Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2023, 19:47
Behavioral task: behavioral1
Sample: NEAS.07b281de7f0088f2d04e523043aaebe0.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.07b281de7f0088f2d04e523043aaebe0.exe
Resource: win10v2004-20231025-en
General
Target: NEAS.07b281de7f0088f2d04e523043aaebe0.exe
Size: 109KB
MD5: 07b281de7f0088f2d04e523043aaebe0
SHA1: d23d3c04dad84fda8e366bd522c77cf77ed365f0
SHA256: e4efdb10953f697e76e224a0bdaa14fb662312c25fe31b8a4604dd7a06dae480
SHA512: 34458cd4f3530637748b8dbf7e519ec799b08b15732d188e0f2ef3b4a8a2926f9d9021546b04eb0de934530906f055d65e39d074051cc40bf643212a3c5df26a
SSDEEP: 3072:pN5gxZMaOWIe7wIu9uspYD8VJ9PLCqwzBu1DjHLMVDqqkSpR:pNUZJpwHQD8VJ9jwtu1DjrFqhz
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 7572, pid_target: 7568, Process: WerFault.exe

Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write below appears four times in the raw report (64 entries in total); the unique writes, in order, are:

description                          pid   Process                                     procid_target
PID 1988 wrote to memory of 2328     1988  NEAS.07b281de7f0088f2d04e523043aaebe0.exe   28
PID 2328 wrote to memory of 2288     2328  Apoooa32.exe                                31
PID 2288 wrote to memory of 2764     2288  Apalea32.exe                                30
PID 2764 wrote to memory of 2744     2764  Amelne32.exe                                29
PID 2744 wrote to memory of 2756     2744  Apdhjq32.exe                                32
PID 2756 wrote to memory of 2568     2756  Blkioa32.exe                                33
PID 2568 wrote to memory of 3052     2568  Bfpnmj32.exe                                34
PID 3052 wrote to memory of 520      3052  Beejng32.exe                                35
PID 520 wrote to memory of 1308      520   Bjbcfn32.exe                                36
PID 1308 wrote to memory of 2736     1308  Behgcf32.exe                                43
PID 2736 wrote to memory of 2252     2736  Bhfcpb32.exe                                42
PID 2252 wrote to memory of 1924     2252  Boplllob.exe                                41
PID 1924 wrote to memory of 1432     1924  Bdmddc32.exe                                37
PID 1432 wrote to memory of 1652     1432  Bmeimhdj.exe                                40
PID 1652 wrote to memory of 1520     1652  Ckiigmcd.exe                                39
PID 1520 wrote to memory of 2380     1520  Cdanpb32.exe                                38
Processes
Each entry gives the image path, the command line as recorded, the depth in the process tree and the PID, followed by the signatures that matched for that process.

- C:\Users\Admin\AppData\Local\Temp\NEAS.07b281de7f0088f2d04e523043aaebe0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.07b281de7f0088f2d04e523043aaebe0.exe"; depth 1; PID 1988)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Apoooa32.exe (command line: C:\Windows\system32\Apoooa32.exe; depth 2; PID 2328)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Apalea32.exe (command line: C:\Windows\system32\Apalea32.exe; depth 3; PID 2288)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

- C:\Windows\SysWOW64\Apdhjq32.exe (command line: C:\Windows\system32\Apdhjq32.exe; depth 1; PID 2744)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Blkioa32.exe (command line: C:\Windows\system32\Blkioa32.exe; depth 2; PID 2756)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bfpnmj32.exe (command line: C:\Windows\system32\Bfpnmj32.exe; depth 3; PID 2568)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Beejng32.exe (command line: C:\Windows\system32\Beejng32.exe; depth 4; PID 3052)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bjbcfn32.exe (command line: C:\Windows\system32\Bjbcfn32.exe; depth 5; PID 520)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Behgcf32.exe (command line: C:\Windows\system32\Behgcf32.exe; depth 6; PID 1308)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Bhfcpb32.exe (command line: C:\Windows\system32\Bhfcpb32.exe; depth 7; PID 2736)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

- C:\Windows\SysWOW64\Amelne32.exe (command line: C:\Windows\system32\Amelne32.exe; depth 1; PID 2764)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

- C:\Windows\SysWOW64\Bmeimhdj.exe (command line: C:\Windows\system32\Bmeimhdj.exe; depth 1; PID 1432)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\Ckiigmcd.exe (command line: C:\Windows\system32\Ckiigmcd.exe; depth 2; PID 1652)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

- C:\Windows\SysWOW64\Cinfhigl.exe (command line: C:\Windows\system32\Cinfhigl.exe; depth 1; PID 2380)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Ciqcmiei.exe (command line: C:\Windows\system32\Ciqcmiei.exe; depth 2; PID 2944)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Cpkkjc32.exe (command line: C:\Windows\system32\Cpkkjc32.exe; depth 3; PID 2352)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Ccigfn32.exe (command line: C:\Windows\system32\Ccigfn32.exe; depth 4; PID 2072)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Cicpch32.exe (command line: C:\Windows\system32\Cicpch32.exe; depth 5; PID 2460)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Clalod32.exe (command line: C:\Windows\system32\Clalod32.exe; depth 6; PID 1220)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Cckdlnjg.exe (command line: C:\Windows\system32\Cckdlnjg.exe; depth 7; PID 1824)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Dldhdc32.exe (command line: C:\Windows\system32\Dldhdc32.exe; depth 8; PID 2300)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Dcnqanhd.exe (command line: C:\Windows\system32\Dcnqanhd.exe; depth 9; PID 2112)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Dhkiid32.exe (command line: C:\Windows\system32\Dhkiid32.exe; depth 10; PID 2272)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Dacnbjml.exe (command line: C:\Windows\system32\Dacnbjml.exe; depth 11; PID 1748)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- C:\Windows\SysWOW64\Dhmfod32.exe (command line: C:\Windows\system32\Dhmfod32.exe; depth 12; PID 876)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Dnjngk32.exe (command line: C:\Windows\system32\Dnjngk32.exe; depth 13; PID 2932)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dphjcf32.exe (command line: C:\Windows\system32\Dphjcf32.exe; depth 14; PID 2500)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
- C:\Windows\SysWOW64\Dknoaoaj.exe (command line: C:\Windows\system32\Dknoaoaj.exe; depth 15; PID 1692)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Dahgni32.exe (command line: C:\Windows\system32\Dahgni32.exe; depth 16; PID 2276)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Dpjgifpa.exe (command line: C:\Windows\system32\Dpjgifpa.exe; depth 17; PID 2808)
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\SysWOW64\Dkpkfooh.exe (command line: C:\Windows\system32\Dkpkfooh.exe; depth 18; PID 2440)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Dpmdofno.exe (command line: C:\Windows\system32\Dpmdofno.exe; depth 19; PID 2676)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Egglkp32.exe (command line: C:\Windows\system32\Egglkp32.exe; depth 20; PID 3040)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ejehgkdp.exe (command line: C:\Windows\system32\Ejehgkdp.exe; depth 21; PID 2556)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Epoqde32.exe (command line: C:\Windows\system32\Epoqde32.exe; depth 22; PID 1720)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Egiiapci.exe (command line: C:\Windows\system32\Egiiapci.exe; depth 23; PID 2308)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ehjehh32.exe (command line: C:\Windows\system32\Ehjehh32.exe; depth 24; PID 2372)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Eodnebpd.exe (command line: C:\Windows\system32\Eodnebpd.exe; depth 25; PID 576)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Efnfbl32.exe (command line: C:\Windows\system32\Efnfbl32.exe; depth 26; PID 1280)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- C:\Windows\SysWOW64\Ejjbbkpj.exe (command line: C:\Windows\system32\Ejjbbkpj.exe; depth 27; PID 2868)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Eogjka32.exe (command line: C:\Windows\system32\Eogjka32.exe; depth 28; PID 1672)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Efqbglen.exe (command line: C:\Windows\system32\Efqbglen.exe; depth 29; PID 2844)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Emkkdf32.exe (command line: C:\Windows\system32\Emkkdf32.exe; depth 30; PID 1940)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Enlglnci.exe (command line: C:\Windows\system32\Enlglnci.exe; depth 31; PID 480)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Edfpih32.exe (command line: C:\Windows\system32\Edfpih32.exe; depth 32; PID 2980)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fnndan32.exe (command line: C:\Windows\system32\Fnndan32.exe; depth 33; PID 2184)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fdhlnhhc.exe (command line: C:\Windows\system32\Fdhlnhhc.exe; depth 34; PID 1580)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fgfhjcgg.exe (command line: C:\Windows\system32\Fgfhjcgg.exe; depth 35; PID 1356)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Fblmglgm.exe (command line: C:\Windows\system32\Fblmglgm.exe; depth 36; PID 1160)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fcmiod32.exe (command line: C:\Windows\system32\Fcmiod32.exe; depth 37; PID 1684)
  - Executes dropped EXE
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Fjgalndh.exe (command line: C:\Windows\system32\Fjgalndh.exe; depth 38; PID 2064)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fmfnhj32.exe (command line: C:\Windows\system32\Fmfnhj32.exe; depth 39; PID 2076)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fgkbeb32.exe (command line: C:\Windows\system32\Fgkbeb32.exe; depth 40; PID 2480)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fjjnan32.exe (command line: C:\Windows\system32\Fjjnan32.exe; depth 41; PID 2456)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fmhjni32.exe (command line: C:\Windows\system32\Fmhjni32.exe; depth 42; PID 2920)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fpffje32.exe (command line: C:\Windows\system32\Fpffje32.exe; depth 43; PID 2468)
  - Executes dropped EXE
  - Modifies registry class
- C:\Windows\SysWOW64\Ffqofohj.exe (command line: C:\Windows\system32\Ffqofohj.exe; depth 44; PID 1752)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fmjgcipg.exe (command line: C:\Windows\system32\Fmjgcipg.exe; depth 45; PID 2524)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Fbgpkpnn.exe (command line: C:\Windows\system32\Fbgpkpnn.exe; depth 46; PID 2232)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gjngmmnp.exe (command line: C:\Windows\system32\Gjngmmnp.exe; depth 47; PID 856)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Glpdde32.exe (command line: C:\Windows\system32\Glpdde32.exe; depth 48; PID 2752)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gehhmkko.exe (command line: C:\Windows\system32\Gehhmkko.exe; depth 49; PID 2828)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gmoqnhla.exe (command line: C:\Windows\system32\Gmoqnhla.exe; depth 50; PID 3032)
  - Executes dropped EXE
- C:\Windows\SysWOW64\Gpnmjd32.exe (command line: C:\Windows\system32\Gpnmjd32.exe; depth 51; PID 2604)
- C:\Windows\SysWOW64\Gejebk32.exe (command line: C:\Windows\system32\Gejebk32.exe; depth 52; PID 3012)
- C:\Windows\SysWOW64\Gldmoepi.exe (command line: C:\Windows\system32\Gldmoepi.exe; depth 53; PID 2536)
- C:\Windows\SysWOW64\Gbnflo32.exe (command line: C:\Windows\system32\Gbnflo32.exe; depth 54; PID 544)
  - Modifies registry class
- C:\Windows\SysWOW64\Gembhj32.exe (command line: C:\Windows\system32\Gembhj32.exe; depth 55; PID 984)
  - Modifies registry class
- C:\Windows\SysWOW64\Ghkndf32.exe (command line: C:\Windows\system32\Ghkndf32.exe; depth 56; PID 892)
  - Modifies registry class
- C:\Windows\SysWOW64\Gnefapmj.exe (command line: C:\Windows\system32\Gnefapmj.exe; depth 57; PID 284)
- C:\Windows\SysWOW64\Geoonjeg.exe (command line: C:\Windows\system32\Geoonjeg.exe; depth 58; PID 2180)
- C:\Windows\SysWOW64\Gligjd32.exe (command line: C:\Windows\system32\Gligjd32.exe; depth 59; PID 1088)
- C:\Windows\SysWOW64\Gngcgp32.exe (command line: C:\Windows\system32\Gngcgp32.exe; depth 60; PID 1584)
- C:\Windows\SysWOW64\Heakcjcd.exe (command line: C:\Windows\system32\Heakcjcd.exe; depth 61; PID 1776)
- C:\Windows\SysWOW64\Hhpgpebh.exe (command line: C:\Windows\system32\Hhpgpebh.exe; depth 62; PID 2656)
- C:\Windows\SysWOW64\Hnjplo32.exe (command line: C:\Windows\system32\Hnjplo32.exe; depth 63; PID 1476)
- C:\Windows\SysWOW64\Hahlhkhi.exe (command line: C:\Windows\system32\Hahlhkhi.exe; depth 64; PID 2196)
- C:\Windows\SysWOW64\Hhbdee32.exe (command line: C:\Windows\system32\Hhbdee32.exe; depth 65; PID 1524)
  - Modifies registry class
- C:\Windows\SysWOW64\Hmomml32.exe (command line: C:\Windows\system32\Hmomml32.exe; depth 66; PID 1656)
- C:\Windows\SysWOW64\Hdiejfej.exe (command line: C:\Windows\system32\Hdiejfej.exe; depth 67; PID 1384)
- C:\Windows\SysWOW64\Hjcmgp32.exe (command line: C:\Windows\system32\Hjcmgp32.exe; depth 68; PID 2484)
- C:\Windows\SysWOW64\Hppfog32.exe (command line: C:\Windows\system32\Hppfog32.exe; depth 69; PID 1140)
- C:\Windows\SysWOW64\Hbnbkbja.exe (command line: C:\Windows\system32\Hbnbkbja.exe; depth 70; PID 1576)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Hihjhl32.exe (command line: C:\Windows\system32\Hihjhl32.exe; depth 71; PID 2688)
- C:\Windows\SysWOW64\Idiaii32.exe (command line: C:\Windows\system32\Idiaii32.exe; depth 72; PID 2776)
- C:\Windows\SysWOW64\Ikbifcpb.exe (command line: C:\Windows\system32\Ikbifcpb.exe; depth 73; PID 2784)
- C:\Windows\SysWOW64\Iamabm32.exe (command line: C:\Windows\system32\Iamabm32.exe; depth 74; PID 2696)
- C:\Windows\SysWOW64\Idknoi32.exe (command line: C:\Windows\system32\Idknoi32.exe; depth 75; PID 2680)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Igijkd32.exe (command line: C:\Windows\system32\Igijkd32.exe; depth 76; PID 1916)
  - Modifies registry class
- C:\Windows\SysWOW64\Iihfgp32.exe (command line: C:\Windows\system32\Iihfgp32.exe; depth 77; PID 2888)
- C:\Windows\SysWOW64\Idmkdh32.exe (command line: C:\Windows\system32\Idmkdh32.exe; depth 78; PID 1620)
- C:\Windows\SysWOW64\Jcpkpe32.exe (command line: C:\Windows\system32\Jcpkpe32.exe; depth 79; PID 1404)
- C:\Windows\SysWOW64\Jjjclobg.exe (command line: C:\Windows\system32\Jjjclobg.exe; depth 80; PID 1904)
- C:\Windows\SysWOW64\Jdpgjhbm.exe (command line: C:\Windows\system32\Jdpgjhbm.exe; depth 81; PID 1528)
- C:\Windows\SysWOW64\Jeadap32.exe (command line: C:\Windows\system32\Jeadap32.exe; depth 82; PID 1564)
- C:\Windows\SysWOW64\Jlklnjoh.exe (command line: C:\Windows\system32\Jlklnjoh.exe; depth 83; PID 2400)
- C:\Windows\SysWOW64\Joihjfnl.exe (command line: C:\Windows\system32\Joihjfnl.exe; depth 84; PID 3044)
  - Modifies registry class
- C:\Windows\SysWOW64\Jgqpkc32.exe (command line: C:\Windows\system32\Jgqpkc32.exe; depth 85; PID 2464)
- C:\Windows\SysWOW64\Jjomgo32.exe (command line: C:\Windows\system32\Jjomgo32.exe; depth 86; PID 2952)
- C:\Windows\SysWOW64\Jajala32.exe (command line: C:\Windows\system32\Jajala32.exe; depth 87; PID 2356)
- C:\Windows\SysWOW64\Jhdihkcj.exe (command line: C:\Windows\system32\Jhdihkcj.exe; depth 88; PID 2100)
- C:\Windows\SysWOW64\Jonbee32.exe (command line: C:\Windows\system32\Jonbee32.exe; depth 89; PID 2992)
- C:\Windows\SysWOW64\Jdkjnl32.exe (command line: C:\Windows\system32\Jdkjnl32.exe; depth 90; PID 2080)
- C:\Windows\SysWOW64\Jlbboiip.exe (command line: C:\Windows\system32\Jlbboiip.exe; depth 91; PID 800)
- C:\Windows\SysWOW64\Kncofa32.exe (command line: C:\Windows\system32\Kncofa32.exe; depth 92; PID 2360)
- C:\Windows\SysWOW64\Khiccj32.exe (command line: C:\Windows\system32\Khiccj32.exe; depth 93; PID 2924)
- C:\Windows\SysWOW64\Kkgopf32.exe (command line: C:\Windows\system32\Kkgopf32.exe; depth 94; PID 2636)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Knekla32.exe (command line: C:\Windows\system32\Knekla32.exe; depth 95; PID 2244)
- C:\Windows\SysWOW64\Khkpijma.exe (command line: C:\Windows\system32\Khkpijma.exe; depth 96; PID 1196)
- C:\Windows\SysWOW64\Knhhaaki.exe (command line: C:\Windows\system32\Knhhaaki.exe; depth 97; PID 2904)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Kdbpnk32.exe (command line: C:\Windows\system32\Kdbpnk32.exe; depth 98; PID 2008)
- C:\Windows\SysWOW64\Kceqjhiq.exe (command line: C:\Windows\system32\Kceqjhiq.exe; depth 99; PID 1124)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Kmmebm32.exe (command line: C:\Windows\system32\Kmmebm32.exe; depth 100; PID 2996)
- C:\Windows\SysWOW64\Kcgmoggn.exe (command line: C:\Windows\system32\Kcgmoggn.exe; depth 101; PID 2512)
- C:\Windows\SysWOW64\Kgbipf32.exe (command line: C:\Windows\system32\Kgbipf32.exe; depth 102; PID 2044)
- C:\Windows\SysWOW64\Kmobhmnn.exe (command line: C:\Windows\system32\Kmobhmnn.exe; depth 103; PID 1488)
- C:\Windows\SysWOW64\Kcijeg32.exe (command line: C:\Windows\system32\Kcijeg32.exe; depth 104; PID 2984)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Ljcbaamh.exe (command line: C:\Windows\system32\Ljcbaamh.exe; depth 105; PID 1232)
- C:\Windows\SysWOW64\Lqmjnk32.exe (command line: C:\Windows\system32\Lqmjnk32.exe; depth 106; PID 1048)
- C:\Windows\SysWOW64\Lclgjg32.exe (command line: C:\Windows\system32\Lclgjg32.exe; depth 107; PID 1788)
- C:\Windows\SysWOW64\Lfjcfb32.exe (command line: C:\Windows\system32\Lfjcfb32.exe; depth 108; PID 2820)
- C:\Windows\SysWOW64\Lmdkcl32.exe (command line: C:\Windows\system32\Lmdkcl32.exe; depth 109; PID 2508)
- C:\Windows\SysWOW64\Lcncpfaf.exe (command line: C:\Windows\system32\Lcncpfaf.exe; depth 110; PID 2012)
- C:\Windows\SysWOW64\Lbackc32.exe (command line: C:\Windows\system32\Lbackc32.exe; depth 111; PID 268)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Leopgo32.exe (command line: C:\Windows\system32\Leopgo32.exe; depth 112; PID 340)
- C:\Windows\SysWOW64\Lmfhil32.exe (command line: C:\Windows\system32\Lmfhil32.exe; depth 113; PID 1908)
- C:\Windows\SysWOW64\Lnhdqdnd.exe (command line: C:\Windows\system32\Lnhdqdnd.exe; depth 114; PID 2004)
- C:\Windows\SysWOW64\Lfolaang.exe (command line: C:\Windows\system32\Lfolaang.exe; depth 115; PID 1348)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Lgpiij32.exe (command line: C:\Windows\system32\Lgpiij32.exe; depth 116; PID 2528)
  - Drops file in System32 directory
- C:\Windows\SysWOW64\Lpgajgeg.exe (command line: C:\Windows\system32\Lpgajgeg.exe; depth 117; PID 2448)
  - Adds autorun key to be loaded by Explorer.exe on startup
- C:\Windows\SysWOW64\Lahmbo32.exe (command line: C:\Windows\system32\Lahmbo32.exe; depth 118; PID 1472)
- C:\Windows\SysWOW64\Lipecm32.exe (command line: C:\Windows\system32\Lipecm32.exe; depth 119; PID 2212)
- C:\Windows\SysWOW64\Ljabkeaf.exe (command line: C:\Windows\system32\Ljabkeaf.exe; depth 120; PID 2700)
- C:\Windows\SysWOW64\Mbhjlbbh.exe (command line: C:\Windows\system32\Mbhjlbbh.exe; depth 121; PID 2652)
- C:\Windows\SysWOW64\Mgebdipp.exe (command line: C:\Windows\system32\Mgebdipp.exe; depth 122; PID 2596)