Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 170s
max time network: 126s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 28/10/2023, 19:57
Behavioral task behavioral1
Sample: NEAS.949d01732f924717bb50f6a5d6018620.exe
Resource: win7-20231020-en
Behavioral task behavioral2
Sample: NEAS.949d01732f924717bb50f6a5d6018620.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.949d01732f924717bb50f6a5d6018620.exe
Size: 85KB
MD5: 949d01732f924717bb50f6a5d6018620
SHA1: 7d9a48df80cbbe0bffb2fafc2b65146d550b1d75
SHA256: 023bb8b077757b6914013859ed09b552a3874274e919fa24674f5917d24f3f04
SHA512: e3155455521c0ba0e1643b4117af7f13a3fb16ec4d9c199310d6855395ee992d83c47186468ce8bbb9a26096177dcc8e0435b89a3c4add225fcc416f398cff94
SSDEEP: 1536:JCvgD62Zuhjl97JE/KrsDbX8z2500F43em2LH1MQ262AjCsQ2PCZZrqOlNfVSLUN:Jwu/KIDuVOLH1MQH2qC7ZQOlzSLUK+
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpqnhadq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hebdfind.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kklikejc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akeijlfq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beackp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnihdemo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbnljqic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkileele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbcdbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnfblgca.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aopahjll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qcqaok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bagkmb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijklknbn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iegjqk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nianhplq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnhoag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Biaign32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbdmeoob.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qaqnkafa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hicqmmfc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmcfhkjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ednbncmb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqnlhpfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kljabgnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oanefo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlnnnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Naalga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eddeladm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joiappkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkdhoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlhnifmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afgmodel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcfpel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fofpoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phcpgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecnoijbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcfpel32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbigpn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihbqdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbjmpcab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edibhmml.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffkoai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpiqmlfm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jajala32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pnopldgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aipfmane.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfmddp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anlhkbhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfkkpmko.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocllehcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cifelgmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abegfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gkpfmnlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjfpafmb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddiibc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipehmebh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lbicoamh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Domqjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmeolj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oijjka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lifbmn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocjophem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Elipgofb.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/memory/2200-0-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x00070000000120b7-5.dat | family_berbew
behavioral1/memory/2200-6-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
behavioral1/files/0x00070000000120b7-8.dat | family_berbew
behavioral1/files/0x00070000000120b7-9.dat | family_berbew
behavioral1/files/0x00070000000120b7-12.dat | family_berbew
behavioral1/files/0x00070000000120b7-13.dat | family_berbew
behavioral1/files/0x001b00000001422b-27.dat | family_berbew
behavioral1/files/0x0007000000014491-32.dat | family_berbew
behavioral1/files/0x0007000000014491-41.dat | family_berbew
behavioral1/memory/2404-40-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0007000000014491-39.dat | family_berbew
behavioral1/files/0x0007000000014491-35.dat | family_berbew
behavioral1/files/0x0007000000014505-46.dat | family_berbew
behavioral1/files/0x0007000000014505-52.dat | family_berbew
behavioral1/files/0x0007000000014505-49.dat | family_berbew
behavioral1/files/0x0007000000014505-48.dat | family_berbew
behavioral1/files/0x0007000000014491-34.dat | family_berbew
behavioral1/files/0x001b00000001422b-21.dat | family_berbew
behavioral1/memory/1740-20-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
behavioral1/files/0x001b00000001422b-18.dat | family_berbew
behavioral1/memory/2800-53-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0007000000014505-55.dat | family_berbew
behavioral1/memory/2288-54-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x001b00000001422b-25.dat | family_berbew
behavioral1/files/0x001b00000001422b-24.dat | family_berbew
behavioral1/files/0x0006000000014ad8-61.dat | family_berbew
behavioral1/files/0x0006000000014ad8-65.dat | family_berbew
behavioral1/files/0x0006000000014ad8-68.dat | family_berbew
behavioral1/files/0x0006000000014ad8-69.dat | family_berbew
behavioral1/files/0x0006000000014ad8-64.dat | family_berbew
behavioral1/memory/2288-63-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
behavioral1/files/0x0006000000014b9a-74.dat | family_berbew
behavioral1/memory/2200-76-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000014b9a-78.dat | family_berbew
behavioral1/files/0x0006000000014b9a-83.dat | family_berbew
behavioral1/memory/2592-82-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000014b9a-77.dat | family_berbew
behavioral1/files/0x0006000000014b9a-81.dat | family_berbew
behavioral1/files/0x0006000000014f77-92.dat | family_berbew
behavioral1/files/0x0006000000014f77-96.dat | family_berbew
behavioral1/files/0x0006000000014f77-97.dat | family_berbew
behavioral1/memory/1740-95-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000014f77-91.dat | family_berbew
behavioral1/memory/2592-90-0x0000000000220000-0x0000000000261000-memory.dmp | family_berbew
behavioral1/files/0x0006000000014f77-88.dat | family_berbew
behavioral1/memory/2640-102-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x000600000001531d-104.dat | family_berbew
behavioral1/memory/3012-117-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015594-121.dat | family_berbew
behavioral1/files/0x0006000000015594-125.dat | family_berbew
behavioral1/files/0x0006000000015594-126.dat | family_berbew
behavioral1/files/0x0006000000015594-120.dat | family_berbew
behavioral1/memory/2620-124-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015594-118.dat | family_berbew
behavioral1/files/0x000600000001531d-112.dat | family_berbew
behavioral1/files/0x000600000001560c-137.dat | family_berbew
behavioral1/files/0x000600000001560c-134.dat | family_berbew
behavioral1/files/0x000600000001560c-133.dat | family_berbew
behavioral1/files/0x000600000001560c-131.dat | family_berbew
behavioral1/files/0x000600000001531d-111.dat | family_berbew
behavioral1/memory/2288-110-0x0000000000400000-0x0000000000441000-memory.dmp | family_berbew
behavioral1/files/0x000600000001531d-107.dat | family_berbew
behavioral1/files/0x000600000001531d-106.dat | family_berbew
Executes dropped EXE (64 IoCs)
pid | Process
1740 | Gbqbaofc.exe
2404 | Heakcjcd.exe
2800 | Hfbhkb32.exe
2288 | Hpkldg32.exe
2620 | Hicqmmfc.exe
2592 | Hbleeb32.exe
2640 | Hldjnhce.exe
3012 | Hmcfhkjg.exe
3016 | Hflkaq32.exe
2952 | Ihmgiiff.exe
1728 | Iaelanmg.exe
1636 | Iimcclni.exe
1520 | Ihbqdh32.exe
528 | Iefamlak.exe
1584 | Ikefkcmo.exe
1000 | Jjjclobg.exe
796 | Jgncfcaa.exe
1996 | Jcedkd32.exe
1976 | Jlmicj32.exe
1924 | Jajala32.exe
1108 | Jblnaq32.exe
2196 | Jhffnk32.exe
2424 | Kopokehd.exe
1744 | Khiccj32.exe
1308 | Kobkpdfa.exe
904 | Kkileele.exe
1712 | Kbcdbp32.exe
1564 | Kklikejc.exe
2796 | Knjegqif.exe
2724 | Kddmdk32.exe
2704 | Kgbipf32.exe
3008 | Kjaelaok.exe
1988 | Kqknil32.exe
2716 | Lfhfab32.exe
2784 | Lifbmn32.exe
2976 | Lqmjnk32.exe
2912 | Lclgjg32.exe
488 | Lfjcfb32.exe
2944 | Lihobnap.exe
2920 | Lobgoh32.exe
1548 | Mhgoji32.exe
2324 | Mdpldi32.exe
2372 | Mfoiqe32.exe
2008 | Nlnnnk32.exe
2516 | Noljjglk.exe
1640 | Nfcbldmm.exe
844 | Nianhplq.exe
1540 | Nlpkdkkd.exe
1360 | Noogpfjh.exe
1900 | Namclbil.exe
2164 | Nidkmojn.exe
808 | Nlbgikia.exe
1004 | Noacef32.exe
2680 | Naopaa32.exe
2560 | Ndnlnm32.exe
2780 | Nkhdkgnj.exe
2792 | Naalga32.exe
2736 | Nhlddkmc.exe
2644 | Nkjapglg.exe
2884 | Nmhmlbkk.exe
2272 | Npgihn32.exe
2580 | Ogqaehak.exe
2956 | Oionacqo.exe
2928 | Odebolpe.exe
Loads dropped DLL (64 IoCs)
pid | Process
2200 | NEAS.949d01732f924717bb50f6a5d6018620.exe
2200 | NEAS.949d01732f924717bb50f6a5d6018620.exe
1740 | Gbqbaofc.exe
1740 | Gbqbaofc.exe
2404 | Heakcjcd.exe
2404 | Heakcjcd.exe
2800 | Hfbhkb32.exe
2800 | Hfbhkb32.exe
2288 | Hpkldg32.exe
2288 | Hpkldg32.exe
2620 | Hicqmmfc.exe
2620 | Hicqmmfc.exe
2592 | Hbleeb32.exe
2592 | Hbleeb32.exe
2640 | Hldjnhce.exe
2640 | Hldjnhce.exe
3012 | Hmcfhkjg.exe
3012 | Hmcfhkjg.exe
3016 | Hflkaq32.exe
3016 | Hflkaq32.exe
2952 | Ihmgiiff.exe
2952 | Ihmgiiff.exe
1728 | Iaelanmg.exe
1728 | Iaelanmg.exe
1636 | Iimcclni.exe
1636 | Iimcclni.exe
1520 | Ihbqdh32.exe
1520 | Ihbqdh32.exe
528 | Iefamlak.exe
528 | Iefamlak.exe
1584 | Ikefkcmo.exe
1584 | Ikefkcmo.exe
1000 | Jjjclobg.exe
1000 | Jjjclobg.exe
796 | Jgncfcaa.exe
796 | Jgncfcaa.exe
1996 | Jcedkd32.exe
1996 | Jcedkd32.exe
1976 | Jlmicj32.exe
1976 | Jlmicj32.exe
1924 | Jajala32.exe
1924 | Jajala32.exe
1108 | Jblnaq32.exe
1108 | Jblnaq32.exe
2196 | Jhffnk32.exe
2196 | Jhffnk32.exe
2424 | Kopokehd.exe
2424 | Kopokehd.exe
1744 | Khiccj32.exe
1744 | Khiccj32.exe
1308 | Kobkpdfa.exe
1308 | Kobkpdfa.exe
904 | Kkileele.exe
904 | Kkileele.exe
1712 | Kbcdbp32.exe
1712 | Kbcdbp32.exe
1564 | Kklikejc.exe
1564 | Kklikejc.exe
2796 | Knjegqif.exe
2796 | Knjegqif.exe
2724 | Kddmdk32.exe
2724 | Kddmdk32.exe
2704 | Kgbipf32.exe
2704 | Kgbipf32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Bbjdjjdn.exe | Bmnlbcfg.exe
File created | C:\Windows\SysWOW64\Hfbaql32.exe | Hbfepmmn.exe
File opened for modification | C:\Windows\SysWOW64\Hmglajcd.exe | Hfmddp32.exe
File created | C:\Windows\SysWOW64\Jbpdeogo.exe | Jodhdp32.exe
File created | C:\Windows\SysWOW64\Kjaelaok.exe | Kgbipf32.exe
File opened for modification | C:\Windows\SysWOW64\Mhgoji32.exe | Lobgoh32.exe
File created | C:\Windows\SysWOW64\Mdpldi32.exe | Mhgoji32.exe
File opened for modification | C:\Windows\SysWOW64\Qinjgbpg.exe | Qfonkfqd.exe
File created | C:\Windows\SysWOW64\Caphpgkj.dll | Lgkhdddo.exe
File opened for modification | C:\Windows\SysWOW64\Bkmhnjlh.exe | Becpap32.exe
File created | C:\Windows\SysWOW64\Daofpchf.exe | Copjdhib.exe
File created | C:\Windows\SysWOW64\Eggndi32.exe | Edibhmml.exe
File created | C:\Windows\SysWOW64\Elipgofb.exe | Eacljf32.exe
File created | C:\Windows\SysWOW64\Dlndnacm.exe | Diphbfdi.exe
File created | C:\Windows\SysWOW64\Ihmpobck.exe | Ipehmebh.exe
File created | C:\Windows\SysWOW64\Cmhlga32.dll | Jjbbpmgo.exe
File created | C:\Windows\SysWOW64\Hcohnaep.dll | Pilfpqaa.exe
File created | C:\Windows\SysWOW64\Hdoghdmd.exe | Hapklimq.exe
File created | C:\Windows\SysWOW64\Kljabgnh.exe | Kjleflod.exe
File created | C:\Windows\SysWOW64\Cqfbjhgf.exe | Baefnmml.exe
File created | C:\Windows\SysWOW64\Odgfhpob.dll | Mfoiqe32.exe
File created | C:\Windows\SysWOW64\Gaiedd32.dll | Pkjmoj32.exe
File opened for modification | C:\Windows\SysWOW64\Eolmip32.exe | Ejpdai32.exe
File opened for modification | C:\Windows\SysWOW64\Fdpkbf32.exe | Fnfcel32.exe
File opened for modification | C:\Windows\SysWOW64\Jajala32.exe | Jlmicj32.exe
File opened for modification | C:\Windows\SysWOW64\Nlnnnk32.exe | Mfoiqe32.exe
File created | C:\Windows\SysWOW64\Hckabh32.dll | Ocllehcj.exe
File opened for modification | C:\Windows\SysWOW64\Gqlebf32.exe | Gjbmelgm.exe
File opened for modification | C:\Windows\SysWOW64\Lkdhoc32.exe | Lhelbh32.exe
File opened for modification | C:\Windows\SysWOW64\Qaqnkafa.exe | Pejmfqan.exe
File created | C:\Windows\SysWOW64\Bpjmnknl.dll | Fjhcegll.exe
File opened for modification | C:\Windows\SysWOW64\Adaiee32.exe | Ggicgopd.exe
File created | C:\Windows\SysWOW64\Fppnga32.dll | Chqoipkk.exe
File opened for modification | C:\Windows\SysWOW64\Cojhejbh.exe | Ckolek32.exe
File opened for modification | C:\Windows\SysWOW64\Eapfagno.exe | Eoajel32.exe
File created | C:\Windows\SysWOW64\Jkcfcend.dll | Gmecmg32.exe
File created | C:\Windows\SysWOW64\Bgqcjlhp.exe | Bagkmb32.exe
File created | C:\Windows\SysWOW64\Bmlgia32.dll | Hphidanj.exe
File created | C:\Windows\SysWOW64\Ljajkolc.dll | Halbai32.exe
File created | C:\Windows\SysWOW64\Kielkojm.dll | Mngjeamd.exe
File opened for modification | C:\Windows\SysWOW64\Lgkhdddo.exe | Ldllgiek.exe
File opened for modification | C:\Windows\SysWOW64\Ajgbkbjp.exe | Acnjnh32.exe
File created | C:\Windows\SysWOW64\Peipigfb.dll | Dllhhaep.exe
File created | C:\Windows\SysWOW64\Qmkfmdne.dll | Gildahhp.exe
File created | C:\Windows\SysWOW64\Kmkejc32.dll | Hmglajcd.exe
File created | C:\Windows\SysWOW64\Gckemgnc.dll | Jodhdp32.exe
File opened for modification | C:\Windows\SysWOW64\Hnpbjnpo.exe | Hlafnbal.exe
File created | C:\Windows\SysWOW64\Ajgbkbjp.exe | Acnjnh32.exe
File opened for modification | C:\Windows\SysWOW64\Cbiiog32.exe | Ciaefa32.exe
File created | C:\Windows\SysWOW64\Lqmjnk32.exe | Lifbmn32.exe
File created | C:\Windows\SysWOW64\Fajplnhf.dll | Anolkh32.exe
File opened for modification | C:\Windows\SysWOW64\Debplg32.exe | Dohgomgf.exe
File created | C:\Windows\SysWOW64\Ffhnoj32.dll | Fofpoo32.exe
File created | C:\Windows\SysWOW64\Abhkfg32.exe | Akncimmh.exe
File opened for modification | C:\Windows\SysWOW64\Imiigiab.exe | Ijklknbn.exe
File created | C:\Windows\SysWOW64\Fckada32.dll | Kbigpn32.exe
File created | C:\Windows\SysWOW64\Eppcmncq.exe | Emagacdm.exe
File opened for modification | C:\Windows\SysWOW64\Ggicgopd.exe | Gdkgkcpq.exe
File created | C:\Windows\SysWOW64\Kbdjhe32.dll | Bleeioil.exe
File opened for modification | C:\Windows\SysWOW64\Fmcjhdbc.exe | Fheabelm.exe
File opened for modification | C:\Windows\SysWOW64\Ieigfk32.exe | Ibkkjp32.exe
File created | C:\Windows\SysWOW64\Bbknmg32.dll | Kbdmeoob.exe
File opened for modification | C:\Windows\SysWOW64\Bccjdnbi.exe | Bnfblgca.exe
File opened for modification | C:\Windows\SysWOW64\Nnkcpq32.exe | Nfdkoc32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqnfackh.dll" | Nnkcpq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Elajgpmj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eacljf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kklikejc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjlmca32.dll" | Kjaelaok.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pnopldgn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qfonkfqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ddiibc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imnbbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eppcmncq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdkgkcpq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnboam32.dll" | Dohgomgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhelbh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmldkn.dll" | Khiccj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coicmk32.dll" | Kkileele.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogleomil.dll" | Aekqmbod.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gfhgpg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kohnoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lqmjnk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gfhnjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hphidanj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbpdeogo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dlndnacm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" | Fcphnm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdhkfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcegq32.dll" | Gonocmbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ihmgiiff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagigd32.dll" | Ogqaehak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambnnc32.dll" | Cofnjj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Khabghdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Anlhkbhq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbgqjdce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbgmigeq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Copjdhib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhlbmkc.dll" | Kopokehd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mknhnalm.dll" | Aeidgbaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljghjpfe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljieppcb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Difnaqih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhmhm32.dll" | Epbpbnan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Halbai32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfmiaej.dll" | Ifampo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iegjqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbnfb32.dll" | Qdaglmcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akaneplm.dll" | Iaelanmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgfhpob.dll" | Mfoiqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknjekca.dll" | Odebolpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkllaj32.dll" | Bjallg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hckmla32.dll" | Becpap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jaijak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbknmg32.dll" | Kbdmeoob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmcidp.dll" | Ihmgiiff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akncimmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdfddadf.dll" | Eppcmncq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Naopaa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pqnlhpfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhhgcc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgkleabc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mhgoji32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bekmle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepckd32.dll" | Bekmle32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ieigfk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmcjhdbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmegncpp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2200 wrote to memory of 1740 2200 NEAS.949d01732f924717bb50f6a5d6018620.exe 27 PID 2200 wrote to memory of 1740 2200 NEAS.949d01732f924717bb50f6a5d6018620.exe 27 PID 2200 wrote to memory of 1740 2200 NEAS.949d01732f924717bb50f6a5d6018620.exe 27 PID 2200 wrote to memory of 1740 2200 NEAS.949d01732f924717bb50f6a5d6018620.exe 27 PID 1740 wrote to memory of 2404 1740 Gbqbaofc.exe 28 PID 1740 wrote to memory of 2404 1740 Gbqbaofc.exe 28 PID 1740 wrote to memory of 2404 1740 Gbqbaofc.exe 28 PID 1740 wrote to memory of 2404 1740 Gbqbaofc.exe 28 PID 2404 wrote to memory of 2800 2404 Heakcjcd.exe 29 PID 2404 wrote to memory of 2800 2404 Heakcjcd.exe 29 PID 2404 wrote to memory of 2800 2404 Heakcjcd.exe 29 PID 2404 wrote to memory of 2800 2404 Heakcjcd.exe 29 PID 2800 wrote to memory of 2288 2800 Hfbhkb32.exe 30 PID 2800 wrote to memory of 2288 2800 Hfbhkb32.exe 30 PID 2800 wrote to memory of 2288 2800 Hfbhkb32.exe 30 PID 2800 wrote to memory of 2288 2800 Hfbhkb32.exe 30 PID 2288 wrote to memory of 2620 2288 Hpkldg32.exe 31 PID 2288 wrote to memory of 2620 2288 Hpkldg32.exe 31 PID 2288 wrote to memory of 2620 2288 Hpkldg32.exe 31 PID 2288 wrote to memory of 2620 2288 Hpkldg32.exe 31 PID 2620 wrote to memory of 2592 2620 Hicqmmfc.exe 32 PID 2620 wrote to memory of 2592 2620 Hicqmmfc.exe 32 PID 2620 wrote to memory of 2592 2620 Hicqmmfc.exe 32 PID 2620 wrote to memory of 2592 2620 Hicqmmfc.exe 32 PID 2592 wrote to memory of 2640 2592 Hbleeb32.exe 33 PID 2592 wrote to memory of 2640 2592 Hbleeb32.exe 33 PID 2592 wrote to memory of 2640 2592 Hbleeb32.exe 33 PID 2592 wrote to memory of 2640 2592 Hbleeb32.exe 33 PID 2640 wrote to memory of 3012 2640 Hldjnhce.exe 34 PID 2640 wrote to memory of 3012 2640 Hldjnhce.exe 34 PID 2640 wrote to memory of 3012 2640 Hldjnhce.exe 34 PID 2640 wrote to memory of 3012 2640 Hldjnhce.exe 34 PID 3012 wrote to memory of 3016 3012 Hmcfhkjg.exe 35 PID 3012 wrote to memory of 3016 3012 Hmcfhkjg.exe 35 PID 3012 
wrote to memory of 3016 3012 Hmcfhkjg.exe 35 PID 3012 wrote to memory of 3016 3012 Hmcfhkjg.exe 35 PID 3016 wrote to memory of 2952 3016 Hflkaq32.exe 36 PID 3016 wrote to memory of 2952 3016 Hflkaq32.exe 36 PID 3016 wrote to memory of 2952 3016 Hflkaq32.exe 36 PID 3016 wrote to memory of 2952 3016 Hflkaq32.exe 36 PID 2952 wrote to memory of 1728 2952 Ihmgiiff.exe 37 PID 2952 wrote to memory of 1728 2952 Ihmgiiff.exe 37 PID 2952 wrote to memory of 1728 2952 Ihmgiiff.exe 37 PID 2952 wrote to memory of 1728 2952 Ihmgiiff.exe 37 PID 1728 wrote to memory of 1636 1728 Iaelanmg.exe 38 PID 1728 wrote to memory of 1636 1728 Iaelanmg.exe 38 PID 1728 wrote to memory of 1636 1728 Iaelanmg.exe 38 PID 1728 wrote to memory of 1636 1728 Iaelanmg.exe 38 PID 1636 wrote to memory of 1520 1636 Iimcclni.exe 39 PID 1636 wrote to memory of 1520 1636 Iimcclni.exe 39 PID 1636 wrote to memory of 1520 1636 Iimcclni.exe 39 PID 1636 wrote to memory of 1520 1636 Iimcclni.exe 39 PID 1520 wrote to memory of 528 1520 Ihbqdh32.exe 40 PID 1520 wrote to memory of 528 1520 Ihbqdh32.exe 40 PID 1520 wrote to memory of 528 1520 Ihbqdh32.exe 40 PID 1520 wrote to memory of 528 1520 Ihbqdh32.exe 40 PID 528 wrote to memory of 1584 528 Iefamlak.exe 41 PID 528 wrote to memory of 1584 528 Iefamlak.exe 41 PID 528 wrote to memory of 1584 528 Iefamlak.exe 41 PID 528 wrote to memory of 1584 528 Iefamlak.exe 41 PID 1584 wrote to memory of 1000 1584 Ikefkcmo.exe 42 PID 1584 wrote to memory of 1000 1584 Ikefkcmo.exe 42 PID 1584 wrote to memory of 1000 1584 Ikefkcmo.exe 42 PID 1584 wrote to memory of 1000 1584 Ikefkcmo.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.949d01732f924717bb50f6a5d6018620.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.949d01732f924717bb50f6a5d6018620.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe34⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe35⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe38⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe39⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe40⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe43⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe46⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe47⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe50⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe51⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe52⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe53⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe54⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe56⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe57⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe59⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe60⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe61⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe62⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe64⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe66⤵PID:2252
-
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe67⤵PID:2984
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe68⤵PID:1628
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:268 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe70⤵PID:1056
-
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe71⤵PID:1644
-
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe72⤵PID:572
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe74⤵PID:1020
-
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe75⤵PID:292
-
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe76⤵PID:1400
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe77⤵PID:632
-
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe78⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe79⤵PID:2892
-
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe80⤵PID:2824
-
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe81⤵PID:2708
-
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe82⤵PID:2632
-
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe83⤵PID:2980
-
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe84⤵PID:2864
-
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe87⤵PID:2368
-
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe89⤵PID:1160
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe90⤵PID:1824
-
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe91⤵PID:2028
-
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe92⤵PID:1336
-
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe95⤵PID:2384
-
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe96⤵PID:2676
-
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe97⤵PID:2032
-
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe100⤵PID:2880
-
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe101⤵PID:2668
-
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe102⤵PID:2844
-
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe103⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe104⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe105⤵PID:1780
-
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe106⤵PID:320
-
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe107⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe109⤵PID:2064
-
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe110⤵PID:448
-
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe111⤵PID:2876
-
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe113⤵PID:612
-
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe114⤵PID:2376
-
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1180 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:892 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe117⤵PID:2448
-
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe118⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe119⤵PID:2828
-
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe120⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe121⤵PID:2940
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe122⤵
- Modifies registry class
PID:2968