Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
38s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07/05/2024, 17:14
Behavioral task
behavioral1
Sample
e8f1a290a6f92c80eed0feedc6946180_NEAS.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
e8f1a290a6f92c80eed0feedc6946180_NEAS.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
e8f1a290a6f92c80eed0feedc6946180_NEAS.exe
-
Size
844KB
-
MD5
e8f1a290a6f92c80eed0feedc6946180
-
SHA1
2ce79e7d02e1717e2786a2fdf48802d113fc0143
-
SHA256
653da7dc2e4318279f3e188c80191d7904f3b67ee166d1f179311eb7af8298aa
-
SHA512
a3f833bd2887c2b25431a5f83febd9cfd1b0bd84775a8092aeb32bd93afd794f0931cbeafa406eae10ce6b124a1047270a5a7760e65bcb0dd088f61a3708ca87
-
SSDEEP
24576:kDH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:kDH5W3TbQihw+cdX2x46uhqllMi
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihniaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckjamgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikhnaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kigndekn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimmjffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epmfgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaihob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acicla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhqjen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbeofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdlkcdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkmhnjlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppkjac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpgph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mojbaham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opihgfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkaehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieofkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmflee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nigldq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfpeeqig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgndbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifdlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjnhhjjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qemldifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oekmceaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agbbgqhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edqocbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcjpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohbikbkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nabopjmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmhahkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhonjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdhad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x0009000000016332-5.dat family_berbew behavioral1/files/0x0008000000016c90-20.dat family_berbew behavioral1/files/0x0009000000016ccf-43.dat family_berbew behavioral1/files/0x0009000000016ccf-38.dat family_berbew behavioral1/files/0x000700000001704f-56.dat family_berbew behavioral1/files/0x0005000000019473-65.dat family_berbew behavioral1/files/0x0010000000016c10-85.dat family_berbew behavioral1/files/0x00040000000194d6-92.dat family_berbew behavioral1/files/0x00040000000194dc-113.dat family_berbew behavioral1/files/0x00050000000194ea-123.dat family_berbew behavioral1/files/0x00050000000194ef-137.dat family_berbew behavioral1/files/0x00050000000194f4-154.dat family_berbew behavioral1/files/0x0005000000019521-161.dat family_berbew behavioral1/files/0x0005000000019570-182.dat family_berbew behavioral1/files/0x000500000001959e-187.dat family_berbew behavioral1/files/0x00050000000195a4-206.dat family_berbew behavioral1/files/0x00050000000195a7-219.dat family_berbew behavioral1/memory/1036-241-0x00000000002A0000-0x00000000002E3000-memory.dmp family_berbew behavioral1/files/0x00050000000195ba-238.dat family_berbew behavioral1/files/0x00050000000195a9-229.dat family_berbew behavioral1/files/0x0005000000019646-249.dat family_berbew behavioral1/files/0x0005000000019ce6-293.dat family_berbew behavioral1/files/0x0005000000019f60-315.dat family_berbew behavioral1/files/0x000500000001a2d0-337.dat family_berbew behavioral1/files/0x000500000001a3d4-370.dat family_berbew behavioral1/memory/2584-373-0x0000000000220000-0x0000000000263000-memory.dmp family_berbew behavioral1/files/0x000500000001a431-392.dat family_berbew behavioral1/files/0x000500000001a43b-403.dat family_berbew behavioral1/files/0x000500000001a443-414.dat family_berbew behavioral1/memory/2692-433-0x0000000000260000-0x00000000002A3000-memory.dmp family_berbew behavioral1/memory/2692-430-0x0000000000260000-0x00000000002A3000-memory.dmp family_berbew behavioral1/files/0x000500000001a447-422.dat family_berbew behavioral1/memory/2860-400-0x0000000000220000-0x0000000000263000-memory.dmp family_berbew behavioral1/memory/2860-399-0x0000000000220000-0x0000000000263000-memory.dmp family_berbew behavioral1/files/0x000500000001a44f-447.dat family_berbew behavioral1/files/0x000500000001a44b-436.dat family_berbew behavioral1/files/0x000500000001a453-460.dat family_berbew behavioral1/files/0x000500000001a457-466.dat family_berbew behavioral1/files/0x000500000001a45f-491.dat family_berbew behavioral1/files/0x000500000001a463-502.dat family_berbew behavioral1/files/0x000500000001a467-515.dat family_berbew behavioral1/files/0x000500000001a45b-481.dat family_berbew behavioral1/files/0x000500000001a470-535.dat family_berbew behavioral1/files/0x000500000001a474-548.dat family_berbew behavioral1/files/0x000500000001a479-561.dat family_berbew behavioral1/files/0x000500000001a47d-573.dat family_berbew behavioral1/files/0x000500000001a484-583.dat family_berbew behavioral1/files/0x000500000001a489-595.dat family_berbew behavioral1/files/0x000500000001ad1c-615.dat family_berbew behavioral1/files/0x000500000001c288-623.dat family_berbew behavioral1/files/0x000500000001c6d5-636.dat family_berbew behavioral1/memory/936-450-0x0000000000290000-0x00000000002D3000-memory.dmp family_berbew behavioral1/files/0x000500000001a429-382.dat family_berbew behavioral1/files/0x000500000001c78b-658.dat family_berbew behavioral1/memory/2584-374-0x0000000000220000-0x0000000000263000-memory.dmp family_berbew behavioral1/memory/2656-362-0x0000000000220000-0x0000000000263000-memory.dmp family_berbew behavioral1/files/0x000500000001c82d-670.dat family_berbew behavioral1/files/0x000500000001a3c8-359.dat family_berbew behavioral1/files/0x000500000001c837-691.dat family_berbew behavioral1/files/0x000500000001c83b-701.dat family_berbew behavioral1/files/0x000500000001c843-724.dat family_berbew behavioral1/files/0x000500000001c847-735.dat family_berbew behavioral1/files/0x000500000001c84b-750.dat family_berbew behavioral1/files/0x000500000001c84f-763.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2896 Dlgnmb32.exe 3028 Dhplhc32.exe 2672 Daipqhdg.exe 2620 Ednbncmb.exe 2536 Edqocbkp.exe 2856 Eolmip32.exe 1480 Gegabegc.exe 2004 Gghkdp32.exe 2616 Gmecmg32.exe 1072 Gildahhp.exe 1208 Hdlkcdog.exe 524 Ifoqjo32.exe 2348 Jhjphfgi.exe 1776 Jdaqmg32.exe 2124 Jgaiobjn.exe 1496 Jkbojpna.exe 1036 Kfkpknkq.exe 1720 Kcopdb32.exe 1808 Kpcqnf32.exe 956 Kgfoie32.exe 1492 Lnbdko32.exe 1736 Ljieppcb.exe 2188 Lfpeeqig.exe 2100 Lcdfnehp.exe 1760 Lqhfhigj.exe 1692 Mjpkqonj.exe 1616 Mmadbjkk.exe 2656 Mpamde32.exe 2584 Mijamjnm.exe 2480 Mngjeamd.exe 2860 Njpgpbpf.exe 2596 Niedqnen.exe 1148 Nbniid32.exe 2692 Nlhjhi32.exe 2420 Ohojmjep.exe 936 Obdojcef.exe 2200 Piqpkpml.exe 1540 Phfmllbd.exe 2356 Qnebjc32.exe 588 Qgmfchei.exe 3064 Qhmcmk32.exe 2948 Adcdbl32.exe 1764 Amohfo32.exe 952 Afgmodel.exe 624 Amcbankf.exe 2152 Abpjjeim.exe 1676 Akiobk32.exe 1260 Bkklhjnk.exe 632 Bkmhnjlh.exe 2556 Bjbeofpp.exe 1404 Bckjhl32.exe 2892 Baojapfj.exe 2424 Cjgoje32.exe 2644 Cacclpae.exe 2680 Cpkmcldj.exe 2952 Dobgihgp.exe 2552 Dhmhhmlm.exe 3016 Dmmmfc32.exe 1440 Epmfgo32.exe 2396 Eejopecj.exe 1956 Egikjh32.exe 2968 Ecploipa.exe 1884 Eaeipfei.exe 1624 Ehpalp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2908 e8f1a290a6f92c80eed0feedc6946180_NEAS.exe 2908 e8f1a290a6f92c80eed0feedc6946180_NEAS.exe 2896 Dlgnmb32.exe 2896 Dlgnmb32.exe 3028 Dhplhc32.exe 3028 Dhplhc32.exe 2672 Daipqhdg.exe 2672 Daipqhdg.exe 2620 Ednbncmb.exe 2620 Ednbncmb.exe 2536 Edqocbkp.exe 2536 Edqocbkp.exe 2856 Eolmip32.exe 2856 Eolmip32.exe 1480 Gegabegc.exe 1480 Gegabegc.exe 2004 Gghkdp32.exe 2004 Gghkdp32.exe 2616 Gmecmg32.exe 2616 Gmecmg32.exe 1072 Gildahhp.exe 1072 Gildahhp.exe 1208 Hdlkcdog.exe 1208 Hdlkcdog.exe 524 Ifoqjo32.exe 524 Ifoqjo32.exe 2348 Jhjphfgi.exe 2348 Jhjphfgi.exe 1776 Jdaqmg32.exe 1776 Jdaqmg32.exe 2124 Jgaiobjn.exe 2124 Jgaiobjn.exe 1496 Jkbojpna.exe 1496 Jkbojpna.exe 1036 Kfkpknkq.exe 1036 Kfkpknkq.exe 1720 Kcopdb32.exe 1720 Kcopdb32.exe 1808 Kpcqnf32.exe 1808 Kpcqnf32.exe 956 Kgfoie32.exe 956 Kgfoie32.exe 1492 Lnbdko32.exe 1492 Lnbdko32.exe 1736 Ljieppcb.exe 1736 Ljieppcb.exe 2188 Lfpeeqig.exe 2188 Lfpeeqig.exe 2100 Lcdfnehp.exe 2100 Lcdfnehp.exe 1760 Lqhfhigj.exe 1760 Lqhfhigj.exe 1692 Mjpkqonj.exe 1692 Mjpkqonj.exe 1616 Mmadbjkk.exe 1616 Mmadbjkk.exe 2656 Mpamde32.exe 2656 Mpamde32.exe 2584 Mijamjnm.exe 2584 Mijamjnm.exe 2480 Mngjeamd.exe 2480 Mngjeamd.exe 2860 Njpgpbpf.exe 2860 Njpgpbpf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Elcmpi32.dll Difqji32.exe File created C:\Windows\SysWOW64\Bmnnkl32.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Jhgikm32.dll Eogolc32.exe File created C:\Windows\SysWOW64\Obmhmmga.dll Qpamoa32.exe File created C:\Windows\SysWOW64\Amgjnepn.exe Aepbmhpl.exe File opened for modification C:\Windows\SysWOW64\Ednbncmb.exe Daipqhdg.exe File created C:\Windows\SysWOW64\Pbbldf32.dll Edqocbkp.exe File created C:\Windows\SysWOW64\Hiqoeplo.exe Hcdgmimg.exe File created C:\Windows\SysWOW64\Lfmiff32.dll Hbnmienj.exe File created C:\Windows\SysWOW64\Omlncc32.exe Ofafgipc.exe File created C:\Windows\SysWOW64\Qmhahkdj.exe Qlfdac32.exe File created C:\Windows\SysWOW64\Dijdkh32.dll Eicpcm32.exe File created C:\Windows\SysWOW64\Jfaeme32.exe Jfohgepi.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Amohfo32.exe File opened for modification C:\Windows\SysWOW64\Hakkgc32.exe Hpkompgg.exe File created C:\Windows\SysWOW64\Iplfej32.dll Hcldhnkk.exe File opened for modification C:\Windows\SysWOW64\Cfmhdpnc.exe Ckhdggom.exe File opened for modification C:\Windows\SysWOW64\Kigndekn.exe Jeclebja.exe File created C:\Windows\SysWOW64\Dohindnd.dll Coicfd32.exe File created C:\Windows\SysWOW64\Jihcbj32.dll Egikjh32.exe File created C:\Windows\SysWOW64\Cnlpnk32.dll Gdcjpncm.exe File opened for modification C:\Windows\SysWOW64\Piieicgl.exe Pbomli32.exe File created C:\Windows\SysWOW64\Afmjbf32.dll Jkbojpna.exe File opened for modification C:\Windows\SysWOW64\Mmadbjkk.exe Mjpkqonj.exe File opened for modification C:\Windows\SysWOW64\Eaeipfei.exe Ecploipa.exe File created C:\Windows\SysWOW64\Chnlno32.dll Ggagmjbq.exe File created C:\Windows\SysWOW64\Mcodqkbi.exe Mnblhddb.exe File created C:\Windows\SysWOW64\Fkgfqf32.dll Eeagimdf.exe File created C:\Windows\SysWOW64\Kapohbfp.exe Klcgpkhh.exe File created C:\Windows\SysWOW64\Cjhkej32.dll Ghdgfbkl.exe File created C:\Windows\SysWOW64\Lnjcomcf.exe Ldbofgme.exe File created C:\Windows\SysWOW64\Cnkjnb32.exe Cnimiblo.exe File created C:\Windows\SysWOW64\Nomdjlpi.dll Ifdlng32.exe File created C:\Windows\SysWOW64\Ncmglp32.exe Nihcog32.exe File created C:\Windows\SysWOW64\Ahmefdcp.exe Qmhahkdj.exe File opened for modification C:\Windows\SysWOW64\Mhqjen32.exe Lohelidp.exe File created C:\Windows\SysWOW64\Ednbncmb.exe Daipqhdg.exe File created C:\Windows\SysWOW64\Mmadbjkk.exe Mjpkqonj.exe File created C:\Windows\SysWOW64\Obokcqhk.exe Ohiffh32.exe File opened for modification C:\Windows\SysWOW64\Jjnhhjjk.exe Jeqopcld.exe File created C:\Windows\SysWOW64\Fchopn32.dll Nihcog32.exe File created C:\Windows\SysWOW64\Dognqkje.dll Abpjjeim.exe File opened for modification C:\Windows\SysWOW64\Ngealejo.exe Nnmlcp32.exe File created C:\Windows\SysWOW64\Imdbjp32.dll Nameek32.exe File opened for modification C:\Windows\SysWOW64\Qmhahkdj.exe Qlfdac32.exe File opened for modification C:\Windows\SysWOW64\Hqiqjlga.exe Hdbpekam.exe File opened for modification C:\Windows\SysWOW64\Lcdfnehp.exe Lfpeeqig.exe File created C:\Windows\SysWOW64\Fbnbckhg.dll Cfmhdpnc.exe File created C:\Windows\SysWOW64\Hccadd32.dll Cfanmogq.exe File opened for modification C:\Windows\SysWOW64\Hdbpekam.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Kambcbhb.exe Jlqjkk32.exe File created C:\Windows\SysWOW64\Mfnnbf32.dll Fncpef32.exe File created C:\Windows\SysWOW64\Pljlbf32.exe Pepcelel.exe File created C:\Windows\SysWOW64\Ckjamgmk.exe Cfmhdpnc.exe File created C:\Windows\SysWOW64\Fckhhgcf.exe Fmnopp32.exe File opened for modification C:\Windows\SysWOW64\Ggkibhjf.exe Gnbejb32.exe File created C:\Windows\SysWOW64\Eencfjlb.dll Omlncc32.exe File created C:\Windows\SysWOW64\Mklcadfn.exe Mbcoio32.exe File created C:\Windows\SysWOW64\Hnpdcf32.exe Hiclkp32.exe File opened for modification C:\Windows\SysWOW64\Oimmjffj.exe Ncpdbohb.exe File opened for modification C:\Windows\SysWOW64\Ijcngenj.exe Icifjk32.exe File opened for modification C:\Windows\SysWOW64\Ncfjajma.exe Nllbdp32.exe File created C:\Windows\SysWOW64\Mjceldap.dll Ohojmjep.exe File opened for modification C:\Windows\SysWOW64\Ckjamgmk.exe Cfmhdpnc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4912 4184 WerFault.exe 744 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll" Cnimiblo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhckfkbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddiakkl.dll" Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojijh32.dll" Dmmmfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifdlng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbampij.dll" Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlhjhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjfnnajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piieicgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnhjmjc.dll" Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akiobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhgnaehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eencfjlb.dll" Omlncc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bniipnpc.dll" Piieicgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikidod32.dll" Hkiicmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdpfadlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdqnkoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkmghhf.dll" Ncpdbohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhknco32.dll" Jenbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbpca32.dll" Iocgfhhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdeaelok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbid32.dll" Eaeipfei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdqlajbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbpqmfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afgmodel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcmdnfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmhahkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkklhjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anogijnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll" Lcohahpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qnebjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnlpnk32.dll" Gdcjpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlecok32.dll" Nbkgbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojcqog32.dll" Ldbofgme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konijaag.dll" Niedqnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladpkl32.dll" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnjjadh.dll" Jjnhhjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieqili32.dll" Qdofep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhiiop32.dll" Aepbmhpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eejopecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olpbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeagimdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iediin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll" Nbmaon32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2896 2908 e8f1a290a6f92c80eed0feedc6946180_NEAS.exe 518 PID 2908 wrote to memory of 2896 2908 e8f1a290a6f92c80eed0feedc6946180_NEAS.exe 518 PID 2908 wrote to memory of 2896 2908 e8f1a290a6f92c80eed0feedc6946180_NEAS.exe 518 PID 2908 wrote to memory of 2896 2908 e8f1a290a6f92c80eed0feedc6946180_NEAS.exe 518 PID 2896 wrote to memory of 3028 2896 Dlgnmb32.exe 382 PID 2896 wrote to memory of 3028 2896 Dlgnmb32.exe 382 PID 2896 wrote to memory of 3028 2896 Dlgnmb32.exe 382 PID 2896 wrote to memory of 3028 2896 Dlgnmb32.exe 382 PID 3028 wrote to memory of 2672 3028 Dhplhc32.exe 349 PID 3028 wrote to memory of 2672 3028 Dhplhc32.exe 349 PID 3028 wrote to memory of 2672 3028 Dhplhc32.exe 349 PID 3028 wrote to memory of 2672 3028 Dhplhc32.exe 349 PID 2672 wrote to memory of 2620 2672 Daipqhdg.exe 31 PID 2672 wrote to memory of 2620 2672 Daipqhdg.exe 31 PID 2672 wrote to memory of 2620 2672 Daipqhdg.exe 31 PID 2672 wrote to memory of 2620 2672 Daipqhdg.exe 31 PID 2620 wrote to memory of 2536 2620 Ednbncmb.exe 351 PID 2620 wrote to memory of 2536 2620 Ednbncmb.exe 351 PID 2620 wrote to memory of 2536 2620 Ednbncmb.exe 351 PID 2620 wrote to memory of 2536 2620 Ednbncmb.exe 351 PID 2536 wrote to memory of 2856 2536 Edqocbkp.exe 33 PID 2536 wrote to memory of 2856 2536 Edqocbkp.exe 33 PID 2536 wrote to memory of 2856 2536 Edqocbkp.exe 33 PID 2536 wrote to memory of 2856 2536 Edqocbkp.exe 33 PID 2856 wrote to memory of 1480 2856 Eolmip32.exe 34 PID 2856 wrote to memory of 1480 2856 Eolmip32.exe 34 PID 2856 wrote to memory of 1480 2856 Eolmip32.exe 34 PID 2856 wrote to memory of 1480 2856 Eolmip32.exe 34 PID 1480 wrote to memory of 2004 1480 Gegabegc.exe 35 PID 1480 wrote to memory of 2004 1480 Gegabegc.exe 35 PID 1480 wrote to memory of 2004 1480 Gegabegc.exe 35 PID 1480 wrote to memory of 2004 1480 Gegabegc.exe 35 PID 2004 wrote to memory of 2616 2004 Gghkdp32.exe 36 PID 2004 wrote to memory of 2616 2004 Gghkdp32.exe 36 PID 2004 wrote to memory of 2616 2004 Gghkdp32.exe 36 PID 2004 wrote to memory of 2616 2004 Gghkdp32.exe 36 PID 2616 wrote to memory of 1072 2616 Gmecmg32.exe 37 PID 2616 wrote to memory of 1072 2616 Gmecmg32.exe 37 PID 2616 wrote to memory of 1072 2616 Gmecmg32.exe 37 PID 2616 wrote to memory of 1072 2616 Gmecmg32.exe 37 PID 1072 wrote to memory of 1208 1072 Gildahhp.exe 404 PID 1072 wrote to memory of 1208 1072 Gildahhp.exe 404 PID 1072 wrote to memory of 1208 1072 Gildahhp.exe 404 PID 1072 wrote to memory of 1208 1072 Gildahhp.exe 404 PID 1208 wrote to memory of 524 1208 Hdlkcdog.exe 527 PID 1208 wrote to memory of 524 1208 Hdlkcdog.exe 527 PID 1208 wrote to memory of 524 1208 Hdlkcdog.exe 527 PID 1208 wrote to memory of 524 1208 Hdlkcdog.exe 527 PID 524 wrote to memory of 2348 524 Ifoqjo32.exe 499 PID 524 wrote to memory of 2348 524 Ifoqjo32.exe 499 PID 524 wrote to memory of 2348 524 Ifoqjo32.exe 499 PID 524 wrote to memory of 2348 524 Ifoqjo32.exe 499 PID 2348 wrote to memory of 1776 2348 Jhjphfgi.exe 41 PID 2348 wrote to memory of 1776 2348 Jhjphfgi.exe 41 PID 2348 wrote to memory of 1776 2348 Jhjphfgi.exe 41 PID 2348 wrote to memory of 1776 2348 Jhjphfgi.exe 41 PID 1776 wrote to memory of 2124 1776 Jdaqmg32.exe 42 PID 1776 wrote to memory of 2124 1776 Jdaqmg32.exe 42 PID 1776 wrote to memory of 2124 1776 Jdaqmg32.exe 42 PID 1776 wrote to memory of 2124 1776 Jdaqmg32.exe 42 PID 2124 wrote to memory of 1496 2124 Jgaiobjn.exe 486 PID 2124 wrote to memory of 1496 2124 Jgaiobjn.exe 486 PID 2124 wrote to memory of 1496 2124 Jgaiobjn.exe 486 PID 2124 wrote to memory of 1496 2124 Jgaiobjn.exe 486
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8f1a290a6f92c80eed0feedc6946180_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\e8f1a290a6f92c80eed0feedc6946180_NEAS.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe34⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe37⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe38⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe39⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe41⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe42⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe43⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe46⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe52⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe53⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe54⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe55⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe57⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe58⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe65⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe66⤵PID:1376
-
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe67⤵PID:1372
-
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe68⤵PID:2212
-
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe69⤵PID:2944
-
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe70⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe71⤵PID:2612
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe72⤵PID:1936
-
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe73⤵PID:2372
-
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe74⤵PID:2608
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe76⤵PID:1584
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe77⤵PID:2324
-
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe78⤵PID:2360
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe80⤵PID:2368
-
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe81⤵PID:2132
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe82⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:836 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe86⤵PID:3048
-
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe88⤵PID:1652
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe89⤵PID:1512
-
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe90⤵PID:2164
-
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe91⤵PID:2664
-
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe92⤵PID:2836
-
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe94⤵PID:2364
-
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:520 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe97⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe98⤵PID:1424
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe99⤵PID:2052
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe100⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe103⤵PID:2984
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe105⤵PID:944
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe108⤵PID:2332
-
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe110⤵
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe111⤵PID:1392
-
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe112⤵PID:752
-
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe113⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe114⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe115⤵PID:2712
-
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe116⤵PID:880
-
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe117⤵PID:2640
-
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe118⤵
- Drops file in System32 directory
PID:1216 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe119⤵PID:2128
-
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe120⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe121⤵
- Modifies registry class
PID:2168
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-