Analysis
max time kernel: 31s
max time network: 124s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 28/10/2023, 19:56
Behavioral task behavioral1
Sample: NEAS.7b0bd22f4d10139bd099723540a943f0.exe
Resource: win7-20231020-en

Behavioral task behavioral2
Sample: NEAS.7b0bd22f4d10139bd099723540a943f0.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.7b0bd22f4d10139bd099723540a943f0.exe
Size: 106KB
MD5: 7b0bd22f4d10139bd099723540a943f0
SHA1: 4a54fe3c5ed85d97e1f05db1ccd780cf3cd437c9
SHA256: 52b9c9b18ff27273c702dcf7fb12f27efb9826560cef26cdf3d73865eb049046
SHA512: 80e38603bb14c8d7d040f0761eae2001581d6745b033ce16b9c3c694df8e3073242a077af21ee5958f7520b4313e2d82d78d07a94619b913ed07530678dfca98
SSDEEP: 3072:oJw9bh6d79kfcHwe+UrXp1WdTCn93OGey/ZhC:T9bh6dWfcQenrXSTCndOGeKY
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 4884
pid_target: 2660
Process: WerFault.exe
procid_target: 424
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2208 wrote to memory of 1688 2208 NEAS.7b0bd22f4d10139bd099723540a943f0.exe 28
PID 2208 wrote to memory of 1688 2208 NEAS.7b0bd22f4d10139bd099723540a943f0.exe 28
PID 2208 wrote to memory of 1688 2208 NEAS.7b0bd22f4d10139bd099723540a943f0.exe 28
PID 2208 wrote to memory of 1688 2208 NEAS.7b0bd22f4d10139bd099723540a943f0.exe 28
PID 1688 wrote to memory of 2568 1688 Kfbkmk32.exe 29
PID 1688 wrote to memory of 2568 1688 Kfbkmk32.exe 29
PID 1688 wrote to memory of 2568 1688 Kfbkmk32.exe 29
PID 1688 wrote to memory of 2568 1688 Kfbkmk32.exe 29
PID 2568 wrote to memory of 2748 2568 Kfegbj32.exe 31
PID 2568 wrote to memory of 2748 2568 Kfegbj32.exe 31
PID 2568 wrote to memory of 2748 2568 Kfegbj32.exe 31
PID 2568 wrote to memory of 2748 2568 Kfegbj32.exe 31
PID 2748 wrote to memory of 2604 2748 Kaklpcoc.exe 30
PID 2748 wrote to memory of 2604 2748 Kaklpcoc.exe 30
PID 2748 wrote to memory of 2604 2748 Kaklpcoc.exe 30
PID 2748 wrote to memory of 2604 2748 Kaklpcoc.exe 30
PID 2604 wrote to memory of 2884 2604 Kfgdhjmk.exe 32
PID 2604 wrote to memory of 2884 2604 Kfgdhjmk.exe 32
PID 2604 wrote to memory of 2884 2604 Kfgdhjmk.exe 32
PID 2604 wrote to memory of 2884 2604 Kfgdhjmk.exe 32
PID 2884 wrote to memory of 1868 2884 Lldlqakb.exe 33
PID 2884 wrote to memory of 1868 2884 Lldlqakb.exe 33
PID 2884 wrote to memory of 1868 2884 Lldlqakb.exe 33
PID 2884 wrote to memory of 1868 2884 Lldlqakb.exe 33
PID 1868 wrote to memory of 1656 1868 Lmcijcbe.exe 34
PID 1868 wrote to memory of 1656 1868 Lmcijcbe.exe 34
PID 1868 wrote to memory of 1656 1868 Lmcijcbe.exe 34
PID 1868 wrote to memory of 1656 1868 Lmcijcbe.exe 34
PID 1656 wrote to memory of 3004 1656 Lbcnhjnj.exe 35
PID 1656 wrote to memory of 3004 1656 Lbcnhjnj.exe 35
PID 1656 wrote to memory of 3004 1656 Lbcnhjnj.exe 35
PID 1656 wrote to memory of 3004 1656 Lbcnhjnj.exe 35
PID 3004 wrote to memory of 2328 3004 Lojomkdn.exe 36
PID 3004 wrote to memory of 2328 3004 Lojomkdn.exe 36
PID 3004 wrote to memory of 2328 3004 Lojomkdn.exe 36
PID 3004 wrote to memory of 2328 3004 Lojomkdn.exe 36
PID 2328 wrote to memory of 1944 2328 Ldfgebbe.exe 37
PID 2328 wrote to memory of 1944 2328 Ldfgebbe.exe 37
PID 2328 wrote to memory of 1944 2328 Ldfgebbe.exe 37
PID 2328 wrote to memory of 1944 2328 Ldfgebbe.exe 37
PID 1944 wrote to memory of 1032 1944 Lollckbk.exe 41
PID 1944 wrote to memory of 1032 1944 Lollckbk.exe 41
PID 1944 wrote to memory of 1032 1944 Lollckbk.exe 41
PID 1944 wrote to memory of 1032 1944 Lollckbk.exe 41
PID 1032 wrote to memory of 524 1032 Ldidkbpb.exe 38
PID 1032 wrote to memory of 524 1032 Ldidkbpb.exe 38
PID 1032 wrote to memory of 524 1032 Ldidkbpb.exe 38
PID 1032 wrote to memory of 524 1032 Ldidkbpb.exe 38
PID 524 wrote to memory of 1068 524 Mmahdggc.exe 39
PID 524 wrote to memory of 1068 524 Mmahdggc.exe 39
PID 524 wrote to memory of 1068 524 Mmahdggc.exe 39
PID 524 wrote to memory of 1068 524 Mmahdggc.exe 39
PID 1068 wrote to memory of 808 1068 Mmceigep.exe 40
PID 1068 wrote to memory of 808 1068 Mmceigep.exe 40
PID 1068 wrote to memory of 808 1068 Mmceigep.exe 40
PID 1068 wrote to memory of 808 1068 Mmceigep.exe 40
PID 808 wrote to memory of 2088 808 Mbpnanch.exe 42
PID 808 wrote to memory of 2088 808 Mbpnanch.exe 42
PID 808 wrote to memory of 2088 808 Mbpnanch.exe 42
PID 808 wrote to memory of 2088 808 Mbpnanch.exe 42
PID 2088 wrote to memory of 2064 2088 Mpdnkb32.exe 44
PID 2088 wrote to memory of 2064 2088 Mpdnkb32.exe 44
PID 2088 wrote to memory of 2064 2088 Mpdnkb32.exe 44
PID 2088 wrote to memory of 2064 2088 Mpdnkb32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.7b0bd22f4d10139bd099723540a943f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.7b0bd22f4d10139bd099723540a943f0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Kaklpcoc.exeC:\Windows\system32\Kaklpcoc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
-
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Lmcijcbe.exeC:\Windows\system32\Lmcijcbe.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Lollckbk.exeC:\Windows\system32\Lollckbk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1032
-
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Mmceigep.exeC:\Windows\system32\Mmceigep.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2064
-
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe5⤵PID:2140
-
C:\Windows\SysWOW64\Cbkgog32.exeC:\Windows\system32\Cbkgog32.exe4⤵PID:2052
-
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe5⤵PID:1032
-
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Nceclqan.exeC:\Windows\system32\Nceclqan.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Oopnlacm.exeC:\Windows\system32\Oopnlacm.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Obojhlbq.exeC:\Windows\system32\Obojhlbq.exe17⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Ohibdf32.exeC:\Windows\system32\Ohibdf32.exe18⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe19⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe20⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Pbfpik32.exeC:\Windows\system32\Pbfpik32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Piphee32.exeC:\Windows\system32\Piphee32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe27⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe29⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Pikkiijf.exeC:\Windows\system32\Pikkiijf.exe33⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe34⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Qfokbnip.exeC:\Windows\system32\Qfokbnip.exe35⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe36⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Qpgpkcpp.exeC:\Windows\system32\Qpgpkcpp.exe37⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Qfahhm32.exeC:\Windows\system32\Qfahhm32.exe38⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe39⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe40⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe41⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Aibajhdn.exeC:\Windows\system32\Aibajhdn.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Aehboi32.exeC:\Windows\system32\Aehboi32.exe44⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Abmbhn32.exeC:\Windows\system32\Abmbhn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe47⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe49⤵
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe50⤵PID:2456
-
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe51⤵
- Drops file in System32 directory
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Bfadgq32.exeC:\Windows\system32\Bfadgq32.exe54⤵
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Bioqclil.exeC:\Windows\system32\Bioqclil.exe55⤵PID:332
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe56⤵
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe59⤵
- Drops file in System32 directory
PID:304 -
C:\Windows\SysWOW64\Ceaadk32.exeC:\Windows\system32\Ceaadk32.exe60⤵
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe62⤵PID:1308
-
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe63⤵PID:1356
-
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe64⤵PID:1164
-
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe65⤵PID:1720
-
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe66⤵PID:1812
-
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe67⤵PID:2544
-
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe69⤵PID:2324
-
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe71⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Dcadac32.exeC:\Windows\system32\Dcadac32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe73⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Dfamcogo.exeC:\Windows\system32\Dfamcogo.exe75⤵PID:2140
-
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe76⤵
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe77⤵PID:1652
-
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe78⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe80⤵PID:796
-
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe81⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe82⤵PID:1476
-
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe83⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe84⤵PID:108
-
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe85⤵PID:544
-
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe86⤵PID:1388
-
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe87⤵PID:1716
-
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe88⤵
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe89⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe90⤵PID:2224
-
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe91⤵PID:2896
-
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe92⤵PID:1692
-
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe93⤵PID:2700
-
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe94⤵PID:2096
-
C:\Windows\SysWOW64\Fmpkjkma.exeC:\Windows\system32\Fmpkjkma.exe95⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe96⤵PID:2984
-
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe98⤵PID:1052
-
C:\Windows\SysWOW64\Fbopgb32.exeC:\Windows\system32\Fbopgb32.exe99⤵PID:2696
-
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe100⤵PID:760
-
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe102⤵PID:388
-
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe103⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe104⤵
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe105⤵PID:1924
-
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe106⤵PID:2020
-
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe107⤵PID:1524
-
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe110⤵PID:2336
-
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe111⤵PID:2716
-
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe112⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe113⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe114⤵PID:2784
-
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe115⤵
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe116⤵PID:1976
-
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe118⤵PID:2104
-
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe119⤵PID:432
-
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe120⤵PID:1500
-
C:\Windows\SysWOW64\Hmbpmapf.exeC:\Windows\system32\Hmbpmapf.exe121⤵
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Hdlhjl32.exeC:\Windows\system32\Hdlhjl32.exe122⤵
- Drops file in System32 directory
- Modifies registry class
PID:1876