Analysis
-
max time kernel
64s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
18/11/2023, 05:01
Behavioral task
behavioral1
Sample
NEAS.d99122121ffc8c5cca54359393643990.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.d99122121ffc8c5cca54359393643990.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.d99122121ffc8c5cca54359393643990.exe
-
Size
78KB
-
MD5
d99122121ffc8c5cca54359393643990
-
SHA1
0330dc5d8a03305e909ad99ce7b78fdd60a18a30
-
SHA256
2e53c77327b5338d742ae83b5703f324aa8663362edc05cbe1afb49cd882d446
-
SHA512
1ab4192a86667f49db5bdef617fba19008af89eaf7fc7a85278678d6d4512dca1d7a1fc4e518f1057b4afb437ace3c4e8cf093a5e72c0677f54a27d246d0df78
-
SSDEEP
1536:re6/LpH3UYcfQOYMTP5xJNJD4t5Ntikl6yf5oAnqDM+4yyF:F/lH3TcfNDtNW3iwCuq4cyF
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gckfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpcpdfhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqlicclo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioooiack.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehpga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndafcmci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgqcjlhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnnlboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfpdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfoihhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acohnhab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbhje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmdafpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cheido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnnlboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijnnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabplobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghhfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfgfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmqffonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joblkegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pegnglnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endjaief.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglmefcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljpncgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdhbci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeaahk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diidjpbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kijmbnpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Namclbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbdko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipmmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmglajcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkifkdjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmeen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhdddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnpflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaanh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdnkanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdnkanfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbaken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldhgnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefbga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jniefm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghlndfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqqpgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmepdbc.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1192-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00060000000120bd-5.dat family_berbew behavioral1/memory/1192-6-0x0000000000450000-0x0000000000491000-memory.dmp family_berbew behavioral1/files/0x00060000000120bd-8.dat family_berbew behavioral1/files/0x00060000000120bd-9.dat family_berbew behavioral1/files/0x00060000000120bd-12.dat family_berbew behavioral1/files/0x00060000000120bd-13.dat family_berbew behavioral1/files/0x0038000000016057-18.dat family_berbew behavioral1/files/0x0038000000016057-21.dat family_berbew behavioral1/memory/2636-32-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0038000000016057-27.dat family_berbew behavioral1/files/0x0007000000016adb-39.dat family_berbew behavioral1/files/0x0007000000016adb-36.dat family_berbew behavioral1/files/0x0007000000016adb-40.dat family_berbew behavioral1/files/0x0007000000016adb-35.dat family_berbew behavioral1/files/0x0007000000016adb-33.dat family_berbew behavioral1/files/0x0038000000016057-26.dat family_berbew behavioral1/files/0x0009000000016c1e-45.dat family_berbew behavioral1/memory/2664-46-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0009000000016c1e-54.dat family_berbew behavioral1/memory/2596-53-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016cd8-62.dat family_berbew behavioral1/files/0x0006000000016cd8-65.dat family_berbew behavioral1/files/0x0006000000016cd8-61.dat family_berbew behavioral1/files/0x0006000000016cd8-59.dat family_berbew behavioral1/files/0x0009000000016c1e-52.dat family_berbew behavioral1/files/0x0009000000016c1e-49.dat family_berbew behavioral1/memory/1744-66-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0009000000016c1e-48.dat family_berbew behavioral1/files/0x0038000000016057-22.dat family_berbew behavioral1/memory/2708-20-0x00000000002B0000-0x00000000002F1000-memory.dmp family_berbew behavioral1/files/0x0006000000016cd8-67.dat family_berbew behavioral1/files/0x0006000000016cec-72.dat family_berbew behavioral1/files/0x0006000000016cec-74.dat family_berbew behavioral1/files/0x0006000000016cec-77.dat family_berbew behavioral1/files/0x0006000000016cec-78.dat family_berbew behavioral1/memory/2156-79-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016cec-80.dat family_berbew behavioral1/files/0x0006000000016cfd-85.dat family_berbew behavioral1/files/0x0006000000016cfd-88.dat family_berbew behavioral1/files/0x0006000000016cfd-87.dat family_berbew behavioral1/files/0x0006000000016cfd-92.dat family_berbew behavioral1/memory/2156-91-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/files/0x0006000000016cfd-93.dat family_berbew behavioral1/files/0x0006000000016d20-98.dat family_berbew behavioral1/files/0x0006000000016d20-101.dat family_berbew behavioral1/files/0x0006000000016d20-100.dat family_berbew behavioral1/files/0x0006000000016d20-104.dat family_berbew behavioral1/memory/2784-105-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016d20-106.dat family_berbew behavioral1/files/0x0006000000016d40-111.dat family_berbew behavioral1/memory/2784-117-0x0000000000230000-0x0000000000271000-memory.dmp family_berbew behavioral1/files/0x0006000000016d40-114.dat family_berbew behavioral1/files/0x0006000000016d40-119.dat family_berbew behavioral1/files/0x0006000000016d40-118.dat family_berbew behavioral1/files/0x0006000000016d40-113.dat family_berbew behavioral1/files/0x0006000000016d66-124.dat family_berbew behavioral1/memory/596-126-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x003600000001625a-134.dat family_berbew behavioral1/files/0x003600000001625a-144.dat family_berbew behavioral1/files/0x0006000000016fdf-160.dat family_berbew behavioral1/files/0x0006000000016d7d-159.dat family_berbew behavioral1/memory/1584-158-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000016d7d-157.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2708 Mbcmpfhi.exe 2636 Nefbga32.exe 2664 Namclbil.exe 2596 Nlbgikia.exe 1744 Naopaa32.exe 2156 Nmfqgbmm.exe 1944 Nhlddkmc.exe 2784 Nadimacd.exe 596 Ohnaik32.exe 2064 Oaffbqaa.exe 1900 Ogcnkgoh.exe 1584 Oiakgcnl.exe 1480 Odgodl32.exe 2360 Ogekpg32.exe 1264 Oghhfg32.exe 2228 Ohidmoaa.exe 3020 Ocohkh32.exe 1376 Ohkaco32.exe 1188 Padeldeo.exe 2268 Plijimee.exe 1220 Pnjfae32.exe 1460 Pddnnp32.exe 1240 Pnmcfeia.exe 876 Pdihiook.exe 2992 Pjfpafmb.exe 2336 Pcnejk32.exe 1704 Qndigd32.exe 2556 Abfnpg32.exe 2300 Aipfmane.exe 3012 Acekjjmk.exe 2564 Affdle32.exe 2500 Akcldl32.exe 1668 Abmdafpp.exe 2728 Aigmnqgm.exe 2748 Ajhiei32.exe 276 Aennba32.exe 1980 Ajjfkh32.exe 692 Bccjdnbi.exe 1132 Bagkmb32.exe 1648 Bgqcjlhp.exe 1632 Baigca32.exe 632 Bmphhc32.exe 2220 Bbmapj32.exe 2104 Bncaekhp.exe 532 Cdgpnqpo.exe 2288 Cheido32.exe 1596 Dmdnbecj.exe 812 Dikogf32.exe 2856 Dohgomgf.exe 1512 Dpgcip32.exe 1580 Dhbhmb32.exe 2964 Domqjm32.exe 2552 Degiggjm.exe 1740 Eheecbia.exe 2540 Enbnkigh.exe 2152 Edlfhc32.exe 2408 Egjbdo32.exe 2692 Endjaief.exe 472 Ehjona32.exe 2368 Ekhkjm32.exe 572 Enfgfh32.exe 2136 Edqocbkp.exe 2328 Ejmhkiig.exe 1628 Elldgehk.exe -
Loads dropped DLL 64 IoCs
pid Process 1192 NEAS.d99122121ffc8c5cca54359393643990.exe 1192 NEAS.d99122121ffc8c5cca54359393643990.exe 2708 Mbcmpfhi.exe 2708 Mbcmpfhi.exe 2636 Nefbga32.exe 2636 Nefbga32.exe 2664 Namclbil.exe 2664 Namclbil.exe 2596 Nlbgikia.exe 2596 Nlbgikia.exe 1744 Naopaa32.exe 1744 Naopaa32.exe 2156 Nmfqgbmm.exe 2156 Nmfqgbmm.exe 1944 Nhlddkmc.exe 1944 Nhlddkmc.exe 2784 Nadimacd.exe 2784 Nadimacd.exe 596 Ohnaik32.exe 596 Ohnaik32.exe 2064 Oaffbqaa.exe 2064 Oaffbqaa.exe 1900 Ogcnkgoh.exe 1900 Ogcnkgoh.exe 1584 Oiakgcnl.exe 1584 Oiakgcnl.exe 1480 Odgodl32.exe 1480 Odgodl32.exe 2360 Ogekpg32.exe 2360 Ogekpg32.exe 1264 Oghhfg32.exe 1264 Oghhfg32.exe 2228 Ohidmoaa.exe 2228 Ohidmoaa.exe 3020 Ocohkh32.exe 3020 Ocohkh32.exe 1376 Ohkaco32.exe 1376 Ohkaco32.exe 1188 Padeldeo.exe 1188 Padeldeo.exe 2268 Plijimee.exe 2268 Plijimee.exe 1220 Pnjfae32.exe 1220 Pnjfae32.exe 1460 Pddnnp32.exe 1460 Pddnnp32.exe 1240 Pnmcfeia.exe 1240 Pnmcfeia.exe 876 Pdihiook.exe 876 Pdihiook.exe 2992 Pjfpafmb.exe 2992 Pjfpafmb.exe 2336 Pcnejk32.exe 2336 Pcnejk32.exe 1704 Qndigd32.exe 1704 Qndigd32.exe 2556 Abfnpg32.exe 2556 Abfnpg32.exe 2300 Aipfmane.exe 2300 Aipfmane.exe 3012 Acekjjmk.exe 3012 Acekjjmk.exe 2564 Affdle32.exe 2564 Affdle32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eheecbia.exe Degiggjm.exe File created C:\Windows\SysWOW64\Ifbaapfk.exe Ioiidfon.exe File created C:\Windows\SysWOW64\Jacibm32.exe Joblkegc.exe File created C:\Windows\SysWOW64\Cfgnmg32.dll Kbbakc32.exe File opened for modification C:\Windows\SysWOW64\Ocohkh32.exe Ohidmoaa.exe File opened for modification C:\Windows\SysWOW64\Plijimee.exe Padeldeo.exe File created C:\Windows\SysWOW64\Bbpiog32.dll Hhjcic32.exe File created C:\Windows\SysWOW64\Mkgeehnl.exe Mhhiiloh.exe File created C:\Windows\SysWOW64\Beldao32.exe Bmelpa32.exe File created C:\Windows\SysWOW64\Dhbhmb32.exe Dpgcip32.exe File opened for modification C:\Windows\SysWOW64\Jplkmgol.exe Jjbbpmgo.exe File opened for modification C:\Windows\SysWOW64\Lqqpgj32.exe Lnbdko32.exe File opened for modification C:\Windows\SysWOW64\Klhioioc.exe Kijmbnpo.exe File created C:\Windows\SysWOW64\Jilhjm32.dll Ajjfkh32.exe File created C:\Windows\SysWOW64\Gcmoda32.exe Gnpflj32.exe File opened for modification C:\Windows\SysWOW64\Joblkegc.exe Jkfpjf32.exe File created C:\Windows\SysWOW64\Hefccdhf.dll Jkfpjf32.exe File created C:\Windows\SysWOW64\Hmhonm32.dll Okhgod32.exe File created C:\Windows\SysWOW64\Ghfmdj32.dll Padeldeo.exe File created C:\Windows\SysWOW64\Hipmmg32.exe Hbfepmmn.exe File opened for modification C:\Windows\SysWOW64\Heikgh32.exe Hbknkl32.exe File opened for modification C:\Windows\SysWOW64\Jnkakl32.exe Jkmeoa32.exe File opened for modification C:\Windows\SysWOW64\Jdejhfig.exe Jnkakl32.exe File created C:\Windows\SysWOW64\Elooehob.dll Kbgjkn32.exe File created C:\Windows\SysWOW64\Khlajd32.dll NEAS.d99122121ffc8c5cca54359393643990.exe File created C:\Windows\SysWOW64\Nedohngn.dll Khabghdl.exe File opened for modification C:\Windows\SysWOW64\Jjlmkb32.exe Jijacjnc.exe File opened for modification C:\Windows\SysWOW64\Aiqjao32.exe Afbnec32.exe File created C:\Windows\SysWOW64\Qgfkchmp.exe Pegnglnm.exe File opened for modification C:\Windows\SysWOW64\Fbbofjnh.exe Foccjood.exe File created C:\Windows\SysWOW64\Ioiidfon.exe Imjmhkpj.exe File opened for modification C:\Windows\SysWOW64\Ldpnoj32.exe Lglmefcg.exe File created C:\Windows\SysWOW64\Aegkfpah.exe Alofnj32.exe File created C:\Windows\SysWOW64\Edlfhc32.exe Enbnkigh.exe File created C:\Windows\SysWOW64\Kijmbnpo.exe Kihpmnbb.exe File created C:\Windows\SysWOW64\Chdccacf.dll Lkelpd32.exe File opened for modification C:\Windows\SysWOW64\Nlohmonb.exe Ngbpehpj.exe File created C:\Windows\SysWOW64\Pnjfae32.exe Plijimee.exe File opened for modification C:\Windows\SysWOW64\Lkifkdjm.exe Lbbnjgik.exe File created C:\Windows\SysWOW64\Hjipenda.exe Hhjcic32.exe File created C:\Windows\SysWOW64\Gaocdi32.dll Acohnhab.exe File created C:\Windows\SysWOW64\Amjiln32.exe Afpapcnc.exe File opened for modification C:\Windows\SysWOW64\Pjfpafmb.exe Pdihiook.exe File created C:\Windows\SysWOW64\Alofnj32.exe Aiqjao32.exe File created C:\Windows\SysWOW64\Mhflcm32.exe Mehpga32.exe File opened for modification C:\Windows\SysWOW64\Nhmbdl32.exe Ndafcmci.exe File created C:\Windows\SysWOW64\Ppkbfk32.dll Ogekpg32.exe File created C:\Windows\SysWOW64\Affdle32.exe Acekjjmk.exe File created C:\Windows\SysWOW64\Mjddiflm.dll Gpelnb32.exe File created C:\Windows\SysWOW64\Pchbmigj.exe Pajeanhf.exe File opened for modification C:\Windows\SysWOW64\Kfkpknkq.exe Kdjccf32.exe File opened for modification C:\Windows\SysWOW64\Kdhcli32.exe Kbigpn32.exe File opened for modification C:\Windows\SysWOW64\Lglmefcg.exe Lhimji32.exe File created C:\Windows\SysWOW64\Amglgn32.exe Abbhje32.exe File opened for modification C:\Windows\SysWOW64\Beldao32.exe Bmelpa32.exe File created C:\Windows\SysWOW64\Odikqa32.dll Fbpbpkpj.exe File created C:\Windows\SysWOW64\Poeofkoh.dll Jkmeoa32.exe File opened for modification C:\Windows\SysWOW64\Kbgjkn32.exe Kohnoc32.exe File created C:\Windows\SysWOW64\Dehdbhgg.dll Hpcpdfhj.exe File created C:\Windows\SysWOW64\Gjdnoa32.dll Jeoeclek.exe File created C:\Windows\SysWOW64\Kfidqb32.exe Kbnhpdke.exe File created C:\Windows\SysWOW64\Keacocpm.dll Ejpdai32.exe File created C:\Windows\SysWOW64\Lghlndfa.exe Ldjpbign.exe File opened for modification C:\Windows\SysWOW64\Kfnnlboi.exe Kbbakc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmelpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amglgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aennba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibfaopoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilabmedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhonm32.dll" Okhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacpijip.dll" Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jihdnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkfpjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnnlboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcfoihhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obcffefa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 NEAS.d99122121ffc8c5cca54359393643990.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmglajcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmocbnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naopaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmfqgbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkcfcend.dll" Giiglhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgfcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llkbcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Affdle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bagkmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhmod32.dll" Kfidqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihgclgo.dll" Ogcnkgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endjaief.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maojpk32.dll" Lqqpgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laodmoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaqomeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipokcdjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgaeaao.dll" Ikagogco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhocpkj.dll" Naopaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Padeldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckainog.dll" Dohgomgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipokcdjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadafg32.dll" Eqjmncna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fofpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflpao32.dll" Kdhcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhbci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfchnl32.dll" Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaffbqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aigmnqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpfnk32.dll" Pchbmigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agacqb32.dll" Hnmeen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knbhlkkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgfpp32.dll" Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmbma32.dll" Ldbjdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcmoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbaihlkd.dll" Iiecgjba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjcbk32.dll" Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdibkoon.dll" Jjpgfbom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbjdoj32.dll" Nefbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjdgpcmd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1192 wrote to memory of 2708 1192 NEAS.d99122121ffc8c5cca54359393643990.exe 28 PID 1192 wrote to memory of 2708 1192 NEAS.d99122121ffc8c5cca54359393643990.exe 28 PID 1192 wrote to memory of 2708 1192 NEAS.d99122121ffc8c5cca54359393643990.exe 28 PID 1192 wrote to memory of 2708 1192 NEAS.d99122121ffc8c5cca54359393643990.exe 28 PID 2708 wrote to memory of 2636 2708 Mbcmpfhi.exe 29 PID 2708 wrote to memory of 2636 2708 Mbcmpfhi.exe 29 PID 2708 wrote to memory of 2636 2708 Mbcmpfhi.exe 29 PID 2708 wrote to memory of 2636 2708 Mbcmpfhi.exe 29 PID 2636 wrote to memory of 2664 2636 Nefbga32.exe 31 PID 2636 wrote to memory of 2664 2636 Nefbga32.exe 31 PID 2636 wrote to memory of 2664 2636 Nefbga32.exe 31 PID 2636 wrote to memory of 2664 2636 Nefbga32.exe 31 PID 2664 wrote to memory of 2596 2664 Namclbil.exe 30 PID 2664 wrote to memory of 2596 2664 Namclbil.exe 30 PID 2664 wrote to memory of 2596 2664 Namclbil.exe 30 PID 2664 wrote to memory of 2596 2664 Namclbil.exe 30 PID 2596 wrote to memory of 1744 2596 Nlbgikia.exe 32 PID 2596 wrote to memory of 1744 2596 Nlbgikia.exe 32 PID 2596 wrote to memory of 1744 2596 Nlbgikia.exe 32 PID 2596 wrote to memory of 1744 2596 Nlbgikia.exe 32 PID 1744 wrote to memory of 2156 1744 Naopaa32.exe 33 PID 1744 wrote to memory of 2156 1744 Naopaa32.exe 33 PID 1744 wrote to memory of 2156 1744 Naopaa32.exe 33 PID 1744 wrote to memory of 2156 1744 Naopaa32.exe 33 PID 2156 wrote to memory of 1944 2156 Nmfqgbmm.exe 34 PID 2156 wrote to memory of 1944 2156 Nmfqgbmm.exe 34 PID 2156 wrote to memory of 1944 2156 Nmfqgbmm.exe 34 PID 2156 wrote to memory of 1944 2156 Nmfqgbmm.exe 34 PID 1944 wrote to memory of 2784 1944 Nhlddkmc.exe 35 PID 1944 wrote to memory of 2784 1944 Nhlddkmc.exe 35 PID 1944 wrote to memory of 2784 1944 Nhlddkmc.exe 35 PID 1944 wrote to memory of 2784 1944 Nhlddkmc.exe 35 PID 2784 wrote to memory of 596 2784 Nadimacd.exe 36 PID 2784 wrote to memory of 596 2784 Nadimacd.exe 36 PID 2784 wrote to memory of 596 2784 Nadimacd.exe 36 PID 2784 wrote to memory of 596 2784 Nadimacd.exe 36 PID 596 wrote to memory of 2064 596 Ohnaik32.exe 37 PID 596 wrote to memory of 2064 596 Ohnaik32.exe 37 PID 596 wrote to memory of 2064 596 Ohnaik32.exe 37 PID 596 wrote to memory of 2064 596 Ohnaik32.exe 37 PID 2064 wrote to memory of 1900 2064 Oaffbqaa.exe 41 PID 2064 wrote to memory of 1900 2064 Oaffbqaa.exe 41 PID 2064 wrote to memory of 1900 2064 Oaffbqaa.exe 41 PID 2064 wrote to memory of 1900 2064 Oaffbqaa.exe 41 PID 1900 wrote to memory of 1584 1900 Ogcnkgoh.exe 40 PID 1900 wrote to memory of 1584 1900 Ogcnkgoh.exe 40 PID 1900 wrote to memory of 1584 1900 Ogcnkgoh.exe 40 PID 1900 wrote to memory of 1584 1900 Ogcnkgoh.exe 40 PID 1584 wrote to memory of 1480 1584 Oiakgcnl.exe 39 PID 1584 wrote to memory of 1480 1584 Oiakgcnl.exe 39 PID 1584 wrote to memory of 1480 1584 Oiakgcnl.exe 39 PID 1584 wrote to memory of 1480 1584 Oiakgcnl.exe 39 PID 1480 wrote to memory of 2360 1480 Odgodl32.exe 38 PID 1480 wrote to memory of 2360 1480 Odgodl32.exe 38 PID 1480 wrote to memory of 2360 1480 Odgodl32.exe 38 PID 1480 wrote to memory of 2360 1480 Odgodl32.exe 38 PID 2360 wrote to memory of 1264 2360 Ogekpg32.exe 42 PID 2360 wrote to memory of 1264 2360 Ogekpg32.exe 42 PID 2360 wrote to memory of 1264 2360 Ogekpg32.exe 42 PID 2360 wrote to memory of 1264 2360 Ogekpg32.exe 42 PID 1264 wrote to memory of 2228 1264 Oghhfg32.exe 43 PID 1264 wrote to memory of 2228 1264 Oghhfg32.exe 43 PID 1264 wrote to memory of 2228 1264 Oghhfg32.exe 43 PID 1264 wrote to memory of 2228 1264 Oghhfg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.d99122121ffc8c5cca54359393643990.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.d99122121ffc8c5cca54359393643990.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664
-
-
-
-
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe19⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe21⤵
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe22⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe25⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe28⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe29⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe30⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe31⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe32⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe34⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe38⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe39⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe41⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe43⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe44⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe46⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe47⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe49⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe51⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe52⤵PID:2224
-
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe53⤵
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe54⤵
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe55⤵PID:2028
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe56⤵PID:1208
-
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe58⤵PID:2904
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe59⤵PID:2948
-
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe60⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe61⤵PID:2656
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe62⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe63⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe64⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe66⤵PID:2764
-
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe67⤵PID:2344
-
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe68⤵PID:2380
-
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe70⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe71⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe72⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1056 -
C:\Windows\SysWOW64\Gljpncgc.exeC:\Windows\system32\Gljpncgc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe75⤵
- Drops file in System32 directory
PID:756 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe76⤵PID:2172
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe77⤵PID:1720
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe78⤵
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe80⤵PID:2580
-
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe82⤵PID:1260
-
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe83⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe84⤵PID:2724
-
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe85⤵PID:2716
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe86⤵PID:2876
-
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe87⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe88⤵PID:568
-
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe90⤵PID:1588
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe91⤵PID:1592
-
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe92⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe93⤵PID:828
-
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe94⤵PID:3068
-
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe95⤵PID:1860
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe96⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:704 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe98⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe99⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe100⤵PID:1612
-
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe103⤵PID:2412
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe104⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe106⤵PID:2040
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe107⤵PID:1972
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe108⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe109⤵PID:2792
-
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe110⤵PID:2192
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe112⤵PID:1420
-
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe113⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe114⤵PID:816
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe115⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe116⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe117⤵PID:2420
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe118⤵PID:1404
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe119⤵PID:1996
-
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe120⤵PID:1928
-
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe121⤵
- Modifies registry class
PID:1544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-