Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 183s
max time network: 142s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 18/11/2023, 03:28
Behavioral task: behavioral1
Sample: NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
Size: 88KB
MD5: 055abb3b4da1780e637bf46c2aff1a50
SHA1: aea2c372b990c608de907e3fa20cd2ceca6f20de
SHA256: 96a73dff679af6c45b4e009e271a73c1a87bb20bdb858a6dd93495824b481fd8
SHA512: 418f2345480fef00c09f882766c4742ab6aaf67496d67948605cfff00a3b513869ce1d9692650d78645686b4f83174fcb9f31dfcf5d6aaebe9d21a141294f4f2
SSDEEP: 1536:HtFyndIMoigAKZ4wFL8QOVXtE1ukVd71rFZO7+90vT:HvEqieZTLi9EIIJ15ZO7Vr
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mncfgh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeegnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibejfffo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbcfme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jifhdphd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bigohejb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeiecfga.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbbiii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nanhihno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qigebglj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amgjnepn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmbjjp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddkbqfcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbcfme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epeoaffo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebckmaec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibhicbao.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfpmbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afnfcl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghnfci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmjbchnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofafgipc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaogbh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbhbfmkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkpppmko.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnhjgj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgmolb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hnjagdlj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdcncg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdjddf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llpfjomf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gegaeabe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chmkkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iaoddodf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Anfeop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjalndpb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nalldh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfkebkjk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gamkol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bigohejb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmegodpi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epeoaffo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llpfjomf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bafkookd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akkokc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gqknjlfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dchpnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npcika32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qoaaqb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edhbjjhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnjagdlj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpjfjalp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpphdpcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngkaaolf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkdbab32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlkekilg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbdmljln.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nohaklfk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Allgoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cglfndaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcfmfc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfldno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmpmjpba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bafkookd.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/memory/2816-0-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0032000000015ce9-5.dat | family_berbew
behavioral1/memory/2816-6-0x0000000000220000-0x0000000000260000-memory.dmp | family_berbew
behavioral1/files/0x0032000000015ce9-8.dat | family_berbew
behavioral1/files/0x0032000000015ce9-9.dat | family_berbew
behavioral1/files/0x0032000000015ce9-12.dat | family_berbew
behavioral1/files/0x0032000000015ce9-13.dat | family_berbew
behavioral1/files/0x000700000001626b-27.dat | family_berbew
behavioral1/files/0x000700000001626b-38.dat | family_berbew
behavioral1/files/0x000900000001658b-47.dat | family_berbew
behavioral1/files/0x000900000001658b-51.dat | family_berbew
behavioral1/files/0x0006000000016c2b-53.dat | family_berbew
behavioral1/files/0x0006000000016c2b-64.dat | family_berbew
behavioral1/memory/1672-69-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/memory/2640-70-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016c2b-63.dat | family_berbew
behavioral1/files/0x0006000000016ca3-78.dat | family_berbew
behavioral1/files/0x0006000000016ca3-75.dat | family_berbew
behavioral1/files/0x0006000000016ca3-74.dat | family_berbew
behavioral1/memory/1672-73-0x0000000000220000-0x0000000000260000-memory.dmp | family_berbew
behavioral1/files/0x0006000000016ca3-71.dat | family_berbew
behavioral1/files/0x000900000001658b-52.dat | family_berbew
behavioral1/files/0x0006000000016c2b-59.dat | family_berbew
behavioral1/files/0x0006000000016c2b-57.dat | family_berbew
behavioral1/memory/2836-50-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x000700000001626b-39.dat | family_berbew
behavioral1/files/0x000900000001658b-46.dat | family_berbew
behavioral1/files/0x000900000001658b-44.dat | family_berbew
behavioral1/memory/2752-37-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x000700000001626b-33.dat | family_berbew
behavioral1/files/0x000700000001626b-31.dat | family_berbew
behavioral1/files/0x0008000000015ecd-26.dat | family_berbew
behavioral1/files/0x0006000000016ca3-79.dat | family_berbew
behavioral1/files/0x0008000000015ecd-25.dat | family_berbew
behavioral1/files/0x0008000000015ecd-22.dat | family_berbew
behavioral1/files/0x0008000000015ecd-20.dat | family_berbew
behavioral1/files/0x0008000000015ecd-18.dat | family_berbew
behavioral1/files/0x0033000000015d39-87.dat | family_berbew
behavioral1/files/0x0033000000015d39-91.dat | family_berbew
behavioral1/files/0x0033000000015d39-90.dat | family_berbew
behavioral1/files/0x0033000000015d39-86.dat | family_berbew
behavioral1/files/0x0033000000015d39-84.dat | family_berbew
behavioral1/files/0x0006000000016ce7-99.dat | family_berbew
behavioral1/files/0x0006000000016ce7-103.dat | family_berbew
behavioral1/files/0x0006000000016ce7-102.dat | family_berbew
behavioral1/files/0x0006000000016d01-114.dat | family_berbew
behavioral1/files/0x0006000000016d01-115.dat | family_berbew
behavioral1/files/0x0006000000016d01-111.dat | family_berbew
behavioral1/files/0x0006000000016d01-110.dat | family_berbew
behavioral1/files/0x0006000000016d01-108.dat | family_berbew
behavioral1/files/0x0006000000016ce7-98.dat | family_berbew
behavioral1/files/0x0006000000016ce7-96.dat | family_berbew
behavioral1/files/0x0006000000016d0a-123.dat | family_berbew
behavioral1/files/0x0006000000016d0a-126.dat | family_berbew
behavioral1/files/0x0006000000016d0a-122.dat | family_berbew
behavioral1/files/0x0006000000016d0a-120.dat | family_berbew
behavioral1/files/0x0006000000016d0a-127.dat | family_berbew
behavioral1/files/0x0006000000016d39-132.dat | family_berbew
behavioral1/files/0x0006000000016d39-135.dat | family_berbew
behavioral1/files/0x0006000000016d39-134.dat | family_berbew
behavioral1/files/0x0006000000016d39-139.dat | family_berbew
behavioral1/files/0x0006000000016d39-138.dat | family_berbew
behavioral1/files/0x0006000000016d64-144.dat | family_berbew
behavioral1/files/0x0006000000016d64-147.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
3008 | Cfehhn32.exe
2752 | Difqji32.exe
2836 | Eakhdj32.exe
2640 | Edidqf32.exe
1672 | Eifmimch.exe
2028 | Eemnnn32.exe
2376 | Epeoaffo.exe
1036 | Ebckmaec.exe
1400 | Eimcjl32.exe
2920 | Eknpadcn.exe
588 | Fmdbnnlj.exe
2900 | Fglfgd32.exe
1640 | Fliook32.exe
1156 | Fccglehn.exe
2408 | Gncnmane.exe
2340 | Ibhicbao.exe
832 | Jefbnacn.exe
1092 | Jnofgg32.exe
1936 | Libjncnc.exe
1996 | Llpfjomf.exe
1836 | Ldgnklmi.exe
2004 | Leikbd32.exe
620 | Lpnopm32.exe
3000 | Lifcib32.exe
2188 | Loclai32.exe
276 | Lhlqjone.exe
1100 | Lofifi32.exe
2168 | Ladebd32.exe
1284 | Lhnmoo32.exe
1612 | Mdendpbg.exe
2864 | Mkofaj32.exe
2272 | Mnmbme32.exe
2668 | Mploiq32.exe
2132 | Mhcfjnhm.exe
1656 | Mjdcbf32.exe
2404 | Mkcplien.exe
624 | Mpphdpcf.exe
1264 | Mjilmejf.exe
2036 | Mfpmbf32.exe
1924 | Mlieoqgg.exe
536 | Nohaklfk.exe
2652 | Njmfhe32.exe
684 | Nkobpmlo.exe
1096 | Ndggib32.exe
1644 | Nkaoemjm.exe
2256 | Nffccejb.exe
2088 | Nghpjn32.exe
2368 | Noohlkpc.exe
2688 | Nbmdhfog.exe
828 | Nigldq32.exe
2384 | Ngjlpmnn.exe
716 | Nbpqmfmd.exe
1684 | Ndnmialh.exe
1980 | Ogliemkk.exe
1952 | Omiand32.exe
1928 | Oqennbbl.exe
1484 | Occjjnap.exe
2120 | Ofafgipc.exe
3068 | Oninhgae.exe
1296 | Opjkpo32.exe
2804 | Ofdclinq.exe
1152 | Oaigib32.exe
2628 | Obkcajde.exe
2612 | Oielnd32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2816 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
2816 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe
3008 | Cfehhn32.exe
3008 | Cfehhn32.exe
2752 | Difqji32.exe
2752 | Difqji32.exe
2836 | Eakhdj32.exe
2836 | Eakhdj32.exe
2640 | Edidqf32.exe
2640 | Edidqf32.exe
1672 | Eifmimch.exe
1672 | Eifmimch.exe
2028 | Eemnnn32.exe
2028 | Eemnnn32.exe
2376 | Epeoaffo.exe
2376 | Epeoaffo.exe
1036 | Ebckmaec.exe
1036 | Ebckmaec.exe
1400 | Eimcjl32.exe
1400 | Eimcjl32.exe
2920 | Eknpadcn.exe
2920 | Eknpadcn.exe
588 | Fmdbnnlj.exe
588 | Fmdbnnlj.exe
2900 | Fglfgd32.exe
2900 | Fglfgd32.exe
1640 | Fliook32.exe
1640 | Fliook32.exe
1156 | Fccglehn.exe
1156 | Fccglehn.exe
2408 | Gncnmane.exe
2408 | Gncnmane.exe
2340 | Ibhicbao.exe
2340 | Ibhicbao.exe
832 | Jefbnacn.exe
832 | Jefbnacn.exe
1092 | Jnofgg32.exe
1092 | Jnofgg32.exe
1936 | Libjncnc.exe
1936 | Libjncnc.exe
1996 | Llpfjomf.exe
1996 | Llpfjomf.exe
1836 | Ldgnklmi.exe
1836 | Ldgnklmi.exe
2004 | Leikbd32.exe
2004 | Leikbd32.exe
620 | Lpnopm32.exe
620 | Lpnopm32.exe
3000 | Lifcib32.exe
3000 | Lifcib32.exe
2188 | Loclai32.exe
2188 | Loclai32.exe
276 | Lhlqjone.exe
276 | Lhlqjone.exe
1100 | Lofifi32.exe
1100 | Lofifi32.exe
2168 | Ladebd32.exe
2168 | Ladebd32.exe
1284 | Lhnmoo32.exe
1284 | Lhnmoo32.exe
1612 | Mdendpbg.exe
1612 | Mdendpbg.exe
2864 | Mkofaj32.exe
2864 | Mkofaj32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Pnhjgj32.exe | Pilbocej.exe
File created | C:\Windows\SysWOW64\Phehko32.exe | Ppopja32.exe
File opened for modification | C:\Windows\SysWOW64\Aqanke32.exe | Qfljmmjl.exe
File opened for modification | C:\Windows\SysWOW64\Ibejfffo.exe | Ipfnjkgk.exe
File created | C:\Windows\SysWOW64\Lkngkj32.exe | Lfaocc32.exe
File created | C:\Windows\SysWOW64\Pkplgoop.exe | Pdfdkehc.exe
File created | C:\Windows\SysWOW64\Cojllidi.dll | Kccbgh32.exe
File created | C:\Windows\SysWOW64\Enmaap32.dll | Occjjnap.exe
File created | C:\Windows\SysWOW64\Pjahakgb.exe | Phcleoho.exe
File created | C:\Windows\SysWOW64\Kmkkio32.dll | Jefbnacn.exe
File created | C:\Windows\SysWOW64\Opaqpn32.exe | Oighcd32.exe
File created | C:\Windows\SysWOW64\Eckomcec.dll | Fjfjcdln.exe
File created | C:\Windows\SysWOW64\Fdakhmhh.dll | Cbljgpja.exe
File created | C:\Windows\SysWOW64\Ojdciphb.dll | Fkdlaplh.exe
File opened for modification | C:\Windows\SysWOW64\Lkhalo32.exe | Lpapgnpb.exe
File created | C:\Windows\SysWOW64\Imfeip32.exe | Ijghmd32.exe
File opened for modification | C:\Windows\SysWOW64\Fkdlaplh.exe | Fdjddf32.exe
File created | C:\Windows\SysWOW64\Bgddam32.exe | Bpjldc32.exe
File created | C:\Windows\SysWOW64\Hnmeeene.dll | Fjhgidjk.exe
File created | C:\Windows\SysWOW64\Oedqakci.dll | Anpahn32.exe
File created | C:\Windows\SysWOW64\Hjfmdp32.dll | Dajiok32.exe
File opened for modification | C:\Windows\SysWOW64\Ahchdb32.exe | Aedlhg32.exe
File created | C:\Windows\SysWOW64\Claake32.exe | Bcfmfc32.exe
File created | C:\Windows\SysWOW64\Pmdocf32.exe | Phgfko32.exe
File opened for modification | C:\Windows\SysWOW64\Noohlkpc.exe | Nghpjn32.exe
File created | C:\Windows\SysWOW64\Abnjmd32.dll | Acjdgf32.exe
File created | C:\Windows\SysWOW64\Pppnia32.exe | Pmabmf32.exe
File created | C:\Windows\SysWOW64\Panehkaj.exe | Oophlpag.exe
File created | C:\Windows\SysWOW64\Mfchgflg.exe | Mbhlgg32.exe
File created | C:\Windows\SysWOW64\Fdjlhdag.dll | Afffgjma.exe
File created | C:\Windows\SysWOW64\Einmnkgf.dll | Bbdmljln.exe
File created | C:\Windows\SysWOW64\Fhnjdfcl.exe | Fdcncg32.exe
File created | C:\Windows\SysWOW64\Agfikc32.exe | Aehmoh32.exe
File created | C:\Windows\SysWOW64\Cogdhpkp.exe | Chmkkf32.exe
File created | C:\Windows\SysWOW64\Elikhl32.dll | Eghdanac.exe
File opened for modification | C:\Windows\SysWOW64\Fdcncg32.exe | Fadagl32.exe
File created | C:\Windows\SysWOW64\Pniohk32.exe | Pkkblp32.exe
File opened for modification | C:\Windows\SysWOW64\Anpahn32.exe | Agfikc32.exe
File created | C:\Windows\SysWOW64\Fcingdbh.exe | Fmofjj32.exe
File created | C:\Windows\SysWOW64\Pbenfb32.dll | Elgioe32.exe
File created | C:\Windows\SysWOW64\Empphi32.exe | Eeiggk32.exe
File opened for modification | C:\Windows\SysWOW64\Ldkeoo32.exe | Lnambeed.exe
File opened for modification | C:\Windows\SysWOW64\Meidib32.exe | Mbjhlg32.exe
File opened for modification | C:\Windows\SysWOW64\Pjahakgb.exe | Phcleoho.exe
File opened for modification | C:\Windows\SysWOW64\Clefdcog.exe | Cfknhi32.exe
File opened for modification | C:\Windows\SysWOW64\Dlpdfjjp.exe | Dhehfk32.exe
File opened for modification | C:\Windows\SysWOW64\Manljd32.exe | Mjddnjdf.exe
File opened for modification | C:\Windows\SysWOW64\Nlocka32.exe | Neekogkm.exe
File created | C:\Windows\SysWOW64\Jehpna32.exe | Ipkgejcf.exe
File opened for modification | C:\Windows\SysWOW64\Bnhqll32.exe | Bmgddcnf.exe
File created | C:\Windows\SysWOW64\Jcnllk32.dll | Eakhdj32.exe
File opened for modification | C:\Windows\SysWOW64\Afpchl32.exe | Akkokc32.exe
File opened for modification | C:\Windows\SysWOW64\Gfldno32.exe | Fnelmb32.exe
File opened for modification | C:\Windows\SysWOW64\Oefmid32.exe | Okailkhd.exe
File opened for modification | C:\Windows\SysWOW64\Agaifnhi.exe | Aqgqid32.exe
File created | C:\Windows\SysWOW64\Ehgaknbp.exe | Eoomai32.exe
File created | C:\Windows\SysWOW64\Fafeln32.dll | Okkfmmqj.exe
File created | C:\Windows\SysWOW64\Encchoml.exe | Ekdglcmh.exe
File opened for modification | C:\Windows\SysWOW64\Dhjdjc32.exe | Daplmimi.exe
File created | C:\Windows\SysWOW64\Imjhfl32.dll | Pmdocf32.exe
File created | C:\Windows\SysWOW64\Nkdegmha.dll | Ejohdbok.exe
File opened for modification | C:\Windows\SysWOW64\Fmdfppkb.exe | Fjfjcdln.exe
File opened for modification | C:\Windows\SysWOW64\Mhckloge.exe | Magfjebk.exe
File created | C:\Windows\SysWOW64\Qfdkaj32.dll | Afpchl32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qpamoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmaeoo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Claake32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emncci32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ladebd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Embbek32.dll" | Ckkcep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Joenaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpjfjalp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfknhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifakkod.dll" | Dhgelk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkekmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hcpqfgol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Polobd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Magfjebk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpeocnpg.dll" | Claake32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mifmoa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnogmk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oaigib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqeqoc32.dll" | Ceoooj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkhjhk32.dll" | Dhlapc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpcfcddp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcnmme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Allgoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baaadl32.dll" | Knmghb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Agaifnhi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Agcekn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmelhc32.dll" | Lpapgnpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aqgqid32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnhqll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbfibj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gkkilfjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bcfmfc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kccbgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momdeobl.dll" | Aonjpp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qekdpkgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfegfg32.dll" | Ehjqif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fnkblm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcnmme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bbocak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjkkb32.dll" | Bcmjpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Edhbjjhn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbkaneao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndggib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Glaiak32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pngbcldl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eeeanm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebckmaec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmihice.dll" | Noohlkpc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fdgefn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhlgpao.dll" | Fmdfppkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdfdkehc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njpcmifp.dll" | Akjham32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll" | Ibhicbao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elikhl32.dll" | Eghdanac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fnbhmlkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnbfdao.dll" | Mbjhlg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnhnhd32.dll" | Nkaoemjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkcnl32.dll" | Qjfalj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajlng32.dll" | Mncfgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bigohejb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjdcbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodpobjn.dll" | Ciebdj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qnnhcknd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjakil32.dll" | Aaondi32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2816 wrote to memory of 3008 | 2816 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe | 29
PID 2816 wrote to memory of 3008 | 2816 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe | 29
PID 2816 wrote to memory of 3008 | 2816 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe | 29
PID 2816 wrote to memory of 3008 | 2816 | NEAS.055abb3b4da1780e637bf46c2aff1a50.exe | 29
PID 3008 wrote to memory of 2752 | 3008 | Cfehhn32.exe | 30
PID 3008 wrote to memory of 2752 | 3008 | Cfehhn32.exe | 30
PID 3008 wrote to memory of 2752 | 3008 | Cfehhn32.exe | 30
PID 3008 wrote to memory of 2752 | 3008 | Cfehhn32.exe | 30
PID 2752 wrote to memory of 2836 | 2752 | Difqji32.exe | 35
PID 2752 wrote to memory of 2836 | 2752 | Difqji32.exe | 35
PID 2752 wrote to memory of 2836 | 2752 | Difqji32.exe | 35
PID 2752 wrote to memory of 2836 | 2752 | Difqji32.exe | 35
PID 2836 wrote to memory of 2640 | 2836 | Eakhdj32.exe | 34
PID 2836 wrote to memory of 2640 | 2836 | Eakhdj32.exe | 34
PID 2836 wrote to memory of 2640 | 2836 | Eakhdj32.exe | 34
PID 2836 wrote to memory of 2640 | 2836 | Eakhdj32.exe | 34
PID 2640 wrote to memory of 1672 | 2640 | Edidqf32.exe | 32
PID 2640 wrote to memory of 1672 | 2640 | Edidqf32.exe | 32
PID 2640 wrote to memory of 1672 | 2640 | Edidqf32.exe | 32
PID 2640 wrote to memory of 1672 | 2640 | Edidqf32.exe | 32
PID 1672 wrote to memory of 2028 | 1672 | Eifmimch.exe | 31
PID 1672 wrote to memory of 2028 | 1672 | Eifmimch.exe | 31
PID 1672 wrote to memory of 2028 | 1672 | Eifmimch.exe | 31
PID 1672 wrote to memory of 2028 | 1672 | Eifmimch.exe | 31
PID 2028 wrote to memory of 2376 | 2028 | Eemnnn32.exe | 33
PID 2028 wrote to memory of 2376 | 2028 | Eemnnn32.exe | 33
PID 2028 wrote to memory of 2376 | 2028 | Eemnnn32.exe | 33
PID 2028 wrote to memory of 2376 | 2028 | Eemnnn32.exe | 33
PID 2376 wrote to memory of 1036 | 2376 | Epeoaffo.exe | 36
PID 2376 wrote to memory of 1036 | 2376 | Epeoaffo.exe | 36
PID 2376 wrote to memory of 1036 | 2376 | Epeoaffo.exe | 36
PID 2376 wrote to memory of 1036 | 2376 | Epeoaffo.exe | 36
PID 1036 wrote to memory of 1400 | 1036 | Ebckmaec.exe | 37
PID 1036 wrote to memory of 1400 | 1036 | Ebckmaec.exe | 37
PID 1036 wrote to memory of 1400 | 1036 | Ebckmaec.exe | 37
PID 1036 wrote to memory of 1400 | 1036 | Ebckmaec.exe | 37
PID 1400 wrote to memory of 2920 | 1400 | Eimcjl32.exe | 38
PID 1400 wrote to memory of 2920 | 1400 | Eimcjl32.exe | 38
PID 1400 wrote to memory of 2920 | 1400 | Eimcjl32.exe | 38
PID 1400 wrote to memory of 2920 | 1400 | Eimcjl32.exe | 38
PID 2920 wrote to memory of 588 | 2920 | Eknpadcn.exe | 39
PID 2920 wrote to memory of 588 | 2920 | Eknpadcn.exe | 39
PID 2920 wrote to memory of 588 | 2920 | Eknpadcn.exe | 39
PID 2920 wrote to memory of 588 | 2920 | Eknpadcn.exe | 39
PID 588 wrote to memory of 2900 | 588 | Fmdbnnlj.exe | 40
PID 588 wrote to memory of 2900 | 588 | Fmdbnnlj.exe | 40
PID 588 wrote to memory of 2900 | 588 | Fmdbnnlj.exe | 40
PID 588 wrote to memory of 2900 | 588 | Fmdbnnlj.exe | 40
PID 2900 wrote to memory of 1640 | 2900 | Fglfgd32.exe | 41
PID 2900 wrote to memory of 1640 | 2900 | Fglfgd32.exe | 41
PID 2900 wrote to memory of 1640 | 2900 | Fglfgd32.exe | 41
PID 2900 wrote to memory of 1640 | 2900 | Fglfgd32.exe | 41
PID 1640 wrote to memory of 1156 | 1640 | Fliook32.exe | 42
PID 1640 wrote to memory of 1156 | 1640 | Fliook32.exe | 42
PID 1640 wrote to memory of 1156 | 1640 | Fliook32.exe | 42
PID 1640 wrote to memory of 1156 | 1640 | Fliook32.exe | 42
PID 1156 wrote to memory of 2408 | 1156 | Fccglehn.exe | 43
PID 1156 wrote to memory of 2408 | 1156 | Fccglehn.exe | 43
PID 1156 wrote to memory of 2408 | 1156 | Fccglehn.exe | 43
PID 1156 wrote to memory of 2408 | 1156 | Fccglehn.exe | 43
PID 2408 wrote to memory of 2340 | 2408 | Gncnmane.exe | 44
PID 2408 wrote to memory of 2340 | 2408 | Gncnmane.exe | 44
PID 2408 wrote to memory of 2340 | 2408 | Gncnmane.exe | 44
PID 2408 wrote to memory of 2340 | 2408 | Gncnmane.exe | 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.055abb3b4da1780e637bf46c2aff1a50.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.055abb3b4da1780e637bf46c2aff1a50.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Difqji32.exeC:\Windows\system32\Difqji32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2836
C:\Windows\SysWOW64\Eemnnn32.exeC:\Windows\system32\Eemnnn32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Epeoaffo.exeC:\Windows\system32\Epeoaffo.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Ebckmaec.exeC:\Windows\system32\Ebckmaec.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Eknpadcn.exeC:\Windows\system32\Eknpadcn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Fmdbnnlj.exeC:\Windows\system32\Fmdbnnlj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Fccglehn.exeC:\Windows\system32\Fccglehn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Ibhicbao.exeC:\Windows\system32\Ibhicbao.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Jefbnacn.exeC:\Windows\system32\Jefbnacn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Leikbd32.exeC:\Windows\system32\Leikbd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Lifcib32.exeC:\Windows\system32\Lifcib32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Loclai32.exeC:\Windows\system32\Loclai32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Lhlqjone.exeC:\Windows\system32\Lhlqjone.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Lhnmoo32.exeC:\Windows\system32\Lhnmoo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe27⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe28⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe29⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Mjdcbf32.exeC:\Windows\system32\Mjdcbf32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe31⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe33⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe35⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe37⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe38⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe41⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe44⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe45⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe46⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe47⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe48⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe49⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe50⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe51⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe54⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe55⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe56⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe58⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe59⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe60⤵PID:840
-
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe61⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe62⤵PID:1648
-
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe63⤵PID:772
-
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe64⤵PID:672
-
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe65⤵PID:308
-
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe66⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:708 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe68⤵PID:2968
-
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe69⤵PID:1708
-
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe70⤵PID:3024
-
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe71⤵
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe72⤵PID:556
-
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe73⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe74⤵PID:1424
-
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe76⤵
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe77⤵PID:1500
-
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe78⤵
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe79⤵PID:2512
-
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe80⤵PID:1716
C:\Windows\SysWOW64\Iejnna32.exeC:\Windows\system32\Iejnna32.exe58⤵PID:3040
-
C:\Windows\SysWOW64\Ihhjjm32.exeC:\Windows\system32\Ihhjjm32.exe59⤵PID:2504
C:\Windows\SysWOW64\Ddhekfeb.exeC:\Windows\system32\Ddhekfeb.exe53⤵PID:1032
C:\Windows\SysWOW64\Bimbql32.exeC:\Windows\system32\Bimbql32.exe47⤵PID:1952
-
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe48⤵PID:1368
-
C:\Windows\SysWOW64\Bojkib32.exeC:\Windows\system32\Bojkib32.exe49⤵PID:1840
-
C:\Windows\SysWOW64\Baigen32.exeC:\Windows\system32\Baigen32.exe50⤵PID:888
-
C:\Windows\SysWOW64\Bdgcaj32.exeC:\Windows\system32\Bdgcaj32.exe51⤵PID:1040
-
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Bmohjooe.exeC:\Windows\system32\Bmohjooe.exe53⤵PID:2624
-
C:\Windows\SysWOW64\Bhelghol.exeC:\Windows\system32\Bhelghol.exe54⤵PID:460
-
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe55⤵PID:2496
-
C:\Windows\SysWOW64\Cooddbfh.exeC:\Windows\system32\Cooddbfh.exe56⤵PID:1400
-
C:\Windows\SysWOW64\Cmaeoo32.exeC:\Windows\system32\Cmaeoo32.exe57⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe58⤵PID:3024
-
C:\Windows\SysWOW64\Cihedpcg.exeC:\Windows\system32\Cihedpcg.exe59⤵PID:2408
-
C:\Windows\SysWOW64\Capmemci.exeC:\Windows\system32\Capmemci.exe60⤵PID:2888
-
C:\Windows\SysWOW64\Cglfndaa.exeC:\Windows\system32\Cglfndaa.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1836 -
C:\Windows\SysWOW64\Chblqlcj.exeC:\Windows\system32\Chblqlcj.exe62⤵PID:1244
-
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe63⤵PID:1100
-
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe65⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Dlpdfjjp.exeC:\Windows\system32\Dlpdfjjp.exe66⤵PID:1960
-
C:\Windows\SysWOW64\Dammoahg.exeC:\Windows\system32\Dammoahg.exe67⤵PID:1756
-
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe68⤵
- Modifies registry class
PID:528 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe69⤵PID:2440
-
C:\Windows\SysWOW64\Dapjdq32.exeC:\Windows\system32\Dapjdq32.exe70⤵PID:988
-
C:\Windows\SysWOW64\Dhibakmb.exeC:\Windows\system32\Dhibakmb.exe71⤵PID:3004
-
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe72⤵PID:1724
-
C:\Windows\SysWOW64\Ejohdbok.exeC:\Windows\system32\Ejohdbok.exe73⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe74⤵PID:2576
-
C:\Windows\SysWOW64\Egchmfnd.exeC:\Windows\system32\Egchmfnd.exe75⤵PID:672
-
C:\Windows\SysWOW64\Eplmflde.exeC:\Windows\system32\Eplmflde.exe76⤵PID:2140
-
C:\Windows\SysWOW64\Eoomai32.exeC:\Windows\system32\Eoomai32.exe77⤵
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ehgaknbp.exeC:\Windows\system32\Ehgaknbp.exe78⤵PID:2968
-
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe79⤵PID:1700
-
C:\Windows\SysWOW64\Fohphgce.exeC:\Windows\system32\Fohphgce.exe80⤵PID:1396
-
C:\Windows\SysWOW64\Fohphgce.exeC:\Windows\system32\Fohphgce.exe81⤵PID:2320
-
C:\Windows\SysWOW64\Fbfldc32.exeC:\Windows\system32\Fbfldc32.exe82⤵PID:2744
-
C:\Windows\SysWOW64\Fdehpn32.exeC:\Windows\system32\Fdehpn32.exe83⤵PID:2728
-
C:\Windows\SysWOW64\Fgcdlj32.exeC:\Windows\system32\Fgcdlj32.exe84⤵PID:2924
-
C:\Windows\SysWOW64\Fbiijb32.exeC:\Windows\system32\Fbiijb32.exe85⤵PID:1976
-
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe86⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe87⤵PID:1624
-
C:\Windows\SysWOW64\Fmbjjp32.exeC:\Windows\system32\Fmbjjp32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:440 -
C:\Windows\SysWOW64\Fghngimj.exeC:\Windows\system32\Fghngimj.exe89⤵PID:2500
-
C:\Windows\SysWOW64\Fjfjcdln.exeC:\Windows\system32\Fjfjcdln.exe90⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe91⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe92⤵PID:808
-
C:\Windows\SysWOW64\Fjhgidjk.exeC:\Windows\system32\Fjhgidjk.exe93⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe94⤵PID:2180
-
C:\Windows\SysWOW64\Glomllkd.exeC:\Windows\system32\Glomllkd.exe95⤵PID:2492
-
C:\Windows\SysWOW64\Gnmihgkh.exeC:\Windows\system32\Gnmihgkh.exe96⤵PID:2364
-
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:716 -
C:\Windows\SysWOW64\Glaiak32.exeC:\Windows\system32\Glaiak32.exe98⤵
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe99⤵
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Geinjapb.exeC:\Windows\system32\Geinjapb.exe100⤵PID:2756
-
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe101⤵PID:1620
-
C:\Windows\SysWOW64\Lbmpnjai.exeC:\Windows\system32\Lbmpnjai.exe102⤵PID:1556
-
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe104⤵PID:2108
-
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1228 -
C:\Windows\SysWOW64\Leqeed32.exeC:\Windows\system32\Leqeed32.exe106⤵PID:2900
-
C:\Windows\SysWOW64\Mjmnmk32.exeC:\Windows\system32\Mjmnmk32.exe107⤵PID:1060
-
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe109⤵PID:1092
-
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe110⤵PID:2512
-
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe111⤵
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Manljd32.exeC:\Windows\system32\Manljd32.exe112⤵PID:2776
-
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268 -
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe114⤵PID:2168
-
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:332 -
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe116⤵PID:2036
-
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe117⤵PID:1964
-
C:\Windows\SysWOW64\Noifmmec.exeC:\Windows\system32\Noifmmec.exe118⤵PID:3020
-
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe119⤵PID:2688
-
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe120⤵PID:564
-
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe121⤵PID:2232
-
C:\Windows\SysWOW64\Nokcbm32.exeC:\Windows\system32\Nokcbm32.exe122⤵PID:2008