Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
03/11/2023, 11:30
Behavioral task
behavioral1
Sample
NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe
-
Size
107KB
-
MD5
1c2248a2c207d90acb0b7c01a323cfa0
-
SHA1
94e8a39d5fc5af1cb55ce7e8ec47b3f7c266f1f2
-
SHA256
5903d2cbbec6db333aacb67ca200dc1181a15770dcc669a9256c51b4dac33ac9
-
SHA512
90462d44ec125cadeadf88c3dc2a3c581334a8c5b1d7b9f78ec2ed2347323fc5863d7baf6783c84a3031488199a0644bc794e477197686d20fc2c326942c9ed0
-
SSDEEP
1536:VDOqt4PiGDFUH997bW3p+2L8aIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:Vap6GDFUP7bW3pD8aMU7uihJ5233y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdfhdfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlpkdkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhkmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plijimee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoompl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panaeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcbankf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkegeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfkapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Popeif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdfhdfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifmbmda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqcmmjko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdkoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknlofim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjjnan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeadap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omkjbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabcggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohojmjep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemegc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aennba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eheecbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmiig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pomhcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmjnak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbphk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikhgqbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkomjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcjbna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlmmfef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnpkflne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eddeladm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffibkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfphcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcifpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajnpecbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknlofim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpffje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odebolpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdldnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnfcel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipehmebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeckfndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddimn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmiig32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2196-0-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/memory/2196-6-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x000d000000012252-5.dat family_berbew behavioral1/files/0x000d000000012252-8.dat family_berbew behavioral1/files/0x000d000000012252-9.dat family_berbew behavioral1/files/0x000d000000012252-12.dat family_berbew behavioral1/files/0x000d000000012252-13.dat family_berbew behavioral1/files/0x0008000000015dcb-18.dat family_berbew behavioral1/files/0x0008000000015dcb-20.dat family_berbew behavioral1/files/0x0008000000015dcb-26.dat family_berbew behavioral1/files/0x0008000000015dcb-25.dat family_berbew behavioral1/files/0x0007000000015eb5-38.dat family_berbew behavioral1/files/0x0007000000015eb5-35.dat family_berbew behavioral1/files/0x0007000000015eb5-34.dat family_berbew behavioral1/memory/2300-33-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0007000000015eb5-31.dat family_berbew behavioral1/memory/2460-24-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x0008000000015dcb-23.dat family_berbew behavioral1/files/0x0007000000015eb5-40.dat family_berbew behavioral1/memory/2868-39-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/memory/2300-46-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x000700000001605c-47.dat family_berbew behavioral1/memory/2868-49-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x000700000001605c-54.dat family_berbew behavioral1/files/0x000700000001605c-51.dat family_berbew behavioral1/files/0x000700000001605c-50.dat family_berbew behavioral1/files/0x000700000001605c-55.dat family_berbew behavioral1/files/0x000800000001626a-60.dat family_berbew behavioral1/files/0x000800000001626a-63.dat family_berbew behavioral1/files/0x000800000001626a-68.dat family_berbew behavioral1/files/0x000800000001626a-67.dat family_berbew behavioral1/memory/2196-66-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x000800000001626a-62.dat family_berbew behavioral1/files/0x0006000000016baa-74.dat family_berbew behavioral1/memory/2600-73-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0006000000016baa-80.dat family_berbew behavioral1/files/0x0006000000016baa-81.dat family_berbew behavioral1/files/0x0006000000016c2c-87.dat family_berbew behavioral1/files/0x0006000000016baa-77.dat family_berbew behavioral1/files/0x0006000000016baa-76.dat family_berbew behavioral1/files/0x0006000000016c2c-90.dat family_berbew behavioral1/files/0x0006000000016c2c-89.dat family_berbew behavioral1/files/0x0006000000016c2c-95.dat family_berbew behavioral1/memory/2888-100-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/memory/2600-82-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x0006000000016c2c-94.dat family_berbew behavioral1/memory/2524-93-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/memory/2460-107-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0006000000016ca4-110.dat family_berbew behavioral1/memory/2868-121-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x002f000000015cb3-117.dat family_berbew behavioral1/files/0x002f000000015cb3-115.dat family_berbew behavioral1/memory/2796-109-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0006000000016ca4-104.dat family_berbew behavioral1/files/0x0006000000016ca4-103.dat family_berbew behavioral1/files/0x0006000000016ca4-108.dat family_berbew behavioral1/files/0x0006000000016ca4-101.dat family_berbew behavioral1/files/0x002f000000015cb3-122.dat family_berbew behavioral1/files/0x0006000000016ce8-135.dat family_berbew behavioral1/files/0x0006000000016ce8-132.dat family_berbew behavioral1/files/0x0006000000016ce8-131.dat family_berbew behavioral1/files/0x0006000000016ce8-129.dat family_berbew behavioral1/files/0x002f000000015cb3-123.dat family_berbew behavioral1/files/0x002f000000015cb3-118.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2460 Ehakigbo.exe 2300 Fjjnan32.exe 2868 Fpffje32.exe 1752 Fafcdh32.exe 2600 Glpdde32.exe 2524 Gfehan32.exe 2888 Gpnmjd32.exe 2796 Gejebk32.exe 2664 Gnbjlpom.exe 1048 Glgjednf.exe 800 Gdboig32.exe 2256 Hafock32.exe 1516 Hhpgpebh.exe 2800 Hdfhdfgl.exe 1588 Hpmiig32.exe 1380 Hifmbmda.exe 1872 Hbnbkbja.exe 436 Hbqoqbho.exe 1056 Ipdojfgh.exe 1340 Ilkpogmm.exe 1668 Ioilkblq.exe 556 Idfdcijh.exe 2084 Ioliqbjn.exe 2544 Idiaii32.exe 1528 Ionefb32.exe 2996 Ippbnjni.exe 2272 Iihfgp32.exe 2412 Iaonhm32.exe 2876 Jnfomn32.exe 2540 Jcbhee32.exe 2740 Jeadap32.exe 2580 Jfcqgpfi.exe 2520 Jpiedieo.exe 2808 Jfemlpdf.exe 2756 Khiccj32.exe 580 Kgnpeg32.exe 2292 Kgpmjf32.exe 2184 Kddmdk32.exe 1792 Kmobhmnn.exe 2240 Konndhmb.exe 1060 Lfhfab32.exe 1692 Lifbmn32.exe 1772 Ljfogake.exe 1924 Lkgkoiqc.exe 628 Lflplbpi.exe 2336 Liklhmom.exe 1820 Lnhdqdnd.exe 2124 Liminmmk.exe 1384 Lpgajgeg.exe 1620 Lahmbo32.exe 1292 Mbhjlbbh.exe 736 Mcifdj32.exe 1932 Mjcoqdoc.exe 2656 Meicnm32.exe 2376 Mhgoji32.exe 2468 Mapccndn.exe 1148 Mfllkece.exe 2456 Mikhgqbi.exe 2836 Mdpldi32.exe 2728 Mfoiqe32.exe 2852 Mfaefd32.exe 2748 Nlnnnk32.exe 2576 Noljjglk.exe 848 Nlpkdkkd.exe -
Loads dropped DLL 64 IoCs
pid Process 2196 NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe 2196 NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe 2460 Ehakigbo.exe 2460 Ehakigbo.exe 2300 Fjjnan32.exe 2300 Fjjnan32.exe 2868 Fpffje32.exe 2868 Fpffje32.exe 1752 Fafcdh32.exe 1752 Fafcdh32.exe 2600 Glpdde32.exe 2600 Glpdde32.exe 2524 Gfehan32.exe 2524 Gfehan32.exe 2888 Gpnmjd32.exe 2888 Gpnmjd32.exe 2796 Gejebk32.exe 2796 Gejebk32.exe 2664 Gnbjlpom.exe 2664 Gnbjlpom.exe 1048 Glgjednf.exe 1048 Glgjednf.exe 800 Gdboig32.exe 800 Gdboig32.exe 2256 Hafock32.exe 2256 Hafock32.exe 1516 Hhpgpebh.exe 1516 Hhpgpebh.exe 2800 Hdfhdfgl.exe 2800 Hdfhdfgl.exe 1588 Hpmiig32.exe 1588 Hpmiig32.exe 1380 Hifmbmda.exe 1380 Hifmbmda.exe 1872 Hbnbkbja.exe 1872 Hbnbkbja.exe 436 Hbqoqbho.exe 436 Hbqoqbho.exe 1056 Ipdojfgh.exe 1056 Ipdojfgh.exe 1340 Ilkpogmm.exe 1340 Ilkpogmm.exe 1668 Ioilkblq.exe 1668 Ioilkblq.exe 556 Idfdcijh.exe 556 Idfdcijh.exe 2084 Ioliqbjn.exe 2084 Ioliqbjn.exe 2544 Idiaii32.exe 2544 Idiaii32.exe 1528 Ionefb32.exe 1528 Ionefb32.exe 2996 Ippbnjni.exe 2996 Ippbnjni.exe 2272 Iihfgp32.exe 2272 Iihfgp32.exe 2412 Iaonhm32.exe 2412 Iaonhm32.exe 2876 Jnfomn32.exe 2876 Jnfomn32.exe 2540 Jcbhee32.exe 2540 Jcbhee32.exe 2740 Jeadap32.exe 2740 Jeadap32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fhlkgj32.dll Ilkpogmm.exe File created C:\Windows\SysWOW64\Pdcpnn32.dll Mhgoji32.exe File opened for modification C:\Windows\SysWOW64\Fcmben32.exe Fmcjhdbc.exe File opened for modification C:\Windows\SysWOW64\Jckgicnp.exe Jnnnalph.exe File created C:\Windows\SysWOW64\Fidfcc32.dll Ekjgpm32.exe File created C:\Windows\SysWOW64\Clakmm32.dll Jnpkflne.exe File opened for modification C:\Windows\SysWOW64\Bnnaoe32.exe Bgdibkam.exe File opened for modification C:\Windows\SysWOW64\Demofaol.exe Dbncjf32.exe File created C:\Windows\SysWOW64\Liempneg.dll Ckmnbg32.exe File opened for modification C:\Windows\SysWOW64\Mbhjlbbh.exe Lahmbo32.exe File created C:\Windows\SysWOW64\Ficnqdac.dll Bcjqdmla.exe File opened for modification C:\Windows\SysWOW64\Oeckfndj.exe Obdojcef.exe File created C:\Windows\SysWOW64\Pdakniag.exe Pmgbao32.exe File created C:\Windows\SysWOW64\Qhadqf32.dll Amfognic.exe File created C:\Windows\SysWOW64\Fjjnan32.exe Ehakigbo.exe File created C:\Windows\SysWOW64\Ffncbeip.dll Kmobhmnn.exe File opened for modification C:\Windows\SysWOW64\Fbmfkkbm.exe Fqlicclo.exe File created C:\Windows\SysWOW64\Nlfmbibo.exe Nfidjbdg.exe File opened for modification C:\Windows\SysWOW64\Eiekpd32.exe Eclbcj32.exe File created C:\Windows\SysWOW64\Lpmfjcln.dll Glgjednf.exe File created C:\Windows\SysWOW64\Hlfplena.dll Nlpkdkkd.exe File opened for modification C:\Windows\SysWOW64\Bjoofhgc.exe Bagkmb32.exe File created C:\Windows\SysWOW64\Acfdnihk.exe Aqhhanig.exe File created C:\Windows\SysWOW64\Ippbnjni.exe Ionefb32.exe File created C:\Windows\SysWOW64\Khiccj32.exe Jfemlpdf.exe File created C:\Windows\SysWOW64\Cgnein32.dll Cadjgf32.exe File opened for modification C:\Windows\SysWOW64\Jnpkflne.exe Jckgicnp.exe File created C:\Windows\SysWOW64\Bofgii32.exe Bmhkmm32.exe File created C:\Windows\SysWOW64\Dkigoimd.exe Dlfgcl32.exe File created C:\Windows\SysWOW64\Jpiedieo.exe Jfcqgpfi.exe File created C:\Windows\SysWOW64\Fdeeaobo.dll Konndhmb.exe File opened for modification C:\Windows\SysWOW64\Mfllkece.exe Mapccndn.exe File created C:\Windows\SysWOW64\Fmcjhdbc.exe Fhgnge32.exe File opened for modification C:\Windows\SysWOW64\Gjicfk32.exe Gaqomeke.exe File created C:\Windows\SysWOW64\Pcdhbgoc.dll Cjlheehe.exe File opened for modification C:\Windows\SysWOW64\Liminmmk.exe Lnhdqdnd.exe File created C:\Windows\SysWOW64\Ebfbbc32.dll Aennba32.exe File created C:\Windows\SysWOW64\Fpkjkkdg.dll Qdojgmfe.exe File created C:\Windows\SysWOW64\Glgjednf.exe Gnbjlpom.exe File opened for modification C:\Windows\SysWOW64\Jeadap32.exe Jcbhee32.exe File created C:\Windows\SysWOW64\Eipfohgn.dll Afajafoa.exe File created C:\Windows\SysWOW64\Ffhblm32.dll Filgbdfd.exe File created C:\Windows\SysWOW64\Lngnfnji.exe Ldoimh32.exe File created C:\Windows\SysWOW64\Dafmqb32.exe Dfphcj32.exe File created C:\Windows\SysWOW64\Efcaci32.dll Mfllkece.exe File created C:\Windows\SysWOW64\Fdnolfon.exe Fcmben32.exe File opened for modification C:\Windows\SysWOW64\Pcbncfjd.exe Ppcbgkka.exe File created C:\Windows\SysWOW64\Oijoab32.dll Liklhmom.exe File created C:\Windows\SysWOW64\Ghiijc32.dll Mjcoqdoc.exe File opened for modification C:\Windows\SysWOW64\Nlnnnk32.exe Mfaefd32.exe File created C:\Windows\SysWOW64\Agjmim32.exe Aapemc32.exe File created C:\Windows\SysWOW64\Gdfmggec.dll Lpgajgeg.exe File created C:\Windows\SysWOW64\Fgadda32.exe Fdbhge32.exe File created C:\Windows\SysWOW64\Aennba32.exe Aboaff32.exe File created C:\Windows\SysWOW64\Chlfnp32.exe Bpqain32.exe File created C:\Windows\SysWOW64\Jaipmp32.dll Gjicfk32.exe File created C:\Windows\SysWOW64\Ilabmedg.exe Iegjqk32.exe File created C:\Windows\SysWOW64\Jnnnalph.exe Jpjngh32.exe File created C:\Windows\SysWOW64\Jjjkclbf.dll Omcifpnp.exe File opened for modification C:\Windows\SysWOW64\Pgpgjepk.exe Pdakniag.exe File opened for modification C:\Windows\SysWOW64\Iihfgp32.exe Ippbnjni.exe File opened for modification C:\Windows\SysWOW64\Lahmbo32.exe Lpgajgeg.exe File created C:\Windows\SysWOW64\Oghhfg32.exe Olbchn32.exe File created C:\Windows\SysWOW64\Dpapaj32.exe Dmbcen32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4488 4448 WerFault.exe 375 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lainhkdi.dll" Nkjapglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plaimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfknbfkf.dll" Mbhjlbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgfhpob.dll" Mfaefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjdjklek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaeafklf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kohnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgkmbho.dll" Bfagpiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdbhge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlpkdkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlnipl32.dll" Lbicoamh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohhmcinf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbcen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifdih32.dll" Gnbjlpom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmqmci32.dll" Fhgnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfkhk32.dll" Dknajh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecbhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpgajgeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoompl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejddn32.dll" Degiggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Filgbdfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkjkkdg.dll" Qdojgmfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnoogbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aapemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpqain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cipdmc32.dll" Hifmbmda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eheecbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbgkbdb.dll" Mbbfep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaonhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnpeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eapfagno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnlcdfj.dll" Idfdcijh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agjmim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohjnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmffpom.dll" Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhpgpebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnpkflne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgeao32.dll" Eacljf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chnbcpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goejop32.dll" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohojmjep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eknmhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioilkblq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nagbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aapemc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbicoamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boidnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lahmbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nledoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkgela32.dll" Nledoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqcakphj.dll" Nhlddkmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehakigbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbaihlkd.dll" Ieigfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbbdcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkgob32.dll" Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keacocpm.dll" Ejpdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geeemeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Konndhmb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2460 2196 NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe 28 PID 2196 wrote to memory of 2460 2196 NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe 28 PID 2196 wrote to memory of 2460 2196 NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe 28 PID 2196 wrote to memory of 2460 2196 NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe 28 PID 2460 wrote to memory of 2300 2460 Ehakigbo.exe 29 PID 2460 wrote to memory of 2300 2460 Ehakigbo.exe 29 PID 2460 wrote to memory of 2300 2460 Ehakigbo.exe 29 PID 2460 wrote to memory of 2300 2460 Ehakigbo.exe 29 PID 2300 wrote to memory of 2868 2300 Fjjnan32.exe 30 PID 2300 wrote to memory of 2868 2300 Fjjnan32.exe 30 PID 2300 wrote to memory of 2868 2300 Fjjnan32.exe 30 PID 2300 wrote to memory of 2868 2300 Fjjnan32.exe 30 PID 2868 wrote to memory of 1752 2868 Fpffje32.exe 31 PID 2868 wrote to memory of 1752 2868 Fpffje32.exe 31 PID 2868 wrote to memory of 1752 2868 Fpffje32.exe 31 PID 2868 wrote to memory of 1752 2868 Fpffje32.exe 31 PID 1752 wrote to memory of 2600 1752 Fafcdh32.exe 32 PID 1752 wrote to memory of 2600 1752 Fafcdh32.exe 32 PID 1752 wrote to memory of 2600 1752 Fafcdh32.exe 32 PID 1752 wrote to memory of 2600 1752 Fafcdh32.exe 32 PID 2600 wrote to memory of 2524 2600 Glpdde32.exe 33 PID 2600 wrote to memory of 2524 2600 Glpdde32.exe 33 PID 2600 wrote to memory of 2524 2600 Glpdde32.exe 33 PID 2600 wrote to memory of 2524 2600 Glpdde32.exe 33 PID 2524 wrote to memory of 2888 2524 Gfehan32.exe 34 PID 2524 wrote to memory of 2888 2524 Gfehan32.exe 34 PID 2524 wrote to memory of 2888 2524 Gfehan32.exe 34 PID 2524 wrote to memory of 2888 2524 Gfehan32.exe 34 PID 2888 wrote to memory of 2796 2888 Gpnmjd32.exe 35 PID 2888 wrote to memory of 2796 2888 Gpnmjd32.exe 35 PID 2888 wrote to memory of 2796 2888 Gpnmjd32.exe 35 PID 2888 wrote to memory of 2796 2888 Gpnmjd32.exe 35 PID 2796 wrote to memory of 2664 2796 Gejebk32.exe 36 PID 2796 wrote to memory of 2664 2796 Gejebk32.exe 36 PID 2796 wrote to memory of 2664 2796 Gejebk32.exe 36 PID 2796 wrote to memory of 2664 2796 Gejebk32.exe 36 PID 2664 wrote to memory of 1048 2664 Gnbjlpom.exe 37 PID 2664 wrote to memory of 1048 2664 Gnbjlpom.exe 37 PID 2664 wrote to memory of 1048 2664 Gnbjlpom.exe 37 PID 2664 wrote to memory of 1048 2664 Gnbjlpom.exe 37 PID 1048 wrote to memory of 800 1048 Glgjednf.exe 38 PID 1048 wrote to memory of 800 1048 Glgjednf.exe 38 PID 1048 wrote to memory of 800 1048 Glgjednf.exe 38 PID 1048 wrote to memory of 800 1048 Glgjednf.exe 38 PID 800 wrote to memory of 2256 800 Gdboig32.exe 39 PID 800 wrote to memory of 2256 800 Gdboig32.exe 39 PID 800 wrote to memory of 2256 800 Gdboig32.exe 39 PID 800 wrote to memory of 2256 800 Gdboig32.exe 39 PID 2256 wrote to memory of 1516 2256 Hafock32.exe 40 PID 2256 wrote to memory of 1516 2256 Hafock32.exe 40 PID 2256 wrote to memory of 1516 2256 Hafock32.exe 40 PID 2256 wrote to memory of 1516 2256 Hafock32.exe 40 PID 1516 wrote to memory of 2800 1516 Hhpgpebh.exe 41 PID 1516 wrote to memory of 2800 1516 Hhpgpebh.exe 41 PID 1516 wrote to memory of 2800 1516 Hhpgpebh.exe 41 PID 1516 wrote to memory of 2800 1516 Hhpgpebh.exe 41 PID 2800 wrote to memory of 1588 2800 Hdfhdfgl.exe 42 PID 2800 wrote to memory of 1588 2800 Hdfhdfgl.exe 42 PID 2800 wrote to memory of 1588 2800 Hdfhdfgl.exe 42 PID 2800 wrote to memory of 1588 2800 Hdfhdfgl.exe 42 PID 1588 wrote to memory of 1380 1588 Hpmiig32.exe 43 PID 1588 wrote to memory of 1380 1588 Hpmiig32.exe 43 PID 1588 wrote to memory of 1380 1588 Hpmiig32.exe 43 PID 1588 wrote to memory of 1380 1588 Hpmiig32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.1c2248a2c207d90acb0b7c01a323cfa0.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:436 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe34⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe36⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe38⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe39⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe42⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe43⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe44⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe45⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe46⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe49⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe53⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe55⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe60⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe61⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe63⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe64⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe66⤵PID:2012
-
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe68⤵PID:268
-
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe69⤵
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe70⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe71⤵
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe72⤵PID:332
-
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:296 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe75⤵PID:1644
-
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe76⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe77⤵PID:1996
-
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe78⤵PID:1660
-
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe80⤵PID:1812
-
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe82⤵PID:1764
-
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe83⤵PID:616
-
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe84⤵PID:1884
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe85⤵PID:1316
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe86⤵PID:2824
-
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe87⤵PID:1840
-
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe88⤵PID:2760
-
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe90⤵PID:2488
-
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe91⤵PID:3048
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe92⤵PID:3052
-
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe93⤵PID:2936
-
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe94⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe96⤵PID:756
-
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe97⤵PID:340
-
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe98⤵PID:1508
-
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe99⤵PID:2028
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe100⤵PID:2044
-
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe102⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe103⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe105⤵PID:2152
-
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe106⤵PID:1628
-
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe107⤵PID:2864
-
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe108⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe109⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe110⤵PID:2980
-
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe111⤵PID:2880
-
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe112⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe113⤵PID:1168
-
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe114⤵PID:2812
-
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe116⤵PID:1556
-
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe117⤵PID:2396
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe118⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe119⤵
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe120⤵PID:1740
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe121⤵PID:1880
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-