Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
22/10/2023, 17:19
Behavioral task
behavioral1
Sample
NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe
-
Size
96KB
-
MD5
563d1e3b05c80b2c95e5573329c8f3d0
-
SHA1
8166bb9eb1759c837e9d1634a2ab90795f8964d2
-
SHA256
b173345db997636a6fc2ee59bdc7482fb50b44c915bf638312aae793d0908ace
-
SHA512
a3a3a0c4074a702abdf3f01fdf33e47d59ec0065d3508440f336fd4b3165f2ed8689bd83dca0f38fd4043e42482233d36f8528bd8379afa8cbe5766f98c2606e
-
SSDEEP
1536:QQRmCAmziQifcXELt42ura+uo08qp4ngm4nVcdZ2JVQBKoC/CKniTCvVAva61hLR:Q4vJziyc4t4nVqZ2fQkbn1vVAva63Hem
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pecelm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklepmal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebckmaec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhilimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Binikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlfma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgiiaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojmbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmneg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncamen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainmlomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bodhjdcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlbaqfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboeco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdphjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojpaeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbcek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcadghnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odqlhjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojlbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmpaom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcgmkil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbbachm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpcokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opjkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfoaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahhchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aahfdihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfaalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qanolm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnnfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlgiiaij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dklepmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhonjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmlhbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nllbdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnokgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhqjen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noagjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmpgjbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcadghnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nllbdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhilimb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efedga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdphjm32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2872-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000b000000012276-8.dat family_berbew behavioral1/files/0x000b000000012276-7.dat family_berbew behavioral1/files/0x000b000000012276-5.dat family_berbew behavioral1/files/0x00080000000142ee-18.dat family_berbew behavioral1/files/0x000b000000012276-13.dat family_berbew behavioral1/files/0x000b000000012276-11.dat family_berbew behavioral1/files/0x00080000000142ee-25.dat family_berbew behavioral1/memory/3020-24-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00080000000142ee-21.dat family_berbew behavioral1/files/0x00080000000142ee-20.dat family_berbew behavioral1/files/0x00080000000142ee-27.dat family_berbew behavioral1/memory/2708-26-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000700000001449d-34.dat family_berbew behavioral1/files/0x000700000001449d-35.dat family_berbew behavioral1/files/0x000700000001449d-32.dat family_berbew behavioral1/memory/2020-39-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x000700000001449d-40.dat family_berbew behavioral1/files/0x000700000001449d-38.dat family_berbew behavioral1/files/0x00080000000146d2-51.dat family_berbew behavioral1/files/0x00080000000146d2-48.dat family_berbew behavioral1/files/0x00080000000146d2-47.dat family_berbew behavioral1/files/0x00080000000146d2-45.dat family_berbew behavioral1/memory/2600-52-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00080000000146d2-53.dat family_berbew behavioral1/files/0x0006000000014ad2-58.dat family_berbew behavioral1/files/0x0006000000014ad2-61.dat family_berbew behavioral1/files/0x0006000000014ad2-66.dat family_berbew behavioral1/memory/2872-65-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000014ad2-64.dat family_berbew behavioral1/memory/1108-71-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000014ad2-60.dat family_berbew behavioral1/files/0x0006000000014b7f-78.dat family_berbew behavioral1/files/0x0006000000014b7f-80.dat family_berbew behavioral1/files/0x0006000000014b7f-75.dat family_berbew behavioral1/files/0x0006000000014b7f-74.dat family_berbew behavioral1/files/0x0006000000014b7f-72.dat family_berbew behavioral1/memory/1712-79-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000014f1a-91.dat family_berbew behavioral1/files/0x0006000000014f1a-88.dat family_berbew behavioral1/files/0x0006000000014f1a-87.dat family_berbew behavioral1/files/0x00060000000152d3-98.dat family_berbew behavioral1/files/0x0006000000014f1a-93.dat family_berbew behavioral1/memory/2708-92-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000014f1a-85.dat family_berbew behavioral1/files/0x00060000000152d3-105.dat family_berbew behavioral1/files/0x0006000000015569-112.dat family_berbew behavioral1/files/0x0006000000015569-114.dat family_berbew behavioral1/files/0x0006000000015569-119.dat family_berbew behavioral1/files/0x0006000000015569-118.dat family_berbew behavioral1/memory/2808-104-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x00060000000152d3-103.dat family_berbew behavioral1/files/0x00060000000152d3-100.dat family_berbew behavioral1/memory/2044-110-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015569-107.dat family_berbew behavioral1/files/0x00060000000152d3-106.dat family_berbew behavioral1/memory/768-120-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/memory/2020-127-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015613-125.dat family_berbew behavioral1/files/0x0006000000015613-135.dat family_berbew behavioral1/memory/2600-134-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral1/files/0x0006000000015613-133.dat family_berbew behavioral1/memory/768-132-0x00000000003B0000-0x00000000003F4000-memory.dmp family_berbew behavioral1/files/0x000600000001564c-146.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3020 Paaddgkj.exe 2708 Piliii32.exe 2020 Pmjaohol.exe 2600 Pmmneg32.exe 1108 Pbigmn32.exe 1712 Ppmgfb32.exe 2808 Qejpoi32.exe 2044 Qbnphngk.exe 768 Qlfdac32.exe 2232 Qmhahkdj.exe 2524 Aaejojjq.exe 640 Aiaoclgl.exe 1540 Aahfdihn.exe 2956 Acicla32.exe 1076 Adipfd32.exe 3040 Aobpfb32.exe 2488 Agihgp32.exe 1304 Bhkeohhn.exe 1648 Bfabnl32.exe 1016 Bhonjg32.exe 1984 Boifga32.exe 1496 Bfcodkcb.exe 2324 Bbjpil32.exe 1772 Bkbdabog.exe 2180 Bdkhjgeh.exe 2900 Cgidfcdk.exe 1768 Cfoaho32.exe 1244 Cnejim32.exe 2612 Ccbbachm.exe 2664 Cjljnn32.exe 1928 Cbgobp32.exe 2076 Ccgklc32.exe 1636 Cidddj32.exe 2820 Dpnladjl.exe 2860 Dboeco32.exe 2536 Demaoj32.exe 1948 Djjjga32.exe 2472 Deondj32.exe 1492 Djlfma32.exe 2924 Dmkcil32.exe 1628 Dnjoco32.exe 2060 Dahkok32.exe 2068 Efedga32.exe 340 Emoldlmc.exe 1956 Epnhpglg.exe 1624 Ejcmmp32.exe 1924 Eppefg32.exe 548 Efjmbaba.exe 840 Emdeok32.exe 2436 Epbbkf32.exe 888 Eeojcmfi.exe 2504 Ehnfpifm.exe 3012 Ebckmaec.exe 2468 Eeagimdf.exe 2080 Eojlbb32.exe 2592 Feddombd.exe 364 Fhbpkh32.exe 2564 Fmohco32.exe 2836 Fkcilc32.exe 1936 Glnhjjml.exe 1788 Gefmcp32.exe 2920 Gonale32.exe 1680 Ghgfekpn.exe 2428 Gglbfg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2872 NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe 2872 NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe 3020 Paaddgkj.exe 3020 Paaddgkj.exe 2708 Piliii32.exe 2708 Piliii32.exe 2020 Pmjaohol.exe 2020 Pmjaohol.exe 2600 Pmmneg32.exe 2600 Pmmneg32.exe 1108 Pbigmn32.exe 1108 Pbigmn32.exe 1712 Ppmgfb32.exe 1712 Ppmgfb32.exe 2808 Qejpoi32.exe 2808 Qejpoi32.exe 2044 Qbnphngk.exe 2044 Qbnphngk.exe 768 Qlfdac32.exe 768 Qlfdac32.exe 2232 Qmhahkdj.exe 2232 Qmhahkdj.exe 2524 Aaejojjq.exe 2524 Aaejojjq.exe 640 Aiaoclgl.exe 640 Aiaoclgl.exe 1540 Aahfdihn.exe 1540 Aahfdihn.exe 2956 Acicla32.exe 2956 Acicla32.exe 1076 Adipfd32.exe 1076 Adipfd32.exe 3040 Aobpfb32.exe 3040 Aobpfb32.exe 2488 Agihgp32.exe 2488 Agihgp32.exe 1304 Bhkeohhn.exe 1304 Bhkeohhn.exe 1648 Bfabnl32.exe 1648 Bfabnl32.exe 1016 Bhonjg32.exe 1016 Bhonjg32.exe 1984 Boifga32.exe 1984 Boifga32.exe 1496 Bfcodkcb.exe 1496 Bfcodkcb.exe 2324 Bbjpil32.exe 2324 Bbjpil32.exe 1772 Bkbdabog.exe 1772 Bkbdabog.exe 2180 Bdkhjgeh.exe 2180 Bdkhjgeh.exe 2900 Cgidfcdk.exe 2900 Cgidfcdk.exe 1768 Cfoaho32.exe 1768 Cfoaho32.exe 1244 Cnejim32.exe 1244 Cnejim32.exe 2612 Ccbbachm.exe 2612 Ccbbachm.exe 2664 Cjljnn32.exe 2664 Cjljnn32.exe 1928 Cbgobp32.exe 1928 Cbgobp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hljaigmo.exe Oleepo32.exe File created C:\Windows\SysWOW64\Odqlhjbi.exe Oabplobe.exe File created C:\Windows\SysWOW64\Pnkiebib.exe Pkmmigjo.exe File created C:\Windows\SysWOW64\Clclhmin.exe Ciepkajj.exe File opened for modification C:\Windows\SysWOW64\Cbgobp32.exe Cjljnn32.exe File opened for modification C:\Windows\SysWOW64\Hnkdnqhm.exe Hcepqh32.exe File created C:\Windows\SysWOW64\Jpbcek32.exe Jfjolf32.exe File created C:\Windows\SysWOW64\Omnkicen.exe Ojpomh32.exe File created C:\Windows\SysWOW64\Ghgfekpn.exe Gonale32.exe File created C:\Windows\SysWOW64\Mfpmbf32.exe Moeeelhn.exe File created C:\Windows\SysWOW64\Hoimecmb.exe Hljaigmo.exe File created C:\Windows\SysWOW64\Ciepkajj.exe Bmnofp32.exe File created C:\Windows\SysWOW64\Faiboc32.dll Paaddgkj.exe File created C:\Windows\SysWOW64\Pbigmn32.exe Pmmneg32.exe File created C:\Windows\SysWOW64\Ojgfoglc.dll Cnejim32.exe File created C:\Windows\SysWOW64\Demaoj32.exe Dboeco32.exe File created C:\Windows\SysWOW64\Pchbmigj.exe Pajeanhf.exe File created C:\Windows\SysWOW64\Paaddgkj.exe NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe File created C:\Windows\SysWOW64\Cnejim32.exe Cfoaho32.exe File opened for modification C:\Windows\SysWOW64\Hfhfhbce.exe Hmpaom32.exe File created C:\Windows\SysWOW64\Ndlpdbnj.exe Nbmdhfog.exe File created C:\Windows\SysWOW64\Okhefl32.exe Ncamen32.exe File created C:\Windows\SysWOW64\Aohiimmp.dll Bodhjdcc.exe File created C:\Windows\SysWOW64\Amljgema.dll Clclhmin.exe File opened for modification C:\Windows\SysWOW64\Cjljnn32.exe Ccbbachm.exe File created C:\Windows\SysWOW64\Njmokcbh.dll Demaoj32.exe File opened for modification C:\Windows\SysWOW64\Hmpaom32.exe Hjaeba32.exe File opened for modification C:\Windows\SysWOW64\Nkehql32.exe Ndlpdbnj.exe File opened for modification C:\Windows\SysWOW64\Ebckmaec.exe Ehnfpifm.exe File created C:\Windows\SysWOW64\Podpoffm.exe Pdnkanfg.exe File created C:\Windows\SysWOW64\Acdlnnal.dll Bdodmlcm.exe File created C:\Windows\SysWOW64\Dhhdmc32.dll Ciepkajj.exe File created C:\Windows\SysWOW64\Jllqplnp.exe Jbclgf32.exe File created C:\Windows\SysWOW64\Mjkibehc.exe Mfpmbf32.exe File opened for modification C:\Windows\SysWOW64\Ojblbgdg.exe Obkcajde.exe File created C:\Windows\SysWOW64\Hbglqg32.dll Pioamlkk.exe File created C:\Windows\SysWOW64\Dboeco32.exe Dpnladjl.exe File created C:\Windows\SysWOW64\Clffbc32.dll Hgnokgcc.exe File created C:\Windows\SysWOW64\Kjcijlpq.dll Hddmjk32.exe File created C:\Windows\SysWOW64\Iaimipjl.exe Iogpag32.exe File created C:\Windows\SysWOW64\Nbmdhfog.exe Nkclkl32.exe File created C:\Windows\SysWOW64\Defhonof.dll Pkmmigjo.exe File created C:\Windows\SysWOW64\Pohoplja.dll Aljmbknm.exe File created C:\Windows\SysWOW64\Hffpebmm.dll Qmhahkdj.exe File created C:\Windows\SysWOW64\Dnjoco32.exe Dmkcil32.exe File opened for modification C:\Windows\SysWOW64\Jfjolf32.exe Ieibdnnp.exe File created C:\Windows\SysWOW64\Kcfjhebe.dll Nccnlk32.exe File opened for modification C:\Windows\SysWOW64\Njhilimb.exe Nkehql32.exe File created C:\Windows\SysWOW64\Hekefkig.exe Hpnlndkp.exe File created C:\Windows\SysWOW64\Oabplobe.exe Ojkhjabc.exe File created C:\Windows\SysWOW64\Omqjgl32.exe Ochenfdn.exe File created C:\Windows\SysWOW64\Pmmneg32.exe Pmjaohol.exe File opened for modification C:\Windows\SysWOW64\Efjmbaba.exe Eppefg32.exe File created C:\Windows\SysWOW64\Dkpnde32.dll Kfaalh32.exe File created C:\Windows\SysWOW64\Nfbjhf32.exe Nccnlk32.exe File opened for modification C:\Windows\SysWOW64\Bfcodkcb.exe Boifga32.exe File opened for modification C:\Windows\SysWOW64\Ejcmmp32.exe Epnhpglg.exe File created C:\Windows\SysWOW64\Dadfhdil.dll Eeojcmfi.exe File opened for modification C:\Windows\SysWOW64\Opjkpo32.exe Omlncc32.exe File created C:\Windows\SysWOW64\Jibnop32.exe Jnmiag32.exe File created C:\Windows\SysWOW64\Lcadghnk.exe Liipnb32.exe File created C:\Windows\SysWOW64\Ambcgi32.dll Nllbdp32.exe File opened for modification C:\Windows\SysWOW64\Ankedf32.exe Amjiln32.exe File created C:\Windows\SysWOW64\Ppmgfb32.exe Pbigmn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmeekj.dll" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmkeb32.dll" Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafme32.dll" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll" Kablnadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laimda32.dll" Nbkgbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoimecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pofldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll" Bmnofp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hennhl32.dll" Ninhamne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdck32.dll" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll" Lpnopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odcimipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mieibq32.dll" Aaejojjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iikkon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djndfdbb.dll" Nanfqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjeoijn.dll" Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbndmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll" Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkcplien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjjjgna.dll" Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oomjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdfmchqk.dll" Bfcodkcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clclhmin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nanfqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gllnei32.dll" Omqjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqjjfh32.dll" Nhpfdaml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhfhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Makkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhpfdaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibddbplp.dll" Obkcajde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogmkne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ollqllod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ochenfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjiflem.dll" Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll" Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ailqfooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moeeelhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkmmigjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajdcofop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahhchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljipmdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcodqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogabql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgodcich.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhqnpqce.dll" Ccgklc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfhfhbce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdendpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looepoee.dll" Mfpmbf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 3020 2872 NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe 29 PID 2872 wrote to memory of 3020 2872 NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe 29 PID 2872 wrote to memory of 3020 2872 NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe 29 PID 2872 wrote to memory of 3020 2872 NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe 29 PID 3020 wrote to memory of 2708 3020 Paaddgkj.exe 30 PID 3020 wrote to memory of 2708 3020 Paaddgkj.exe 30 PID 3020 wrote to memory of 2708 3020 Paaddgkj.exe 30 PID 3020 wrote to memory of 2708 3020 Paaddgkj.exe 30 PID 2708 wrote to memory of 2020 2708 Piliii32.exe 31 PID 2708 wrote to memory of 2020 2708 Piliii32.exe 31 PID 2708 wrote to memory of 2020 2708 Piliii32.exe 31 PID 2708 wrote to memory of 2020 2708 Piliii32.exe 31 PID 2020 wrote to memory of 2600 2020 Pmjaohol.exe 32 PID 2020 wrote to memory of 2600 2020 Pmjaohol.exe 32 PID 2020 wrote to memory of 2600 2020 Pmjaohol.exe 32 PID 2020 wrote to memory of 2600 2020 Pmjaohol.exe 32 PID 2600 wrote to memory of 1108 2600 Pmmneg32.exe 33 PID 2600 wrote to memory of 1108 2600 Pmmneg32.exe 33 PID 2600 wrote to memory of 1108 2600 Pmmneg32.exe 33 PID 2600 wrote to memory of 1108 2600 Pmmneg32.exe 33 PID 1108 wrote to memory of 1712 1108 Pbigmn32.exe 34 PID 1108 wrote to memory of 1712 1108 Pbigmn32.exe 34 PID 1108 wrote to memory of 1712 1108 Pbigmn32.exe 34 PID 1108 wrote to memory of 1712 1108 Pbigmn32.exe 34 PID 1712 wrote to memory of 2808 1712 Ppmgfb32.exe 35 PID 1712 wrote to memory of 2808 1712 Ppmgfb32.exe 35 PID 1712 wrote to memory of 2808 1712 Ppmgfb32.exe 35 PID 1712 wrote to memory of 2808 1712 Ppmgfb32.exe 35 PID 2808 wrote to memory of 2044 2808 Qejpoi32.exe 36 PID 2808 wrote to memory of 2044 2808 Qejpoi32.exe 36 PID 2808 wrote to memory of 2044 2808 Qejpoi32.exe 36 PID 2808 wrote to memory of 2044 2808 Qejpoi32.exe 36 PID 2044 wrote to memory of 768 2044 Qbnphngk.exe 37 PID 2044 wrote to memory of 768 2044 Qbnphngk.exe 37 PID 2044 wrote to memory of 768 2044 Qbnphngk.exe 37 PID 2044 wrote to memory of 768 2044 Qbnphngk.exe 37 PID 768 wrote to memory of 2232 768 Qlfdac32.exe 38 PID 768 wrote to memory of 2232 768 Qlfdac32.exe 38 PID 768 wrote to memory of 2232 768 Qlfdac32.exe 38 PID 768 wrote to memory of 2232 768 Qlfdac32.exe 38 PID 2232 wrote to memory of 2524 2232 Qmhahkdj.exe 39 PID 2232 wrote to memory of 2524 2232 Qmhahkdj.exe 39 PID 2232 wrote to memory of 2524 2232 Qmhahkdj.exe 39 PID 2232 wrote to memory of 2524 2232 Qmhahkdj.exe 39 PID 2524 wrote to memory of 640 2524 Aaejojjq.exe 40 PID 2524 wrote to memory of 640 2524 Aaejojjq.exe 40 PID 2524 wrote to memory of 640 2524 Aaejojjq.exe 40 PID 2524 wrote to memory of 640 2524 Aaejojjq.exe 40 PID 640 wrote to memory of 1540 640 Aiaoclgl.exe 41 PID 640 wrote to memory of 1540 640 Aiaoclgl.exe 41 PID 640 wrote to memory of 1540 640 Aiaoclgl.exe 41 PID 640 wrote to memory of 1540 640 Aiaoclgl.exe 41 PID 1540 wrote to memory of 2956 1540 Aahfdihn.exe 42 PID 1540 wrote to memory of 2956 1540 Aahfdihn.exe 42 PID 1540 wrote to memory of 2956 1540 Aahfdihn.exe 42 PID 1540 wrote to memory of 2956 1540 Aahfdihn.exe 42 PID 2956 wrote to memory of 1076 2956 Acicla32.exe 43 PID 2956 wrote to memory of 1076 2956 Acicla32.exe 43 PID 2956 wrote to memory of 1076 2956 Acicla32.exe 43 PID 2956 wrote to memory of 1076 2956 Acicla32.exe 43 PID 1076 wrote to memory of 3040 1076 Adipfd32.exe 44 PID 1076 wrote to memory of 3040 1076 Adipfd32.exe 44 PID 1076 wrote to memory of 3040 1076 Adipfd32.exe 44 PID 1076 wrote to memory of 3040 1076 Adipfd32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.563d1e3b05c80b2c95e5573329c8f3d0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Qejpoi32.exeC:\Windows\system32\Qejpoi32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Aahfdihn.exeC:\Windows\system32\Aahfdihn.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Acicla32.exeC:\Windows\system32\Acicla32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Adipfd32.exeC:\Windows\system32\Adipfd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Agihgp32.exeC:\Windows\system32\Agihgp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Bhkeohhn.exeC:\Windows\system32\Bhkeohhn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Boifga32.exeC:\Windows\system32\Boifga32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Bbjpil32.exeC:\Windows\system32\Bbjpil32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Bdkhjgeh.exeC:\Windows\system32\Bdkhjgeh.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Cgidfcdk.exeC:\Windows\system32\Cgidfcdk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Ccbbachm.exeC:\Windows\system32\Ccbbachm.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Cjljnn32.exeC:\Windows\system32\Cjljnn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Ccgklc32.exeC:\Windows\system32\Ccgklc32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Cidddj32.exeC:\Windows\system32\Cidddj32.exe34⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Dpnladjl.exeC:\Windows\system32\Dpnladjl.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Demaoj32.exeC:\Windows\system32\Demaoj32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe38⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe39⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Djlfma32.exeC:\Windows\system32\Djlfma32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe43⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Efedga32.exeC:\Windows\system32\Efedga32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe45⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Epnhpglg.exeC:\Windows\system32\Epnhpglg.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Ejcmmp32.exeC:\Windows\system32\Ejcmmp32.exe47⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Epbbkf32.exeC:\Windows\system32\Epbbkf32.exe51⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Ehnfpifm.exeC:\Windows\system32\Ehnfpifm.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Ebckmaec.exeC:\Windows\system32\Ebckmaec.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe55⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Eojlbb32.exeC:\Windows\system32\Eojlbb32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Feddombd.exeC:\Windows\system32\Feddombd.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Fhbpkh32.exeC:\Windows\system32\Fhbpkh32.exe58⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Fmohco32.exeC:\Windows\system32\Fmohco32.exe59⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Glnhjjml.exeC:\Windows\system32\Glnhjjml.exe61⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe62⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Gonale32.exeC:\Windows\system32\Gonale32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Ghgfekpn.exeC:\Windows\system32\Ghgfekpn.exe64⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Gglbfg32.exeC:\Windows\system32\Gglbfg32.exe65⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Gaagcpdl.exeC:\Windows\system32\Gaagcpdl.exe66⤵PID:2984
-
C:\Windows\SysWOW64\Hdpcokdo.exeC:\Windows\system32\Hdpcokdo.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Hgnokgcc.exeC:\Windows\system32\Hgnokgcc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Hjmlhbbg.exeC:\Windows\system32\Hjmlhbbg.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Hdbpekam.exeC:\Windows\system32\Hdbpekam.exe70⤵PID:1388
-
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Hnkdnqhm.exeC:\Windows\system32\Hnkdnqhm.exe72⤵
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Hddmjk32.exeC:\Windows\system32\Hddmjk32.exe73⤵
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Hjaeba32.exeC:\Windows\system32\Hjaeba32.exe74⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Hmpaom32.exeC:\Windows\system32\Hmpaom32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Hfhfhbce.exeC:\Windows\system32\Hfhfhbce.exe76⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Hmbndmkb.exeC:\Windows\system32\Hmbndmkb.exe77⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Hiioin32.exeC:\Windows\system32\Hiioin32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe79⤵PID:1756
-
C:\Windows\SysWOW64\Ibacbcgg.exeC:\Windows\system32\Ibacbcgg.exe80⤵PID:2988
-
C:\Windows\SysWOW64\Ieponofk.exeC:\Windows\system32\Ieponofk.exe81⤵PID:2052
-
C:\Windows\SysWOW64\Iikkon32.exeC:\Windows\system32\Iikkon32.exe82⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Ikjhki32.exeC:\Windows\system32\Ikjhki32.exe83⤵PID:2792
-
C:\Windows\SysWOW64\Ifolhann.exeC:\Windows\system32\Ifolhann.exe84⤵PID:1792
-
C:\Windows\SysWOW64\Iebldo32.exeC:\Windows\system32\Iebldo32.exe85⤵PID:1996
-
C:\Windows\SysWOW64\Iogpag32.exeC:\Windows\system32\Iogpag32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Iknafhjb.exeC:\Windows\system32\Iknafhjb.exe88⤵PID:1764
-
C:\Windows\SysWOW64\Inmmbc32.exeC:\Windows\system32\Inmmbc32.exe89⤵PID:1572
-
C:\Windows\SysWOW64\Icifjk32.exeC:\Windows\system32\Icifjk32.exe90⤵PID:2928
-
C:\Windows\SysWOW64\Igebkiof.exeC:\Windows\system32\Igebkiof.exe91⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe92⤵PID:3032
-
C:\Windows\SysWOW64\Ieibdnnp.exeC:\Windows\system32\Ieibdnnp.exe93⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Jfjolf32.exeC:\Windows\system32\Jfjolf32.exe94⤵
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Jpbcek32.exeC:\Windows\system32\Jpbcek32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3048 -
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe96⤵PID:2368
-
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe98⤵PID:3060
-
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1172 -
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Jnmiag32.exeC:\Windows\system32\Jnmiag32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe102⤵PID:2648
-
C:\Windows\SysWOW64\Klcgpkhh.exeC:\Windows\system32\Klcgpkhh.exe103⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Koaclfgl.exeC:\Windows\system32\Koaclfgl.exe104⤵PID:1632
-
C:\Windows\SysWOW64\Klecfkff.exeC:\Windows\system32\Klecfkff.exe105⤵PID:1728
-
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe106⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Kdphjm32.exeC:\Windows\system32\Kdphjm32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Kfaalh32.exeC:\Windows\system32\Kfaalh32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Kipmhc32.exeC:\Windows\system32\Kipmhc32.exe109⤵PID:1520
-
C:\Windows\SysWOW64\Kkojbf32.exeC:\Windows\system32\Kkojbf32.exe110⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe111⤵PID:1144
-
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe112⤵
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Lcmklh32.exeC:\Windows\system32\Lcmklh32.exe113⤵PID:2168
-
C:\Windows\SysWOW64\Lifcib32.exeC:\Windows\system32\Lifcib32.exe114⤵
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe115⤵PID:2112
-
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe116⤵
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe118⤵PID:2896
-
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe119⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe120⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Mhqjen32.exeC:\Windows\system32\Mhqjen32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-