjdhmdo.exe 33 PID 3064 wrote to memory of 2592 3064 Pnjdhmdo.exe 33 PID 3064 wrote to memory of 2592 3064 Pnjdhmdo.exe 33 PID 2592 wrote to memory of 3028 2592 Piphee32.exe 34 PID 2592 wrote to memory of 3028 2592 Piphee32.exe 34 PID 2592 wrote to memory of 3028 2592 Piphee32.exe 34 PID 2592 wrote to memory of 3028 2592 Piphee32.exe 34 PID 3028 wrote to memory of 1200 3028 Pciifc32.exe 35 PID 3028 wrote to memory of 1200 3028 Pciifc32.exe 35 PID 3028 wrote to memory of 1200 3028 Pciifc32.exe 35 PID 3028 wrote to memory of 1200 3028 Pciifc32.exe 35 PID 1200 wrote to memory of 2668 1200 Pnomcl32.exe 36 PID 1200 wrote to memory of 2668 1200 Pnomcl32.exe 36 PID 1200 wrote to memory of 2668 1200 Pnomcl32.exe 36 PID 1200 wrote to memory of 2668 1200 Pnomcl32.exe 36 PID 2668 wrote to memory of 1616 2668 Pjenhm32.exe 37 PID 2668 wrote to memory of 1616 2668 Pjenhm32.exe 37 PID 2668 wrote to memory of 1616 2668 Pjenhm32.exe 37 PID 2668 wrote to memory of 1616 2668 Pjenhm32.exe 37 PID 1616 wrote to memory of 1448 1616 Pgioaa32.exe 38 PID 1616 wrote to memory of 1448 1616 Pgioaa32.exe 38 PID 1616 wrote to memory of 1448 1616 Pgioaa32.exe 38 PID 1616 wrote to memory of 1448 1616 Pgioaa32.exe 38 PID 1448 wrote to memory of 776 1448 Pikkiijf.exe 39 PID 1448 wrote to memory of 776 1448 Pikkiijf.exe 39 PID 1448 wrote to memory of 776 1448 Pikkiijf.exe 39 PID 1448 wrote to memory of 776 1448 Pikkiijf.exe 39 PID 776 wrote to memory of 2916 776 Qpgpkcpp.exe 40 PID 776 wrote to memory of 2916 776 Qpgpkcpp.exe 40 PID 776 wrote to memory of 2916 776 Qpgpkcpp.exe 40 PID 776 wrote to memory of 2916 776 Qpgpkcpp.exe 40 PID 2916 wrote to memory of 1948 2916 Qfahhm32.exe 41 PID 2916 wrote to memory of 1948 2916 Qfahhm32.exe 41 PID 2916 wrote to memory of 1948 2916 Qfahhm32.exe 41 PID 2916 wrote to memory of 1948 2916 Qfahhm32.exe 41 PID 1948 wrote to memory of 1524 1948 Apimacnn.exe 42 PID 1948 wrote to memory of 1524 1948 Apimacnn.exe 42 PID 1948 wrote to memory of 1524 1948 Apimacnn.exe 42 PID 1948 wrote to memory of 1524 1948 Apimacnn.exe 42 PID 1524 wrote to memory of 1808 1524 Afcenm32.exe 43 PID 1524 wrote to memory of 1808 1524 Afcenm32.exe 43 PID 1524 wrote to memory of 1808 1524 Afcenm32.exe 43 PID 1524 wrote to memory of 1808 1524 Afcenm32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e47eeffe99e84e8d66976554592beb80.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e47eeffe99e84e8d66976554592beb80.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2292
-
-
-
-
C:\Windows\SysWOW64\Pdaoog32.exeC:\Windows\system32\Pdaoog32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Pciifc32.exeC:\Windows\system32\Pciifc32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Afcenm32.exeC:\Windows\system32\Afcenm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Alegac32.exeC:\Windows\system32\Alegac32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Bocolb32.exeC:\Windows\system32\Bocolb32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Bemgilhh.exeC:\Windows\system32\Bemgilhh.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe31⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe34⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe36⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe40⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe43⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe46⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe48⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe49⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe51⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe54⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe55⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe57⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe58⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe60⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe61⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe62⤵PID:3032
-
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe64⤵PID:1912
-
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe65⤵PID:1480
-
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe66⤵PID:2024
-
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe67⤵PID:1932
-
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe68⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe69⤵
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe70⤵
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe71⤵PID:968
-
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe72⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe73⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1836 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe75⤵PID:2272
-
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe78⤵PID:1752
-
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe79⤵PID:2012
-
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe80⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe81⤵
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe82⤵PID:2180
-
C:\Windows\SysWOW64\Hlngpjlj.exeC:\Windows\system32\Hlngpjlj.exe83⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe84⤵PID:2776
-
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Hkcdafqb.exeC:\Windows\system32\Hkcdafqb.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe87⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Hgjefg32.exeC:\Windows\system32\Hgjefg32.exe88⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe89⤵
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe90⤵PID:2680
-
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe91⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Hpefdl32.exeC:\Windows\system32\Hpefdl32.exe92⤵PID:2312
-
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe93⤵PID:1412
-
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe94⤵
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe96⤵PID:1736
-
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Ichllgfb.exeC:\Windows\system32\Ichllgfb.exe98⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe99⤵PID:2484
-
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe100⤵
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe101⤵PID:1864
-
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe102⤵PID:2232
-
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe103⤵PID:2948
-
C:\Windows\SysWOW64\Ihjnom32.exeC:\Windows\system32\Ihjnom32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe105⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe106⤵PID:2828
-
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe107⤵PID:1592
-
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe108⤵PID:2796
-
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe109⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe110⤵PID:1596
-
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Jbgkcb32.exeC:\Windows\system32\Jbgkcb32.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe113⤵PID:688
-
C:\Windows\SysWOW64\Jkoplhip.exeC:\Windows\system32\Jkoplhip.exe114⤵PID:1988
-
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe115⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe116⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe117⤵PID:2956
-
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe118⤵PID:1784
-
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-