Analysis
- max time kernel: 181s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 28/10/2023, 19:57
Behavioral task: behavioral1
- Sample: NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
- Size: 378KB
- MD5: 8e3e79eaaa01b9eb2f8805c5177e9650
- SHA1: d4be22a0623c461dd92dae4ed04cf703566dee9d
- SHA256: a36296a84ca1fd708d76953221352e823edbd04b46a60ec4266c33c6c004d70e
- SHA512: 27577375ca154e32905f3239b88511f44d49d1f3388a5e31883dbe9deb706dfbdf7986e20ead51350d019856bf785df08f1d0748eb043ec6c9c5c3e4ca0da911
- SSDEEP: 6144:Gf4S/m97OprtMsQBma/atn9pG4l+0K76zHTgb8ecFeK8TJ4u392vVAMR4/5V0lL5:Gf4SmqRMsEat9pG4l+0K7WHT91M52vV1
Malware Config
(none extracted)
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oakcan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndhooaog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpbmhf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcddca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdkolm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajldkhjh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncggifep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obdjjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjdcofpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nqngkcjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onhihepp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngkaaolf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgoohk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onhihepp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqfeda32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihinkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Johpcgap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdibfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnjaci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocihgo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfobjdoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agonig32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnjaci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epchbm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jddhknpg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkechk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Malpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlmffa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfmeddag.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bimphc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kceehijb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfjpcjhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbjmodph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kikcjdfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgqigohb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nahemf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Allbpqcp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfflal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdfahaaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqibjq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mddjpbgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Piiekp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmdehgcf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmocjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Coladm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfhcmkkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kefnjdgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epqgopbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caomgjnk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcofqphi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oinbglkm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nipbpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agmacgcc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fcckjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mknbmm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lqknfq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hehikpol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkenmidf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jllpmlqj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kefnjdgc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pinnfonh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bkheal32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebhlmlhl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lccepqdo.exe
- Malware Backdoor: Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections: it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/files/0x0003000000004ed5-5.dat | family_berbew
behavioral1/files/0x0003000000004ed5-8.dat | family_berbew
behavioral1/files/0x0003000000004ed5-9.dat | family_berbew
behavioral1/files/0x0003000000004ed5-14.dat | family_berbew
behavioral1/files/0x0003000000004ed5-12.dat | family_berbew
behavioral1/files/0x00090000000120ff-22.dat | family_berbew
behavioral1/files/0x00090000000120ff-23.dat | family_berbew
behavioral1/files/0x00090000000120ff-27.dat | family_berbew
behavioral1/files/0x00090000000120ff-28.dat | family_berbew
behavioral1/files/0x00090000000120ff-20.dat | family_berbew
behavioral1/files/0x001c0000000146ab-35.dat | family_berbew
behavioral1/files/0x001c0000000146ab-38.dat | family_berbew
behavioral1/files/0x001c0000000146ab-39.dat | family_berbew
behavioral1/files/0x001c0000000146ab-43.dat | family_berbew
behavioral1/files/0x001c0000000146ab-44.dat | family_berbew
behavioral1/files/0x0008000000014b79-49.dat | family_berbew
behavioral1/files/0x0008000000014b79-51.dat | family_berbew
behavioral1/files/0x0008000000014b79-52.dat | family_berbew
behavioral1/files/0x0008000000014b79-57.dat | family_berbew
behavioral1/files/0x0008000000014b79-56.dat | family_berbew
behavioral1/files/0x0007000000014fb1-63.dat | family_berbew
behavioral1/files/0x0007000000014fb1-69.dat | family_berbew
behavioral1/files/0x0007000000014fb1-71.dat | family_berbew
behavioral1/files/0x0007000000014fb1-66.dat | family_berbew
behavioral1/files/0x0007000000014fb1-65.dat | family_berbew
behavioral1/files/0x00090000000153ae-79.dat | family_berbew
behavioral1/files/0x00090000000153ae-84.dat | family_berbew
behavioral1/files/0x00090000000153ae-83.dat | family_berbew
behavioral1/files/0x00090000000153ae-78.dat | family_berbew
behavioral1/files/0x00090000000153ae-76.dat | family_berbew
behavioral1/files/0x0006000000015c23-91.dat | family_berbew
behavioral1/files/0x0006000000015c23-95.dat | family_berbew
behavioral1/files/0x0006000000015c23-94.dat | family_berbew
behavioral1/files/0x0006000000015c23-99.dat | family_berbew
behavioral1/files/0x0006000000015c23-98.dat | family_berbew
behavioral1/files/0x0006000000015c4c-107.dat | family_berbew
behavioral1/files/0x0006000000015c4c-108.dat | family_berbew
behavioral1/files/0x0006000000015c4c-113.dat | family_berbew
behavioral1/files/0x0006000000015c4c-111.dat | family_berbew
behavioral1/files/0x0006000000015c4c-105.dat | family_berbew
behavioral1/files/0x0006000000015c5c-119.dat | family_berbew
behavioral1/memory/1912-125-0x00000000001B0000-0x00000000001E4000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015c5c-127.dat | family_berbew
behavioral1/files/0x0006000000015c5c-126.dat | family_berbew
behavioral1/files/0x0006000000015c5c-122.dat | family_berbew
behavioral1/files/0x0006000000015c5c-121.dat | family_berbew
behavioral1/files/0x0006000000015c79-139.dat | family_berbew
behavioral1/files/0x0006000000015c79-138.dat | family_berbew
behavioral1/files/0x0006000000015c79-135.dat | family_berbew
behavioral1/files/0x0006000000015c79-134.dat | family_berbew
behavioral1/files/0x0006000000015c79-132.dat | family_berbew
behavioral1/memory/1912-145-0x00000000001B0000-0x00000000001E4000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015c90-153.dat | family_berbew
behavioral1/files/0x0006000000015c90-152.dat | family_berbew
behavioral1/files/0x0006000000015ca8-163.dat | family_berbew
behavioral1/files/0x0006000000015ca8-164.dat | family_berbew
behavioral1/files/0x0006000000015ca8-167.dat | family_berbew
behavioral1/files/0x0006000000015ca8-161.dat | family_berbew
behavioral1/files/0x0006000000015ca8-169.dat | family_berbew
behavioral1/files/0x0006000000015c90-148.dat | family_berbew
behavioral1/files/0x0006000000015c90-147.dat | family_berbew
behavioral1/files/0x0006000000015c90-144.dat | family_berbew
behavioral1/files/0x0006000000015ce7-176.dat | family_berbew
behavioral1/files/0x0006000000015ce7-183.dat | family_berbew
- Executes dropped EXE (64 IoCs)
pid | Process
2716 | Gdhfdffl.exe
2772 | Qldjdlgb.exe
2660 | Ajldkhjh.exe
2556 | Bimphc32.exe
1412 | Bdfahaaa.exe
1896 | Befnbd32.exe
2552 | Cnhhge32.exe
1912 | Coladm32.exe
1164 | Dhdfmbjc.exe
848 | Dnckki32.exe
592 | Dochelmj.exe
2076 | Dgnminke.exe
2296 | Eddjhb32.exe
2344 | Epqgopbi.exe
436 | Fnadkjlc.exe
1780 | Fdqiiaih.exe
2036 | Gedbfimc.exe
1956 | Hcjldp32.exe
3056 | Hlbpme32.exe
2360 | Eqnillbb.exe
1432 | Mnncii32.exe
1704 | Malpee32.exe
2420 | Mdmhfpkg.exe
1996 | Npcika32.exe
2628 | Npffaq32.exe
1084 | Nfpnnk32.exe
2780 | Nlmffa32.exe
2768 | Niqgof32.exe
2608 | Nalldh32.exe
2524 | Nanhihno.exe
2988 | Ngkaaolf.exe
2012 | Ocihgo32.exe
268 | Jbpfpd32.exe
2792 | Akpkok32.exe
1684 | Jbjejojn.exe
1876 | Kpiihgoh.exe
2068 | Kkomepon.exe
1616 | Kplfmfmf.exe
1152 | Kpnbcfkc.exe
624 | Lccepqdo.exe
2352 | Lhpmhgbf.exe
2744 | Lahaqm32.exe
1664 | Lgejidgn.exe
2368 | Ljfckodo.exe
1564 | Lppkgi32.exe
1924 | Lkepdbkb.exe
1880 | Lpbhmiji.exe
1008 | Mlkegimk.exe
2264 | Mbhnpplb.exe
2028 | Mhbflj32.exe
2644 | Nfcfob32.exe
2640 | Nnknqpgi.exe
2836 | Ncggifep.exe
2732 | Nidoamch.exe
2980 | Ncjcnfcn.exe
2716 | Opennf32.exe
2820 | Obdjjb32.exe
1756 | Oinbglkm.exe
2384 | Obffpa32.exe
2176 | Oedclm32.exe
2560 | Oakcan32.exe
1976 | Pfhlie32.exe
1000 | Pmbdfolj.exe
2724 | Piiekp32.exe
- Loads dropped DLL (64 IoCs)
pid | Process
2636 | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
2636 | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
2716 | Gdhfdffl.exe
2716 | Gdhfdffl.exe
2772 | Qldjdlgb.exe
2772 | Qldjdlgb.exe
2660 | Ajldkhjh.exe
2660 | Ajldkhjh.exe
2556 | Bimphc32.exe
2556 | Bimphc32.exe
1412 | Bdfahaaa.exe
1412 | Bdfahaaa.exe
1896 | Befnbd32.exe
1896 | Befnbd32.exe
2552 | Cnhhge32.exe
2552 | Cnhhge32.exe
1912 | Coladm32.exe
1912 | Coladm32.exe
1164 | Dhdfmbjc.exe
1164 | Dhdfmbjc.exe
848 | Dnckki32.exe
848 | Dnckki32.exe
592 | Dochelmj.exe
592 | Dochelmj.exe
2076 | Dgnminke.exe
2076 | Dgnminke.exe
2296 | Eddjhb32.exe
2296 | Eddjhb32.exe
2344 | Epqgopbi.exe
2344 | Epqgopbi.exe
436 | Fnadkjlc.exe
436 | Fnadkjlc.exe
1780 | Fdqiiaih.exe
1780 | Fdqiiaih.exe
2036 | Gedbfimc.exe
2036 | Gedbfimc.exe
1956 | Hcjldp32.exe
1956 | Hcjldp32.exe
3056 | Hlbpme32.exe
3056 | Hlbpme32.exe
2360 | Eqnillbb.exe
2360 | Eqnillbb.exe
1432 | Mnncii32.exe
1432 | Mnncii32.exe
1704 | Malpee32.exe
1704 | Malpee32.exe
2420 | Mdmhfpkg.exe
2420 | Mdmhfpkg.exe
1996 | Npcika32.exe
1996 | Npcika32.exe
2628 | Npffaq32.exe
2628 | Npffaq32.exe
1084 | Nfpnnk32.exe
1084 | Nfpnnk32.exe
2780 | Nlmffa32.exe
2780 | Nlmffa32.exe
2768 | Niqgof32.exe
2768 | Niqgof32.exe
2608 | Nalldh32.exe
2608 | Nalldh32.exe
2524 | Nanhihno.exe
2524 | Nanhihno.exe
2988 | Ngkaaolf.exe
2988 | Ngkaaolf.exe
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Caomgjnk.exe | Clbdobpc.exe
File created | C:\Windows\SysWOW64\Jbqkmj32.exe | Jmdcecpp.exe
File created | C:\Windows\SysWOW64\Qhehmkqn.exe | Pbfcoedi.exe
File created | C:\Windows\SysWOW64\Aadbfp32.exe | Agonig32.exe
File created | C:\Windows\SysWOW64\Bmdehgcf.exe | Blplkp32.exe
File created | C:\Windows\SysWOW64\Bbcjfn32.exe | Bkheal32.exe
File opened for modification | C:\Windows\SysWOW64\Gbhpidak.exe | Cmocjn32.exe
File opened for modification | C:\Windows\SysWOW64\Kajbie32.exe | Kiomec32.exe
File created | C:\Windows\SysWOW64\Kgibpg32.dll | Minika32.exe
File opened for modification | C:\Windows\SysWOW64\Kpiihgoh.exe | Jbjejojn.exe
File created | C:\Windows\SysWOW64\Pfhlie32.exe | Oakcan32.exe
File created | C:\Windows\SysWOW64\Ibbbhe32.dll | Blplkp32.exe
File opened for modification | C:\Windows\SysWOW64\Acldpojj.exe | Qpnkjq32.exe
File created | C:\Windows\SysWOW64\Bkheal32.exe | Bmdehgcf.exe
File created | C:\Windows\SysWOW64\Ebhlmlhl.exe | Ehphdf32.exe
File opened for modification | C:\Windows\SysWOW64\Mnheniaa.exe | Mhklfbcj.exe
File created | C:\Windows\SysWOW64\Nimeje32.exe | Napdpchk.exe
File created | C:\Windows\SysWOW64\Mpbodi32.dll | Nlmffa32.exe
File created | C:\Windows\SysWOW64\Pjkegjeg.dll | Ncjcnfcn.exe
File created | C:\Windows\SysWOW64\Bnoidn32.dll | Onelbfab.exe
File created | C:\Windows\SysWOW64\Hcoalbbk.dll | Hafppp32.exe
File created | C:\Windows\SysWOW64\Fbledk32.dll | Mjdcofpe.exe
File created | C:\Windows\SysWOW64\Cnhhge32.exe | Befnbd32.exe
File created | C:\Windows\SysWOW64\Cbfajl32.dll | Hlbpme32.exe
File created | C:\Windows\SysWOW64\Nlpnhnoo.dll | Acldpojj.exe
File opened for modification | C:\Windows\SysWOW64\Jkegigal.exe | Jdkolm32.exe
File created | C:\Windows\SysWOW64\Lpgekanj.exe | Ljmmng32.exe
File created | C:\Windows\SysWOW64\Cfcjopoa.dll | Lpgekanj.exe
File opened for modification | C:\Windows\SysWOW64\Lqknfq32.exe | Lhdfec32.exe
File opened for modification | C:\Windows\SysWOW64\Pinnfonh.exe | Pfobjdoe.exe
File opened for modification | C:\Windows\SysWOW64\Aapikqel.exe | Alcqcjgd.exe
File opened for modification | C:\Windows\SysWOW64\Bmdehgcf.exe | Blplkp32.exe
File created | C:\Windows\SysWOW64\Ooncljom.exe | Ndhooaog.exe
File opened for modification | C:\Windows\SysWOW64\Bkheal32.exe | Bmdehgcf.exe
File opened for modification | C:\Windows\SysWOW64\Cnhjbjam.exe | Cgnbepjp.exe
File created | C:\Windows\SysWOW64\Fpgpjdnf.exe | Fqbbig32.exe
File created | C:\Windows\SysWOW64\Okcfob32.dll | Kfflal32.exe
File created | C:\Windows\SysWOW64\Phkdfgmp.dll | Oedclm32.exe
File opened for modification | C:\Windows\SysWOW64\Plljbkml.exe | Pinnfonh.exe
File opened for modification | C:\Windows\SysWOW64\Aadbfp32.exe | Agonig32.exe
File created | C:\Windows\SysWOW64\Lkgpmj32.exe | Lpbkpa32.exe
File opened for modification | C:\Windows\SysWOW64\Mgqigohb.exe | Minika32.exe
File created | C:\Windows\SysWOW64\Apeflmjc.exe | Aodjdede.exe
File created | C:\Windows\SysWOW64\Nbghmegj.dll | Ndhooaog.exe
File created | C:\Windows\SysWOW64\Odmhjp32.exe | Okecak32.exe
File created | C:\Windows\SysWOW64\Kadogppo.dll | Efoobkej.exe
File opened for modification | C:\Windows\SysWOW64\Kfflal32.exe | Jfoeqmfg.exe
File opened for modification | C:\Windows\SysWOW64\Lhpmhgbf.exe | Lccepqdo.exe
File opened for modification | C:\Windows\SysWOW64\Lgejidgn.exe | Lahaqm32.exe
File created | C:\Windows\SysWOW64\Oclblaid.dll | Opennf32.exe
File opened for modification | C:\Windows\SysWOW64\Hncjiecj.exe | Hkenmidf.exe
File created | C:\Windows\SysWOW64\Klkmkoce.exe | Keadoe32.exe
File created | C:\Windows\SysWOW64\Egpgja32.dll | Ncjgao32.exe
File created | C:\Windows\SysWOW64\Kajbie32.exe | Kiomec32.exe
File created | C:\Windows\SysWOW64\Dnckki32.exe | Dhdfmbjc.exe
File created | C:\Windows\SysWOW64\Epqgopbi.exe | Eddjhb32.exe
File opened for modification | C:\Windows\SysWOW64\Lkepdbkb.exe | Lppkgi32.exe
File created | C:\Windows\SysWOW64\Qpnkjq32.exe | Qgbfen32.exe
File created | C:\Windows\SysWOW64\Jdnijidk.dll | Miqmkh32.exe
File created | C:\Windows\SysWOW64\Hmhgjahb.exe | Hncjiecj.exe
File opened for modification | C:\Windows\SysWOW64\Keadoe32.exe | Koglbkdl.exe
File created | C:\Windows\SysWOW64\Fnadkjlc.exe | Epqgopbi.exe
File opened for modification | C:\Windows\SysWOW64\Nnknqpgi.exe | Nfcfob32.exe
File opened for modification | C:\Windows\SysWOW64\Qgbfen32.exe | Qklfqm32.exe
- Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihkdc32.dll" | Mnjaci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onmkhlph.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pbfcoedi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbhpidak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcbogk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaanlk32.dll" | Jahieboa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkamoald.dll" | Iiaddb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbadih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hcjldp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnmblgo.dll" | Obffpa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Anjnllbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkbagjfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbfjckjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejmhaqc.dll" | Akpkok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaaope32.dll" | Oqibjq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cehlbihg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhdfec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mnfhhicd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbadih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bimphc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgiglh32.dll" | Mdmhfpkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Klkmkoce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lcgnmlkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onelbfab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdflepqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hncjiecj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmlfdqg.dll" | Ihinkn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcjldp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkepdbkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igffogeb.dll" | Ncggifep.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfhlie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbqkmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpgja32.dll" | Ncjgao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpkpl32.dll" | Eddjhb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qklfqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoekqp32.dll" | Iekbob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfckn32.dll" | Iihkea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kpnbcfkc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efoobkej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eklgjbca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkbagjfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkboc32.dll" | Hjlhcegl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kceehijb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nfhcmkkg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciijbkd.dll" | Mbhnpplb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfmeddag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogldfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kikcjdfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Koglbkdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cehlbihg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acgkjoea.dll" | Mcddca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmocjn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Clbdobpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Agonig32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mogqlgbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onhihepp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgegk32.dll" | Dcofqphi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booqgija.dll" | Coladm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlbpme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncjcnfcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfhad32.dll" | Pbfcoedi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eoefea32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2636 wrote to memory of 2716 | 2636 | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe | 29
PID 2636 wrote to memory of 2716 | 2636 | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe | 29
PID 2636 wrote to memory of 2716 | 2636 | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe | 29
PID 2636 wrote to memory of 2716 | 2636 | NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe | 29
PID 2716 wrote to memory of 2772 | 2716 | Gdhfdffl.exe | 30
PID 2716 wrote to memory of 2772 | 2716 | Gdhfdffl.exe | 30
PID 2716 wrote to memory of 2772 | 2716 | Gdhfdffl.exe | 30
PID 2716 wrote to memory of 2772 | 2716 | Gdhfdffl.exe | 30
PID 2772 wrote to memory of 2660 | 2772 | Qldjdlgb.exe | 31
PID 2772 wrote to memory of 2660 | 2772 | Qldjdlgb.exe | 31
PID 2772 wrote to memory of 2660 | 2772 | Qldjdlgb.exe | 31
PID 2772 wrote to memory of 2660 | 2772 | Qldjdlgb.exe | 31
PID 2660 wrote to memory of 2556 | 2660 | Ajldkhjh.exe | 32
PID 2660 wrote to memory of 2556 | 2660 | Ajldkhjh.exe | 32
PID 2660 wrote to memory of 2556 | 2660 | Ajldkhjh.exe | 32
PID 2660 wrote to memory of 2556 | 2660 | Ajldkhjh.exe | 32
PID 2556 wrote to memory of 1412 | 2556 | Bimphc32.exe | 33
PID 2556 wrote to memory of 1412 | 2556 | Bimphc32.exe | 33
PID 2556 wrote to memory of 1412 | 2556 | Bimphc32.exe | 33
PID 2556 wrote to memory of 1412 | 2556 | Bimphc32.exe | 33
PID 1412 wrote to memory of 1896 | 1412 | Bdfahaaa.exe | 34
PID 1412 wrote to memory of 1896 | 1412 | Bdfahaaa.exe | 34
PID 1412 wrote to memory of 1896 | 1412 | Bdfahaaa.exe | 34
PID 1412 wrote to memory of 1896 | 1412 | Bdfahaaa.exe | 34
PID 1896 wrote to memory of 2552 | 1896 | Befnbd32.exe | 35
PID 1896 wrote to memory of 2552 | 1896 | Befnbd32.exe | 35
PID 1896 wrote to memory of 2552 | 1896 | Befnbd32.exe | 35
PID 1896 wrote to memory of 2552 | 1896 | Befnbd32.exe | 35
PID 2552 wrote to memory of 1912 | 2552 | Cnhhge32.exe | 36
PID 2552 wrote to memory of 1912 | 2552 | Cnhhge32.exe | 36
PID 2552 wrote to memory of 1912 | 2552 | Cnhhge32.exe | 36
PID 2552 wrote to memory of 1912 | 2552 | Cnhhge32.exe | 36
PID 1912 wrote to memory of 1164 | 1912 | Coladm32.exe | 37
PID 1912 wrote to memory of 1164 | 1912 | Coladm32.exe | 37
PID 1912 wrote to memory of 1164 | 1912 | Coladm32.exe | 37
PID 1912 wrote to memory of 1164 | 1912 | Coladm32.exe | 37
PID 1164 wrote to memory of 848 | 1164 | Dhdfmbjc.exe | 38
PID 1164 wrote to memory of 848 | 1164 | Dhdfmbjc.exe | 38
PID 1164 wrote to memory of 848 | 1164 | Dhdfmbjc.exe | 38
PID 1164 wrote to memory of 848 | 1164 | Dhdfmbjc.exe | 38
PID 848 wrote to memory of 592 | 848 | Dnckki32.exe | 39
PID 848 wrote to memory of 592 | 848 | Dnckki32.exe | 39
PID 848 wrote to memory of 592 | 848 | Dnckki32.exe | 39
PID 848 wrote to memory of 592 | 848 | Dnckki32.exe | 39
PID 592 wrote to memory of 2076 | 592 | Dochelmj.exe | 40
PID 592 wrote to memory of 2076 | 592 | Dochelmj.exe | 40
PID 592 wrote to memory of 2076 | 592 | Dochelmj.exe | 40
PID 592 wrote to memory of 2076 | 592 | Dochelmj.exe | 40
PID 2076 wrote to memory of 2296 | 2076 | Dgnminke.exe | 41
PID 2076 wrote to memory of 2296 | 2076 | Dgnminke.exe | 41
PID 2076 wrote to memory of 2296 | 2076 | Dgnminke.exe | 41
PID 2076 wrote to memory of 2296 | 2076 | Dgnminke.exe | 41
PID 2296 wrote to memory of 2344 | 2296 | Eddjhb32.exe | 42
PID 2296 wrote to memory of 2344 | 2296 | Eddjhb32.exe | 42
PID 2296 wrote to memory of 2344 | 2296 | Eddjhb32.exe | 42
PID 2296 wrote to memory of 2344 | 2296 | Eddjhb32.exe | 42
PID 2344 wrote to memory of 436 | 2344 | Epqgopbi.exe | 43
PID 2344 wrote to memory of 436 | 2344 | Epqgopbi.exe | 43
PID 2344 wrote to memory of 436 | 2344 | Epqgopbi.exe | 43
PID 2344 wrote to memory of 436 | 2344 | Epqgopbi.exe | 43
PID 436 wrote to memory of 1780 | 436 | Fnadkjlc.exe | 44
PID 436 wrote to memory of 1780 | 436 | Fnadkjlc.exe | 44
PID 436 wrote to memory of 1780 | 436 | Fnadkjlc.exe | 44
PID 436 wrote to memory of 1780 | 436 | Fnadkjlc.exe | 44
Processes
Each process below is a child of the one listed before it; the leading number is its nesting depth in the process tree.

1. C:\Users\Admin\AppData\Local\Temp\NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.8e3e79eaaa01b9eb2f8805c5177e9650.exe") PID 2636
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Gdhfdffl.exe (command line: C:\Windows\system32\Gdhfdffl.exe) PID 2716
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Qldjdlgb.exe (command line: C:\Windows\system32\Qldjdlgb.exe) PID 2772
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Ajldkhjh.exe (command line: C:\Windows\system32\Ajldkhjh.exe) PID 2660
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bimphc32.exe (command line: C:\Windows\system32\Bimphc32.exe) PID 2556
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Bdfahaaa.exe (command line: C:\Windows\system32\Bdfahaaa.exe) PID 1412
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Befnbd32.exe (command line: C:\Windows\system32\Befnbd32.exe) PID 1896
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Cnhhge32.exe (command line: C:\Windows\system32\Cnhhge32.exe) PID 2552
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Coladm32.exe (command line: C:\Windows\system32\Coladm32.exe) PID 1912
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dhdfmbjc.exe (command line: C:\Windows\system32\Dhdfmbjc.exe) PID 1164
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Dnckki32.exe (command line: C:\Windows\system32\Dnckki32.exe) PID 848
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Dochelmj.exe (command line: C:\Windows\system32\Dochelmj.exe) PID 592
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Dgnminke.exe (command line: C:\Windows\system32\Dgnminke.exe) PID 2076
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Eddjhb32.exe (command line: C:\Windows\system32\Eddjhb32.exe) PID 2296
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Epqgopbi.exe (command line: C:\Windows\system32\Epqgopbi.exe) PID 2344
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Fnadkjlc.exe (command line: C:\Windows\system32\Fnadkjlc.exe) PID 436
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Fdqiiaih.exe (command line: C:\Windows\system32\Fdqiiaih.exe) PID 1780
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Gedbfimc.exe (command line: C:\Windows\system32\Gedbfimc.exe) PID 2036
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Hcjldp32.exe (command line: C:\Windows\system32\Hcjldp32.exe) PID 1956
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
20. C:\Windows\SysWOW64\Hlbpme32.exe (command line: C:\Windows\system32\Hlbpme32.exe) PID 3056
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
21. C:\Windows\SysWOW64\Eqnillbb.exe (command line: C:\Windows\system32\Eqnillbb.exe) PID 2360
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Mnncii32.exe (command line: C:\Windows\system32\Mnncii32.exe) PID 1432
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Malpee32.exe (command line: C:\Windows\system32\Malpee32.exe) PID 1704
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Mdmhfpkg.exe (command line: C:\Windows\system32\Mdmhfpkg.exe) PID 2420
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
25. C:\Windows\SysWOW64\Npcika32.exe (command line: C:\Windows\system32\Npcika32.exe) PID 1996
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Npffaq32.exe (command line: C:\Windows\system32\Npffaq32.exe) PID 2628
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Nfpnnk32.exe (command line: C:\Windows\system32\Nfpnnk32.exe) PID 1084
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Nlmffa32.exe (command line: C:\Windows\system32\Nlmffa32.exe) PID 2780
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
29. C:\Windows\SysWOW64\Niqgof32.exe (command line: C:\Windows\system32\Niqgof32.exe) PID 2768
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Nalldh32.exe (command line: C:\Windows\system32\Nalldh32.exe) PID 2608
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Nanhihno.exe (command line: C:\Windows\system32\Nanhihno.exe) PID 2524
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Ngkaaolf.exe (command line: C:\Windows\system32\Ngkaaolf.exe) PID 2988
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Ocihgo32.exe (command line: C:\Windows\system32\Ocihgo32.exe) PID 2012
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Jbpfpd32.exe (command line: C:\Windows\system32\Jbpfpd32.exe) PID 268
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Akpkok32.exe (command line: C:\Windows\system32\Akpkok32.exe) PID 2792
   - Executes dropped EXE
   - Modifies registry class
36. C:\Windows\SysWOW64\Jbjejojn.exe (command line: C:\Windows\system32\Jbjejojn.exe) PID 1684
   - Executes dropped EXE
   - Drops file in System32 directory
37. C:\Windows\SysWOW64\Kpiihgoh.exe (command line: C:\Windows\system32\Kpiihgoh.exe) PID 1876
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Kkomepon.exe (command line: C:\Windows\system32\Kkomepon.exe) PID 2068
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Kplfmfmf.exe (command line: C:\Windows\system32\Kplfmfmf.exe) PID 1616
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Kpnbcfkc.exe (command line: C:\Windows\system32\Kpnbcfkc.exe) PID 1152
   - Executes dropped EXE
   - Modifies registry class
41. C:\Windows\SysWOW64\Lccepqdo.exe (command line: C:\Windows\system32\Lccepqdo.exe) PID 624
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
42. C:\Windows\SysWOW64\Lhpmhgbf.exe (command line: C:\Windows\system32\Lhpmhgbf.exe) PID 2352
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Lahaqm32.exe (command line: C:\Windows\system32\Lahaqm32.exe) PID 2744
   - Executes dropped EXE
   - Drops file in System32 directory
44. C:\Windows\SysWOW64\Lgejidgn.exe (command line: C:\Windows\system32\Lgejidgn.exe) PID 1664
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Ljfckodo.exe (command line: C:\Windows\system32\Ljfckodo.exe) PID 2368
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Lppkgi32.exe (command line: C:\Windows\system32\Lppkgi32.exe) PID 1564
   - Executes dropped EXE
   - Drops file in System32 directory
47. C:\Windows\SysWOW64\Lkepdbkb.exe (command line: C:\Windows\system32\Lkepdbkb.exe) PID 1924
   - Executes dropped EXE
   - Modifies registry class
48. C:\Windows\SysWOW64\Lpbhmiji.exe (command line: C:\Windows\system32\Lpbhmiji.exe) PID 1880
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Mlkegimk.exe (command line: C:\Windows\system32\Mlkegimk.exe) PID 1008
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Mbhnpplb.exe (command line: C:\Windows\system32\Mbhnpplb.exe) PID 2264
   - Executes dropped EXE
   - Modifies registry class
51. C:\Windows\SysWOW64\Mhbflj32.exe (command line: C:\Windows\system32\Mhbflj32.exe) PID 2028
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Nfcfob32.exe (command line: C:\Windows\system32\Nfcfob32.exe) PID 2644
   - Executes dropped EXE
   - Drops file in System32 directory
53. C:\Windows\SysWOW64\Nnknqpgi.exe (command line: C:\Windows\system32\Nnknqpgi.exe) PID 2640
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Ncggifep.exe (command line: C:\Windows\system32\Ncggifep.exe) PID 2836
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Modifies registry class
55. C:\Windows\SysWOW64\Nidoamch.exe (command line: C:\Windows\system32\Nidoamch.exe) PID 2732
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Ncjcnfcn.exe (command line: C:\Windows\system32\Ncjcnfcn.exe) PID 2980
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
57. C:\Windows\SysWOW64\Opennf32.exe (command line: C:\Windows\system32\Opennf32.exe) PID 2716
   - Executes dropped EXE
   - Drops file in System32 directory
58. C:\Windows\SysWOW64\Obdjjb32.exe (command line: C:\Windows\system32\Obdjjb32.exe) PID 2820
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Oinbglkm.exe (command line: C:\Windows\system32\Oinbglkm.exe) PID 1756
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Obffpa32.exe (command line: C:\Windows\system32\Obffpa32.exe) PID 2384
   - Executes dropped EXE
   - Modifies registry class
61. C:\Windows\SysWOW64\Oedclm32.exe (command line: C:\Windows\system32\Oedclm32.exe) PID 2176
   - Executes dropped EXE
   - Drops file in System32 directory
62. C:\Windows\SysWOW64\Oakcan32.exe (command line: C:\Windows\system32\Oakcan32.exe) PID 2560
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
63. C:\Windows\SysWOW64\Pfhlie32.exe (command line: C:\Windows\system32\Pfhlie32.exe) PID 1976
   - Executes dropped EXE
   - Modifies registry class
64. C:\Windows\SysWOW64\Pmbdfolj.exe (command line: C:\Windows\system32\Pmbdfolj.exe) PID 1000
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Piiekp32.exe (command line: C:\Windows\system32\Piiekp32.exe) PID 2724
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Pfmeddag.exe (command line: C:\Windows\system32\Pfmeddag.exe) PID 924
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
67. C:\Windows\SysWOW64\Ppejmj32.exe (command line: C:\Windows\system32\Ppejmj32.exe) PID 1464
68. C:\Windows\SysWOW64\Pfobjdoe.exe (command line: C:\Windows\system32\Pfobjdoe.exe) PID 1720
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
69. C:\Windows\SysWOW64\Pinnfonh.exe (command line: C:\Windows\system32\Pinnfonh.exe) PID 2052
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
70. C:\Windows\SysWOW64\Plljbkml.exe (command line: C:\Windows\system32\Plljbkml.exe) PID 2972
71. C:\Windows\SysWOW64\Pbfcoedi.exe (command line: C:\Windows\system32\Pbfcoedi.exe) PID 1088
   - Drops file in System32 directory
   - Modifies registry class
72. C:\Windows\SysWOW64\Qhehmkqn.exe (command line: C:\Windows\system32\Qhehmkqn.exe) PID 2364
73. C:\Windows\SysWOW64\Qdlialfb.exe (command line: C:\Windows\system32\Qdlialfb.exe) PID 1256
74. C:\Windows\SysWOW64\Alcqcjgd.exe (command line: C:\Windows\system32\Alcqcjgd.exe) PID 1200
   - Drops file in System32 directory
75. C:\Windows\SysWOW64\Aapikqel.exe (command line: C:\Windows\system32\Aapikqel.exe) PID 1952
76. C:\Windows\SysWOW64\Agmacgcc.exe (command line: C:\Windows\system32\Agmacgcc.exe) PID 320
   - Adds autorun key to be loaded by Explorer.exe on startup
77. C:\Windows\SysWOW64\Aodjdede.exe (command line: C:\Windows\system32\Aodjdede.exe) PID 2832
   - Drops file in System32 directory
78. C:\Windows\SysWOW64\Apeflmjc.exe (command line: C:\Windows\system32\Apeflmjc.exe) PID 2444
79. C:\Windows\SysWOW64\Agonig32.exe (command line: C:\Windows\system32\Agonig32.exe) PID 1736
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - Modifies registry class
80. C:\Windows\SysWOW64\Aadbfp32.exe (command line: C:\Windows\system32\Aadbfp32.exe) PID 2432
81. C:\Windows\SysWOW64\Adcobk32.exe (command line: C:\Windows\system32\Adcobk32.exe) PID 1432
82. C:\Windows\SysWOW64\Akmgoehg.exe (command line: C:\Windows\system32\Akmgoehg.exe) PID 1048
83. C:\Windows\SysWOW64\Adekhkng.exe (command line: C:\Windows\system32\Adekhkng.exe) PID 2708
84. C:\Windows\SysWOW64\Aefhpc32.exe (command line: C:\Windows\system32\Aefhpc32.exe) PID 2600
85. C:\Windows\SysWOW64\Apllml32.exe (command line: C:\Windows\system32\Apllml32.exe) PID 2748
86. C:\Windows\SysWOW64\Mgoohk32.exe (command line: C:\Windows\system32\Mgoohk32.exe) PID 2852
   - Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Jijbnppi.exe (command line: C:\Windows\system32\Jijbnppi.exe) PID 2540
88. C:\Windows\SysWOW64\Mogqlgbi.exe (command line: C:\Windows\system32\Mogqlgbi.exe) PID 2876
   - Modifies registry class
89. C:\Windows\SysWOW64\Nahemf32.exe (command line: C:\Windows\system32\Nahemf32.exe) PID 1120
   - Adds autorun key to be loaded by Explorer.exe on startup
90. C:\Windows\SysWOW64\Nlmjjo32.exe (command line: C:\Windows\system32\Nlmjjo32.exe) PID 2548
91. C:\Windows\SysWOW64\Najbbepc.exe (command line: C:\Windows\system32\Najbbepc.exe) PID 1164
92. C:\Windows\SysWOW64\Ndhooaog.exe (command line: C:\Windows\system32\Ndhooaog.exe) PID 2244
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
93. C:\Windows\SysWOW64\Ooncljom.exe (command line: C:\Windows\system32\Ooncljom.exe) PID 1972
94. C:\Windows\SysWOW64\Odkkdqmd.exe (command line: C:\Windows\system32\Odkkdqmd.exe) PID 952
95. C:\Windows\SysWOW64\Okecak32.exe (command line: C:\Windows\system32\Okecak32.exe) PID 2856
   - Drops file in System32 directory
96. C:\Windows\SysWOW64\Odmhjp32.exe (command line: C:\Windows\system32\Odmhjp32.exe) PID 2800
97. C:\Windows\SysWOW64\Ogldfl32.exe (command line: C:\Windows\system32\Ogldfl32.exe) PID 2524
   - Modifies registry class
98. C:\Windows\SysWOW64\Onelbfab.exe (command line: C:\Windows\system32\Onelbfab.exe) PID 1388
   - Drops file in System32 directory
   - Modifies registry class
99. C:\Windows\SysWOW64\Odpeop32.exe (command line: C:\Windows\system32\Odpeop32.exe) PID 2064
100. C:\Windows\SysWOW64\Onhihepp.exe (command line: C:\Windows\system32\Onhihepp.exe) PID 2924
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
101. C:\Windows\SysWOW64\Oqfeda32.exe (command line: C:\Windows\system32\Oqfeda32.exe) PID 1424
   - Adds autorun key to be loaded by Explorer.exe on startup
102. C:\Windows\SysWOW64\Ojojmfed.exe (command line: C:\Windows\system32\Ojojmfed.exe) PID 1184
103. C:\Windows\SysWOW64\Oqibjq32.exe (command line: C:\Windows\system32\Oqibjq32.exe) PID 672
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
104. C:\Windows\SysWOW64\Pcgnfl32.exe (command line: C:\Windows\system32\Pcgnfl32.exe) PID 2436
105. C:\Windows\SysWOW64\Pidgnc32.exe (command line: C:\Windows\system32\Pidgnc32.exe) PID 2196
106. C:\Windows\SysWOW64\Pkbcjn32.exe (command line: C:\Windows\system32\Pkbcjn32.exe) PID 2116
107. C:\Windows\SysWOW64\Pfhghgie.exe (command line: C:\Windows\system32\Pfhghgie.exe) PID 3044
108. C:\Windows\SysWOW64\Pafacd32.exe (command line: C:\Windows\system32\Pafacd32.exe) PID 1740
109. C:\Windows\SysWOW64\Qklfqm32.exe (command line: C:\Windows\system32\Qklfqm32.exe) PID 2956
   - Drops file in System32 directory
   - Modifies registry class
110. C:\Windows\SysWOW64\Qgbfen32.exe (command line: C:\Windows\system32\Qgbfen32.exe) PID 1548
   - Drops file in System32 directory
111. C:\Windows\SysWOW64\Qpnkjq32.exe (command line: C:\Windows\system32\Qpnkjq32.exe) PID 2696
   - Drops file in System32 directory
112. C:\Windows\SysWOW64\Acldpojj.exe (command line: C:\Windows\system32\Acldpojj.exe) PID 2680
   - Drops file in System32 directory
113. C:\Windows\SysWOW64\Amdhidqk.exe (command line: C:\Windows\system32\Amdhidqk.exe) PID 2988
114. C:\Windows\SysWOW64\Aliejq32.exe (command line: C:\Windows\system32\Aliejq32.exe) PID 2496
115. C:\Windows\SysWOW64\Aeajcf32.exe (command line: C:\Windows\system32\Aeajcf32.exe) PID 1996
116. C:\Windows\SysWOW64\Allbpqcp.exe (command line: C:\Windows\system32\Allbpqcp.exe) PID 1876
   - Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Anjnllbd.exe (command line: C:\Windows\system32\Anjnllbd.exe) PID 2352
   - Modifies registry class
118. C:\Windows\SysWOW64\Blplkp32.exe (command line: C:\Windows\system32\Blplkp32.exe) PID 2368
   - Drops file in System32 directory
119. C:\Windows\SysWOW64\Bmdehgcf.exe (command line: C:\Windows\system32\Bmdehgcf.exe) PID 2664
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
120. C:\Windows\SysWOW64\Bkheal32.exe (command line: C:\Windows\system32\Bkheal32.exe) PID 2840
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Bbcjfn32.exe (command line: C:\Windows\system32\Bbcjfn32.exe) PID 2868
122. C:\Windows\SysWOW64\Bdbfpafn.exe (command line: C:\Windows\system32\Bdbfpafn.exe) PID 2920