Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2023, 08:21
Behavioral task: behavioral1
Sample: NEAS.e9e0d789b12837d13ea2e40972784420.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.e9e0d789b12837d13ea2e40972784420.exe
Resource: win10v2004-20231025-en
General
Target: NEAS.e9e0d789b12837d13ea2e40972784420.exe
Size: 199KB
MD5: e9e0d789b12837d13ea2e40972784420
SHA1: dbc8cbc5dd8520fc4cfb846f9c54b76c750f516a
SHA256: 711b58efb8b2c5cf7a7c8750bd7ea7a26943be0d9896d8d886c765ccc0eb1158
SHA512: 28c81dc06bf8d26bf55d49ca97c2f8300389950ded0d5322104d85a34fe3085a97a7669514cf261f94b3767d5dfed10e580aac8eb38d764008f00c972e8448b0
SSDEEP: 6144:Z39+lsUSZSCZj81+jq4peBK034YOmFz1h:76iZSCG1+jheBbOmFxh
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blinefnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfcodkcb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qeohnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdqnkoep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aiaoclgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Picojhcm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gojhafnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcqlkjae.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kaldcb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndemjoae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cicpch32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoebpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Domqjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcljmdmj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akfkbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfohgepi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcenlceh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjnamh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glgjednf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lplbjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egiiapci.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efcomkcl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikefkcmo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpjeialg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkjnnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcakaipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdacop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qijdocfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dkcofe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibehla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knmamp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgjkfi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jagpdd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbemboof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnqlmq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gcokiaji.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkgahoel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onqkclni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbjlhpkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fccglehn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfmemc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phpjnnki.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkacpihj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khldkllj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Coicfd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Difqji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikjhki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qbplbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abphal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Depbfhpe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpabcbdb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcahoqhf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apgagg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfgnnhkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhdmph32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jghmfhmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hoebpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cakqgeoi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ojomdoof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhhkapeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efhqmadd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfcabd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lphhenhc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cklfll32.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral1/files/0x0009000000012024-5.dat | family_berbew
behavioral1/files/0x0009000000012024-9.dat | family_berbew
behavioral1/files/0x0009000000012024-8.dat | family_berbew
behavioral1/files/0x00310000000144a1-23.dat | family_berbew
behavioral1/files/0x00310000000144a1-26.dat | family_berbew
behavioral1/files/0x00310000000144a1-22.dat | family_berbew
behavioral1/files/0x00310000000144a1-20.dat | family_berbew
behavioral1/files/0x0009000000012024-14.dat | family_berbew
behavioral1/files/0x0009000000012024-13.dat | family_berbew
behavioral1/files/0x00310000000144a1-28.dat | family_berbew
behavioral1/files/0x0007000000014f1a-48.dat | family_berbew
behavioral1/files/0x0007000000014f1a-46.dat | family_berbew
behavioral1/files/0x0008000000014b59-36.dat | family_berbew
behavioral1/files/0x0008000000014b59-35.dat | family_berbew
behavioral1/files/0x0008000000014b59-33.dat | family_berbew
behavioral1/files/0x0007000000014f1a-42.dat | family_berbew
behavioral1/files/0x0008000000014b59-41.dat | family_berbew
behavioral1/files/0x0007000000014f1a-53.dat | family_berbew
behavioral1/files/0x0007000000014f1a-52.dat | family_berbew
behavioral1/files/0x0008000000014b59-39.dat | family_berbew
behavioral1/files/0x00080000000152d1-60.dat | family_berbew
behavioral1/files/0x00080000000152d1-68.dat | family_berbew
behavioral1/files/0x00080000000152d1-66.dat | family_berbew
behavioral1/files/0x00080000000152d1-63.dat | family_berbew
behavioral1/files/0x00080000000152d1-62.dat | family_berbew
behavioral1/files/0x0006000000015c14-80.dat | family_berbew
behavioral1/files/0x0006000000015c14-81.dat | family_berbew
behavioral1/files/0x0006000000015c14-76.dat | family_berbew
behavioral1/files/0x0006000000015c14-75.dat | family_berbew
behavioral1/files/0x0006000000015c41-86.dat | family_berbew
behavioral1/files/0x0006000000015c14-73.dat | family_berbew
behavioral1/files/0x0006000000015c63-107.dat | family_berbew
behavioral1/files/0x0006000000015c63-106.dat | family_berbew
behavioral1/files/0x0006000000015c63-96.dat | family_berbew
behavioral1/files/0x0006000000015c63-102.dat | family_berbew
behavioral1/files/0x0006000000015c41-95.dat | family_berbew
behavioral1/files/0x0006000000015c63-100.dat | family_berbew
behavioral1/files/0x0006000000015c41-89.dat | family_berbew
behavioral1/files/0x0006000000015c41-88.dat | family_berbew
behavioral1/files/0x0006000000015c41-93.dat | family_berbew
behavioral1/files/0x0006000000015c74-113.dat | family_berbew
behavioral1/files/0x0006000000015c74-116.dat | family_berbew
behavioral1/files/0x0006000000015c74-119.dat | family_berbew
behavioral1/files/0x0006000000015c74-120.dat | family_berbew
behavioral1/files/0x0006000000015c74-121.dat | family_berbew
behavioral1/files/0x0006000000015c95-126.dat | family_berbew
behavioral1/files/0x0006000000015c95-130.dat | family_berbew
behavioral1/files/0x0006000000015c95-134.dat | family_berbew
behavioral1/files/0x0006000000015cad-146.dat | family_berbew
behavioral1/files/0x0006000000015ce0-159.dat | family_berbew
behavioral1/files/0x0006000000015ce0-158.dat | family_berbew
behavioral1/files/0x0006000000015ce0-155.dat | family_berbew
behavioral1/files/0x0006000000015ce0-154.dat | family_berbew
behavioral1/files/0x0006000000015ce0-152.dat | family_berbew
behavioral1/files/0x0006000000015cad-147.dat | family_berbew
behavioral1/files/0x0006000000015cad-143.dat | family_berbew
behavioral1/files/0x0006000000015cad-142.dat | family_berbew
behavioral1/files/0x0006000000015cad-140.dat | family_berbew
behavioral1/files/0x0006000000015c95-129.dat | family_berbew
behavioral1/files/0x0006000000015c95-133.dat | family_berbew
behavioral1/memory/324-171-0x0000000000220000-0x000000000025E000-memory.dmp | family_berbew
behavioral1/files/0x0006000000015dcb-167.dat | family_berbew
behavioral1/files/0x0006000000015e41-186.dat | family_berbew
behavioral1/files/0x0006000000015ec8-192.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
1700 | Ofhick32.exe
2744 | Ocnfbo32.exe
2824 | Okikfagn.exe
2712 | Pdaoog32.exe
2648 | Pogclp32.exe
2668 | Pbhmnkjf.exe
2576 | Pggbla32.exe
2944 | Pjhknm32.exe
1628 | Qcpofbjl.exe
2012 | Ahdaee32.exe
324 | Aidnohbk.exe
448 | Anafhopc.exe
3028 | Adnopfoj.exe
1760 | Bdbhke32.exe
1732 | Bmkmdk32.exe
2284 | Bbhela32.exe
1864 | Bghjhp32.exe
2568 | Baakhm32.exe
400 | Cadhnmnm.exe
1780 | Cnkicn32.exe
936 | Chpmpg32.exe
1268 | Caknol32.exe
684 | Cldooj32.exe
1720 | Dlgldibq.exe
1680 | Dliijipn.exe
880 | Dogefd32.exe
2068 | Dcenlceh.exe
2852 | Dkcofe32.exe
2620 | Ekelld32.exe
1328 | Emieil32.exe
2596 | Eccmffjf.exe
2696 | Emkaol32.exe
2380 | Efcfga32.exe
1920 | Fekpnn32.exe
2900 | Fenmdm32.exe
2260 | Fadminnn.exe
612 | Fjmaaddo.exe
1992 | Fnkjhb32.exe
1324 | Gedbdlbb.exe
1968 | Ghelfg32.exe
1876 | Ganpomec.exe
1648 | Gfjhgdck.exe
2104 | Gdniqh32.exe
2692 | Gfmemc32.exe
1000 | Gmgninie.exe
2400 | Ghqnjk32.exe
1704 | Hpgfki32.exe
2324 | Hakphqja.exe
1368 | Hmbpmapf.exe
1528 | Hdnepk32.exe
836 | Hkhnle32.exe
840 | Illgimph.exe
3016 | Igakgfpn.exe
1768 | Iefhhbef.exe
2424 | Ilqpdm32.exe
1724 | Iamimc32.exe
1152 | Ilcmjl32.exe
2748 | Jnffgd32.exe
2776 | Jdpndnei.exe
1592 | Jkjfah32.exe
2196 | Jhngjmlo.exe
2604 | Jjpcbe32.exe
2120 | Jchhkjhn.exe
2716 | Jkoplhip.exe
Loads dropped DLL 64 IoCs
pid | Process
1696 | NEAS.e9e0d789b12837d13ea2e40972784420.exe
1696 | NEAS.e9e0d789b12837d13ea2e40972784420.exe
1700 | Ofhick32.exe
1700 | Ofhick32.exe
2744 | Ocnfbo32.exe
2744 | Ocnfbo32.exe
2824 | Okikfagn.exe
2824 | Okikfagn.exe
2712 | Pdaoog32.exe
2712 | Pdaoog32.exe
2648 | Pogclp32.exe
2648 | Pogclp32.exe
2668 | Pbhmnkjf.exe
2668 | Pbhmnkjf.exe
2576 | Pggbla32.exe
2576 | Pggbla32.exe
2944 | Pjhknm32.exe
2944 | Pjhknm32.exe
1628 | Qcpofbjl.exe
1628 | Qcpofbjl.exe
2012 | Ahdaee32.exe
2012 | Ahdaee32.exe
324 | Aidnohbk.exe
324 | Aidnohbk.exe
448 | Anafhopc.exe
448 | Anafhopc.exe
3028 | Adnopfoj.exe
3028 | Adnopfoj.exe
1760 | Bdbhke32.exe
1760 | Bdbhke32.exe
1732 | Bmkmdk32.exe
1732 | Bmkmdk32.exe
2284 | Bbhela32.exe
2284 | Bbhela32.exe
1864 | Bghjhp32.exe
1864 | Bghjhp32.exe
2568 | Baakhm32.exe
2568 | Baakhm32.exe
400 | Cadhnmnm.exe
400 | Cadhnmnm.exe
1780 | Cnkicn32.exe
1780 | Cnkicn32.exe
936 | Chpmpg32.exe
936 | Chpmpg32.exe
1268 | Caknol32.exe
1268 | Caknol32.exe
684 | Cldooj32.exe
684 | Cldooj32.exe
1720 | Dlgldibq.exe
1720 | Dlgldibq.exe
1680 | Dliijipn.exe
1680 | Dliijipn.exe
880 | Dogefd32.exe
880 | Dogefd32.exe
2960 | Dkqbaecc.exe
2960 | Dkqbaecc.exe
2852 | Dkcofe32.exe
2852 | Dkcofe32.exe
2620 | Ekelld32.exe
2620 | Ekelld32.exe
1328 | Emieil32.exe
1328 | Emieil32.exe
2596 | Eccmffjf.exe
2596 | Eccmffjf.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Lbackc32.exe | Lobgoh32.exe
File created | C:\Windows\SysWOW64\Fkaamgeg.dll | Injqmdki.exe
File created | C:\Windows\SysWOW64\Hahmbk32.dll | Jdpgjhbm.exe
File opened for modification | C:\Windows\SysWOW64\Omkjbb32.exe | Ogqaehak.exe
File created | C:\Windows\SysWOW64\Qfngfgqe.dll | Gcheib32.exe
File created | C:\Windows\SysWOW64\Ibeogebm.dll | Hdnepk32.exe
File created | C:\Windows\SysWOW64\Dkkbkp32.exe | Deojci32.exe
File created | C:\Windows\SysWOW64\Gdfaom32.dll | Jfhjbobc.exe
File created | C:\Windows\SysWOW64\Emoldlmc.exe | Ejaphpnp.exe
File opened for modification | C:\Windows\SysWOW64\Jaecod32.exe | Jlfnangf.exe
File opened for modification | C:\Windows\SysWOW64\Mmccqbpm.exe | Mkdffoij.exe
File created | C:\Windows\SysWOW64\Objjnkie.exe | Ojbbmnhc.exe
File opened for modification | C:\Windows\SysWOW64\Gfehan32.exe | Gcglec32.exe
File opened for modification | C:\Windows\SysWOW64\Dmdnbecj.exe | Dkfbfjdf.exe
File opened for modification | C:\Windows\SysWOW64\Ekcaonhe.exe | Eheecbia.exe
File created | C:\Windows\SysWOW64\Qdaglmcb.exe | Qqfkln32.exe
File created | C:\Windows\SysWOW64\Olebgfao.exe | Oplelf32.exe
File created | C:\Windows\SysWOW64\Pacajg32.exe | Piliii32.exe
File created | C:\Windows\SysWOW64\Mdacop32.exe | Mbpgggol.exe
File created | C:\Windows\SysWOW64\Nfocik32.dll | Fnejbmko.exe
File opened for modification | C:\Windows\SysWOW64\Bjoofhgc.exe | Bfccei32.exe
File created | C:\Windows\SysWOW64\Kkjnnn32.exe | Kaajei32.exe
File created | C:\Windows\SysWOW64\Gdhdkn32.exe | Gjbpne32.exe
File created | C:\Windows\SysWOW64\Ijkocg32.exe | Imgnjb32.exe
File created | C:\Windows\SysWOW64\Dfdlklmn.dll | Gedbdlbb.exe
File created | C:\Windows\SysWOW64\Cipdmc32.dll | Hmaick32.exe
File opened for modification | C:\Windows\SysWOW64\Fbdlkj32.exe | Ffmkfifa.exe
File opened for modification | C:\Windows\SysWOW64\Mamgmofp.exe | Mlpneh32.exe
File created | C:\Windows\SysWOW64\Kphnnlag.dll | Gcahoqhf.exe
File created | C:\Windows\SysWOW64\Kfcgie32.dll | Bgllgedi.exe
File created | C:\Windows\SysWOW64\Jfohgepi.exe | Jcqlkjae.exe
File created | C:\Windows\SysWOW64\Fdoahk32.dll | Dkiefp32.exe
File created | C:\Windows\SysWOW64\Pdefbe32.dll | Dknoaoaj.exe
File created | C:\Windows\SysWOW64\Ohapgocp.dll | Fjeefofk.exe
File created | C:\Windows\SysWOW64\Chiimh32.dll | Makjho32.exe
File created | C:\Windows\SysWOW64\Jenghkhk.dll | Helgmg32.exe
File opened for modification | C:\Windows\SysWOW64\Jhoklnkg.exe | Jaecod32.exe
File created | C:\Windows\SysWOW64\Ogbogkjn.dll | Ifolhann.exe
File created | C:\Windows\SysWOW64\Bdbhke32.exe | Adnopfoj.exe
File created | C:\Windows\SysWOW64\Cklfll32.exe | Cdanpb32.exe
File created | C:\Windows\SysWOW64\Lgeajlgp.dll | Jkgcab32.exe
File opened for modification | C:\Windows\SysWOW64\Fgnokb32.exe | Fqcfnhjb.exe
File opened for modification | C:\Windows\SysWOW64\Ikefkcmo.exe | Ippbnjni.exe
File created | C:\Windows\SysWOW64\Gkoobhhg.exe | Gpjkeoha.exe
File opened for modification | C:\Windows\SysWOW64\Gdhdkn32.exe | Gjbpne32.exe
File created | C:\Windows\SysWOW64\Nidjhoea.dll | Fhdmph32.exe
File created | C:\Windows\SysWOW64\Opfdll32.dll | Chpmpg32.exe
File created | C:\Windows\SysWOW64\Bipikqbi.dll | Jqnejn32.exe
File opened for modification | C:\Windows\SysWOW64\Kqiaclhj.exe | Knjegqif.exe
File created | C:\Windows\SysWOW64\Koipglep.exe | Kljdkpfl.exe
File opened for modification | C:\Windows\SysWOW64\Lgngbmjp.exe | Ldokfakl.exe
File created | C:\Windows\SysWOW64\Mndofg32.dll | Dnhbmpkn.exe
File opened for modification | C:\Windows\SysWOW64\Jnffgd32.exe | Ilcmjl32.exe
File opened for modification | C:\Windows\SysWOW64\Gcokiaji.exe | Gmecmg32.exe
File opened for modification | C:\Windows\SysWOW64\Iabhah32.exe | Hndlem32.exe
File created | C:\Windows\SysWOW64\Debplg32.exe | Dohgomgf.exe
File opened for modification | C:\Windows\SysWOW64\Gjifodii.exe | Ggkibhjf.exe
File created | C:\Windows\SysWOW64\Iclbpj32.exe | Iamfdo32.exe
File created | C:\Windows\SysWOW64\Pfdabino.exe | Pqhijbog.exe
File opened for modification | C:\Windows\SysWOW64\Phpjnnki.exe | Pddnnp32.exe
File created | C:\Windows\SysWOW64\Bfkifhib.exe | Bmbemb32.exe
File created | C:\Windows\SysWOW64\Knjegqif.exe | Kjoifb32.exe
File created | C:\Windows\SysWOW64\Kpieengb.exe | Kipmhc32.exe
File created | C:\Windows\SysWOW64\Fioeja32.dll | NEAS.e9e0d789b12837d13ea2e40972784420.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
340 | 3592 | WerFault.exe | 770
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmlael32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aidnohbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cklfll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gcheib32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjahej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelnlcjj.dll" | Gkalhgfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljigih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mfgnnhkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjchig32.dll" | Aidnohbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfamefoo.dll" | Eolmip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmjaohol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll" | Kipmhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eheecbia.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkolakkb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bceibfgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kcginj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dekdikhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dafoikjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hklhae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" | Dlgldibq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ganpomec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpoenh32.dll" | Lhhkapeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Igqhpj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aajbne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Neklbppb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbqpqcoj.dll" | Pdaoog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iaimipjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll" | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmbnbgf.dll" | Maefamlh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmofdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjapamid.dll" | Gegabegc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aacmij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll" | Ekelld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdlkim32.dll" | Ejgemkbm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmdjkhdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll" | Phcilf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcaiqm32.dll" | Ocnfbo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chnbcpmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbipbbd.dll" | Jqlhdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahjegok.dll" | Lipecm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iibfajdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oioipf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ojbbmnhc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emkaol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdnepk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llomfpag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpccfogk.dll" | Idadnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjkgjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Liminmmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ingkdeak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonnhc32.dll" | Mbqkiind.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkcilc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpgionie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmgocb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Konndhmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dbojdmcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hembkl32.dll" | Ifffkncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngdjmc32.dll" | Kadfkhkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" | Kbmome32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfaalh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkhnle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aaolidlk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Egahen32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lklgbadb.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target   (each row below is recorded 4 times in the report, 64 IoCs in total)
PID 1696 wrote to memory of 1700 | 1696 | NEAS.e9e0d789b12837d13ea2e40972784420.exe | 28
PID 1700 wrote to memory of 2744 | 1700 | Ofhick32.exe | 29
PID 2744 wrote to memory of 2824 | 2744 | Ocnfbo32.exe | 30
PID 2824 wrote to memory of 2712 | 2824 | Okikfagn.exe | 31
PID 2712 wrote to memory of 2648 | 2712 | Pdaoog32.exe | 32
PID 2648 wrote to memory of 2668 | 2648 | Pogclp32.exe | 33
PID 2668 wrote to memory of 2576 | 2668 | Pbhmnkjf.exe | 34
PID 2576 wrote to memory of 2944 | 2576 | Pggbla32.exe | 35
PID 2944 wrote to memory of 1628 | 2944 | Pjhknm32.exe | 36
PID 1628 wrote to memory of 2012 | 1628 | Qcpofbjl.exe | 37
PID 2012 wrote to memory of 324 | 2012 | Ahdaee32.exe | 38
PID 324 wrote to memory of 448 | 324 | Aidnohbk.exe | 39
PID 448 wrote to memory of 3028 | 448 | Anafhopc.exe | 40
PID 3028 wrote to memory of 1760 | 3028 | Adnopfoj.exe | 42
PID 1760 wrote to memory of 1732 | 1760 | Bdbhke32.exe | 41
PID 1732 wrote to memory of 2284 | 1732 | Bmkmdk32.exe | 43
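As an added example (not part of the Triage report or its tooling), the script below correlates the two signature tables above the way an analyst would when deciding whether the registry writes amount to a working autorun: it resolves the ShellServiceObjectDelayLoad value to its CLSID and on to the InProcServer32 (Default) DLL that Explorer instantiates at logon, and it walks the "wrote to memory of" rows into the parent-to-child chain. The sample lines are copied from this report and embedded so the script runs offline; the function names, the line layout the regexes assume (description, pid, Process, procid_target flattened onto one line) and the hit counts are my own additions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: registry IoC lines copied from this report's "Modifies registry
# class" and "Adds autorun key" signatures, embedded so the script runs offline.
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfcodkcb.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfaalh32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ingkdeak.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonnhc32.dll" Mbqkiind.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hembkl32.dll" Ifffkncm.exe',
]

# Constructed sample: "Suspicious use of WriteProcessMemory" rows from this report,
# one row per line as "description pid Process procid_target".
WPM_IOCS = [
    'PID 1696 wrote to memory of 1700 1696 NEAS.e9e0d789b12837d13ea2e40972784420.exe 28',
    'PID 1696 wrote to memory of 1700 1696 NEAS.e9e0d789b12837d13ea2e40972784420.exe 28',
    'PID 1700 wrote to memory of 2744 1700 Ofhick32.exe 29',
    'PID 1700 wrote to memory of 2744 1700 Ofhick32.exe 29',
    'PID 2744 wrote to memory of 2824 2744 Ocnfbo32.exe 30',
]

IOC_RE = re.compile(
    r'^(?P<action>Set value \(str\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'      # key path, plus value name for "Set value"
    r'(?: = "(?P<data>.*)")?'        # quoted data, absent for "Key created"
    r' (?P<process>\S+\.exe)$'       # process that performed the write
)
CLSID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$')


def parse_registry_iocs(lines):
    """Split each IoC line into action, key path, value name, data and acting process."""
    entries = []
    for line in lines:
        m = IOC_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised IoC line: {line!r}')
        action, key, data, process = m.group('action', 'key', 'data', 'process')
        if action == 'Key created':
            path, name = key, None
        else:
            # A trailing backslash marks the (Default) value, e.g. InProcServer32\ = "...dll".
            path, _, name = key.rpartition('\\')
            data = (data or '').replace('\\\\', '\\')  # report escapes backslashes in quoted data
        entries.append({'action': action, 'path': path, 'name': name,
                        'data': data, 'process': process})
    return entries


def ssodl_load_chain(entries):
    """Map SSODL value name -> (CLSID, sorted InProcServer32 DLL paths).

    Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad at
    logon, so the DLLs returned here are what the autorun entry actually loads."""
    ssodl = {}                  # value name -> CLSID
    servers = defaultdict(set)  # CLSID -> DLL paths written as InProcServer32 (Default)
    for e in entries:
        if e['action'] != 'Set value (str)':
            continue
        path = e['path'].lower()
        if path.endswith('\\shellserviceobjectdelayload') and CLSID_RE.match(e['data']):
            ssodl[e['name']] = e['data'].upper()
        elif '\\clsid\\' in path and path.endswith('\\inprocserver32') and e['name'] == '':
            clsid = e['path'].rsplit('\\', 2)[-2].upper()
            servers[clsid].add(e['data'])
    return {name: (clsid, sorted(servers.get(clsid, ())))
            for name, clsid in ssodl.items()}


def injection_chain(lines, root_pid):
    """Follow 'PID a wrote to memory of b' edges from root_pid.

    Each dropped EXE is the parent that writes into the next one, so the chain
    reads as process lineage. Returns [(pid, image, child_pid, write_count)]."""
    edges, hits = {}, Counter()
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised IoC line: {line!r}')
        pid, child, pid_col, image, _target = m.groups()
        if pid != pid_col:
            raise ValueError(f'pid column disagrees with description: {line!r}')
        edges.setdefault(int(pid), (image, int(child)))
        hits[int(pid)] += 1
    chain, pid, seen = [], root_pid, set()
    while pid in edges and pid not in seen:  # stop on a cycle or at the last child
        seen.add(pid)
        image, child = edges[pid]
        chain.append((pid, image, child, hits[pid]))
        pid = child
    return chain


if __name__ == '__main__':
    for name, (clsid, dlls) in ssodl_load_chain(parse_registry_iocs(REGISTRY_IOCS)).items():
        print(f'SSODL "{name}" -> {clsid} -> {", ".join(dlls) or "<no InProcServer32 seen>"}')
    for pid, image, child, n in injection_chain(WPM_IOCS, 1696):
        print(f'{image} ({pid}) wrote into {child}  x{n}')
```

Run as-is it prints the single persistence chain this report contains ("Web Event Logger" to {79FEACFF-FFCE-815E-A900-316290B5B738} to Gonnhc32.dll and Hembkl32.dll under SysWow64) and the first three links of the process chain. One check worth making before treating the SSODL entry as a live autorun: every key in this report sits under Wow6432Node, which is the view a 32-bit process gets when it writes HKLM\SOFTWARE on 64-bit Windows, while the 64-bit explorer.exe on the windows7_x64 image reads the native ShellServiceObjectDelayLoad key. Confirm on the target whether the redirected entry is ever enumerated; on a 32-bit host the DLLs listed above load at logon.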
Processes
depth | PID | image path | command line | signatures
1 | PID 1696 | C:\Users\Admin\AppData\Local\Temp\NEAS.e9e0d789b12837d13ea2e40972784420.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.e9e0d789b12837d13ea2e40972784420.exe" | Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
2 | PID 1700 | C:\Windows\SysWOW64\Ofhick32.exe | C:\Windows\system32\Ofhick32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | PID 2744 | C:\Windows\SysWOW64\Ocnfbo32.exe | C:\Windows\system32\Ocnfbo32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
4 | PID 2824 | C:\Windows\SysWOW64\Okikfagn.exe | C:\Windows\system32\Okikfagn.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | PID 2712 | C:\Windows\SysWOW64\Pdaoog32.exe | C:\Windows\system32\Pdaoog32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
6 | PID 2648 | C:\Windows\SysWOW64\Pogclp32.exe | C:\Windows\system32\Pogclp32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | PID 2668 | C:\Windows\SysWOW64\Pbhmnkjf.exe | C:\Windows\system32\Pbhmnkjf.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | PID 2576 | C:\Windows\SysWOW64\Pggbla32.exe | C:\Windows\system32\Pggbla32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | PID 2944 | C:\Windows\SysWOW64\Pjhknm32.exe | C:\Windows\system32\Pjhknm32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | PID 1628 | C:\Windows\SysWOW64\Qcpofbjl.exe | C:\Windows\system32\Qcpofbjl.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | PID 2012 | C:\Windows\SysWOW64\Ahdaee32.exe | C:\Windows\system32\Ahdaee32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | PID 324 | C:\Windows\SysWOW64\Aidnohbk.exe | C:\Windows\system32\Aidnohbk.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13 | PID 448 | C:\Windows\SysWOW64\Anafhopc.exe | C:\Windows\system32\Anafhopc.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14 | PID 3028 | C:\Windows\SysWOW64\Adnopfoj.exe | C:\Windows\system32\Adnopfoj.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
15 | PID 1760 | C:\Windows\SysWOW64\Bdbhke32.exe | C:\Windows\system32\Bdbhke32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
(The report's tree display restarts at depth 1 below. The WriteProcessMemory IoCs above record PID 1760 (Bdbhke32.exe) writing into PID 1732, so Bmkmdk32.exe continues the same chain.)
1 | PID 1732 | C:\Windows\SysWOW64\Bmkmdk32.exe | C:\Windows\system32\Bmkmdk32.exe | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | PID 2284 | C:\Windows\SysWOW64\Bbhela32.exe | C:\Windows\system32\Bbhela32.exe | Executes dropped EXE; Loads dropped DLL
3 | PID 1864 | C:\Windows\SysWOW64\Bghjhp32.exe | C:\Windows\system32\Bghjhp32.exe | Executes dropped EXE; Loads dropped DLL
4 | PID 2568 | C:\Windows\SysWOW64\Baakhm32.exe | C:\Windows\system32\Baakhm32.exe | Executes dropped EXE; Loads dropped DLL
5 | PID 400 | C:\Windows\SysWOW64\Cadhnmnm.exe | C:\Windows\system32\Cadhnmnm.exe | Executes dropped EXE; Loads dropped DLL
6 | PID 1780 | C:\Windows\SysWOW64\Cnkicn32.exe | C:\Windows\system32\Cnkicn32.exe | Executes dropped EXE; Loads dropped DLL
7 | PID 936 | C:\Windows\SysWOW64\Chpmpg32.exe | C:\Windows\system32\Chpmpg32.exe | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
8 | PID 1268 | C:\Windows\SysWOW64\Caknol32.exe | C:\Windows\system32\Caknol32.exe | Executes dropped EXE; Loads dropped DLL
9 | PID 684 | C:\Windows\SysWOW64\Cldooj32.exe | C:\Windows\system32\Cldooj32.exe | Executes dropped EXE; Loads dropped DLL
10 | PID 1720 | C:\Windows\SysWOW64\Dlgldibq.exe | C:\Windows\system32\Dlgldibq.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class
11 | PID 1680 | C:\Windows\SysWOW64\Dliijipn.exe | C:\Windows\system32\Dliijipn.exe | Executes dropped EXE; Loads dropped DLL
12 | PID 880 | C:\Windows\SysWOW64\Dogefd32.exe | C:\Windows\system32\Dogefd32.exe | Executes dropped EXE; Loads dropped DLL
13 | PID 2068 | C:\Windows\SysWOW64\Dcenlceh.exe | C:\Windows\system32\Dcenlceh.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
14 | PID 2960 | C:\Windows\SysWOW64\Dkqbaecc.exe | C:\Windows\system32\Dkqbaecc.exe | Loads dropped DLL
15 | PID 2852 | C:\Windows\SysWOW64\Dkcofe32.exe | C:\Windows\system32\Dkcofe32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
16 | PID 2620 | C:\Windows\SysWOW64\Ekelld32.exe | C:\Windows\system32\Ekelld32.exe | Executes dropped EXE; Loads dropped DLL; Modifies registry class
17 | PID 1328 | C:\Windows\SysWOW64\Emieil32.exe | C:\Windows\system32\Emieil32.exe | Executes dropped EXE; Loads dropped DLL
18 | PID 2596 | C:\Windows\SysWOW64\Eccmffjf.exe | C:\Windows\system32\Eccmffjf.exe | Executes dropped EXE; Loads dropped DLL
19 | PID 2696 | C:\Windows\SysWOW64\Emkaol32.exe | C:\Windows\system32\Emkaol32.exe | Executes dropped EXE; Modifies registry class
20 | PID 2380 | C:\Windows\SysWOW64\Efcfga32.exe | C:\Windows\system32\Efcfga32.exe | Executes dropped EXE
21 | PID 1920 | C:\Windows\SysWOW64\Fekpnn32.exe | C:\Windows\system32\Fekpnn32.exe | Executes dropped EXE
22 | PID 2900 | C:\Windows\SysWOW64\Fenmdm32.exe | C:\Windows\system32\Fenmdm32.exe | Executes dropped EXE
23 | PID 2260 | C:\Windows\SysWOW64\Fadminnn.exe | C:\Windows\system32\Fadminnn.exe | Executes dropped EXE
24 | PID 612 | C:\Windows\SysWOW64\Fjmaaddo.exe | C:\Windows\system32\Fjmaaddo.exe | Executes dropped EXE
25 | PID 1992 | C:\Windows\SysWOW64\Fnkjhb32.exe | C:\Windows\system32\Fnkjhb32.exe | Executes dropped EXE
26 | PID 1324 | C:\Windows\SysWOW64\Gedbdlbb.exe | C:\Windows\system32\Gedbdlbb.exe | Executes dropped EXE; Drops file in System32 directory
27 | PID 1968 | C:\Windows\SysWOW64\Ghelfg32.exe | C:\Windows\system32\Ghelfg32.exe | Executes dropped EXE
28 | PID 1876 | C:\Windows\SysWOW64\Ganpomec.exe | C:\Windows\system32\Ganpomec.exe | Executes dropped EXE; Modifies registry class
29 | PID 1648 | C:\Windows\SysWOW64\Gfjhgdck.exe | C:\Windows\system32\Gfjhgdck.exe | Executes dropped EXE
30 | PID 2104 | C:\Windows\SysWOW64\Gdniqh32.exe | C:\Windows\system32\Gdniqh32.exe | Executes dropped EXE
31 | PID 2692 | C:\Windows\SysWOW64\Gfmemc32.exe | C:\Windows\system32\Gfmemc32.exe | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
32 | PID 1000 | C:\Windows\SysWOW64\Gmgninie.exe | C:\Windows\system32\Gmgninie.exe | Executes dropped EXE
33 | PID 2400 | C:\Windows\SysWOW64\Ghqnjk32.exe | C:\Windows\system32\Ghqnjk32.exe | Executes dropped EXE
34 | PID 1704 | C:\Windows\SysWOW64\Hpgfki32.exe | C:\Windows\system32\Hpgfki32.exe | Executes dropped EXE
35 | PID 2324 | C:\Windows\SysWOW64\Hakphqja.exe | C:\Windows\system32\Hakphqja.exe | Executes dropped EXE
36 | PID 1368 | C:\Windows\SysWOW64\Hmbpmapf.exe | C:\Windows\system32\Hmbpmapf.exe | Executes dropped EXE
37 | PID 1528 | C:\Windows\SysWOW64\Hdnepk32.exe | C:\Windows\system32\Hdnepk32.exe | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
38 | PID 836 | C:\Windows\SysWOW64\Hkhnle32.exe | C:\Windows\system32\Hkhnle32.exe | Executes dropped EXE; Modifies registry class
39 | PID 840 | C:\Windows\SysWOW64\Illgimph.exe | C:\Windows\system32\Illgimph.exe | Executes dropped EXE
40 | PID 3016 | C:\Windows\SysWOW64\Igakgfpn.exe | C:\Windows\system32\Igakgfpn.exe | Executes dropped EXE
41 | PID 1768 | C:\Windows\SysWOW64\Iefhhbef.exe | C:\Windows\system32\Iefhhbef.exe | Executes dropped EXE
42 | PID 2424 | C:\Windows\SysWOW64\Ilqpdm32.exe | C:\Windows\system32\Ilqpdm32.exe | Executes dropped EXE
43 | PID 1724 | C:\Windows\SysWOW64\Iamimc32.exe | C:\Windows\system32\Iamimc32.exe | Executes dropped EXE
44 | PID 1152 | C:\Windows\SysWOW64\Ilcmjl32.exe | C:\Windows\system32\Ilcmjl32.exe | Executes dropped EXE; Drops file in System32 directory
45 | PID 2748 | C:\Windows\SysWOW64\Jnffgd32.exe | C:\Windows\system32\Jnffgd32.exe | Executes dropped EXE
46 | PID 2776 | C:\Windows\SysWOW64\Jdpndnei.exe | C:\Windows\system32\Jdpndnei.exe | Executes dropped EXE
47 | PID 1592 | C:\Windows\SysWOW64\Jkjfah32.exe | C:\Windows\system32\Jkjfah32.exe | Executes dropped EXE
48 | PID 2196 | C:\Windows\SysWOW64\Jhngjmlo.exe | C:\Windows\system32\Jhngjmlo.exe | Executes dropped EXE
49 | PID 2604 | C:\Windows\SysWOW64\Jjpcbe32.exe | C:\Windows\system32\Jjpcbe32.exe | Executes dropped EXE
50 | PID 2120 | C:\Windows\SysWOW64\Jchhkjhn.exe | C:\Windows\system32\Jchhkjhn.exe | Executes dropped EXE
51 | PID 2716 | C:\Windows\SysWOW64\Jkoplhip.exe | C:\Windows\system32\Jkoplhip.exe | Executes dropped EXE
52 | PID 2024 | C:\Windows\SysWOW64\Jqlhdo32.exe | C:\Windows\system32\Jqlhdo32.exe | Modifies registry class
53 | PID 1608 | C:\Windows\SysWOW64\Jqnejn32.exe | C:\Windows\system32\Jqnejn32.exe | Drops file in System32 directory
54 | PID 1084 | C:\Windows\SysWOW64\Jghmfhmb.exe | C:\Windows\system32\Jghmfhmb.exe | Adds autorun key to be loaded by Explorer.exe on startup
55 | PID 1448 | C:\Windows\SysWOW64\Kmefooki.exe | C:\Windows\system32\Kmefooki.exe | (none)
56 | PID 2500 | C:\Windows\SysWOW64\Kilfcpqm.exe | C:\Windows\system32\Kilfcpqm.exe | (none)
57 | PID 1976 | C:\Windows\SysWOW64\Kkjcplpa.exe | C:\Windows\system32\Kkjcplpa.exe | (none)
58 | PID 1048 | C:\Windows\SysWOW64\Kcakaipc.exe | C:\Windows\system32\Kcakaipc.exe | Adds autorun key to be loaded by Explorer.exe on startup
59 | PID 2156 | C:\Windows\SysWOW64\Kmjojo32.exe | C:\Windows\system32\Kmjojo32.exe | (none)
60 | PID 1484 | C:\Windows\SysWOW64\Keednado.exe | C:\Windows\system32\Keednado.exe | (none)
61 | PID 2264 | C:\Windows\SysWOW64\Kgcpjmcb.exe | C:\Windows\system32\Kgcpjmcb.exe | (none)
62 | PID 2352 | C:\Windows\SysWOW64\Kaldcb32.exe | C:\Windows\system32\Kaldcb32.exe | Adds autorun key to be loaded by Explorer.exe on startup
63 | PID 2128 | C:\Windows\SysWOW64\Kgemplap.exe | C:\Windows\system32\Kgemplap.exe | (none)
64 | PID 900 | C:\Windows\SysWOW64\Kbkameaf.exe | C:\Windows\system32\Kbkameaf.exe | (none)
65 | PID 1928 | C:\Windows\SysWOW64\Lghjel32.exe | C:\Windows\system32\Lghjel32.exe | (none)
66 | PID 1348 | C:\Windows\SysWOW64\Lapnnafn.exe | C:\Windows\system32\Lapnnafn.exe | (none)
67 | PID 3024 | C:\Windows\SysWOW64\Lfmffhde.exe | C:\Windows\system32\Lfmffhde.exe | (none)
68 | PID 564 | C:\Windows\SysWOW64\Lmgocb32.exe | C:\Windows\system32\Lmgocb32.exe | Modifies registry class
69 | PID 776 | C:\Windows\SysWOW64\Lphhenhc.exe | C:\Windows\system32\Lphhenhc.exe | Adds autorun key to be loaded by Explorer.exe on startup
70 | PID 3020 | C:\Windows\SysWOW64\Lbfdaigg.exe | C:\Windows\system32\Lbfdaigg.exe | (none)
71 | PID 1744 | C:\Windows\SysWOW64\Liplnc32.exe | C:\Windows\system32\Liplnc32.exe | (none)
72 | PID 2780 | C:\Windows\SysWOW64\Lmlhnagm.exe | C:\Windows\system32\Lmlhnagm.exe | (none)
73 | PID 2688 | C:\Windows\SysWOW64\Lfdmggnm.exe | C:\Windows\system32\Lfdmggnm.exe | (none)
74 | PID 1560 | C:\Windows\SysWOW64\Mpmapm32.exe | C:\Windows\system32\Mpmapm32.exe | (none)
75 | PID 2972 | C:\Windows\SysWOW64\Mbkmlh32.exe | C:\Windows\system32\Mbkmlh32.exe | (none)
76 | PID 2616 | C:\Windows\SysWOW64\Meijhc32.exe | C:\Windows\system32\Meijhc32.exe | (none)
77 | PID 2096 | C:\Windows\SysWOW64\Mbmjah32.exe | C:\Windows\system32\Mbmjah32.exe | (none)
78 | PID 1832 | C:\Windows\SysWOW64\Migbnb32.exe | C:\Windows\system32\Migbnb32.exe | (none)
79 | PID 1040 | C:\Windows\SysWOW64\Mbpgggol.exe | C:\Windows\system32\Mbpgggol.exe | Drops file in System32 directory
80 | PID 1188 | C:\Windows\SysWOW64\Mdacop32.exe | C:\Windows\system32\Mdacop32.exe | Adds autorun key to be loaded by Explorer.exe on startup
81 | PID 1192 | C:\Windows\SysWOW64\Mkklljmg.exe | C:\Windows\system32\Mkklljmg.exe | (none)
82 | PID 2228 | C:\Windows\SysWOW64\Moidahcn.exe | C:\Windows\system32\Moidahcn.exe | (none)
83 | PID 2232 | C:\Windows\SysWOW64\Ndemjoae.exe | C:\Windows\system32\Ndemjoae.exe | Adds autorun key to be loaded by Explorer.exe on startup
84 | PID 2372 | C:\Windows\SysWOW64\Nkpegi32.exe | C:\Windows\system32\Nkpegi32.exe | (none)
85 | PID 2952 | C:\Windows\SysWOW64\Naimccpo.exe | C:\Windows\system32\Naimccpo.exe | (none)
86 | PID 2632 | C:\Windows\SysWOW64\Nckjkl32.exe | C:\Windows\system32\Nckjkl32.exe | (none)
87 | PID 2360 | C:\Windows\SysWOW64\Npojdpef.exe | C:\Windows\system32\Npojdpef.exe | (none)
88 | PID 2412 | C:\Windows\SysWOW64\Ncmfqkdj.exe | C:\Windows\system32\Ncmfqkdj.exe | (none)
89 | PID 1344 | C:\Windows\SysWOW64\Nigome32.exe | C:\Windows\system32\Nigome32.exe | (none)
90 | PID 2436 | C:\Windows\SysWOW64\Npagjpcd.exe | C:\Windows\system32\Npagjpcd.exe | (none)
91 | PID 2540 | C:\Windows\SysWOW64\Oghopm32.exe | C:\Windows\system32\Oghopm32.exe | (none)
92 | PID 2968 | C:\Windows\SysWOW64\Oancnfoe.exe | C:\Windows\system32\Oancnfoe.exe | (none)
93 | PID 344 | C:\Windows\SysWOW64\Oqcpob32.exe | C:\Windows\system32\Oqcpob32.exe | (none)
94 | PID 2736 | C:\Windows\SysWOW64\Pcdipnqn.exe | C:\Windows\system32\Pcdipnqn.exe | (none)
95 | PID 2868 | C:\Windows\SysWOW64\Pjnamh32.exe | C:\Windows\system32\Pjnamh32.exe | Adds autorun key to be loaded by Explorer.exe on startup
96 | PID 2860 | C:\Windows\SysWOW64\Pqhijbog.exe | C:\Windows\system32\Pqhijbog.exe | Drops file in System32 directory
97 | PID 2728 | C:\Windows\SysWOW64\Pfdabino.exe | C:\Windows\system32\Pfdabino.exe | (none)
98 | PID 2344 | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\system32\Pbkbgjcc.exe | (none)
99 | PID 2608 | C:\Windows\SysWOW64\Pmagdbci.exe | C:\Windows\system32\Pmagdbci.exe | (none)
100 | PID 1800 | C:\Windows\SysWOW64\Pfikmh32.exe | C:\Windows\system32\Pfikmh32.exe | (none)
101 | PID 1532 | C:\Windows\SysWOW64\Pihgic32.exe | C:\Windows\system32\Pihgic32.exe | (none)
102 | PID 1008 | C:\Windows\SysWOW64\Poapfn32.exe | C:\Windows\system32\Poapfn32.exe | (none)
103 | PID 1736 | C:\Windows\SysWOW64\Qbplbi32.exe | C:\Windows\system32\Qbplbi32.exe | Adds autorun key to be loaded by Explorer.exe on startup
104 | PID 1252 | C:\Windows\SysWOW64\Qeohnd32.exe | C:\Windows\system32\Qeohnd32.exe | Adds autorun key to be loaded by Explorer.exe on startup
105 | PID 3048 | C:\Windows\SysWOW64\Qijdocfj.exe | C:\Windows\system32\Qijdocfj.exe | Adds autorun key to be loaded by Explorer.exe on startup
106 | PID 2384 | C:\Windows\SysWOW64\Qeaedd32.exe | C:\Windows\system32\Qeaedd32.exe | (none)
107 | PID 2336 | C:\Windows\SysWOW64\Aniimjbo.exe | C:\Windows\system32\Aniimjbo.exe | (none)
108 | PID 1304 | C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\system32\Aaheie32.exe | (none)
109 | PID 1044 | C:\Windows\SysWOW64\Aganeoip.exe | C:\Windows\system32\Aganeoip.exe | (none)
110 | PID 788 | C:\Windows\SysWOW64\Aajbne32.exe | C:\Windows\system32\Aajbne32.exe | Modifies registry class
111 | PID 2056 | C:\Windows\SysWOW64\Afgkfl32.exe | C:\Windows\system32\Afgkfl32.exe | (none)
112 | PID 2740 | C:\Windows\SysWOW64\Amqccfed.exe | C:\Windows\system32\Amqccfed.exe | (none)
113 | PID 2288 | C:\Windows\SysWOW64\Ackkppma.exe | C:\Windows\system32\Ackkppma.exe | (none)
114 | PID 2820 | C:\Windows\SysWOW64\Afiglkle.exe | C:\Windows\system32\Afiglkle.exe | (none)
115 | PID 3060 | C:\Windows\SysWOW64\Aaolidlk.exe | C:\Windows\system32\Aaolidlk.exe | Modifies registry class
116 | PID 2772 | C:\Windows\SysWOW64\Abphal32.exe | C:\Windows\system32\Abphal32.exe | Adds autorun key to be loaded by Explorer.exe on startup
117 | PID 2524 | C:\Windows\SysWOW64\Aijpnfif.exe | C:\Windows\system32\Aijpnfif.exe | (none)
118 | PID 1804 | C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\system32\Abbeflpf.exe | (none)
119 | PID 920 | C:\Windows\SysWOW64\Aeqabgoj.exe | C:\Windows\system32\Aeqabgoj.exe | (none)
120 | PID 1852 | C:\Windows\SysWOW64\Bpfeppop.exe | C:\Windows\system32\Bpfeppop.exe | (none)
121 | PID 2920 | C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\system32\Becnhgmg.exe | (none)
122 | PID 2356 | C:\Windows\SysWOW64\Blmfea32.exe | C:\Windows\system32\Blmfea32.exe | (none)