Analysis
max time kernel: 241s
max time network: 275s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 16/11/2023, 16:58
Behavioral task: behavioral1
Sample: NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe
Size: 346KB
MD5: aecf072e7766e27a1591703fcdd7d7f0
SHA1: 598c438cd54e91134d1dd2789192275c5dc4be44
SHA256: 1162f7ebbe806004a321d6ae4c85152db0d8cbb37510a7405775e85bf213b753
SHA512: 6afa738e45f2d0f1fd49e9c477649fb0ff996031978333e66b187f03bcf56392db0bffcbdeacafcc910a83ef61ba3ad58513b0b1c3e5aef013be6ded8bef78b3
SSDEEP: 6144:lRqreT4I5hdsFj5t13LJhrmMsFj5tzOvfFOM6:/Bxhds15tFrls15tz4FT6
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2812, process: WerFault.exe, pid_target: 1472, procid_target: 184
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2880 wrote to memory of 2652 2880 NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe 28 PID 2880 wrote to memory of 2652 2880 NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe 28 PID 2880 wrote to memory of 2652 2880 NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe 28 PID 2880 wrote to memory of 2652 2880 NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe 28 PID 2652 wrote to memory of 1636 2652 Fadmenpg.exe 29 PID 2652 wrote to memory of 1636 2652 Fadmenpg.exe 29 PID 2652 wrote to memory of 1636 2652 Fadmenpg.exe 29 PID 2652 wrote to memory of 1636 2652 Fadmenpg.exe 29 PID 1636 wrote to memory of 2536 1636 Hopibdfd.exe 30 PID 1636 wrote to memory of 2536 1636 Hopibdfd.exe 30 PID 1636 wrote to memory of 2536 1636 Hopibdfd.exe 30 PID 1636 wrote to memory of 2536 1636 Hopibdfd.exe 30 PID 2536 wrote to memory of 2964 2536 Hhkjpi32.exe 31 PID 2536 wrote to memory of 2964 2536 Hhkjpi32.exe 31 PID 2536 wrote to memory of 2964 2536 Hhkjpi32.exe 31 PID 2536 wrote to memory of 2964 2536 Hhkjpi32.exe 31 PID 2964 wrote to memory of 588 2964 Hcdkagga.exe 32 PID 2964 wrote to memory of 588 2964 Hcdkagga.exe 32 PID 2964 wrote to memory of 588 2964 Hcdkagga.exe 32 PID 2964 wrote to memory of 588 2964 Hcdkagga.exe 32 PID 588 wrote to memory of 2988 588 Iomhkgkb.exe 33 PID 588 wrote to memory of 2988 588 Iomhkgkb.exe 33 PID 588 wrote to memory of 2988 588 Iomhkgkb.exe 33 PID 588 wrote to memory of 2988 588 Iomhkgkb.exe 33 PID 2988 wrote to memory of 860 2988 Ikfffh32.exe 35 PID 2988 wrote to memory of 860 2988 Ikfffh32.exe 35 PID 2988 wrote to memory of 860 2988 Ikfffh32.exe 35 PID 2988 wrote to memory of 860 2988 Ikfffh32.exe 35 PID 860 wrote to memory of 1988 860 Iogkaf32.exe 34 PID 860 wrote to memory of 1988 860 Iogkaf32.exe 34 PID 860 wrote to memory of 1988 860 Iogkaf32.exe 34 PID 860 wrote to memory of 1988 860 Iogkaf32.exe 34 PID 1988 wrote to memory of 592 1988 Iqhhin32.exe 36 PID 1988 wrote to memory of 592 1988 Iqhhin32.exe 36 PID 1988 wrote to memory of 592 
1988 Iqhhin32.exe 36 PID 1988 wrote to memory of 592 1988 Iqhhin32.exe 36 PID 592 wrote to memory of 1964 592 Jqjdon32.exe 37 PID 592 wrote to memory of 1964 592 Jqjdon32.exe 37 PID 592 wrote to memory of 1964 592 Jqjdon32.exe 37 PID 592 wrote to memory of 1964 592 Jqjdon32.exe 37 PID 1964 wrote to memory of 1768 1964 Kcbcah32.exe 38 PID 1964 wrote to memory of 1768 1964 Kcbcah32.exe 38 PID 1964 wrote to memory of 1768 1964 Kcbcah32.exe 38 PID 1964 wrote to memory of 1768 1964 Kcbcah32.exe 38 PID 1768 wrote to memory of 2816 1768 Kfcmcckn.exe 39 PID 1768 wrote to memory of 2816 1768 Kfcmcckn.exe 39 PID 1768 wrote to memory of 2816 1768 Kfcmcckn.exe 39 PID 1768 wrote to memory of 2816 1768 Kfcmcckn.exe 39 PID 2816 wrote to memory of 896 2816 Kejfio32.exe 40 PID 2816 wrote to memory of 896 2816 Kejfio32.exe 40 PID 2816 wrote to memory of 896 2816 Kejfio32.exe 40 PID 2816 wrote to memory of 896 2816 Kejfio32.exe 40 PID 896 wrote to memory of 640 896 Kgkokjjd.exe 41 PID 896 wrote to memory of 640 896 Kgkokjjd.exe 41 PID 896 wrote to memory of 640 896 Kgkokjjd.exe 41 PID 896 wrote to memory of 640 896 Kgkokjjd.exe 41 PID 640 wrote to memory of 2804 640 Laacmc32.exe 42 PID 640 wrote to memory of 2804 640 Laacmc32.exe 42 PID 640 wrote to memory of 2804 640 Laacmc32.exe 42 PID 640 wrote to memory of 2804 640 Laacmc32.exe 42 PID 2804 wrote to memory of 1104 2804 Mhpeem32.exe 43 PID 2804 wrote to memory of 1104 2804 Mhpeem32.exe 43 PID 2804 wrote to memory of 1104 2804 Mhpeem32.exe 43 PID 2804 wrote to memory of 1104 2804 Mhpeem32.exe 43
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.aecf072e7766e27a1591703fcdd7d7f0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Fadmenpg.exeC:\Windows\system32\Fadmenpg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Hopibdfd.exeC:\Windows\system32\Hopibdfd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Hhkjpi32.exeC:\Windows\system32\Hhkjpi32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Hcdkagga.exeC:\Windows\system32\Hcdkagga.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Iomhkgkb.exeC:\Windows\system32\Iomhkgkb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Ikfffh32.exeC:\Windows\system32\Ikfffh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Iogkaf32.exeC:\Windows\system32\Iogkaf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Kcbcah32.exeC:\Windows\system32\Kcbcah32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Kfcmcckn.exeC:\Windows\system32\Kfcmcckn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Mhpeem32.exeC:\Windows\system32\Mhpeem32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Npbpjn32.exeC:\Windows\system32\Npbpjn32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Oqfeda32.exeC:\Windows\system32\Oqfeda32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:616 -
C:\Windows\SysWOW64\Polbemck.exeC:\Windows\system32\Polbemck.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Pidgnc32.exeC:\Windows\system32\Pidgnc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Oehmamnn.exeC:\Windows\system32\Oehmamnn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Mnbbpkjg.exeC:\Windows\system32\Mnbbpkjg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Mkmlbc32.exeC:\Windows\system32\Mkmlbc32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Mfbqol32.exeC:\Windows\system32\Mfbqol32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Mloigc32.exeC:\Windows\system32\Mloigc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Mfdmdlaj.exeC:\Windows\system32\Mfdmdlaj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Nannejni.exeC:\Windows\system32\Nannejni.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Nnboonmb.exeC:\Windows\system32\Nnboonmb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Nelgkhdp.exeC:\Windows\system32\Nelgkhdp.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Niqijkel.exeC:\Windows\system32\Niqijkel.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Olablfbm.exeC:\Windows\system32\Olablfbm.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Oejfelin.exeC:\Windows\system32\Oejfelin.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Oobkna32.exeC:\Windows\system32\Oobkna32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Oelcjkgk.exeC:\Windows\system32\Oelcjkgk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Opaggdfa.exeC:\Windows\system32\Opaggdfa.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Ohmllf32.exeC:\Windows\system32\Ohmllf32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Obbpio32.exeC:\Windows\system32\Obbpio32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Pgdfbb32.exeC:\Windows\system32\Pgdfbb32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Pdhflg32.exeC:\Windows\system32\Pdhflg32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Pkboiamh.exeC:\Windows\system32\Pkboiamh.exe33⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Pcmcmcjc.exeC:\Windows\system32\Pcmcmcjc.exe34⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Pigkjmap.exeC:\Windows\system32\Pigkjmap.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Pdmpgfae.exeC:\Windows\system32\Pdmpgfae.exe36⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Qagiio32.exeC:\Windows\system32\Qagiio32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Qhabfibb.exeC:\Windows\system32\Qhabfibb.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Adhbkj32.exeC:\Windows\system32\Adhbkj32.exe39⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Afgoem32.exeC:\Windows\system32\Afgoem32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Akdgmd32.exeC:\Windows\system32\Akdgmd32.exe41⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Anbcio32.exeC:\Windows\system32\Anbcio32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Agkhbece.exeC:\Windows\system32\Agkhbece.exe43⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Anepooja.exeC:\Windows\system32\Anepooja.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Angmdoho.exeC:\Windows\system32\Angmdoho.exe45⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Adaeai32.exeC:\Windows\system32\Adaeai32.exe46⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Anjjjn32.exeC:\Windows\system32\Anjjjn32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Bfeonq32.exeC:\Windows\system32\Bfeonq32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Boblbe32.exeC:\Windows\system32\Boblbe32.exe49⤵
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Bfldopno.exeC:\Windows\system32\Bfldopno.exe50⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Bkimgflg.exeC:\Windows\system32\Bkimgflg.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Baeepm32.exeC:\Windows\system32\Baeepm32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Cnifia32.exeC:\Windows\system32\Cnifia32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Deckeo32.exeC:\Windows\system32\Deckeo32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Dpiobh32.exeC:\Windows\system32\Dpiobh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Diackmif.exeC:\Windows\system32\Diackmif.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Dehdpnok.exeC:\Windows\system32\Dehdpnok.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Dkelhemb.exeC:\Windows\system32\Dkelhemb.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Dhimaill.exeC:\Windows\system32\Dhimaill.exe59⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Ehkjgi32.exeC:\Windows\system32\Ehkjgi32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:940 -
C:\Windows\SysWOW64\Emhbop32.exeC:\Windows\system32\Emhbop32.exe61⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Ghmach32.exeC:\Windows\system32\Ghmach32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2128 -
C:\Windows\SysWOW64\Faflfc32.exeC:\Windows\system32\Faflfc32.exe63⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Fllpcl32.exeC:\Windows\system32\Fllpcl32.exe64⤵
- Drops file in System32 directory
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Fmmlkdeo.exeC:\Windows\system32\Fmmlkdeo.exe65⤵
- Drops file in System32 directory
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Geddla32.exeC:\Windows\system32\Geddla32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Gjamdh32.exeC:\Windows\system32\Gjamdh32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Gpnemo32.exeC:\Windows\system32\Gpnemo32.exe68⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Gjcijh32.exeC:\Windows\system32\Gjcijh32.exe69⤵PID:856
C:\Windows\SysWOW64\Gbonnjpq.exeC:\Windows\system32\Gbonnjpq.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Gfjjoi32.exeC:\Windows\system32\Gfjjoi32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Glgbgp32.exeC:\Windows\system32\Glgbgp32.exe72⤵PID:1332
C:\Windows\SysWOW64\Gdnkhm32.exeC:\Windows\system32\Gdnkhm32.exe73⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Geogpemb.exeC:\Windows\system32\Geogpemb.exe74⤵PID:2776
C:\Windows\SysWOW64\Gpekmnmh.exeC:\Windows\system32\Gpekmnmh.exe75⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Hpghcn32.exeC:\Windows\system32\Hpghcn32.exe76⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Hheimpfm.exeC:\Windows\system32\Hheimpfm.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Hmabegde.exeC:\Windows\system32\Hmabegde.exe78⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Heijfdeg.exeC:\Windows\system32\Heijfdeg.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Hoaooj32.exeC:\Windows\system32\Hoaooj32.exe80⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Hpbkgbaf.exeC:\Windows\system32\Hpbkgbaf.exe81⤵
- Modifies registry class
PID:524 -
C:\Windows\SysWOW64\Hglcclhb.exeC:\Windows\system32\Hglcclhb.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Hnfkpf32.exeC:\Windows\system32\Hnfkpf32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Iccdhm32.exeC:\Windows\system32\Iccdhm32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Idbpbpej.exeC:\Windows\system32\Idbpbpej.exe85⤵
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Ilnegb32.exeC:\Windows\system32\Ilnegb32.exe86⤵PID:2592
C:\Windows\SysWOW64\Igcidk32.exeC:\Windows\system32\Igcidk32.exe87⤵PID:772
C:\Windows\SysWOW64\Jdpplcjh.exeC:\Windows\system32\Jdpplcjh.exe88⤵
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Jnhddiqh.exeC:\Windows\system32\Jnhddiqh.exe89⤵PID:2268
C:\Windows\SysWOW64\Jbdpeh32.exeC:\Windows\system32\Jbdpeh32.exe90⤵PID:932
C:\Windows\SysWOW64\Jhnibbpn.exeC:\Windows\system32\Jhnibbpn.exe91⤵PID:2412
C:\Windows\SysWOW64\Jqimfdni.exeC:\Windows\system32\Jqimfdni.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Jkoacm32.exeC:\Windows\system32\Jkoacm32.exe93⤵PID:1748
C:\Windows\SysWOW64\Jqljld32.exeC:\Windows\system32\Jqljld32.exe94⤵PID:828
C:\Windows\SysWOW64\Jcjfho32.exeC:\Windows\system32\Jcjfho32.exe95⤵
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Kklamq32.exeC:\Windows\system32\Kklamq32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Kbfijkij.exeC:\Windows\system32\Kbfijkij.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Kegbkffk.exeC:\Windows\system32\Kegbkffk.exe98⤵PID:1940
C:\Windows\SysWOW64\Kibnld32.exeC:\Windows\system32\Kibnld32.exe99⤵PID:2292
C:\Windows\SysWOW64\Knogdkml.exeC:\Windows\system32\Knogdkml.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Lancqglp.exeC:\Windows\system32\Lancqglp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Ljfgil32.exeC:\Windows\system32\Ljfgil32.exe102⤵PID:2836
C:\Windows\SysWOW64\Lcnlbbiq.exeC:\Windows\system32\Lcnlbbiq.exe103⤵PID:1696
C:\Windows\SysWOW64\Labllf32.exeC:\Windows\system32\Labllf32.exe104⤵PID:1156
C:\Windows\SysWOW64\Linaph32.exeC:\Windows\system32\Linaph32.exe105⤵PID:2016
C:\Windows\SysWOW64\Mlqggcqc.exeC:\Windows\system32\Mlqggcqc.exe106⤵
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Mhggld32.exeC:\Windows\system32\Mhggld32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Moapinnd.exeC:\Windows\system32\Moapinnd.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Migdfg32.exeC:\Windows\system32\Migdfg32.exe109⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Mbohomdk.exeC:\Windows\system32\Mbohomdk.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Menekhco.exeC:\Windows\system32\Menekhco.exe111⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Mkkmcoaf.exeC:\Windows\system32\Mkkmcoaf.exe112⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Madepihc.exeC:\Windows\system32\Madepihc.exe113⤵PID:2224
C:\Windows\SysWOW64\Mhonmc32.exeC:\Windows\system32\Mhonmc32.exe114⤵PID:1056
C:\Windows\SysWOW64\Mmkfej32.exeC:\Windows\system32\Mmkfej32.exe115⤵PID:1564
C:\Windows\SysWOW64\Mdenaded.exeC:\Windows\system32\Mdenaded.exe116⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Edndehaa.exeC:\Windows\system32\Edndehaa.exe117⤵PID:2512
C:\Windows\SysWOW64\Ejkmnopi.exeC:\Windows\system32\Ejkmnopi.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Lgjjkiin.exeC:\Windows\system32\Lgjjkiin.exe119⤵
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Eldidd32.exeC:\Windows\system32\Eldidd32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Edfcif32.exeC:\Windows\system32\Edfcif32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Fnnhbkmj.exeC:\Windows\system32\Fnnhbkmj.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840