Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
22/10/2023, 17:25
Behavioral task
behavioral1
Sample
NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe
-
Size
176KB
-
MD5
a1e6b1a7cf3df14a9e4bbe720782d810
-
SHA1
f47916dd2c5a1d0c7106873c5dcfeae1b5ec27b2
-
SHA256
d8c66212c7f9bb69618c72fadafd14aeebf455c71abace899a839b00d9194051
-
SHA512
e45cc3c72850fb86aaf4561fc27dce78bc409239c433678ccf57abe99604d91e750989ef76068cd1248a7fd799c1af216026c29fb43608e019cbe17724f1a214
-
SSDEEP
3072:KHowiDdp8deAc4OpR3duVgfpUjmOiBn3w8BdTj2h33ppaS46HUF2pMXSfN6RnQSH:KH0y+Tf2jVu3w8BdTj2V3ppQ60MMCf0F
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckhhgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpkbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidphq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnkpobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgmpibam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkggmldl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgnhkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pblcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfgcieii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdajpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmijfmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcpbigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfemmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhlmmfef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpbdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnomjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edclib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdcjpncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbhfke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpohakbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggabaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phqmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnijnjbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfnkqgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhfke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigmnqgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhdddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghacfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmoda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmbgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jljeeqfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkgig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmcjhdbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfpfdeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenioenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baigca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioheci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foccjood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocfkaone.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbdko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkckblgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeggbbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iebmpcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jempcgad.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2152-0-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral1/files/0x000d00000001200b-5.dat family_berbew behavioral1/memory/2152-6-0x0000000000220000-0x000000000025F000-memory.dmp family_berbew behavioral1/files/0x000d00000001200b-9.dat family_berbew behavioral1/files/0x000d00000001200b-12.dat family_berbew behavioral1/files/0x000d00000001200b-8.dat family_berbew behavioral1/files/0x000d00000001200b-13.dat family_berbew behavioral1/files/0x00360000000139ec-24.dat family_berbew behavioral1/files/0x00360000000139ec-27.dat family_berbew behavioral1/files/0x0007000000014204-32.dat family_berbew behavioral1/files/0x00360000000139ec-25.dat family_berbew behavioral1/files/0x00360000000139ec-21.dat family_berbew behavioral1/memory/2344-20-0x0000000000220000-0x000000000025F000-memory.dmp family_berbew behavioral1/files/0x00360000000139ec-18.dat family_berbew behavioral1/files/0x0007000000014204-34.dat family_berbew behavioral1/files/0x0007000000014204-35.dat family_berbew behavioral1/files/0x0007000000014204-38.dat family_berbew behavioral1/files/0x0007000000014204-40.dat family_berbew behavioral1/memory/2396-39-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral1/memory/2396-46-0x00000000005D0000-0x000000000060F000-memory.dmp family_berbew behavioral1/files/0x00090000000142cd-52.dat family_berbew behavioral1/files/0x00090000000142cd-49.dat family_berbew behavioral1/files/0x00090000000142cd-48.dat family_berbew behavioral1/files/0x00090000000142cd-45.dat family_berbew behavioral1/files/0x00090000000142cd-53.dat family_berbew behavioral1/files/0x0008000000014492-58.dat family_berbew behavioral1/files/0x0008000000014492-62.dat family_berbew behavioral1/files/0x0008000000014492-61.dat family_berbew behavioral1/files/0x0008000000014492-67.dat family_berbew behavioral1/memory/2584-69-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral1/files/0x0008000000014492-66.dat family_berbew behavioral1/files/0x000600000001453b-73.dat family_berbew behavioral1/memory/2540-60-0x0000000000220000-0x000000000025F000-memory.dmp family_berbew behavioral1/files/0x000600000001453b-80.dat family_berbew behavioral1/files/0x00060000000146aa-86.dat family_berbew behavioral1/files/0x0006000000014836-106.dat family_berbew behavioral1/files/0x0006000000014836-108.dat family_berbew behavioral1/files/0x0006000000014abe-116.dat family_berbew behavioral1/files/0x0006000000014abe-119.dat family_berbew behavioral1/files/0x0006000000014abe-121.dat family_berbew behavioral1/files/0x00120000000139fc-134.dat family_berbew behavioral1/files/0x0006000000014c43-146.dat family_berbew behavioral1/memory/1260-145-0x0000000000220000-0x000000000025F000-memory.dmp family_berbew behavioral1/files/0x0006000000014c43-142.dat family_berbew behavioral1/memory/1260-147-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral1/files/0x0006000000014c43-148.dat family_berbew behavioral1/files/0x0006000000014c43-141.dat family_berbew behavioral1/files/0x0006000000014c43-139.dat family_berbew behavioral1/files/0x00120000000139fc-132.dat family_berbew behavioral1/files/0x00120000000139fc-129.dat family_berbew behavioral1/files/0x00120000000139fc-128.dat family_berbew behavioral1/files/0x0006000000014fb2-153.dat family_berbew behavioral1/files/0x0006000000014fb2-160.dat family_berbew behavioral1/files/0x0006000000014fb2-161.dat family_berbew behavioral1/files/0x0006000000014fb2-157.dat family_berbew behavioral1/files/0x000600000001521f-166.dat family_berbew behavioral1/files/0x000600000001521f-170.dat family_berbew behavioral1/files/0x000600000001521f-173.dat family_berbew behavioral1/files/0x000600000001521f-174.dat family_berbew behavioral1/files/0x00060000000155ff-185.dat family_berbew behavioral1/files/0x000600000001560f-193.dat family_berbew behavioral1/memory/2552-200-0x0000000000400000-0x000000000043F000-memory.dmp family_berbew behavioral1/files/0x000600000001560f-199.dat family_berbew behavioral1/files/0x000600000001560f-201.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2344 Nbhfke32.exe 2720 Naopaa32.exe 2396 Ndnlnm32.exe 2540 Nkjapglg.exe 2584 Oaffbqaa.exe 560 Okojkf32.exe 2484 Odgodl32.exe 1296 Oidglb32.exe 2700 Ocllehcj.exe 1260 Oaaifdhb.exe 1740 Olgmcmgh.exe 1652 Pafbadcm.exe 2020 Pqkobqhd.exe 2888 Pdihiook.exe 2552 Pkcpei32.exe 2916 Qfmafg32.exe 2304 Qfonkfqd.exe 2420 Qogbdl32.exe 2176 Aojojl32.exe 1824 Aeggbbci.exe 1644 Anolkh32.exe 1904 Aidphq32.exe 2160 Anahqh32.exe 1076 Aigmnqgm.exe 1896 Badnhbce.exe 1696 Bmkomchi.exe 1900 Bibpad32.exe 2244 Baigca32.exe 2808 Blchcpko.exe 2668 Bncaekhp.exe 1104 Chlfnp32.exe 2684 Cljodo32.exe 364 Cafgle32.exe 828 Caidaeak.exe 1240 Ckahkk32.exe 2184 Cdjmcpnl.exe 2744 Elqaca32.exe 2848 Eamilh32.exe 2164 Ehgbhbgn.exe 1512 Endjaief.exe 1924 Ejkkfjkj.exe 2320 Epecbd32.exe 3056 Eniclh32.exe 1040 Edclib32.exe 1052 Eolmip32.exe 1488 Fjbafi32.exe 1228 Fcjeon32.exe 1764 Fmcjhdbc.exe 2032 Fdnolfon.exe 760 Foccjood.exe 3012 Fdpkbf32.exe 2972 Fbdlkj32.exe 1596 Gjpqpl32.exe 2172 Geeemeif.exe 2828 Gqlebf32.exe 2796 Gfhnjm32.exe 564 Gcmoda32.exe 2556 Gpcoib32.exe 1216 Gmgpbf32.exe 1448 Gbdhjm32.exe 2044 Hebdfind.exe 2024 Hfbaql32.exe 1636 Hibjbgbh.exe 1968 Hjdfjo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2152 NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe 2152 NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe 2344 Nbhfke32.exe 2344 Nbhfke32.exe 2720 Naopaa32.exe 2720 Naopaa32.exe 2396 Ndnlnm32.exe 2396 Ndnlnm32.exe 2540 Nkjapglg.exe 2540 Nkjapglg.exe 2584 Oaffbqaa.exe 2584 Oaffbqaa.exe 560 Okojkf32.exe 560 Okojkf32.exe 2484 Odgodl32.exe 2484 Odgodl32.exe 1296 Oidglb32.exe 1296 Oidglb32.exe 2700 Ocllehcj.exe 2700 Ocllehcj.exe 1260 Oaaifdhb.exe 1260 Oaaifdhb.exe 1740 Olgmcmgh.exe 1740 Olgmcmgh.exe 1652 Pafbadcm.exe 1652 Pafbadcm.exe 2020 Pqkobqhd.exe 2020 Pqkobqhd.exe 2888 Pdihiook.exe 2888 Pdihiook.exe 2552 Pkcpei32.exe 2552 Pkcpei32.exe 2916 Qfmafg32.exe 2916 Qfmafg32.exe 2304 Qfonkfqd.exe 2304 Qfonkfqd.exe 2420 Qogbdl32.exe 2420 Qogbdl32.exe 2176 Aojojl32.exe 2176 Aojojl32.exe 1824 Aeggbbci.exe 1824 Aeggbbci.exe 1644 Anolkh32.exe 1644 Anolkh32.exe 1904 Aidphq32.exe 1904 Aidphq32.exe 2160 Anahqh32.exe 2160 Anahqh32.exe 1076 Aigmnqgm.exe 1076 Aigmnqgm.exe 1896 Badnhbce.exe 1896 Badnhbce.exe 1696 Bmkomchi.exe 1696 Bmkomchi.exe 1900 Bibpad32.exe 1900 Bibpad32.exe 2244 Baigca32.exe 2244 Baigca32.exe 2808 Blchcpko.exe 2808 Blchcpko.exe 2668 Bncaekhp.exe 2668 Bncaekhp.exe 1104 Chlfnp32.exe 1104 Chlfnp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ppfomk32.exe Pilfpqaa.exe File created C:\Windows\SysWOW64\Cjlheehe.exe Cbepdhgc.exe File created C:\Windows\SysWOW64\Bdoaqh32.dll Accqnc32.exe File opened for modification C:\Windows\SysWOW64\Edoefl32.exe Elcpbigl.exe File opened for modification C:\Windows\SysWOW64\Jjneoeeh.exe Jcdmbk32.exe File created C:\Windows\SysWOW64\Pmjoacao.dll Nhakecld.exe File opened for modification C:\Windows\SysWOW64\Nlapaapg.exe Nalldh32.exe File created C:\Windows\SysWOW64\Jphiff32.dll Ibkkjp32.exe File created C:\Windows\SysWOW64\Pkkblp32.exe Pdajpf32.exe File opened for modification C:\Windows\SysWOW64\Dmmmfc32.exe Dhpemm32.exe File opened for modification C:\Windows\SysWOW64\Kkjnnn32.exe Khielcfh.exe File created C:\Windows\SysWOW64\Mikjpiim.exe Mgjnhaco.exe File opened for modification C:\Windows\SysWOW64\Obmnna32.exe Offmipej.exe File created C:\Windows\SysWOW64\Hcopgk32.dll Alihaioe.exe File created C:\Windows\SysWOW64\Mfgnnhkc.exe Mqjefamk.exe File opened for modification C:\Windows\SysWOW64\Pfpibn32.exe Ppfafcpb.exe File created C:\Windows\SysWOW64\Fdpkbf32.exe Foccjood.exe File opened for modification C:\Windows\SysWOW64\Afnfcl32.exe Amebjgai.exe File opened for modification C:\Windows\SysWOW64\Nloachkf.exe Jmlobg32.exe File opened for modification C:\Windows\SysWOW64\Kfgcieii.exe Kbkgig32.exe File opened for modification C:\Windows\SysWOW64\Kfbemi32.exe Kccian32.exe File created C:\Windows\SysWOW64\Eegkpo32.exe Dmijfmfi.exe File created C:\Windows\SysWOW64\Hgapag32.dll Lljpjchg.exe File created C:\Windows\SysWOW64\Abgdnm32.exe Akkokc32.exe File opened for modification C:\Windows\SysWOW64\Paiaplin.exe Phqmgg32.exe File created C:\Windows\SysWOW64\Mbfmiaej.dll Idcacc32.exe File created C:\Windows\SysWOW64\Jkobgm32.exe Jjneoeeh.exe File opened for modification C:\Windows\SysWOW64\Onlooh32.exe Ocfkaone.exe File opened for modification C:\Windows\SysWOW64\Eolmip32.exe Edclib32.exe File created C:\Windows\SysWOW64\Oflpao32.dll Knnkpobc.exe File opened for modification C:\Windows\SysWOW64\Olmcchlg.exe Oagoep32.exe File created C:\Windows\SysWOW64\Mjpkbk32.exe Mnijnjbh.exe File opened for modification C:\Windows\SysWOW64\Pdajpf32.exe Phjjkefd.exe File created C:\Windows\SysWOW64\Epecbd32.exe Ejkkfjkj.exe File created C:\Windows\SysWOW64\Nonlfc32.dll Jpjngh32.exe File opened for modification C:\Windows\SysWOW64\Fogibnha.exe Ffodjh32.exe File created C:\Windows\SysWOW64\Jbfghckb.dll Kmcjedcg.exe File created C:\Windows\SysWOW64\Ellcac32.dll Gfhnjm32.exe File created C:\Windows\SysWOW64\Iibfajdc.exe Idfnicfl.exe File opened for modification C:\Windows\SysWOW64\Emagacdm.exe Eggndi32.exe File created C:\Windows\SysWOW64\Paiaplin.exe Phqmgg32.exe File created C:\Windows\SysWOW64\Dcllbhdn.exe Dmbcen32.exe File opened for modification C:\Windows\SysWOW64\Jkobgm32.exe Jjneoeeh.exe File created C:\Windows\SysWOW64\Anolkh32.exe Aeggbbci.exe File created C:\Windows\SysWOW64\Lpdonf32.dll Khielcfh.exe File opened for modification C:\Windows\SysWOW64\Pkaehb32.exe Pdgmlhha.exe File opened for modification C:\Windows\SysWOW64\Kljabgnh.exe Kfpifm32.exe File created C:\Windows\SysWOW64\Ibfmbhnd.dll Jkmeoa32.exe File created C:\Windows\SysWOW64\Bgffhkoj.exe Bnnaoe32.exe File created C:\Windows\SysWOW64\Ofehob32.dll Ehmdgp32.exe File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Iampng32.dll Cmfmojcb.exe File created C:\Windows\SysWOW64\Bmkomchi.exe Badnhbce.exe File opened for modification C:\Windows\SysWOW64\Kofcbl32.exe Kijkje32.exe File created C:\Windows\SysWOW64\Fnofjfhk.exe Fhbnbpjc.exe File created C:\Windows\SysWOW64\Mfiema32.dll Hghillnd.exe File created C:\Windows\SysWOW64\Lpcfmngo.dll Nnnbni32.exe File created C:\Windows\SysWOW64\Fljelj32.dll Nfigck32.exe File created C:\Windows\SysWOW64\Iifedg32.dll Onlooh32.exe File opened for modification C:\Windows\SysWOW64\Phocfd32.exe Paekijkb.exe File opened for modification C:\Windows\SysWOW64\Accqnc32.exe Alihaioe.exe File created C:\Windows\SysWOW64\Dogpdg32.exe Dfphcj32.exe File created C:\Windows\SysWOW64\Hpdgka32.dll Gnphdceh.exe File opened for modification C:\Windows\SysWOW64\Qmahog32.exe Pkplgoop.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1448 3136 WerFault.exe 500 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akkokc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edclib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjpqpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghlfjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfgcieii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnfkge32.dll" Aidphq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moancj32.dll" Foccjood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kljabgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflbhgjm.dll" Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll" Mbhlek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggfpgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhjijha.dll" Jkpbdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbndpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opppqdgk.dll" Fodebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjfiqjch.dll" Nejdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bibpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjpqpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppicjm32.dll" Mmcpjfcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naionh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heiebkoj.dll" Iqfiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloimaiq.dll" Komjmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbhlek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnijnjbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlapaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Panehkaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baigca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Badnhbce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgodnk32.dll" Hfpfdeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knddcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbdhjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jodhdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eamilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaegpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhbig32.dll" Ojmbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpelefj.dll" Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfhplbf.dll" Caidaeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofejpmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olophhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhapci32.dll" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnqjhh32.dll" Eanldqgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjqmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibadnhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ablmilgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hebdfind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emgioakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jndjmifj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Accqnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" Ahebaiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ablmilgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghfacem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klhemhpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekbgfpm.dll" Cfnoogbo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2152 wrote to memory of 2344 2152 NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe 28 PID 2152 wrote to memory of 2344 2152 NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe 28 PID 2152 wrote to memory of 2344 2152 NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe 28 PID 2152 wrote to memory of 2344 2152 NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe 28 PID 2344 wrote to memory of 2720 2344 Nbhfke32.exe 30 PID 2344 wrote to memory of 2720 2344 Nbhfke32.exe 30 PID 2344 wrote to memory of 2720 2344 Nbhfke32.exe 30 PID 2344 wrote to memory of 2720 2344 Nbhfke32.exe 30 PID 2720 wrote to memory of 2396 2720 Naopaa32.exe 29 PID 2720 wrote to memory of 2396 2720 Naopaa32.exe 29 PID 2720 wrote to memory of 2396 2720 Naopaa32.exe 29 PID 2720 wrote to memory of 2396 2720 Naopaa32.exe 29 PID 2396 wrote to memory of 2540 2396 Ndnlnm32.exe 31 PID 2396 wrote to memory of 2540 2396 Ndnlnm32.exe 31 PID 2396 wrote to memory of 2540 2396 Ndnlnm32.exe 31 PID 2396 wrote to memory of 2540 2396 Ndnlnm32.exe 31 PID 2540 wrote to memory of 2584 2540 Nkjapglg.exe 62 PID 2540 wrote to memory of 2584 2540 Nkjapglg.exe 62 PID 2540 wrote to memory of 2584 2540 Nkjapglg.exe 62 PID 2540 wrote to memory of 2584 2540 Nkjapglg.exe 62 PID 2584 wrote to memory of 560 2584 Oaffbqaa.exe 32 PID 2584 wrote to memory of 560 2584 Oaffbqaa.exe 32 PID 2584 wrote to memory of 560 2584 Oaffbqaa.exe 32 PID 2584 wrote to memory of 560 2584 Oaffbqaa.exe 32 PID 560 wrote to memory of 2484 560 Okojkf32.exe 61 PID 560 wrote to memory of 2484 560 Okojkf32.exe 61 PID 560 wrote to memory of 2484 560 Okojkf32.exe 61 PID 560 wrote to memory of 2484 560 Okojkf32.exe 61 PID 2484 wrote to memory of 1296 2484 Odgodl32.exe 33 PID 2484 wrote to memory of 1296 2484 Odgodl32.exe 33 PID 2484 wrote to memory of 1296 2484 Odgodl32.exe 33 PID 2484 wrote to memory of 1296 2484 Odgodl32.exe 33 PID 1296 wrote to memory of 2700 1296 Oidglb32.exe 34 PID 1296 wrote to memory of 2700 1296 Oidglb32.exe 34 PID 1296 wrote to memory of 2700 1296 Oidglb32.exe 34 PID 1296 wrote to memory of 2700 1296 Oidglb32.exe 34 PID 2700 wrote to memory of 1260 2700 Ocllehcj.exe 60 PID 2700 wrote to memory of 1260 2700 Ocllehcj.exe 60 PID 2700 wrote to memory of 1260 2700 Ocllehcj.exe 60 PID 2700 wrote to memory of 1260 2700 Ocllehcj.exe 60 PID 1260 wrote to memory of 1740 1260 Oaaifdhb.exe 35 PID 1260 wrote to memory of 1740 1260 Oaaifdhb.exe 35 PID 1260 wrote to memory of 1740 1260 Oaaifdhb.exe 35 PID 1260 wrote to memory of 1740 1260 Oaaifdhb.exe 35 PID 1740 wrote to memory of 1652 1740 Olgmcmgh.exe 59 PID 1740 wrote to memory of 1652 1740 Olgmcmgh.exe 59 PID 1740 wrote to memory of 1652 1740 Olgmcmgh.exe 59 PID 1740 wrote to memory of 1652 1740 Olgmcmgh.exe 59 PID 1652 wrote to memory of 2020 1652 Pafbadcm.exe 58 PID 1652 wrote to memory of 2020 1652 Pafbadcm.exe 58 PID 1652 wrote to memory of 2020 1652 Pafbadcm.exe 58 PID 1652 wrote to memory of 2020 1652 Pafbadcm.exe 58 PID 2020 wrote to memory of 2888 2020 Pqkobqhd.exe 36 PID 2020 wrote to memory of 2888 2020 Pqkobqhd.exe 36 PID 2020 wrote to memory of 2888 2020 Pqkobqhd.exe 36 PID 2020 wrote to memory of 2888 2020 Pqkobqhd.exe 36 PID 2888 wrote to memory of 2552 2888 Pdihiook.exe 57 PID 2888 wrote to memory of 2552 2888 Pdihiook.exe 57 PID 2888 wrote to memory of 2552 2888 Pdihiook.exe 57 PID 2888 wrote to memory of 2552 2888 Pdihiook.exe 57 PID 2552 wrote to memory of 2916 2552 Pkcpei32.exe 56 PID 2552 wrote to memory of 2916 2552 Pkcpei32.exe 56 PID 2552 wrote to memory of 2916 2552 Pkcpei32.exe 56 PID 2552 wrote to memory of 2916 2552 Pkcpei32.exe 56
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.a1e6b1a7cf3df14a9e4bbe720782d810.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720
-
-
-
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584
-
-
-
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484
-
-
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260
-
-
-
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
-
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552
-
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1900
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe4⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe5⤵
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe6⤵
- Executes dropped EXE
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe7⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe8⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe9⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe10⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe11⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe12⤵
- Executes dropped EXE
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe14⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe15⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe17⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe18⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe19⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe21⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe23⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe24⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe26⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe27⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe30⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe31⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe34⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe35⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe36⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe37⤵PID:1508
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe38⤵PID:2008
-
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe39⤵PID:2292
-
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe40⤵PID:464
-
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe41⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe42⤵PID:1044
-
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe43⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe44⤵PID:1952
-
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe45⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe46⤵PID:2948
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe47⤵PID:1832
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe48⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe50⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe51⤵PID:2716
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe52⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe53⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe55⤵PID:2632
-
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe56⤵PID:2976
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe57⤵PID:2496
-
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe58⤵PID:1456
-
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe59⤵PID:292
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe60⤵
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe61⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe62⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe63⤵PID:1528
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe64⤵PID:2224
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe66⤵PID:1988
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe67⤵PID:1200
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe68⤵PID:1728
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1420 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:836 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe71⤵PID:584
-
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe72⤵PID:2372
-
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe73⤵PID:2080
-
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe75⤵PID:1604
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe76⤵PID:2872
-
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe77⤵PID:2824
-
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe78⤵PID:1156
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe79⤵PID:2844
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe80⤵PID:2992
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe81⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe82⤵PID:924
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe83⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe84⤵PID:1088
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe85⤵PID:1704
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe86⤵PID:2920
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe87⤵PID:2404
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe88⤵PID:1116
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe89⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe90⤵
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe91⤵PID:2968
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe92⤵PID:2476
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe93⤵PID:1768
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe94⤵PID:2900
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe95⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe96⤵PID:2984
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe97⤵PID:2996
-
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe98⤵PID:2892
-
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe99⤵PID:1256
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe100⤵PID:2688
-
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe101⤵PID:1912
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe102⤵PID:2136
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe103⤵PID:1264
-
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe104⤵PID:2400
-
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe105⤵PID:2312
-
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe106⤵
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe107⤵PID:892
-
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe108⤵PID:1444
-
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe109⤵PID:2656
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe111⤵PID:2572
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe112⤵PID:2436
-
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe113⤵PID:1580
-
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe114⤵PID:1356
-
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe115⤵PID:2840
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe116⤵PID:2928
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe117⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe118⤵PID:2452
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe119⤵PID:344
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe120⤵PID:1608
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe121⤵PID:2004
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-