Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
56s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
12/11/2023, 09:42
Behavioral task
behavioral1
Sample
NEAS.86a824fe3ec004a40c160cee0ec727d0.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.86a824fe3ec004a40c160cee0ec727d0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.86a824fe3ec004a40c160cee0ec727d0.exe
-
Size
243KB
-
MD5
86a824fe3ec004a40c160cee0ec727d0
-
SHA1
a2d8239cf8f2b3685b1175863bc2dd070586c41f
-
SHA256
ccfd44812eb418244068be4cd3e461bb089851d8b20910c61f9b686222c17c2f
-
SHA512
af879ff94e7002a765825f96a292005120158286845cc8b6dbbd3186c660217a736aee31d795d7869205887e8358e44e32706fbbe13aaf9c08ae20eb820ddc66
-
SSDEEP
6144:AwC8r/UJxg/SrxzUNaDJvZUvxrQBZg3kFz2so48J:n7UJxlhUNaVvZhBZvz2V48J
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghqnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekbmgcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcnqanhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlqdei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oagmmgdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edpmjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimjmbae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjldghjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egndgdai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdjpeifj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfjhgdck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hghillnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oalfhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehjqgjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaolidlk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efnfbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imjkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofbag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pomfkndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfdaigg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncpdbohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimenapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apimacnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcagpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcjdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmccjbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlkmkpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbnjhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbfabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ednpej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oipcnieb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqemdbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lonibk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mopbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjbihpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coelaaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddigjkid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigbhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egndgdai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnleiipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oipcnieb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkopcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cicpch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgechbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afliclij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mopbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hapicp32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2112-0-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x00070000000120bd-5.dat family_berbew behavioral1/memory/2112-6-0x0000000000450000-0x0000000000495000-memory.dmp family_berbew behavioral1/files/0x00070000000120bd-8.dat family_berbew behavioral1/files/0x00070000000120bd-9.dat family_berbew behavioral1/files/0x00070000000120bd-12.dat family_berbew behavioral1/memory/3000-18-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x00070000000120bd-13.dat family_berbew behavioral1/files/0x00070000000154ab-36.dat family_berbew behavioral1/files/0x00070000000154ab-35.dat family_berbew behavioral1/files/0x00070000000154ab-33.dat family_berbew behavioral1/memory/2700-32-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0032000000014ad8-27.dat family_berbew behavioral1/files/0x0032000000014ad8-26.dat family_berbew behavioral1/files/0x0032000000014ad8-22.dat family_berbew behavioral1/files/0x0032000000014ad8-21.dat family_berbew behavioral1/files/0x0032000000014ad8-19.dat family_berbew behavioral1/memory/2744-45-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x00070000000155af-46.dat family_berbew behavioral1/files/0x00070000000154ab-40.dat family_berbew behavioral1/files/0x00070000000154ab-39.dat family_berbew behavioral1/files/0x00070000000155af-49.dat family_berbew behavioral1/files/0x00070000000155af-52.dat family_berbew behavioral1/files/0x00070000000155af-48.dat family_berbew behavioral1/files/0x000700000001587a-65.dat family_berbew behavioral1/files/0x000700000001587a-62.dat family_berbew behavioral1/files/0x0008000000015c60-74.dat family_berbew behavioral1/files/0x0008000000015c60-72.dat family_berbew behavioral1/files/0x000700000001587a-67.dat family_berbew behavioral1/memory/2776-66-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x000700000001587a-61.dat family_berbew behavioral1/files/0x00070000000155af-53.dat family_berbew behavioral1/files/0x000700000001587a-59.dat family_berbew behavioral1/memory/2600-85-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/memory/2612-84-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000015c73-88.dat family_berbew behavioral1/files/0x0006000000015c73-86.dat family_berbew behavioral1/files/0x0008000000015c60-79.dat family_berbew behavioral1/files/0x0008000000015c60-78.dat family_berbew behavioral1/files/0x0008000000015c60-68.dat family_berbew behavioral1/memory/2872-93-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000015c73-94.dat family_berbew behavioral1/files/0x0006000000015c94-102.dat family_berbew behavioral1/files/0x0006000000015c94-101.dat family_berbew behavioral1/files/0x0006000000015c94-99.dat family_berbew behavioral1/files/0x0006000000015c73-92.dat family_berbew behavioral1/files/0x0006000000015c73-89.dat family_berbew behavioral1/memory/2656-108-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000015c94-107.dat family_berbew behavioral1/memory/2872-106-0x0000000000220000-0x0000000000265000-memory.dmp family_berbew behavioral1/files/0x0006000000015c94-105.dat family_berbew behavioral1/files/0x0006000000015ca9-113.dat family_berbew behavioral1/files/0x0006000000015ca9-116.dat family_berbew behavioral1/files/0x0006000000015ca9-115.dat family_berbew behavioral1/files/0x0006000000015ca9-121.dat family_berbew behavioral1/files/0x0006000000015ca9-120.dat family_berbew behavioral1/memory/984-122-0x0000000000400000-0x0000000000445000-memory.dmp family_berbew behavioral1/files/0x0006000000015ce6-127.dat family_berbew behavioral1/files/0x0006000000015ce6-133.dat family_berbew behavioral1/files/0x0006000000015ce6-134.dat family_berbew behavioral1/files/0x0006000000015ce6-130.dat family_berbew behavioral1/files/0x0006000000015ce6-129.dat family_berbew behavioral1/files/0x0006000000015de1-139.dat family_berbew behavioral1/files/0x0006000000015de1-147.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3000 Mlkopcge.exe 2700 Najdnj32.exe 2744 Nondgn32.exe 2776 Namqci32.exe 2612 Naajoinb.exe 2600 Ngnbgplj.exe 2872 Ndbcpd32.exe 2656 Oddpfc32.exe 984 Ocimgp32.exe 2176 Okikfagn.exe 1944 Pklhlael.exe 760 Pgbhabjp.exe 328 Pclfkc32.exe 2172 Pjenhm32.exe 2308 Qabcjgkh.exe 2356 Qlkdkd32.exe 2260 Apimacnn.exe 2156 Alpmfdcb.exe 2484 Ajejgp32.exe 1664 Aemkjiem.exe 1832 Bdbhke32.exe 1608 Bafidiio.exe 1324 Blpjegfm.exe 1948 Bekkcljk.exe 2152 Bbokmqie.exe 1928 Coelaaoi.exe 1592 Cnkicn32.exe 2436 Cgcmlcja.exe 2948 Chbjffad.exe 2732 Caknol32.exe 2616 Cdlgpgef.exe 3036 Dpbheh32.exe 2244 Dbfabp32.exe 1976 Ddgjdk32.exe 2688 Ddigjkid.exe 1908 Ehgppi32.exe 1676 Ednpej32.exe 676 Ekhhadmk.exe 572 Edpmjj32.exe 1620 Egoife32.exe 900 Ecejkf32.exe 2292 Eqijej32.exe 2312 Fjaonpnn.exe 1840 Fpngfgle.exe 2472 Fmbhok32.exe 616 Fncdgcqm.exe 1036 Flgeqgog.exe 1648 Fikejl32.exe 1656 Fbdjbaea.exe 2880 Fhqbkhch.exe 1536 Gdgcpi32.exe 2056 Gjakmc32.exe 2168 Gdjpeifj.exe 2724 Gjdhbc32.exe 2716 Gfjhgdck.exe 2756 Gmdadnkh.exe 3040 Gbaileio.exe 1176 Gpejeihi.exe 2016 Ghqnjk32.exe 2920 Hedocp32.exe 1988 Hbhomd32.exe 2188 Hlqdei32.exe 364 Hanlnp32.exe 932 Hhgdkjol.exe -
Loads dropped DLL 64 IoCs
pid Process 2112 NEAS.86a824fe3ec004a40c160cee0ec727d0.exe 2112 NEAS.86a824fe3ec004a40c160cee0ec727d0.exe 3000 Mlkopcge.exe 3000 Mlkopcge.exe 2700 Najdnj32.exe 2700 Najdnj32.exe 2744 Nondgn32.exe 2744 Nondgn32.exe 2776 Namqci32.exe 2776 Namqci32.exe 2612 Naajoinb.exe 2612 Naajoinb.exe 2600 Ngnbgplj.exe 2600 Ngnbgplj.exe 2872 Ndbcpd32.exe 2872 Ndbcpd32.exe 2656 Oddpfc32.exe 2656 Oddpfc32.exe 984 Ocimgp32.exe 984 Ocimgp32.exe 2176 Okikfagn.exe 2176 Okikfagn.exe 1944 Pklhlael.exe 1944 Pklhlael.exe 760 Pgbhabjp.exe 760 Pgbhabjp.exe 328 Pclfkc32.exe 328 Pclfkc32.exe 2172 Pjenhm32.exe 2172 Pjenhm32.exe 2308 Qabcjgkh.exe 2308 Qabcjgkh.exe 2356 Qlkdkd32.exe 2356 Qlkdkd32.exe 2260 Apimacnn.exe 2260 Apimacnn.exe 2156 Alpmfdcb.exe 2156 Alpmfdcb.exe 2484 Ajejgp32.exe 2484 Ajejgp32.exe 1664 Aemkjiem.exe 1664 Aemkjiem.exe 1832 Bdbhke32.exe 1832 Bdbhke32.exe 1608 Bafidiio.exe 1608 Bafidiio.exe 1324 Blpjegfm.exe 1324 Blpjegfm.exe 1948 Bekkcljk.exe 1948 Bekkcljk.exe 2152 Bbokmqie.exe 2152 Bbokmqie.exe 1928 Coelaaoi.exe 1928 Coelaaoi.exe 1592 Cnkicn32.exe 1592 Cnkicn32.exe 2436 Cgcmlcja.exe 2436 Cgcmlcja.exe 2948 Chbjffad.exe 2948 Chbjffad.exe 2732 Caknol32.exe 2732 Caknol32.exe 2616 Cdlgpgef.exe 2616 Cdlgpgef.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dokfme32.exe Dbdehdfc.exe File created C:\Windows\SysWOW64\Mpioaoic.dll Qabcjgkh.exe File created C:\Windows\SysWOW64\Eeieql32.dll Keednado.exe File created C:\Windows\SysWOW64\Cnjgia32.dll Nlekia32.exe File opened for modification C:\Windows\SysWOW64\Afliclij.exe Pllhib32.exe File opened for modification C:\Windows\SysWOW64\Mlkopcge.exe NEAS.86a824fe3ec004a40c160cee0ec727d0.exe File created C:\Windows\SysWOW64\Gjdhbc32.exe Gdjpeifj.exe File created C:\Windows\SysWOW64\Belhfdmi.dll Hegpjaac.exe File created C:\Windows\SysWOW64\Nflchkii.exe Jgkphj32.exe File opened for modification C:\Windows\SysWOW64\Fpngfgle.exe Fjaonpnn.exe File created C:\Windows\SysWOW64\Lafcif32.dll Ilqpdm32.exe File created C:\Windows\SysWOW64\Niikceid.exe Nodgel32.exe File opened for modification C:\Windows\SysWOW64\Nadpgggp.exe Niikceid.exe File created C:\Windows\SysWOW64\Aeenochi.exe Anlfbi32.exe File opened for modification C:\Windows\SysWOW64\Ipomlm32.exe Iejiodbl.exe File created C:\Windows\SysWOW64\Bifjqh32.dll Okikfagn.exe File opened for modification C:\Windows\SysWOW64\Blpjegfm.exe Bafidiio.exe File opened for modification C:\Windows\SysWOW64\Ifdlng32.exe Iahceq32.exe File created C:\Windows\SysWOW64\Iahceq32.exe Igoomk32.exe File created C:\Windows\SysWOW64\Dkgippgb.exe Cielhh32.exe File created C:\Windows\SysWOW64\Eiilephi.dll Lnecigcp.exe File created C:\Windows\SysWOW64\Mbnipnaf.dll Ghqnjk32.exe File created C:\Windows\SysWOW64\Nacehmno.dll Qeohnd32.exe File created C:\Windows\SysWOW64\Bbeded32.exe Fnndan32.exe File opened for modification C:\Windows\SysWOW64\Lpflkb32.exe Ljldnhid.exe File opened for modification C:\Windows\SysWOW64\Jbdonb32.exe Jofbag32.exe File created C:\Windows\SysWOW64\Nadpgggp.exe Niikceid.exe File created C:\Windows\SysWOW64\Hnnhngjf.exe Hiqoeplo.exe File created C:\Windows\SysWOW64\Ccgklc32.exe Fcdele32.exe File opened for modification C:\Windows\SysWOW64\Jghmfhmb.exe Jqnejn32.exe File created C:\Windows\SysWOW64\Pgbafl32.exe Pqhijbog.exe File created C:\Windows\SysWOW64\Ghqnjk32.exe Gpejeihi.exe File opened for modification C:\Windows\SysWOW64\Mopbgn32.exe Mhfjjdjf.exe File opened for modification C:\Windows\SysWOW64\Cielhh32.exe Cckdlnjg.exe File created C:\Windows\SysWOW64\Lpmbdjfi.dll Egonhf32.exe File opened for modification C:\Windows\SysWOW64\Legaoehg.exe Lonibk32.exe File created C:\Windows\SysWOW64\Gfbliabl.dll Nggggoda.exe File created C:\Windows\SysWOW64\Oakomajq.dll Dbfabp32.exe File created C:\Windows\SysWOW64\Cpkkjc32.exe Ciqcmiei.exe File created C:\Windows\SysWOW64\Dhcihn32.dll Gafcahil.exe File opened for modification C:\Windows\SysWOW64\Kijkje32.exe Jndjmifj.exe File opened for modification C:\Windows\SysWOW64\Eqijej32.exe Ecejkf32.exe File created C:\Windows\SysWOW64\Ilqpdm32.exe Iefhhbef.exe File opened for modification C:\Windows\SysWOW64\Bajomhbl.exe Aaolidlk.exe File opened for modification C:\Windows\SysWOW64\Gnnlocgk.exe Gkoobhhg.exe File created C:\Windows\SysWOW64\Lonibk32.exe Ldheebad.exe File created C:\Windows\SysWOW64\Mlkopcge.exe NEAS.86a824fe3ec004a40c160cee0ec727d0.exe File created C:\Windows\SysWOW64\Hlnbfd32.dll NEAS.86a824fe3ec004a40c160cee0ec727d0.exe File created C:\Windows\SysWOW64\Ddgjdk32.exe Dbfabp32.exe File opened for modification C:\Windows\SysWOW64\Ipgbjl32.exe Iimjmbae.exe File opened for modification C:\Windows\SysWOW64\Oadkej32.exe Fajbke32.exe File created C:\Windows\SysWOW64\Pjkkpmda.dll Hgkfal32.exe File opened for modification C:\Windows\SysWOW64\Pjenhm32.exe Pclfkc32.exe File created C:\Windows\SysWOW64\Ecdjal32.dll Dpbheh32.exe File opened for modification C:\Windows\SysWOW64\Mmihhelk.exe Legmbd32.exe File opened for modification C:\Windows\SysWOW64\Cmjbhh32.exe Cklfll32.exe File created C:\Windows\SysWOW64\Bpbbfi32.dll Ehgppi32.exe File created C:\Windows\SysWOW64\Bdkgocpm.exe Blobjaba.exe File created C:\Windows\SysWOW64\Dchdgl32.dll Mkfclo32.exe File opened for modification C:\Windows\SysWOW64\Ehgppi32.exe Ddigjkid.exe File opened for modification C:\Windows\SysWOW64\Idnaoohk.exe Iapebchh.exe File created C:\Windows\SysWOW64\Lcagpl32.exe Labkdack.exe File opened for modification C:\Windows\SysWOW64\Lcfqkl32.exe Lbfdaigg.exe File created C:\Windows\SysWOW64\Jgafgmqa.dll Pmojocel.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1240 432 WerFault.exe 518 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkqmaqbm.dll" Jcjdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcdele32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egndgdai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlkdkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blpjegfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hghillnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eflill32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcdele32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfgoj32.dll" Dciceaoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oipcnieb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll" Mholen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfndckhj.dll" Ddomif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpdoo32.dll" Ekknjcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhmcaf32.dll" Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgapag32.dll" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifjqh32.dll" Okikfagn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgcja32.dll" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjplobo.dll" Ipmqgmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmccjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbliabl.dll" Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpbmi32.dll" Hgmalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bafidiio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdbmfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nondgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddgloho.dll" Dpdpkfga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhcihn32.dll" Gafcahil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccdbl32.dll" Iompkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll" Pbnoliap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilcfe32.dll" Diidjpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iefhhbef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll" Caknol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemqjmkp.dll" Cgbfamff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edlhqlfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfbghho.dll" Gjakmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddhpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gagkjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmemln32.dll" Hghillnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iimjmbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkolkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll" Npojdpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" Oagmmgdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll" Pgbafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnleiipc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjdhbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdpndnei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfnje32.dll" Gqodqodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldheebad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddigjkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfgkcdoe.dll" Jnffgd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 3000 2112 NEAS.86a824fe3ec004a40c160cee0ec727d0.exe 28 PID 2112 wrote to memory of 3000 2112 NEAS.86a824fe3ec004a40c160cee0ec727d0.exe 28 PID 2112 wrote to memory of 3000 2112 NEAS.86a824fe3ec004a40c160cee0ec727d0.exe 28 PID 2112 wrote to memory of 3000 2112 NEAS.86a824fe3ec004a40c160cee0ec727d0.exe 28 PID 3000 wrote to memory of 2700 3000 Mlkopcge.exe 29 PID 3000 wrote to memory of 2700 3000 Mlkopcge.exe 29 PID 3000 wrote to memory of 2700 3000 Mlkopcge.exe 29 PID 3000 wrote to memory of 2700 3000 Mlkopcge.exe 29 PID 2700 wrote to memory of 2744 2700 Najdnj32.exe 30 PID 2700 wrote to memory of 2744 2700 Najdnj32.exe 30 PID 2700 wrote to memory of 2744 2700 Najdnj32.exe 30 PID 2700 wrote to memory of 2744 2700 Najdnj32.exe 30 PID 2744 wrote to memory of 2776 2744 Nondgn32.exe 31 PID 2744 wrote to memory of 2776 2744 Nondgn32.exe 31 PID 2744 wrote to memory of 2776 2744 Nondgn32.exe 31 PID 2744 wrote to memory of 2776 2744 Nondgn32.exe 31 PID 2776 wrote to memory of 2612 2776 Namqci32.exe 32 PID 2776 wrote to memory of 2612 2776 Namqci32.exe 32 PID 2776 wrote to memory of 2612 2776 Namqci32.exe 32 PID 2776 wrote to memory of 2612 2776 Namqci32.exe 32 PID 2612 wrote to memory of 2600 2612 Naajoinb.exe 33 PID 2612 wrote to memory of 2600 2612 Naajoinb.exe 33 PID 2612 wrote to memory of 2600 2612 Naajoinb.exe 33 PID 2612 wrote to memory of 2600 2612 Naajoinb.exe 33 PID 2600 wrote to memory of 2872 2600 Ngnbgplj.exe 34 PID 2600 wrote to memory of 2872 2600 Ngnbgplj.exe 34 PID 2600 wrote to memory of 2872 2600 Ngnbgplj.exe 34 PID 2600 wrote to memory of 2872 2600 Ngnbgplj.exe 34 PID 2872 wrote to memory of 2656 2872 Ndbcpd32.exe 35 PID 2872 wrote to memory of 2656 2872 Ndbcpd32.exe 35 PID 2872 wrote to memory of 2656 2872 Ndbcpd32.exe 35 PID 2872 wrote to memory of 2656 2872 Ndbcpd32.exe 35 PID 2656 wrote to memory of 984 2656 Oddpfc32.exe 36 PID 2656 wrote to memory of 984 2656 Oddpfc32.exe 36 PID 2656 wrote to memory of 984 2656 Oddpfc32.exe 36 PID 2656 wrote to memory of 984 2656 Oddpfc32.exe 36 PID 984 wrote to memory of 2176 984 Ocimgp32.exe 37 PID 984 wrote to memory of 2176 984 Ocimgp32.exe 37 PID 984 wrote to memory of 2176 984 Ocimgp32.exe 37 PID 984 wrote to memory of 2176 984 Ocimgp32.exe 37 PID 2176 wrote to memory of 1944 2176 Okikfagn.exe 38 PID 2176 wrote to memory of 1944 2176 Okikfagn.exe 38 PID 2176 wrote to memory of 1944 2176 Okikfagn.exe 38 PID 2176 wrote to memory of 1944 2176 Okikfagn.exe 38 PID 1944 wrote to memory of 760 1944 Pklhlael.exe 39 PID 1944 wrote to memory of 760 1944 Pklhlael.exe 39 PID 1944 wrote to memory of 760 1944 Pklhlael.exe 39 PID 1944 wrote to memory of 760 1944 Pklhlael.exe 39 PID 760 wrote to memory of 328 760 Pgbhabjp.exe 40 PID 760 wrote to memory of 328 760 Pgbhabjp.exe 40 PID 760 wrote to memory of 328 760 Pgbhabjp.exe 40 PID 760 wrote to memory of 328 760 Pgbhabjp.exe 40 PID 328 wrote to memory of 2172 328 Pclfkc32.exe 41 PID 328 wrote to memory of 2172 328 Pclfkc32.exe 41 PID 328 wrote to memory of 2172 328 Pclfkc32.exe 41 PID 328 wrote to memory of 2172 328 Pclfkc32.exe 41 PID 2172 wrote to memory of 2308 2172 Pjenhm32.exe 42 PID 2172 wrote to memory of 2308 2172 Pjenhm32.exe 42 PID 2172 wrote to memory of 2308 2172 Pjenhm32.exe 42 PID 2172 wrote to memory of 2308 2172 Pjenhm32.exe 42 PID 2308 wrote to memory of 2356 2308 Qabcjgkh.exe 43 PID 2308 wrote to memory of 2356 2308 Qabcjgkh.exe 43 PID 2308 wrote to memory of 2356 2308 Qabcjgkh.exe 43 PID 2308 wrote to memory of 2356 2308 Qabcjgkh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.86a824fe3ec004a40c160cee0ec727d0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.86a824fe3ec004a40c160cee0ec727d0.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Najdnj32.exeC:\Windows\system32\Najdnj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ngnbgplj.exeC:\Windows\system32\Ngnbgplj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Ndbcpd32.exeC:\Windows\system32\Ndbcpd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Oddpfc32.exeC:\Windows\system32\Oddpfc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Pclfkc32.exeC:\Windows\system32\Pclfkc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Ajejgp32.exeC:\Windows\system32\Ajejgp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Coelaaoi.exeC:\Windows\system32\Coelaaoi.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Chbjffad.exeC:\Windows\system32\Chbjffad.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Ednpej32.exeC:\Windows\system32\Ednpej32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe39⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Egoife32.exeC:\Windows\system32\Egoife32.exe41⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Ecejkf32.exeC:\Windows\system32\Ecejkf32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe47⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe49⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe50⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe51⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe52⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe57⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Gbaileio.exeC:\Windows\system32\Gbaileio.exe58⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe61⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Hlqdei32.exeC:\Windows\system32\Hlqdei32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:364 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe65⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1132 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe67⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe68⤵PID:1876
-
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe69⤵PID:792
-
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe71⤵PID:1528
-
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe72⤵PID:1852
-
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe73⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe75⤵
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe76⤵PID:1196
-
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe78⤵PID:1964
-
C:\Windows\SysWOW64\Ileiplhn.exeC:\Windows\system32\Ileiplhn.exe79⤵PID:2876
-
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe80⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe83⤵PID:2904
-
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe84⤵PID:2664
-
C:\Windows\SysWOW64\Jdehon32.exeC:\Windows\system32\Jdehon32.exe85⤵PID:2640
-
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe86⤵PID:1728
-
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe87⤵PID:2536
-
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Jfiale32.exeC:\Windows\system32\Jfiale32.exe89⤵PID:852
-
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe90⤵
- Drops file in System32 directory
PID:608 -
C:\Windows\SysWOW64\Jghmfhmb.exeC:\Windows\system32\Jghmfhmb.exe91⤵PID:2372
-
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe92⤵PID:2396
-
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe93⤵PID:1768
-
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe94⤵PID:1128
-
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe95⤵PID:2412
-
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe96⤵
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe97⤵
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe98⤵PID:2888
-
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe99⤵PID:1496
-
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe100⤵PID:2080
-
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe101⤵PID:1148
-
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe102⤵PID:2736
-
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe103⤵PID:2708
-
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe104⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe108⤵PID:1956
-
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe109⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe110⤵PID:2940
-
C:\Windows\SysWOW64\Mholen32.exeC:\Windows\system32\Mholen32.exe111⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe112⤵PID:1052
-
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe113⤵PID:1816
-
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe114⤵PID:432
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe115⤵PID:896
-
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe116⤵
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1232 -
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe118⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe119⤵
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe120⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe121⤵PID:2968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-