Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
13s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
31/10/2023, 08:39
Behavioral task
behavioral1
Sample
NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe
-
Size
165KB
-
MD5
c9d80b4592bfcea7b69124a89aa015e2
-
SHA1
c2582af0999e8754190e0b080d313654a61ad316
-
SHA256
50d9fc6e9db862a65c85bca1bb98dfe33ff839cc520121a98cc1c7cae8fd386c
-
SHA512
195cf04841ec4a3a49531d08db76f24e5af1727c360879aadee66f2fa8edeca369d2210a9aa50502928d2b1a4c3be6870f163ce607d0dd383f87de7d96479961
-
SSDEEP
3072:e3hVBb7rZXpSfWNgwTV2gChQbGxI8opFWehLrCimBaH8UH300UqrJ:e3B/GwTV2geQbGxI8oPWHpaH8m3pUqN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgpkpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mamgmofp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclcijfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdbiji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aekqmbod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfldoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eflill32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlddkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgckjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjfek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfjggo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednbncmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgphcqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chhldeho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaelanmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlbboiip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Makjho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgkil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqdbiopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgjqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khkpijma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgmoggn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnhdqdnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbemfbdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifdbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcqaok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncmmmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecfldoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgnokb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lflplbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkihdioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noacef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjhmfekp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojddmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnejbmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfogake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfolaang.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmfad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpqnhadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dedlag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqdbiopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjlgmlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jblnaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgopf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpgajgeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbeoibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdgkco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfnpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eapfagno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgjqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlpneh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlddkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohnaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkacpihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cafgle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidhof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noljjglk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnalad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfblgca.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2144-0-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x000e00000001201d-5.dat family_berbew behavioral1/memory/2144-6-0x0000000000220000-0x0000000000263000-memory.dmp family_berbew behavioral1/files/0x000e00000001201d-9.dat family_berbew behavioral1/files/0x000e00000001201d-8.dat family_berbew behavioral1/files/0x000e00000001201d-12.dat family_berbew behavioral1/files/0x000e00000001201d-13.dat family_berbew behavioral1/files/0x0027000000018696-20.dat family_berbew behavioral1/memory/2120-24-0x0000000000220000-0x0000000000263000-memory.dmp family_berbew behavioral1/memory/3040-31-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x0007000000018b6f-34.dat family_berbew behavioral1/files/0x0007000000018b6f-39.dat family_berbew behavioral1/files/0x0007000000018b6f-40.dat family_berbew behavioral1/files/0x0007000000018b6f-35.dat family_berbew behavioral1/files/0x0007000000018b6f-32.dat family_berbew behavioral1/files/0x0027000000018696-26.dat family_berbew behavioral1/files/0x0027000000018696-25.dat family_berbew behavioral1/files/0x0007000000018b8c-51.dat family_berbew behavioral1/files/0x0007000000018b8c-48.dat family_berbew behavioral1/files/0x0007000000018b8c-47.dat family_berbew behavioral1/files/0x0007000000018b8c-45.dat family_berbew behavioral1/files/0x0027000000018696-22.dat family_berbew behavioral1/files/0x0027000000018696-18.dat family_berbew behavioral1/files/0x0007000000018b8c-53.dat family_berbew behavioral1/memory/2752-58-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x0008000000018bab-65.dat family_berbew behavioral1/memory/2784-67-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x0008000000018bab-66.dat family_berbew behavioral1/files/0x0008000000018bab-62.dat family_berbew behavioral1/files/0x0008000000018bab-61.dat family_berbew behavioral1/files/0x0008000000018bab-59.dat family_berbew behavioral1/memory/2748-52-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/memory/2492-79-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x000500000001949b-100.dat family_berbew behavioral1/memory/324-105-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x000500000001949b-104.dat family_berbew behavioral1/files/0x00050000000194a1-113.dat family_berbew behavioral1/memory/548-118-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x00050000000194a1-119.dat family_berbew behavioral1/files/0x00050000000194ab-131.dat family_berbew behavioral1/memory/2892-136-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x00050000000194ab-130.dat family_berbew behavioral1/files/0x00050000000194ab-127.dat family_berbew behavioral1/files/0x00050000000194ab-126.dat family_berbew behavioral1/files/0x00050000000194ab-124.dat family_berbew behavioral1/files/0x00050000000194a1-117.dat family_berbew behavioral1/files/0x00050000000194a1-111.dat family_berbew behavioral1/files/0x00050000000194a1-107.dat family_berbew behavioral1/files/0x0005000000019526-137.dat family_berbew behavioral1/files/0x000500000001949b-106.dat family_berbew behavioral1/files/0x000500000001949b-95.dat family_berbew behavioral1/memory/2924-93-0x0000000000400000-0x0000000000443000-memory.dmp family_berbew behavioral1/files/0x0005000000019456-92.dat family_berbew behavioral1/files/0x0005000000019456-91.dat family_berbew behavioral1/files/0x0005000000019456-87.dat family_berbew behavioral1/files/0x000500000001949b-98.dat family_berbew behavioral1/files/0x0005000000019456-81.dat family_berbew behavioral1/files/0x00050000000193bb-80.dat family_berbew behavioral1/files/0x0005000000019456-85.dat family_berbew behavioral1/files/0x00050000000193bb-78.dat family_berbew behavioral1/files/0x00050000000193bb-75.dat family_berbew behavioral1/files/0x00050000000193bb-74.dat family_berbew behavioral1/files/0x00050000000193bb-72.dat family_berbew behavioral1/files/0x0005000000019526-139.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2120 Bjbcfn32.exe 3040 Baohhgnf.exe 2748 Bobhal32.exe 2752 Cdoajb32.exe 2784 Cbdnko32.exe 2492 Cinfhigl.exe 2924 Cbgjqo32.exe 324 Clooiddm.exe 548 Cgdcgm32.exe 2892 Cophko32.exe 2012 Chhldeho.exe 1616 Dodafoni.exe 1956 Dgpfkakd.exe 1908 Dddfdejn.exe 2324 Dnlkmkpn.exe 2844 Efjlgmlf.exe 2352 Eflill32.exe 1036 Elhnof32.exe 764 Ebefgm32.exe 1464 Eknkpbdf.exe 1108 Edfpih32.exe 1960 Fbjpblip.exe 896 Fidhof32.exe 2268 Fgiepced.exe 1496 Fncmmmma.exe 3000 Fnejbmko.exe 2448 Fgnokb32.exe 1548 Fbgpkpnn.exe 1072 Gpnmjd32.exe 2716 Gembhj32.exe 2728 Gjijqa32.exe 2496 Gdboig32.exe 880 Gngcgp32.exe 2500 Hhpgpebh.exe 1656 Hnjplo32.exe 1992 Hpkldg32.exe 832 Hjqqap32.exe 596 Hjcmgp32.exe 1248 Hihjhl32.exe 1500 Hbqoqbho.exe 1932 Hijgml32.exe 604 Ilicig32.exe 1876 Iaelanmg.exe 1052 Iimcclni.exe 312 Ilkpogmm.exe 2216 Ibehla32.exe 1848 Idfdcijh.exe 944 Jjjclobg.exe 1124 Jpfhoi32.exe 560 Jajala32.exe 1884 Jjaimn32.exe 1844 Jonbee32.exe 2464 Jblnaq32.exe 1408 Jlbboiip.exe 800 Kncofa32.exe 2616 Kfjggo32.exe 2700 Kkgopf32.exe 2524 Knekla32.exe 2604 Khkpijma.exe 2044 Kqfdnljm.exe 1732 Kceqjhiq.exe 2776 Kjoifb32.exe 1560 Kcgmoggn.exe 616 Kjaelaok.exe -
Loads dropped DLL 64 IoCs
pid Process 2144 NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe 2144 NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe 2120 Bjbcfn32.exe 2120 Bjbcfn32.exe 3040 Baohhgnf.exe 3040 Baohhgnf.exe 2748 Bobhal32.exe 2748 Bobhal32.exe 2752 Cdoajb32.exe 2752 Cdoajb32.exe 2784 Cbdnko32.exe 2784 Cbdnko32.exe 2492 Cinfhigl.exe 2492 Cinfhigl.exe 2924 Cbgjqo32.exe 2924 Cbgjqo32.exe 324 Clooiddm.exe 324 Clooiddm.exe 548 Cgdcgm32.exe 548 Cgdcgm32.exe 2892 Cophko32.exe 2892 Cophko32.exe 2012 Chhldeho.exe 2012 Chhldeho.exe 1616 Dodafoni.exe 1616 Dodafoni.exe 1956 Dgpfkakd.exe 1956 Dgpfkakd.exe 1908 Dddfdejn.exe 1908 Dddfdejn.exe 2324 Dnlkmkpn.exe 2324 Dnlkmkpn.exe 2844 Efjlgmlf.exe 2844 Efjlgmlf.exe 2352 Eflill32.exe 2352 Eflill32.exe 1036 Elhnof32.exe 1036 Elhnof32.exe 764 Ebefgm32.exe 764 Ebefgm32.exe 1464 Eknkpbdf.exe 1464 Eknkpbdf.exe 1108 Edfpih32.exe 1108 Edfpih32.exe 1960 Fbjpblip.exe 1960 Fbjpblip.exe 896 Fidhof32.exe 896 Fidhof32.exe 2268 Fgiepced.exe 2268 Fgiepced.exe 1496 Fncmmmma.exe 1496 Fncmmmma.exe 3000 Fnejbmko.exe 3000 Fnejbmko.exe 2448 Fgnokb32.exe 2448 Fgnokb32.exe 1548 Fbgpkpnn.exe 1548 Fbgpkpnn.exe 1072 Gpnmjd32.exe 1072 Gpnmjd32.exe 2716 Gembhj32.exe 2716 Gembhj32.exe 2728 Gjijqa32.exe 2728 Gjijqa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pggdejno.exe Pqnlhpfb.exe File created C:\Windows\SysWOW64\Pdddkijo.dll Aoohekal.exe File created C:\Windows\SysWOW64\Ofmcfn32.dll Dodafoni.exe File created C:\Windows\SysWOW64\Jgjiif32.dll Kncofa32.exe File opened for modification C:\Windows\SysWOW64\Lbogfcjc.exe Lopkjhko.exe File created C:\Windows\SysWOW64\Nhdocl32.exe Nefbga32.exe File opened for modification C:\Windows\SysWOW64\Odgodl32.exe Olpgconp.exe File created C:\Windows\SysWOW64\Npgbpebh.dll Oifdbb32.exe File created C:\Windows\SysWOW64\Dakmfh32.exe Domqjm32.exe File opened for modification C:\Windows\SysWOW64\Epgphcqd.exe Eccpoo32.exe File created C:\Windows\SysWOW64\Qfndckhj.dll Dddfdejn.exe File opened for modification C:\Windows\SysWOW64\Jlbboiip.exe Jblnaq32.exe File created C:\Windows\SysWOW64\Oaebbp32.dll Jblnaq32.exe File opened for modification C:\Windows\SysWOW64\Kfjggo32.exe Kncofa32.exe File opened for modification C:\Windows\SysWOW64\Dakmfh32.exe Domqjm32.exe File created C:\Windows\SysWOW64\Ahehia32.dll Efjlgmlf.exe File opened for modification C:\Windows\SysWOW64\Jpfhoi32.exe Jjjclobg.exe File created C:\Windows\SysWOW64\Khkpijma.exe Knekla32.exe File created C:\Windows\SysWOW64\Lopkjhko.exe Lifbmn32.exe File created C:\Windows\SysWOW64\Lgilllcm.dll Gpnmjd32.exe File created C:\Windows\SysWOW64\Pdbahpec.exe Pcaepg32.exe File created C:\Windows\SysWOW64\Pkljdj32.exe Pdbahpec.exe File created C:\Windows\SysWOW64\Pbmkli32.dll Qjhmfekp.exe File created C:\Windows\SysWOW64\Nhlddkmc.exe Naalga32.exe File created C:\Windows\SysWOW64\Gmfhfajb.dll Oionacqo.exe File created C:\Windows\SysWOW64\Oidglb32.exe Odgodl32.exe File opened for modification C:\Windows\SysWOW64\Efdhpjok.exe Ecfldoph.exe File opened for modification C:\Windows\SysWOW64\Aennba32.exe Aboaff32.exe File created C:\Windows\SysWOW64\Ddnfop32.exe Dmdnbecj.exe File created C:\Windows\SysWOW64\Dgpfkakd.exe Dodafoni.exe File opened for modification C:\Windows\SysWOW64\Gjijqa32.exe Gembhj32.exe File created C:\Windows\SysWOW64\Ocbjdb32.dll Gembhj32.exe File created C:\Windows\SysWOW64\Olbchn32.exe Oidglb32.exe File created C:\Windows\SysWOW64\Glegaime.dll Efdhpjok.exe File created C:\Windows\SysWOW64\Bobhal32.exe Baohhgnf.exe File created C:\Windows\SysWOW64\Fbgpkpnn.exe Fgnokb32.exe File created C:\Windows\SysWOW64\Ljfogake.exe Lbogfcjc.exe File created C:\Windows\SysWOW64\Ajmfad32.exe Abfnpg32.exe File opened for modification C:\Windows\SysWOW64\Abmdafpp.exe Aoohekal.exe File opened for modification C:\Windows\SysWOW64\Cafgle32.exe Cikbhc32.exe File opened for modification C:\Windows\SysWOW64\Lnlnlc32.exe Lgbeoibb.exe File opened for modification C:\Windows\SysWOW64\Noacef32.exe Nhgkil32.exe File created C:\Windows\SysWOW64\Nadimacd.exe Nkjapglg.exe File opened for modification C:\Windows\SysWOW64\Pdgkco32.exe Pgckjk32.exe File created C:\Windows\SysWOW64\Fnejbmko.exe Fncmmmma.exe File created C:\Windows\SysWOW64\Kkgopf32.exe Kfjggo32.exe File opened for modification C:\Windows\SysWOW64\Makjho32.exe Lnlnlc32.exe File opened for modification C:\Windows\SysWOW64\Bnfblgca.exe Aennba32.exe File created C:\Windows\SysWOW64\Pnalad32.exe Pggdejno.exe File created C:\Windows\SysWOW64\Dlmkljal.dll Aboaff32.exe File opened for modification C:\Windows\SysWOW64\Fbjpblip.exe Edfpih32.exe File created C:\Windows\SysWOW64\Ilicig32.exe Hijgml32.exe File created C:\Windows\SysWOW64\Lgbeoibb.exe Lbemfbdk.exe File created C:\Windows\SysWOW64\Lkgela32.dll Naalga32.exe File opened for modification C:\Windows\SysWOW64\Hhpgpebh.exe Gngcgp32.exe File opened for modification C:\Windows\SysWOW64\Oionacqo.exe Ohnaik32.exe File created C:\Windows\SysWOW64\Oemegc32.exe Ocohkh32.exe File created C:\Windows\SysWOW64\Flacnl32.dll Qoeeolig.exe File created C:\Windows\SysWOW64\Nfolbbmp.dll Bjbcfn32.exe File created C:\Windows\SysWOW64\Kfjggo32.exe Kncofa32.exe File created C:\Windows\SysWOW64\Goackilq.dll Kkgopf32.exe File created C:\Windows\SysWOW64\Mdbiji32.exe Mpgmijgc.exe File created C:\Windows\SysWOW64\Ecfldoph.exe Epgphcqd.exe File opened for modification C:\Windows\SysWOW64\Bjbcfn32.exe NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opifnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilicig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfebijjj.dll" Lnhdqdnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcdeq32.dll" Opifnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfogake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllcjack.dll" Lflplbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfhgcpi.dll" Nocpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjhpemb.dll" Nhgkil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naalga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkidapal.dll" Nadimacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oifdbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcebdq32.dll" Dpqnhadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmfaill.dll" Cbgjqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilbn32.dll" Khkpijma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejpdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecfldoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abkhkgbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgmbkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iimcclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknjekca.dll" Ocgbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjjhk32.dll" Qqdbiopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjijqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflplbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpgajgeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakemm32.dll" Lopkjhko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbejeo32.dll" Nmkncofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noljjglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeiligca.dll" Nhdocl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aekqmbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paefhp32.dll" Fgnokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iimcclni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjaimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biliep32.dll" Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpoag32.dll" Cgdcgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjlgmlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fidhof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpqnhadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dllhhaep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dllhhaep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbdnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naopaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hckabh32.dll" Ocllehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dddfdejn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajilqpqd.dll" Hbqoqbho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqnlhpfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dodafoni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mamgmofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aennba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqfdnljm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjgop32.dll" Lgpiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfcik32.dll" Lgbeoibb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knekla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdebnpa.dll" Odgodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ednbncmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfcag32.dll" Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgdcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofmcfn32.dll" Dodafoni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgnokb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifdbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onejdijo.dll" Dakmfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaelanmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlbboiip.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2144 wrote to memory of 2120 2144 NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe 28 PID 2144 wrote to memory of 2120 2144 NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe 28 PID 2144 wrote to memory of 2120 2144 NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe 28 PID 2144 wrote to memory of 2120 2144 NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe 28 PID 2120 wrote to memory of 3040 2120 Bjbcfn32.exe 29 PID 2120 wrote to memory of 3040 2120 Bjbcfn32.exe 29 PID 2120 wrote to memory of 3040 2120 Bjbcfn32.exe 29 PID 2120 wrote to memory of 3040 2120 Bjbcfn32.exe 29 PID 3040 wrote to memory of 2748 3040 Baohhgnf.exe 31 PID 3040 wrote to memory of 2748 3040 Baohhgnf.exe 31 PID 3040 wrote to memory of 2748 3040 Baohhgnf.exe 31 PID 3040 wrote to memory of 2748 3040 Baohhgnf.exe 31 PID 2748 wrote to memory of 2752 2748 Bobhal32.exe 30 PID 2748 wrote to memory of 2752 2748 Bobhal32.exe 30 PID 2748 wrote to memory of 2752 2748 Bobhal32.exe 30 PID 2748 wrote to memory of 2752 2748 Bobhal32.exe 30 PID 2752 wrote to memory of 2784 2752 Cdoajb32.exe 32 PID 2752 wrote to memory of 2784 2752 Cdoajb32.exe 32 PID 2752 wrote to memory of 2784 2752 Cdoajb32.exe 32 PID 2752 wrote to memory of 2784 2752 Cdoajb32.exe 32 PID 2784 wrote to memory of 2492 2784 Cbdnko32.exe 38 PID 2784 wrote to memory of 2492 2784 Cbdnko32.exe 38 PID 2784 wrote to memory of 2492 2784 Cbdnko32.exe 38 PID 2784 wrote to memory of 2492 2784 Cbdnko32.exe 38 PID 2492 wrote to memory of 2924 2492 Cinfhigl.exe 33 PID 2492 wrote to memory of 2924 2492 Cinfhigl.exe 33 PID 2492 wrote to memory of 2924 2492 Cinfhigl.exe 33 PID 2492 wrote to memory of 2924 2492 Cinfhigl.exe 33 PID 2924 wrote to memory of 324 2924 Cbgjqo32.exe 37 PID 2924 wrote to memory of 324 2924 Cbgjqo32.exe 37 PID 2924 wrote to memory of 324 2924 Cbgjqo32.exe 37 PID 2924 wrote to memory of 324 2924 Cbgjqo32.exe 37 PID 324 wrote to memory of 548 324 Clooiddm.exe 34 PID 324 wrote to memory of 548 324 Clooiddm.exe 34 PID 324 wrote to memory of 548 324 Clooiddm.exe 34 PID 324 wrote to memory of 548 324 Clooiddm.exe 34 PID 548 wrote to memory of 2892 548 Cgdcgm32.exe 35 PID 548 wrote to memory of 2892 548 Cgdcgm32.exe 35 PID 548 wrote to memory of 2892 548 Cgdcgm32.exe 35 PID 548 wrote to memory of 2892 548 Cgdcgm32.exe 35 PID 2892 wrote to memory of 2012 2892 Cophko32.exe 36 PID 2892 wrote to memory of 2012 2892 Cophko32.exe 36 PID 2892 wrote to memory of 2012 2892 Cophko32.exe 36 PID 2892 wrote to memory of 2012 2892 Cophko32.exe 36 PID 2012 wrote to memory of 1616 2012 Chhldeho.exe 39 PID 2012 wrote to memory of 1616 2012 Chhldeho.exe 39 PID 2012 wrote to memory of 1616 2012 Chhldeho.exe 39 PID 2012 wrote to memory of 1616 2012 Chhldeho.exe 39 PID 1616 wrote to memory of 1956 1616 Dodafoni.exe 40 PID 1616 wrote to memory of 1956 1616 Dodafoni.exe 40 PID 1616 wrote to memory of 1956 1616 Dodafoni.exe 40 PID 1616 wrote to memory of 1956 1616 Dodafoni.exe 40 PID 1956 wrote to memory of 1908 1956 Dgpfkakd.exe 41 PID 1956 wrote to memory of 1908 1956 Dgpfkakd.exe 41 PID 1956 wrote to memory of 1908 1956 Dgpfkakd.exe 41 PID 1956 wrote to memory of 1908 1956 Dgpfkakd.exe 41 PID 1908 wrote to memory of 2324 1908 Dddfdejn.exe 42 PID 1908 wrote to memory of 2324 1908 Dddfdejn.exe 42 PID 1908 wrote to memory of 2324 1908 Dddfdejn.exe 42 PID 1908 wrote to memory of 2324 1908 Dddfdejn.exe 42 PID 2324 wrote to memory of 2844 2324 Dnlkmkpn.exe 43 PID 2324 wrote to memory of 2844 2324 Dnlkmkpn.exe 43 PID 2324 wrote to memory of 2844 2324 Dnlkmkpn.exe 43 PID 2324 wrote to memory of 2844 2324 Dnlkmkpn.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c9d80b4592bfcea7b69124a89aa015e2.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Baohhgnf.exeC:\Windows\system32\Baohhgnf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748
-
-
-
-
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492
-
-
-
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324
-
-
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe24⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe26⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe27⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe28⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe29⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe30⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe31⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe37⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe38⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe39⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe41⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe44⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe53⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe54⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe56⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1600 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe58⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe59⤵
- Drops file in System32 directory
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe60⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:460 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe62⤵PID:1784
-
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe64⤵PID:1448
-
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2428 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe68⤵
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe72⤵
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2620 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe77⤵PID:2504
-
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe78⤵PID:2920
-
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe79⤵PID:288
-
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe80⤵PID:1164
-
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe81⤵PID:664
-
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe82⤵PID:1712
-
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe83⤵PID:2444
-
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe84⤵
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1924 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe86⤵PID:1664
-
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe87⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe89⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe90⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe91⤵PID:2408
-
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe92⤵PID:1796
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe95⤵
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe96⤵PID:1840
-
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe97⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe100⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe101⤵
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe102⤵PID:2468
-
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe104⤵
- Drops file in System32 directory
PID:380 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe105⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe106⤵
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe107⤵PID:1800
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe108⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe110⤵
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe111⤵PID:2188
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe112⤵
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe114⤵PID:760
-
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe115⤵
- Drops file in System32 directory
PID:864 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe116⤵PID:1316
-
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe117⤵PID:2100
-
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe118⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe119⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe120⤵PID:1436
-
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe121⤵PID:2932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-