Analysis
max time kernel: 118s
max time network: 121s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2023, 15:57
Behavioral task: behavioral1
Sample: NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.a7a0385a1323f5972c266428ea1e3574.exe
Size: 96KB
MD5: a7a0385a1323f5972c266428ea1e3574
SHA1: 01bec230143f38f45b68a7e21447a1986510ebda
SHA256: 02fdcd4d194c1640dd90886a796a95e24ae109cb4fb9d5f0a4b768f29c801fde
SHA512: e8b23ee50ad0760284a7b4809141c7a339fd26faf98f93a4752f55af6f14fec4dc8e25d8389938aaf3cb531c9215654709a20b796fe09dc2af673a7e03353b78
SSDEEP: 1536:H4LLl7lVY3vUSeedRd39yaiYNZGGG1rY4uVcdZ2JVQBKoC/CKniTCvVAva61hLDF:YLLl7lufU63UIos4uVqZ2fQkbn1vVAv7
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2584, pid_target: 2844, Process: WerFault.exe, procid_target: 201
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdacop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngibaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgpjlnhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Endhhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moidahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll" Pfdabino.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fepiimfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmefooki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngkogj32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll" Ajbggjfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higeofeq.dll" Gdgcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gifhnpea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdehon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll" Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbknfbl.dll" Kohkfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll" Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecjiaic.dll" Idnaoohk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmplcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niebhf32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kceojp32.dll" Hkaglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgjefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokjlf32.dll" Hgmalg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bajomhbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iompkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baohhgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" NEAS.a7a0385a1323f5972c266428ea1e3574.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iieipa32.dll" Fjongcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glgaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbkmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogmhkmki.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhckpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Emieil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnndn32.dll" | Jgojpjem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnkbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" | Cgpjlnhh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfbcbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbmjah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll" | Nkbalifo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajbggjfq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bilmcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baadng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fljafg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqjacl.dll" | Kocbkk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkmhaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elaieh32.dll" | Neplhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcjpocnf.dll" | Gpqpjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddaaf32.dll" | Iimjmbae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" | Moidahcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" | Abbeflpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Becnhgmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blmfea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fljafg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfhdp32.dll" | Hdqbekcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nhllob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocalkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baohhgnf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhehek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkoplhip.exe
-
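Read together with the "Adds autorun key" rows, these registry writes are the persistence mechanism: the sample registers CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under ShellServiceObjectDelayLoad (value name "Web Event Logger"), and each stage of the chain re-points that CLSID's InProcServer32 default value at a freshly dropped DLL in SysWow64, so Explorer.exe loads whichever DLL was written last at the next logon. The script below is an added example, not tria.ge code: it parses rows in the flattened "description ioc Process" layout this page renders (that layout is an assumption of the example, not a documented tria.ge format), then joins the SSODL registration to the InProcServer32 paths written for the same CLSID. The sample rows are copied from this report's tables; the join logic is the example's own.

```python
"""Recover the ShellServiceObjectDelayLoad (SSODL) persistence chain from sandbox registry rows.

Added example, not tria.ge code. The flattened "description ioc Process" row layout
is assumed from how this page renders the tables; the join logic is this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input: rows copied from this report's registry tables, one per line.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkmlh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joaeeklp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmhaj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhckpk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emieil32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnndn32.dll" Jgojpjem.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" Cgpjlnhh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll" Nkbalifo.exe
"""

# "<action> <key>[\<value name> = "<data>"] <process>"; the value name may contain spaces.
ROW_RE = re.compile(
    r'^(?P<action>Key created|Set value \(\w+\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<proc>\S+)$'
)
GUID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.I)


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str
    name: Optional[str]   # value name; "" is the key's (Default) value, None for key-only events
    data: Optional[str]
    proc: str             # process the sandbox attributed the write to


def parse_rows(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        path, data = m["path"], m["data"]
        if m["action"] == "Key created":
            key, name = path, None
        else:
            key, _, name = path.rpartition("\\")   # a trailing "\" means the (Default) value
        if data is not None:
            data = data.replace("\\\\", "\\")       # the report doubles backslashes in string data
        events.append(RegEvent(m["action"], key, name, data, m["proc"]))
    return events


def ssodl_persistence(events) -> dict:
    """Join SSODL registrations to the InProcServer32 DLLs registered for the same CLSID.

    Returns {clsid: {"names": [(value_name, proc)], "dlls": [(dll_path, proc)]}} for CLSIDs
    that appear on both sides: a COM object Explorer.exe loads at logon whose in-process
    server path the sample wrote itself.
    """
    found = defaultdict(lambda: {"names": [], "dlls": []})
    for ev in events:
        if ev.action == "Key created" or not ev.data:
            continue
        if ev.key.lower().endswith("\\shellserviceobjectdelayload") and GUID_RE.match(ev.data):
            found[ev.data.upper()]["names"].append((ev.name, ev.proc))
        m = INPROC_RE.search(ev.key)
        if m and ev.name == "":
            found[m.group(1).upper()]["dlls"].append((ev.data, ev.proc))
    return {clsid: v for clsid, v in found.items() if v["names"] and v["dlls"]}


if __name__ == "__main__":
    for clsid, v in ssodl_persistence(parse_rows(SAMPLE_ROWS)).items():
        print(clsid, "registered under SSODL as", sorted({n for n, _ in v["names"]}))
        for dll, proc in v["dlls"]:
            print("  InProcServer32 ->", dll, "written by", proc)
```

On a live host the same join is done against HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{...}\InProcServer32 (\REGISTRY\MACHINE in the report is the NT path for HKLM); an SSODL CLSID whose server has been rewritten several times to different DLL names, as here, is the artifact to look for, since legitimate SSODL entries point at one stable system DLL.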
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2168 wrote to memory of 2940 | 2168 | NEAS.a7a0385a1323f5972c266428ea1e3574.exe | 28 (4 identical events)
PID 2940 wrote to memory of 2752 | 2940 | Enakbp32.exe | 29 (4 identical events)
PID 2752 wrote to memory of 2956 | 2752 | Ekelld32.exe | 30 (4 identical events)
PID 2956 wrote to memory of 2720 | 2956 | Endhhp32.exe | 31 (4 identical events)
PID 2720 wrote to memory of 2552 | 2720 | Emieil32.exe | 32 (4 identical events)
PID 2552 wrote to memory of 2304 | 2552 | Egoife32.exe | 33 (4 identical events)
PID 2304 wrote to memory of 2852 | 2304 | Ejobhppq.exe | 34 (4 identical events)
PID 2852 wrote to memory of 2732 | 2852 | Ebjglbml.exe | 35 (4 identical events)
PID 2732 wrote to memory of 536 | 2732 | Fpngfgle.exe | 36 (4 identical events)
PID 536 wrote to memory of 1516 | 536 | Fncdgcqm.exe | 37 (4 identical events)
PID 1516 wrote to memory of 1596 | 1516 | Fenmdm32.exe | 38 (4 identical events)
PID 1596 wrote to memory of 888 | 1596 | Fnfamcoj.exe | 39 (4 identical events)
PID 888 wrote to memory of 1332 | 888 | Fepiimfg.exe | 40 (4 identical events)
PID 1332 wrote to memory of 1908 | 1332 | Fljafg32.exe | 41 (4 identical events)
PID 1908 wrote to memory of 1648 | 1908 | Fagjnn32.exe | 42 (4 identical events)
PID 1648 wrote to memory of 2060 | 1648 | Fjongcbl.exe | 43 (4 identical events)
Every write goes from a parent into the child it has just created (the targets are exactly the next processes in the tree below), four writes per launch, which is consistent with process creation rather than injection into an already running process. The 64 IoCs cover the first 16 launches of the chain only.
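The "wrote to memory of" rows are the evidence behind the chain in the process tree: the value to extract is the writer-to-target graph, with repeated rows collapsed, so that a write into a process the writer did not create stands out from the per-launch writes. The script below is an added example, not tria.ge code. It parses rows in the flattened "description pid Process procid_target" layout this page renders (that layout is an assumption of the example), walks the edges into chains, and, given the parent map taken from the process tree, reports any write whose target is not the writer's own child. The sample rows are the first sixteen from this report.

```python
"""Rebuild process lineage from sandbox WriteProcessMemory rows.

Added example, not tria.ge code. The flattened "description pid Process procid_target"
row layout is assumed from how this page renders the table; the lineage and
cross-process checks are this example's own logic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed input: the first 16 rows of this report's WriteProcessMemory table.
SAMPLE_ROWS = """
PID 2168 wrote to memory of 2940 2168 NEAS.a7a0385a1323f5972c266428ea1e3574.exe 28
PID 2168 wrote to memory of 2940 2168 NEAS.a7a0385a1323f5972c266428ea1e3574.exe 28
PID 2168 wrote to memory of 2940 2168 NEAS.a7a0385a1323f5972c266428ea1e3574.exe 28
PID 2168 wrote to memory of 2940 2168 NEAS.a7a0385a1323f5972c266428ea1e3574.exe 28
PID 2940 wrote to memory of 2752 2940 Enakbp32.exe 29
PID 2940 wrote to memory of 2752 2940 Enakbp32.exe 29
PID 2940 wrote to memory of 2752 2940 Enakbp32.exe 29
PID 2940 wrote to memory of 2752 2940 Enakbp32.exe 29
PID 2752 wrote to memory of 2956 2752 Ekelld32.exe 30
PID 2752 wrote to memory of 2956 2752 Ekelld32.exe 30
PID 2752 wrote to memory of 2956 2752 Ekelld32.exe 30
PID 2752 wrote to memory of 2956 2752 Ekelld32.exe 30
PID 2956 wrote to memory of 2720 2956 Endhhp32.exe 31
PID 2956 wrote to memory of 2720 2956 Endhhp32.exe 31
PID 2956 wrote to memory of 2720 2956 Endhhp32.exe 31
PID 2956 wrote to memory of 2720 2956 Endhhp32.exe 31
"""

# child pid -> parent pid, as given by the process tree further down the report
TREE_PARENTS = {2940: 2168, 2752: 2940, 2956: 2752, 2720: 2956}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


@dataclass(frozen=True)
class WpmEvent:
    writer: int          # pid that called WriteProcessMemory
    target: int          # pid whose memory was written
    proc: str            # image name of the writer, as reported
    target_ordinal: int  # the report's procid_target: its own process index, not a Windows PID


def parse_wpm(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        writer, target, pid, proc, ordinal = m.groups()
        if writer != pid:                      # the description and pid columns must agree
            raise ValueError(f"writer/pid mismatch: {line!r}")
        events.append(WpmEvent(int(writer), int(target), proc, int(ordinal)))
    return events


def lineage(events, parents: Optional[dict] = None) -> dict:
    """Collapse repeated writes into writer->target edges and walk them into chains.

    parents maps child pid -> parent pid (from the process tree). When given, a write
    into a pid the writer did not create itself is listed under cross_process: that is
    the case worth a closer look, since writes into a just-created child are what an
    ordinary process launch looks like.
    """
    counts = Counter((e.writer, e.target) for e in events)
    names = {e.writer: e.proc for e in events}
    children: dict = {}
    for writer, target in counts:
        children.setdefault(writer, []).append(target)
    targets = {t for _, t in counts}
    chains, fanout = [], []
    for root in sorted(w for w in children if w not in targets):
        chain, pid = [root], root
        while pid in children:
            kids = sorted(children[pid])
            if len(kids) > 1:                 # one writer touching several processes
                fanout.append((pid, kids))
                break
            pid = kids[0]
            if pid in chain:                  # guard against a cycle in malformed input
                break
            chain.append(pid)
        chains.append(chain)
    cross = []
    if parents is not None:
        cross = sorted((w, t) for (w, t) in counts if parents.get(t) != w)
    return {"chains": chains, "counts": dict(counts), "names": names,
            "fanout": fanout, "cross_process": cross}


if __name__ == "__main__":
    result = lineage(parse_wpm(SAMPLE_ROWS), TREE_PARENTS)
    for chain in result["chains"]:
        print(" -> ".join(f"{pid} ({result['names'].get(pid, '?')})" for pid in chain))
    print("cross-process writes:", result["cross_process"])
```

For this report the result is a single chain with four writes per edge and an empty cross_process list; a write that lands in a process outside the writer's own subtree would appear in cross_process and is the row to pull the memory dump for.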
Processes
-
Each line below is depth⤵, PID, image path and the signatures the sandbox attached to that process. The root sample is launched as "C:\Users\Admin\AppData\Local\Temp\NEAS.a7a0385a1323f5972c266428ea1e3574.exe"; every descendant is launched with the command line C:\Windows\system32\<name>.exe, which for these 32-bit processes on the x64 image is redirected by WoW64 file-system redirection to the C:\Windows\SysWOW64\<name>.exe image shown.
Signature keys: autorun = Adds autorun key to be loaded by Explorer.exe on startup; exec = Executes dropped EXE; loaddll = Loads dropped DLL; drops = Drops file in System32 directory; regclass = Modifies registry class; wpm = Suspicious use of WriteProcessMemory.
The signature tables list 64 IoCs each: exec is present on exactly the 64 processes at depths 2 to 65 and wpm on the 16 parents with four writes each, so the flags stop where the 64-entry table fills up rather than where the behaviour changes.
1⤵ PID 2168 C:\Users\Admin\AppData\Local\Temp\NEAS.a7a0385a1323f5972c266428ea1e3574.exe [autorun, loaddll, drops, regclass, wpm]
2⤵ PID 2940 C:\Windows\SysWOW64\Enakbp32.exe [exec, loaddll, wpm]
3⤵ PID 2752 C:\Windows\SysWOW64\Ekelld32.exe [exec, loaddll, drops, wpm]
4⤵ PID 2956 C:\Windows\SysWOW64\Endhhp32.exe [autorun, exec, loaddll, regclass, wpm]
5⤵ PID 2720 C:\Windows\SysWOW64\Emieil32.exe [exec, loaddll, regclass, wpm]
6⤵ PID 2552 C:\Windows\SysWOW64\Egoife32.exe [exec, loaddll, drops, wpm]
7⤵ PID 2304 C:\Windows\SysWOW64\Ejobhppq.exe [autorun, exec, loaddll, drops, wpm]
8⤵ PID 2852 C:\Windows\SysWOW64\Ebjglbml.exe [exec, loaddll, wpm]
9⤵ PID 2732 C:\Windows\SysWOW64\Fpngfgle.exe [exec, loaddll, wpm]
10⤵ PID 536 C:\Windows\SysWOW64\Fncdgcqm.exe [autorun, exec, loaddll, wpm]
11⤵ PID 1516 C:\Windows\SysWOW64\Fenmdm32.exe [exec, loaddll, wpm]
12⤵ PID 1596 C:\Windows\SysWOW64\Fnfamcoj.exe [exec, loaddll, wpm]
13⤵ PID 888 C:\Windows\SysWOW64\Fepiimfg.exe [autorun, exec, loaddll, regclass, wpm]
14⤵ PID 1332 C:\Windows\SysWOW64\Fljafg32.exe [exec, loaddll, regclass, wpm]
15⤵ PID 1908 C:\Windows\SysWOW64\Fagjnn32.exe [autorun, exec, loaddll, wpm]
16⤵ PID 1648 C:\Windows\SysWOW64\Fjongcbl.exe [autorun, exec, loaddll, regclass, wpm]
17⤵ PID 2060 C:\Windows\SysWOW64\Fmmkcoap.exe [exec, loaddll, drops]
18⤵ PID 2412 C:\Windows\SysWOW64\Gdgcpi32.exe [exec, loaddll, regclass]
19⤵ PID 1744 C:\Windows\SysWOW64\Gjakmc32.exe [exec, loaddll, drops]
20⤵ PID 1880 C:\Windows\SysWOW64\Gmpgio32.exe [autorun, exec, loaddll, drops, regclass]
21⤵ PID 2460 C:\Windows\SysWOW64\Gpncej32.exe [exec, loaddll]
22⤵ PID 1076 C:\Windows\SysWOW64\Ghelfg32.exe [autorun, exec, loaddll]
23⤵ PID 996 C:\Windows\SysWOW64\Gifhnpea.exe [exec, loaddll, drops, regclass]
24⤵ PID 1584 C:\Windows\SysWOW64\Gpqpjj32.exe [exec, loaddll, regclass]
25⤵ PID 1636 C:\Windows\SysWOW64\Gjfdhbld.exe [autorun, exec, loaddll, drops]
26⤵ PID 1544 C:\Windows\SysWOW64\Glgaok32.exe [autorun, exec, loaddll, regclass]
27⤵ PID 964 C:\Windows\SysWOW64\Gikaio32.exe [autorun, exec, loaddll, drops]
28⤵ PID 3048 C:\Windows\SysWOW64\Ghqnjk32.exe [autorun, exec, loaddll, drops]
29⤵ PID 1372 C:\Windows\SysWOW64\Hbfbgd32.exe [exec, loaddll]
30⤵ PID 2140 C:\Windows\SysWOW64\Hhckpk32.exe [exec, loaddll, regclass]
31⤵ PID 1512 C:\Windows\SysWOW64\Hkaglf32.exe [exec, loaddll, drops, regclass]
32⤵ PID 2088 C:\Windows\SysWOW64\Heglio32.exe [exec, loaddll]
33⤵ PID 3044 C:\Windows\SysWOW64\Hhehek32.exe [autorun, exec, regclass]
34⤵ PID 2236 C:\Windows\SysWOW64\Hoopae32.exe [exec, drops]
35⤵ PID 2676 C:\Windows\SysWOW64\Heihnoph.exe [exec, drops]
36⤵ PID 2660 C:\Windows\SysWOW64\Hgjefg32.exe [exec, drops, regclass]
37⤵ PID 2840 C:\Windows\SysWOW64\Hoamgd32.exe [exec]
38⤵ PID 2652 C:\Windows\SysWOW64\Hpbiommg.exe [exec, regclass]
39⤵ PID 2592 C:\Windows\SysWOW64\Hgmalg32.exe [exec, regclass]
40⤵ PID 2588 C:\Windows\SysWOW64\Hmfjha32.exe [autorun, exec]
41⤵ PID 2440 C:\Windows\SysWOW64\Hdqbekcm.exe [exec, regclass]
42⤵ PID 2768 C:\Windows\SysWOW64\Igonafba.exe [autorun, exec]
43⤵ PID 2924 C:\Windows\SysWOW64\Iimjmbae.exe [autorun, exec, regclass]
44⤵ PID 600 C:\Windows\SysWOW64\Icfofg32.exe [exec, drops]
45⤵ PID 2044 C:\Windows\SysWOW64\Inkccpgk.exe [exec, drops]
46⤵ PID 2100 C:\Windows\SysWOW64\Iompkh32.exe [exec, regclass]
47⤵ PID 1784 C:\Windows\SysWOW64\Igchlf32.exe [exec]
48⤵ PID 2008 C:\Windows\SysWOW64\Iheddndj.exe [exec]
49⤵ PID 1472 C:\Windows\SysWOW64\Ipllekdl.exe [autorun, exec]
50⤵ PID 2784 C:\Windows\SysWOW64\Ieidmbcc.exe [exec]
51⤵ PID 1612 C:\Windows\SysWOW64\Icmegf32.exe [autorun, exec]
52⤵ PID 2336 C:\Windows\SysWOW64\Idnaoohk.exe [exec, regclass]
53⤵ PID 2504 C:\Windows\SysWOW64\Ikhjki32.exe [exec]
54⤵ PID 2896 C:\Windows\SysWOW64\Jabbhcfe.exe [exec, drops]
55⤵ PID 2716 C:\Windows\SysWOW64\Jgojpjem.exe [autorun, exec, drops, regclass]
56⤵ PID 2308 C:\Windows\SysWOW64\Jnicmdli.exe [exec, drops, regclass]
57⤵ PID 1748 C:\Windows\SysWOW64\Jdbkjn32.exe [exec]
58⤵ PID 1924 C:\Windows\SysWOW64\Jgagfi32.exe [autorun, exec]
59⤵ PID 1448 C:\Windows\SysWOW64\Jnkpbcjg.exe [autorun, exec, drops]
60⤵ PID 3064 C:\Windows\SysWOW64\Jdehon32.exe [exec, regclass]
61⤵ PID 1804 C:\Windows\SysWOW64\Jkoplhip.exe [exec, drops, regclass]
62⤵ PID 900 C:\Windows\SysWOW64\Jmplcp32.exe [exec, regclass]
63⤵ PID 1984 C:\Windows\SysWOW64\Jcjdpj32.exe [exec]
64⤵ PID 2120 C:\Windows\SysWOW64\Jjdmmdnh.exe [autorun, exec]
65⤵ PID 2016 C:\Windows\SysWOW64\Joaeeklp.exe [autorun, exec, drops]
66⤵ PID 2200 C:\Windows\SysWOW64\Jghmfhmb.exe [autorun, drops]
67⤵ PID 2684 C:\Windows\SysWOW64\Kmefooki.exe [regclass]
68⤵ PID 2756 C:\Windows\SysWOW64\Kocbkk32.exe [regclass]
69⤵ PID 2672 C:\Windows\SysWOW64\Kjifhc32.exe [none]
70⤵ PID 1476 C:\Windows\SysWOW64\Kkjcplpa.exe [none]
71⤵ PID 3068 C:\Windows\SysWOW64\Kcakaipc.exe [drops]
72⤵ PID 2604 C:\Windows\SysWOW64\Kincipnk.exe [autorun]
73⤵ PID 1700 C:\Windows\SysWOW64\Kohkfj32.exe [regclass]
74⤵ PID 2912 C:\Windows\SysWOW64\Kfbcbd32.exe [autorun, regclass]
75⤵ PID 268 C:\Windows\SysWOW64\Lgjfkk32.exe [none]
76⤵ PID 2404 C:\Windows\SysWOW64\Ljibgg32.exe [none]
77⤵ PID 1104 C:\Windows\SysWOW64\Lmikibio.exe [drops]
78⤵ PID 1100 C:\Windows\SysWOW64\Lbiqfied.exe [autorun]
79⤵ PID 572 C:\Windows\SysWOW64\Libicbma.exe [none]
80⤵ PID 2208 C:\Windows\SysWOW64\Mbkmlh32.exe [autorun, regclass]
81⤵ PID 1644 C:\Windows\SysWOW64\Mbmjah32.exe [autorun, regclass]
82⤵ PID 1220 C:\Windows\SysWOW64\Mhjbjopf.exe [none]
83⤵ PID 2972 C:\Windows\SysWOW64\Mkhofjoj.exe [none]
84⤵ PID 1200 C:\Windows\SysWOW64\Mabgcd32.exe [none]
85⤵ PID 2268 C:\Windows\SysWOW64\Mdacop32.exe [regclass]
86⤵ PID 1920 C:\Windows\SysWOW64\Mkklljmg.exe [drops]
87⤵ PID 1568 C:\Windows\SysWOW64\Mdcpdp32.exe [none]
88⤵ PID 1704 C:\Windows\SysWOW64\Mkmhaj32.exe [autorun, regclass]
89⤵ PID 240 C:\Windows\SysWOW64\Moidahcn.exe [autorun, drops, regclass]
90⤵ PID 2468 C:\Windows\SysWOW64\Ndemjoae.exe [autorun]
91⤵ PID 876 C:\Windows\SysWOW64\Ngdifkpi.exe [none]
92⤵ PID 2084 C:\Windows\SysWOW64\Nplmop32.exe [autorun]
93⤵ PID 3060 C:\Windows\SysWOW64\Ndhipoob.exe [none]
94⤵ PID 2232 C:\Windows\SysWOW64\Nkbalifo.exe [regclass]
95⤵ PID 1500 C:\Windows\SysWOW64\Niebhf32.exe [autorun, regclass]
96⤵ PID 2836 C:\Windows\SysWOW64\Nlcnda32.exe [none]
97⤵ PID 2872 C:\Windows\SysWOW64\Ndjfeo32.exe [none]
98⤵ PID 3032 C:\Windows\SysWOW64\Ngibaj32.exe [regclass]
99⤵ PID 1964 C:\Windows\SysWOW64\Nigome32.exe [regclass]
100⤵ PID 2876 C:\Windows\SysWOW64\Nodgel32.exe [regclass]
101⤵ PID 1732 C:\Windows\SysWOW64\Ngkogj32.exe [autorun, drops, regclass]
102⤵ PID 2512 C:\Windows\SysWOW64\Nhllob32.exe [autorun, regclass]
103⤵ PID 1760 C:\Windows\SysWOW64\Ncbplk32.exe [drops]
104⤵ PID 1480 C:\Windows\SysWOW64\Neplhf32.exe [regclass]
105⤵ PID 2772 C:\Windows\SysWOW64\Nljddpfe.exe [none]
106⤵ PID 548 C:\Windows\SysWOW64\Oohqqlei.exe [none]
107⤵ PID 2312 C:\Windows\SysWOW64\Ohaeia32.exe [none]
108⤵ PID 1900 C:\Windows\SysWOW64\Okoafmkm.exe [autorun]
109⤵ PID 1028 C:\Windows\SysWOW64\Oaiibg32.exe [autorun]
110⤵ PID 1164 C:\Windows\SysWOW64\Ohcaoajg.exe [none]
111⤵ PID 1812 C:\Windows\SysWOW64\Oomjlk32.exe [drops]
112⤵ PID 1948 C:\Windows\SysWOW64\Oalfhf32.exe [none]
113⤵ PID 1528 C:\Windows\SysWOW64\Oghopm32.exe [autorun]
114⤵ PID 2492 C:\Windows\SysWOW64\Onbgmg32.exe [drops]
115⤵ PID 2152 C:\Windows\SysWOW64\Ojigbhlp.exe [drops]
116⤵ PID 2420 C:\Windows\SysWOW64\Oappcfmb.exe [autorun]
117⤵ PID 2544 C:\Windows\SysWOW64\Ocalkn32.exe [autorun, drops, regclass]
118⤵ PID 2508 C:\Windows\SysWOW64\Ogmhkmki.exe [drops, regclass]
119⤵ PID 2280 C:\Windows\SysWOW64\Pmjqcc32.exe [drops]
120⤵ PID 2916 C:\Windows\SysWOW64\Pdaheq32.exe [none]
121⤵ PID 680 C:\Windows\SysWOW64\Pgpeal32.exe [drops]
122⤵ PID 2368 C:\Windows\SysWOW64\Pmlmic32.exe [none]