Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
49s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
01/11/2023, 14:18
Behavioral task
behavioral1
Sample
NEAS.b83167734464e7c3c7b91335ab150b80.exe
Resource
win7-20231023-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.b83167734464e7c3c7b91335ab150b80.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.b83167734464e7c3c7b91335ab150b80.exe
-
Size
125KB
-
MD5
b83167734464e7c3c7b91335ab150b80
-
SHA1
67a2d4a280121493ad376cc0bf2fedb90609c98b
-
SHA256
32d59e299e20a0b4115a3ec5bc7367662152e05d72bf4743bc31796fb5350a77
-
SHA512
515f36234618dcef6efe100f133961df45790b3509daabf45361e2f194b0518f347afed40105fad2738050d8fd244c4cd86c465957073cc7e59056bfcfaea816
-
SSDEEP
3072:ozR+LYpIWCqfhDJldMc41WdTCn93OGey/ZhJakrPF:ozFp6qkcXTCndOGeKTaG
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icjhagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heokmmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejkkfjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimgeigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjnamh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikefkcmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnnbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dohgomgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmbmeifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnkmqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abeemhkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Candgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpiedieo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmjnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aipfmane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbaken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdecea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmagdbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblnaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffpki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagmmgdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqomci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npijoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqbecp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epecbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkiicmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blaopqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emaijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjclobg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aibcba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inhanl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmlhnagm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajpjakhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfedqagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicqmmfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meicnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lclicpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldbofgme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpcmpijk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dldhdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hicqmmfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llnaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijbdha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkadjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfkeokjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dngabk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmhamoho.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1692-0-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x00060000000120bd-5.dat family_berbew behavioral1/memory/1692-6-0x0000000000450000-0x0000000000497000-memory.dmp family_berbew behavioral1/files/0x00060000000120bd-9.dat family_berbew behavioral1/files/0x00060000000120bd-8.dat family_berbew behavioral1/files/0x00060000000120bd-12.dat family_berbew behavioral1/files/0x00060000000120bd-13.dat family_berbew behavioral1/files/0x0035000000016fda-21.dat family_berbew behavioral1/memory/2704-31-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x00060000000186cf-38.dat family_berbew behavioral1/memory/2732-44-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x00060000000186cf-39.dat family_berbew behavioral1/files/0x00060000000186cf-35.dat family_berbew behavioral1/files/0x0007000000018b10-53.dat family_berbew behavioral1/memory/2524-52-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0008000000018b43-64.dat family_berbew behavioral1/memory/2552-69-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0008000000018b43-65.dat family_berbew behavioral1/files/0x0008000000018b43-60.dat family_berbew behavioral1/files/0x0008000000018b43-58.dat family_berbew behavioral1/files/0x0007000000018b10-51.dat family_berbew behavioral1/files/0x0006000000018bc0-71.dat family_berbew behavioral1/files/0x0006000000018bc0-73.dat family_berbew behavioral1/files/0x0006000000018f90-90.dat family_berbew behavioral1/memory/616-96-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0006000000018f90-91.dat family_berbew behavioral1/files/0x0006000000018f90-86.dat family_berbew behavioral1/files/0x000500000001932c-103.dat family_berbew behavioral1/files/0x000500000001932c-100.dat family_berbew behavioral1/files/0x000500000001932c-99.dat family_berbew behavioral1/files/0x000500000001932c-97.dat family_berbew behavioral1/files/0x0006000000018f90-84.dat family_berbew behavioral1/files/0x0006000000018f90-80.dat family_berbew behavioral1/files/0x0006000000018bc0-79.dat family_berbew behavioral1/memory/2552-78-0x00000000001B0000-0x00000000001F7000-memory.dmp family_berbew behavioral1/files/0x0006000000018bc0-74.dat family_berbew behavioral1/files/0x0006000000018bc0-77.dat family_berbew behavioral1/files/0x0007000000018b10-48.dat family_berbew behavioral1/files/0x0008000000018b43-54.dat family_berbew behavioral1/files/0x0007000000018b10-47.dat family_berbew behavioral1/files/0x0007000000018b10-45.dat family_berbew behavioral1/files/0x00060000000186cf-34.dat family_berbew behavioral1/memory/980-110-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/memory/2960-111-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x000500000001932c-105.dat family_berbew behavioral1/memory/616-104-0x0000000000270000-0x00000000002B7000-memory.dmp family_berbew behavioral1/files/0x00060000000186cf-32.dat family_berbew behavioral1/files/0x0035000000016fda-26.dat family_berbew behavioral1/files/0x0035000000016fda-25.dat family_berbew behavioral1/files/0x0035000000016fda-20.dat family_berbew behavioral1/files/0x0005000000019396-112.dat family_berbew behavioral1/files/0x0005000000019396-115.dat family_berbew behavioral1/files/0x0005000000019396-118.dat family_berbew behavioral1/files/0x0005000000019396-120.dat family_berbew behavioral1/memory/2856-119-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x0005000000019396-114.dat family_berbew behavioral1/files/0x0035000000016fda-18.dat family_berbew behavioral1/files/0x00050000000193c5-131.dat family_berbew behavioral1/files/0x00050000000193c5-128.dat family_berbew behavioral1/files/0x00050000000193c5-127.dat family_berbew behavioral1/files/0x00050000000193c5-125.dat family_berbew behavioral1/memory/2168-137-0x0000000000400000-0x0000000000447000-memory.dmp family_berbew behavioral1/files/0x00050000000193c5-132.dat family_berbew behavioral1/files/0x0005000000019480-146.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2284 Gjdhbc32.exe 2704 Giieco32.exe 2732 Gpcmpijk.exe 2524 Gikaio32.exe 2552 Gbcfadgl.exe 2960 Ghqnjk32.exe 616 Hipkdnmf.exe 980 Homclekn.exe 2856 Hoopae32.exe 2168 Hhgdkjol.exe 2192 Hapicp32.exe 2564 Hkhnle32.exe 628 Icfofg32.exe 1184 Inkccpgk.exe 2828 Ijbdha32.exe 2176 Icjhagdp.exe 556 Ilcmjl32.exe 2124 Ifkacb32.exe 540 Jocflgga.exe 1780 Jgojpjem.exe 1084 Jofbag32.exe 1004 Jdehon32.exe 2260 Jjbpgd32.exe 1480 Jjdmmdnh.exe 1500 Jghmfhmb.exe 2080 Kocbkk32.exe 1612 Kfmjgeaj.exe 2644 Kebgia32.exe 2884 Kklpekno.exe 2504 Kgcpjmcb.exe 2740 Kaldcb32.exe 2500 Kbkameaf.exe 1860 Lclnemgd.exe 576 Leljop32.exe 2780 Lgjfkk32.exe 564 Lmgocb32.exe 1532 Lcagpl32.exe 2180 Linphc32.exe 2744 Lphhenhc.exe 1204 Lfbpag32.exe 1324 Lmlhnagm.exe 2332 Lpjdjmfp.exe 1172 Legmbd32.exe 2400 Mpmapm32.exe 2172 Mffimglk.exe 444 Mhhfdo32.exe 836 Mbmjah32.exe 1292 Mhjbjopf.exe 1100 Modkfi32.exe 2076 Mencccop.exe 3028 Mkklljmg.exe 1668 Maedhd32.exe 3032 Mkmhaj32.exe 2652 Magqncba.exe 2600 Nhaikn32.exe 1720 Nmnace32.exe 2972 Nplmop32.exe 780 Ncpcfkbg.exe 2820 Npccpo32.exe 2592 Oagmmgdm.exe 1736 Oegbheiq.exe 1568 Okdkal32.exe 1348 Oancnfoe.exe 2008 Onecbg32.exe -
Loads dropped DLL 64 IoCs
pid Process 1692 NEAS.b83167734464e7c3c7b91335ab150b80.exe 1692 NEAS.b83167734464e7c3c7b91335ab150b80.exe 2284 Gjdhbc32.exe 2284 Gjdhbc32.exe 2704 Giieco32.exe 2704 Giieco32.exe 2732 Gpcmpijk.exe 2732 Gpcmpijk.exe 2524 Gikaio32.exe 2524 Gikaio32.exe 2552 Gbcfadgl.exe 2552 Gbcfadgl.exe 2960 Ghqnjk32.exe 2960 Ghqnjk32.exe 616 Hipkdnmf.exe 616 Hipkdnmf.exe 980 Homclekn.exe 980 Homclekn.exe 2856 Hoopae32.exe 2856 Hoopae32.exe 2168 Hhgdkjol.exe 2168 Hhgdkjol.exe 2192 Hapicp32.exe 2192 Hapicp32.exe 2564 Hkhnle32.exe 2564 Hkhnle32.exe 628 Icfofg32.exe 628 Icfofg32.exe 1184 Inkccpgk.exe 1184 Inkccpgk.exe 2828 Ijbdha32.exe 2828 Ijbdha32.exe 2176 Icjhagdp.exe 2176 Icjhagdp.exe 556 Ilcmjl32.exe 556 Ilcmjl32.exe 2124 Ifkacb32.exe 2124 Ifkacb32.exe 540 Jocflgga.exe 540 Jocflgga.exe 1780 Jgojpjem.exe 1780 Jgojpjem.exe 1084 Jofbag32.exe 1084 Jofbag32.exe 1004 Jdehon32.exe 1004 Jdehon32.exe 2260 Jjbpgd32.exe 2260 Jjbpgd32.exe 1480 Jjdmmdnh.exe 1480 Jjdmmdnh.exe 1500 Jghmfhmb.exe 1500 Jghmfhmb.exe 2080 Kocbkk32.exe 2080 Kocbkk32.exe 1612 Kfmjgeaj.exe 1612 Kfmjgeaj.exe 2644 Kebgia32.exe 2644 Kebgia32.exe 2884 Kklpekno.exe 2884 Kklpekno.exe 2504 Kgcpjmcb.exe 2504 Kgcpjmcb.exe 2740 Kaldcb32.exe 2740 Kaldcb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jbdipkfe.dll Agdjkogm.exe File created C:\Windows\SysWOW64\Dgmbkk32.exe Dpcjnabn.exe File created C:\Windows\SysWOW64\Ejkkfjkj.exe Ehjona32.exe File created C:\Windows\SysWOW64\Jhbold32.exe Jpgjgboe.exe File opened for modification C:\Windows\SysWOW64\Degiggjm.exe Dkadjn32.exe File opened for modification C:\Windows\SysWOW64\Knmdeioh.exe Kjokokha.exe File created C:\Windows\SysWOW64\Eioojl32.dll Poapfn32.exe File created C:\Windows\SysWOW64\Jglgpdcc.exe Idmkdh32.exe File opened for modification C:\Windows\SysWOW64\Jjaimn32.exe Jcgapdeb.exe File created C:\Windows\SysWOW64\Meffhnal.exe Lnlnlc32.exe File created C:\Windows\SysWOW64\Acekjjmk.exe Akncimmh.exe File created C:\Windows\SysWOW64\Lkgkdjfb.dll Meicnm32.exe File created C:\Windows\SysWOW64\Bjoofhgc.exe Bgqcjlhp.exe File created C:\Windows\SysWOW64\Clgipm32.dll Dpqnhadq.exe File created C:\Windows\SysWOW64\Hgmamfed.dll Fmkilb32.exe File opened for modification C:\Windows\SysWOW64\Lgjfkk32.exe Leljop32.exe File created C:\Windows\SysWOW64\Pfpfldpo.dll Chfpoeja.exe File opened for modification C:\Windows\SysWOW64\Gbcfadgl.exe Gikaio32.exe File opened for modification C:\Windows\SysWOW64\Kekiphge.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Bemkcnno.dll Daejhjkj.exe File opened for modification C:\Windows\SysWOW64\Dahgni32.exe Dhobddbf.exe File opened for modification C:\Windows\SysWOW64\Hicqmmfc.exe Hfedqagp.exe File opened for modification C:\Windows\SysWOW64\Fjdnlhco.exe Fbmfkkbm.exe File created C:\Windows\SysWOW64\Imahkg32.exe Ioohokoo.exe File created C:\Windows\SysWOW64\Anignn32.dll Npgihn32.exe File opened for modification C:\Windows\SysWOW64\Ilcmjl32.exe Icjhagdp.exe File opened for modification C:\Windows\SysWOW64\Bbllnlfd.exe Bkbdabog.exe File opened for modification C:\Windows\SysWOW64\Aipfmane.exe Afajafoa.exe File created C:\Windows\SysWOW64\Iplfej32.dll Hemqpf32.exe File opened for modification C:\Windows\SysWOW64\Odebolpe.exe Oionacqo.exe File opened for modification C:\Windows\SysWOW64\Behgcf32.exe Bjbcfn32.exe File opened for modification C:\Windows\SysWOW64\Agljom32.exe Aennba32.exe File created C:\Windows\SysWOW64\Eheecbia.exe Degiggjm.exe File opened for modification C:\Windows\SysWOW64\Fpffje32.exe Fmhjni32.exe File opened for modification C:\Windows\SysWOW64\Hdfhdfgl.exe Hahlhkhi.exe File opened for modification C:\Windows\SysWOW64\Lklejh32.exe Liminmmk.exe File opened for modification C:\Windows\SysWOW64\Nkhdkgnj.exe Nhiholof.exe File created C:\Windows\SysWOW64\Gncldi32.exe Gkephn32.exe File created C:\Windows\SysWOW64\Koaqcn32.exe Khghgchk.exe File created C:\Windows\SysWOW64\Lfbpag32.exe Lphhenhc.exe File created C:\Windows\SysWOW64\Bhdeag32.dll Jliohkak.exe File created C:\Windows\SysWOW64\Kmhflfhh.dll Kjmnjkjd.exe File created C:\Windows\SysWOW64\Kglehp32.exe Kekiphge.exe File created C:\Windows\SysWOW64\Icfofg32.exe Hkhnle32.exe File created C:\Windows\SysWOW64\Llnaoh32.exe Ledibnco.exe File created C:\Windows\SysWOW64\Lpgflbcg.dll Bepjha32.exe File created C:\Windows\SysWOW64\Knjegqif.exe Kgpmjf32.exe File created C:\Windows\SysWOW64\Mlpneh32.exe Meffhnal.exe File opened for modification C:\Windows\SysWOW64\Ejkkfjkj.exe Ehjona32.exe File created C:\Windows\SysWOW64\Bjbcfn32.exe Bhdgjb32.exe File opened for modification C:\Windows\SysWOW64\Gnkmqkbi.exe Fkmqdpce.exe File created C:\Windows\SysWOW64\Gjjmijme.exe Giipab32.exe File created C:\Windows\SysWOW64\Lhiakf32.exe Lfkeokjp.exe File opened for modification C:\Windows\SysWOW64\Lfmbek32.exe Locjhqpa.exe File opened for modification C:\Windows\SysWOW64\Iajemnia.exe Ioliqbjn.exe File created C:\Windows\SysWOW64\Iliebpfc.exe Iflmjihl.exe File created C:\Windows\SysWOW64\Giegfm32.dll Kocbkk32.exe File created C:\Windows\SysWOW64\Kqfdnljm.exe Knhhaaki.exe File created C:\Windows\SysWOW64\Eddmlhaq.dll Lnhgim32.exe File opened for modification C:\Windows\SysWOW64\Kgcpjmcb.exe Kklpekno.exe File opened for modification C:\Windows\SysWOW64\Bmeimhdj.exe Bkglameg.exe File opened for modification C:\Windows\SysWOW64\Knhhaaki.exe Kgnpeg32.exe File created C:\Windows\SysWOW64\Ibebjn32.dll Hibjbgbh.exe File created C:\Windows\SysWOW64\Jliohkak.exe Jjjclobg.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amelne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npgihn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjbafi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpqnhadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll" Annbhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkihdioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghlfjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjaelaok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akncimmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagflkia.dll" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glhnji32.dll" Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binoil32.dll" Qjkjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diibag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckolek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhgoi32.dll" Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeiloh32.dll" Jcbhee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbmnbl32.dll" Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkbfdfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldoqge32.dll" Kqfdnljm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hloiib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfpnmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aeidgbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjhpemb.dll" Nhgkil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejaphpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefpcolp.dll" Qcqaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqjmncna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iahkpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dedlag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlemad32.dll" Mdiefffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmccjbaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limigjac.dll" Bgqcjlhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedime32.dll" Efjlgmlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfplhjm.dll" Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihdmihpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giacpp32.dll" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehjona32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghqnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejgemkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbqnb32.dll" Bmphhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgqkbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll" Jjdmmdnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnjplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahcqf32.dll" Peoalc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neghkn32.dll" Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanlcl32.dll" Gqlhkofn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekpheb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hajinjff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onocmadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjbmelgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaemhl32.dll" Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfmjgeaj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1692 wrote to memory of 2284 1692 NEAS.b83167734464e7c3c7b91335ab150b80.exe 28 PID 1692 wrote to memory of 2284 1692 NEAS.b83167734464e7c3c7b91335ab150b80.exe 28 PID 1692 wrote to memory of 2284 1692 NEAS.b83167734464e7c3c7b91335ab150b80.exe 28 PID 1692 wrote to memory of 2284 1692 NEAS.b83167734464e7c3c7b91335ab150b80.exe 28 PID 2284 wrote to memory of 2704 2284 Gjdhbc32.exe 29 PID 2284 wrote to memory of 2704 2284 Gjdhbc32.exe 29 PID 2284 wrote to memory of 2704 2284 Gjdhbc32.exe 29 PID 2284 wrote to memory of 2704 2284 Gjdhbc32.exe 29 PID 2704 wrote to memory of 2732 2704 Giieco32.exe 35 PID 2704 wrote to memory of 2732 2704 Giieco32.exe 35 PID 2704 wrote to memory of 2732 2704 Giieco32.exe 35 PID 2704 wrote to memory of 2732 2704 Giieco32.exe 35 PID 2732 wrote to memory of 2524 2732 Gpcmpijk.exe 30 PID 2732 wrote to memory of 2524 2732 Gpcmpijk.exe 30 PID 2732 wrote to memory of 2524 2732 Gpcmpijk.exe 30 PID 2732 wrote to memory of 2524 2732 Gpcmpijk.exe 30 PID 2524 wrote to memory of 2552 2524 Gikaio32.exe 34 PID 2524 wrote to memory of 2552 2524 Gikaio32.exe 34 PID 2524 wrote to memory of 2552 2524 Gikaio32.exe 34 PID 2524 wrote to memory of 2552 2524 Gikaio32.exe 34 PID 2552 wrote to memory of 2960 2552 Gbcfadgl.exe 31 PID 2552 wrote to memory of 2960 2552 Gbcfadgl.exe 31 PID 2552 wrote to memory of 2960 2552 Gbcfadgl.exe 31 PID 2552 wrote to memory of 2960 2552 Gbcfadgl.exe 31 PID 2960 wrote to memory of 616 2960 Ghqnjk32.exe 33 PID 2960 wrote to memory of 616 2960 Ghqnjk32.exe 33 PID 2960 wrote to memory of 616 2960 Ghqnjk32.exe 33 PID 2960 wrote to memory of 616 2960 Ghqnjk32.exe 33 PID 616 wrote to memory of 980 616 Hipkdnmf.exe 32 PID 616 wrote to memory of 980 616 Hipkdnmf.exe 32 PID 616 wrote to memory of 980 616 Hipkdnmf.exe 32 PID 616 wrote to memory of 980 616 Hipkdnmf.exe 32 PID 980 wrote to memory of 2856 980 Homclekn.exe 36 PID 980 wrote to memory of 2856 980 Homclekn.exe 36 PID 980 wrote to memory of 2856 980 Homclekn.exe 36 PID 980 wrote to memory of 2856 980 Homclekn.exe 36 PID 2856 wrote to memory of 2168 2856 Hoopae32.exe 37 PID 2856 wrote to memory of 2168 2856 Hoopae32.exe 37 PID 2856 wrote to memory of 2168 2856 Hoopae32.exe 37 PID 2856 wrote to memory of 2168 2856 Hoopae32.exe 37 PID 2168 wrote to memory of 2192 2168 Hhgdkjol.exe 38 PID 2168 wrote to memory of 2192 2168 Hhgdkjol.exe 38 PID 2168 wrote to memory of 2192 2168 Hhgdkjol.exe 38 PID 2168 wrote to memory of 2192 2168 Hhgdkjol.exe 38 PID 2192 wrote to memory of 2564 2192 Hapicp32.exe 39 PID 2192 wrote to memory of 2564 2192 Hapicp32.exe 39 PID 2192 wrote to memory of 2564 2192 Hapicp32.exe 39 PID 2192 wrote to memory of 2564 2192 Hapicp32.exe 39 PID 2564 wrote to memory of 628 2564 Hkhnle32.exe 40 PID 2564 wrote to memory of 628 2564 Hkhnle32.exe 40 PID 2564 wrote to memory of 628 2564 Hkhnle32.exe 40 PID 2564 wrote to memory of 628 2564 Hkhnle32.exe 40 PID 628 wrote to memory of 1184 628 Icfofg32.exe 41 PID 628 wrote to memory of 1184 628 Icfofg32.exe 41 PID 628 wrote to memory of 1184 628 Icfofg32.exe 41 PID 628 wrote to memory of 1184 628 Icfofg32.exe 41 PID 1184 wrote to memory of 2828 1184 Inkccpgk.exe 42 PID 1184 wrote to memory of 2828 1184 Inkccpgk.exe 42 PID 1184 wrote to memory of 2828 1184 Inkccpgk.exe 42 PID 1184 wrote to memory of 2828 1184 Inkccpgk.exe 42 PID 2828 wrote to memory of 2176 2828 Ijbdha32.exe 43 PID 2828 wrote to memory of 2176 2828 Ijbdha32.exe 43 PID 2828 wrote to memory of 2176 2828 Ijbdha32.exe 43 PID 2828 wrote to memory of 2176 2828 Ijbdha32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.b83167734464e7c3c7b91335ab150b80.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.b83167734464e7c3c7b91335ab150b80.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Gpcmpijk.exeC:\Windows\system32\Gpcmpijk.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe5⤵PID:2772
-
-
-
-
-
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552
-
-
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616
-
-
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Kgcpjmcb.exeC:\Windows\system32\Kgcpjmcb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe25⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe26⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe28⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe29⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe30⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe31⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe33⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe35⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe36⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe37⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe39⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe41⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe42⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe44⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe45⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe46⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe47⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe48⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Nmnace32.exeC:\Windows\system32\Nmnace32.exe49⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe50⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe51⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe52⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe54⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe55⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe56⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe57⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe58⤵PID:1964
-
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe59⤵PID:2348
-
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe60⤵PID:2064
-
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe61⤵PID:1060
-
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe63⤵PID:3044
-
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe64⤵PID:1680
-
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe65⤵PID:2228
-
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe66⤵PID:880
-
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Pckoam32.exeC:\Windows\system32\Pckoam32.exe68⤵PID:2640
-
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe69⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe70⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe71⤵PID:3000
-
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe72⤵PID:2920
-
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe73⤵PID:1752
-
C:\Windows\SysWOW64\Qiladcdh.exeC:\Windows\system32\Qiladcdh.exe74⤵PID:1476
-
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe75⤵PID:1968
-
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:332 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe78⤵PID:2900
-
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe79⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe80⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe81⤵PID:1560
-
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe82⤵PID:1428
-
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe83⤵PID:2292
-
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe84⤵PID:2100
-
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe85⤵PID:2924
-
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe86⤵
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe87⤵PID:2696
-
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe88⤵PID:2532
-
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe89⤵PID:2948
-
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe90⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe91⤵PID:268
-
C:\Windows\SysWOW64\Bnkbam32.exeC:\Windows\system32\Bnkbam32.exe92⤵PID:1484
-
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe93⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe94⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe95⤵PID:840
-
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe97⤵PID:1940
-
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe98⤵PID:1396
-
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe99⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe100⤵PID:1092
-
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe101⤵PID:1900
-
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe102⤵PID:2248
-
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe103⤵PID:2680
-
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe104⤵PID:2612
-
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe105⤵PID:2632
-
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe106⤵PID:296
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe107⤵PID:2808
-
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe108⤵PID:2160
-
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe109⤵PID:1524
-
C:\Windows\SysWOW64\Chfpoeja.exeC:\Windows\system32\Chfpoeja.exe110⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe111⤵PID:2444
-
C:\Windows\SysWOW64\Candgk32.exeC:\Windows\system32\Candgk32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1152 -
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe114⤵PID:1592
-
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe115⤵PID:2952
-
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe117⤵PID:2660
-
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe118⤵PID:2092
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe119⤵
- Drops file in System32 directory
PID:520 -
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe120⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe121⤵PID:1276
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-