Analysis
-
max time kernel
136s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
16/11/2023, 17:19
Behavioral task
behavioral1
Sample
NEAS.778c89d10ce196ccc89b977a35790778.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.778c89d10ce196ccc89b977a35790778.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.778c89d10ce196ccc89b977a35790778.exe
-
Size
113KB
-
MD5
778c89d10ce196ccc89b977a35790778
-
SHA1
82973cba81ddcaecc61d64d75a726a8c4d00486c
-
SHA256
7b0414d0afff06cb203e0829e12a3206535266f072509630807934733782e70a
-
SHA512
5850085b83c9c8300ec824022a5a3045f07d0bb5551fe9cfb4d0e83bc6675c39a1a5ee5aac6ac1ad9cfe6dcfe0145a840a41b7e499b926d537061e48c4eb01e4
-
SSDEEP
3072:aJXAxPa8ouoBVvbTOuGkZFfFSebHWrH8wTW0:aJXAxPa8o/vja7otSeWrP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfdfgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djhpgofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejdocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okailj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpefaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfpecg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afghneoo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfedoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddhomdje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqpjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpika32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpika32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnljkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dickplko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejlnfjbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgfdmlcm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diicml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjajeqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djgdkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfoegm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdgolq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmagch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeekkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfjnjcni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjaifp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgejpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajbaika.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocmjhfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piceflpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehlcikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clbdpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkhdqoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lemkcnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aopmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqaffn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epffbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obkahddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dedkogqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajaelc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaceghcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alkeifga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alpnde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehbmk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdgolq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihqoeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiodmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjgebf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaceghcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciknefmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfkfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dakacjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daediilg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilpfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pecpknke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkabind.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbbmnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehfcfb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcbkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmanljfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppcpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmfqngcg.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/1912-0-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x00090000000222f4-6.dat family_berbew behavioral2/files/0x00090000000222f4-8.dat family_berbew behavioral2/memory/4524-7-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0008000000022df6-14.dat family_berbew behavioral2/memory/1760-15-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0008000000022df6-16.dat family_berbew behavioral2/files/0x0006000000022e11-22.dat family_berbew behavioral2/files/0x0006000000022e11-24.dat family_berbew behavioral2/memory/3844-23-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e13-30.dat family_berbew behavioral2/memory/4340-32-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e13-31.dat family_berbew behavioral2/files/0x0006000000022e15-38.dat family_berbew behavioral2/files/0x0006000000022e15-39.dat family_berbew behavioral2/memory/4724-40-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e17-46.dat family_berbew behavioral2/memory/4400-47-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e17-48.dat family_berbew behavioral2/files/0x0006000000022e1a-56.dat family_berbew behavioral2/memory/3532-55-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1a-54.dat family_berbew behavioral2/files/0x0008000000022df9-62.dat family_berbew behavioral2/memory/1584-64-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0008000000022df9-63.dat family_berbew behavioral2/files/0x0006000000022e1f-70.dat family_berbew behavioral2/memory/4408-71-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e1f-72.dat family_berbew behavioral2/files/0x0006000000022e22-78.dat family_berbew behavioral2/memory/3100-79-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e22-80.dat family_berbew behavioral2/files/0x0006000000022e24-81.dat family_berbew behavioral2/files/0x0006000000022e24-86.dat family_berbew behavioral2/memory/4972-88-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e24-87.dat family_berbew behavioral2/files/0x0006000000022e26-94.dat family_berbew behavioral2/files/0x0006000000022e26-95.dat family_berbew behavioral2/memory/1432-96-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e28-102.dat family_berbew behavioral2/files/0x0006000000022e28-103.dat family_berbew behavioral2/memory/380-104-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2a-109.dat family_berbew behavioral2/memory/3608-112-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2a-111.dat family_berbew behavioral2/files/0x0006000000022e2c-118.dat family_berbew behavioral2/memory/640-120-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2c-119.dat family_berbew behavioral2/files/0x0006000000022e2e-126.dat family_berbew behavioral2/memory/1036-127-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e2e-128.dat family_berbew behavioral2/files/0x0006000000022e30-134.dat family_berbew behavioral2/files/0x0006000000022e30-135.dat family_berbew behavioral2/memory/644-136-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e32-142.dat family_berbew behavioral2/memory/1300-143-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e32-144.dat family_berbew behavioral2/files/0x0006000000022e34-150.dat family_berbew behavioral2/files/0x0006000000022e34-152.dat family_berbew behavioral2/memory/3628-151-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e36-153.dat family_berbew behavioral2/files/0x0006000000022e36-158.dat family_berbew behavioral2/memory/1488-159-0x0000000000400000-0x000000000043D000-memory.dmp family_berbew behavioral2/files/0x0006000000022e36-160.dat family_berbew behavioral2/files/0x0006000000022e38-166.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 4524 Gfbibikg.exe 1760 Gfdfgiid.exe 3844 Gkaopp32.exe 4340 Hffcmh32.exe 4724 Hnagak32.exe 4400 Hkehkocf.exe 3532 Hkhdqoac.exe 1584 Hfpecg32.exe 4408 Hkmnln32.exe 3100 Ihqoeb32.exe 4972 Igfkfo32.exe 1432 Ibkpcg32.exe 380 Jgonlm32.exe 3608 Jbdbjf32.exe 640 Jnkcogno.exe 1036 Jeekkafl.exe 644 Jgfdmlcm.exe 1300 Jfgdkd32.exe 3628 Kgknhl32.exe 1488 Kngcje32.exe 2824 Knippe32.exe 1828 Kiodmn32.exe 2304 Kfcdfbqo.exe 2516 Lpkiph32.exe 4312 Lpneegel.exe 2912 Lldfjh32.exe 4876 Lemkcnaa.exe 1844 Loeolc32.exe 4448 Llipehgk.exe 1992 Mfjcnold.exe 5008 Ppopjp32.exe 456 Pjgebf32.exe 4360 Pcpikkge.exe 1704 Agbkmijg.exe 1884 Ahchda32.exe 4648 Afghneoo.exe 4444 Aopmfk32.exe 3024 Afjeceml.exe 1740 Acnemi32.exe 3852 Aqaffn32.exe 2864 Amhfkopc.exe 5060 Boipmj32.exe 4464 Biadeoce.exe 2288 Bfedoc32.exe 1920 Bidqko32.exe 1224 Bgeaifia.exe 2976 Bppfmigl.exe 4196 Bfjnjcni.exe 5068 Cpbbch32.exe 3276 Cjhfpa32.exe 3592 Cpeohh32.exe 1492 Cglgjeci.exe 2408 Cjaifp32.exe 3560 Dakacjdb.exe 2512 Dgejpd32.exe 5100 Dmbbhkjf.exe 1848 Dhhfedil.exe 652 Diicml32.exe 2348 Dcogje32.exe 2480 Djhpgofm.exe 4588 Dmglcj32.exe 3488 Ddadpdmn.exe 4236 Djklmo32.exe 236 Daediilg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Adljdi32.dll Acbmjcgd.exe File opened for modification C:\Windows\SysWOW64\Gfbibikg.exe NEAS.778c89d10ce196ccc89b977a35790778.exe File created C:\Windows\SysWOW64\Lpneegel.exe Lpkiph32.exe File opened for modification C:\Windows\SysWOW64\Pjgebf32.exe Ppopjp32.exe File created C:\Windows\SysWOW64\Hjjmaneh.dll Bmagch32.exe File created C:\Windows\SysWOW64\Hkehkocf.exe Hnagak32.exe File created C:\Windows\SysWOW64\Kfcdfbqo.exe Kiodmn32.exe File opened for modification C:\Windows\SysWOW64\Ohqpjo32.exe Enjfli32.exe File created C:\Windows\SysWOW64\Daollh32.exe Djgdkk32.exe File opened for modification C:\Windows\SysWOW64\Apddce32.exe Qkfkng32.exe File created C:\Windows\SysWOW64\Hkhdqoac.exe Hkehkocf.exe File created C:\Windows\SysWOW64\Boipmj32.exe Amhfkopc.exe File created C:\Windows\SysWOW64\Gekmam32.dll Ddcqedkk.exe File created C:\Windows\SysWOW64\Gpngef32.dll Ddqbbo32.exe File created C:\Windows\SysWOW64\Amhfkopc.exe Aqaffn32.exe File opened for modification C:\Windows\SysWOW64\Cglgjeci.exe Cpeohh32.exe File created C:\Windows\SysWOW64\Aplpihjd.dll Dakacjdb.exe File created C:\Windows\SysWOW64\Cglgjeci.exe Cpeohh32.exe File created C:\Windows\SysWOW64\Ajaelc32.exe Mbdiknlb.exe File opened for modification C:\Windows\SysWOW64\Hkhdqoac.exe Hkehkocf.exe File created C:\Windows\SysWOW64\Hdijbplg.dll Hkhdqoac.exe File created C:\Windows\SysWOW64\Haffcnib.dll Bfedoc32.exe File created C:\Windows\SysWOW64\Agccao32.dll Bbalaoda.exe File created C:\Windows\SysWOW64\Ldhopqko.dll Beoimjce.exe File created C:\Windows\SysWOW64\Fmbcdide.dll Blnjecfl.exe File created C:\Windows\SysWOW64\Ogfapnkp.dll Biadeoce.exe File opened for modification C:\Windows\SysWOW64\Alkeifga.exe Aealll32.exe File created C:\Windows\SysWOW64\Bppcpc32.exe Bmagch32.exe File created C:\Windows\SysWOW64\Mjbaohka.dll Ajaelc32.exe File created C:\Windows\SysWOW64\Flpbbbdk.dll Ejlnfjbd.exe File opened for modification C:\Windows\SysWOW64\Cbmlmmjd.exe Clbdpc32.exe File opened for modification C:\Windows\SysWOW64\Ciknefmk.exe Cfmahknh.exe File created C:\Windows\SysWOW64\Akejpg32.dll Jbdbjf32.exe File opened for modification C:\Windows\SysWOW64\Lldfjh32.exe Lpneegel.exe File opened for modification C:\Windows\SysWOW64\Dcogje32.exe Diicml32.exe File created C:\Windows\SysWOW64\Dpaohckm.dll Dpefaq32.exe File opened for modification C:\Windows\SysWOW64\Okailj32.exe Ohcmpn32.exe File created C:\Windows\SysWOW64\Fobkem32.dll Apimodmh.exe File opened for modification C:\Windows\SysWOW64\Bbalaoda.exe Bpbpecen.exe File opened for modification C:\Windows\SysWOW64\Pijcpmhc.exe Oflfdbip.exe File created C:\Windows\SysWOW64\Kjfilbnn.dll NEAS.778c89d10ce196ccc89b977a35790778.exe File created C:\Windows\SysWOW64\Pqnalj32.dll Ibkpcg32.exe File created C:\Windows\SysWOW64\Fbfdbb32.dll Llipehgk.exe File created C:\Windows\SysWOW64\Cqgkec32.dll Igfkfo32.exe File opened for modification C:\Windows\SysWOW64\Bfedoc32.exe Biadeoce.exe File opened for modification C:\Windows\SysWOW64\Acgfec32.exe Alpnde32.exe File opened for modification C:\Windows\SysWOW64\Djgdkk32.exe Dgihop32.exe File created C:\Windows\SysWOW64\Ahkdgl32.dll Djgdkk32.exe File opened for modification C:\Windows\SysWOW64\Kngcje32.exe Kgknhl32.exe File created C:\Windows\SysWOW64\Bfedoc32.exe Biadeoce.exe File created C:\Windows\SysWOW64\Ejdocm32.exe Ehfcfb32.exe File created C:\Windows\SysWOW64\Fohogfgd.dll Djegekil.exe File created C:\Windows\SysWOW64\Ejlnfjbd.exe Egnajocq.exe File created C:\Windows\SysWOW64\Ndfchkio.dll Cdgolq32.exe File created C:\Windows\SysWOW64\Ciiaogon.exe Cbmlmmjd.exe File created C:\Windows\SysWOW64\Clgmkbna.exe Ciiaogon.exe File created C:\Windows\SysWOW64\Pokhnl32.dll Lpneegel.exe File created C:\Windows\SysWOW64\Ionqbdem.dll Pcpikkge.exe File created C:\Windows\SysWOW64\Ddcqedkk.exe Daediilg.exe File created C:\Windows\SysWOW64\Jgfdkj32.dll Ddcogo32.exe File opened for modification C:\Windows\SysWOW64\Ejpfhnpe.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Dnljkk32.exe Ajaelc32.exe File created C:\Windows\SysWOW64\Pjcblekh.dll Dajbaika.exe File opened for modification C:\Windows\SysWOW64\Ajaelc32.exe Mbdiknlb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5916 5836 WerFault.exe 272 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfilbnn.dll" NEAS.778c89d10ce196ccc89b977a35790778.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkmnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpihjd.dll" Dakacjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himnbjpd.dll" Hnagak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjkmhmpl.dll" Dhhfedil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ookhfigk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alkeifga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djklmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddklbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll" Ciiaogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node NEAS.778c89d10ce196ccc89b977a35790778.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" NEAS.778c89d10ce196ccc89b977a35790778.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfdfgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpbbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdnkk32.dll" Cbmlmmjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedkogqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgolif32.dll" Acnemi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bppfmigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhhfedil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmglcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodcma32.dll" Debnjgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looknpmn.dll" Bidqko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdnljan.dll" Bgeaifia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmagch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edjgidik.dll" Bimach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkjmn32.dll" Diicml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibinlbli.dll" Acgfec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiipk32.dll" Clgmkbna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll" Dpllbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aofcga32.dll" Jnkcogno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokhnl32.dll" Lpneegel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Empoiimf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abdagi32.dll" Aehbmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmnpfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjgebf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpcjeml.dll" Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgide32.dll" Bcbeqaia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpngef32.dll" Ddqbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocmjhfjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll" Piceflpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blnjecfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkhdqoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knippe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epdime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejlnfjbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbbhkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poidhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibkpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoomp32.dll" Mbdiknlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bppcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amhfkopc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghdlf32.dll" Dgejpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggkcakg.dll" Alkeifga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpiidi32.dll" Bfhofnpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfoegm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfmahknh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfep32.dll" Ciknefmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aopmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeggngeb.dll" Ehfcfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecdbop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfjllnnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpbbbdk.dll" Ejlnfjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecdbop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpbpecen.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1912 wrote to memory of 4524 1912 NEAS.778c89d10ce196ccc89b977a35790778.exe 86 PID 1912 wrote to memory of 4524 1912 NEAS.778c89d10ce196ccc89b977a35790778.exe 86 PID 1912 wrote to memory of 4524 1912 NEAS.778c89d10ce196ccc89b977a35790778.exe 86 PID 4524 wrote to memory of 1760 4524 Gfbibikg.exe 87 PID 4524 wrote to memory of 1760 4524 Gfbibikg.exe 87 PID 4524 wrote to memory of 1760 4524 Gfbibikg.exe 87 PID 1760 wrote to memory of 3844 1760 Gfdfgiid.exe 88 PID 1760 wrote to memory of 3844 1760 Gfdfgiid.exe 88 PID 1760 wrote to memory of 3844 1760 Gfdfgiid.exe 88 PID 3844 wrote to memory of 4340 3844 Gkaopp32.exe 89 PID 3844 wrote to memory of 4340 3844 Gkaopp32.exe 89 PID 3844 wrote to memory of 4340 3844 Gkaopp32.exe 89 PID 4340 wrote to memory of 4724 4340 Hffcmh32.exe 90 PID 4340 wrote to memory of 4724 4340 Hffcmh32.exe 90 PID 4340 wrote to memory of 4724 4340 Hffcmh32.exe 90 PID 4724 wrote to memory of 4400 4724 Hnagak32.exe 91 PID 4724 wrote to memory of 4400 4724 Hnagak32.exe 91 PID 4724 wrote to memory of 4400 4724 Hnagak32.exe 91 PID 4400 wrote to memory of 3532 4400 Hkehkocf.exe 92 PID 4400 wrote to memory of 3532 4400 Hkehkocf.exe 92 PID 4400 wrote to memory of 3532 4400 Hkehkocf.exe 92 PID 3532 wrote to memory of 1584 3532 Hkhdqoac.exe 93 PID 3532 wrote to memory of 1584 3532 Hkhdqoac.exe 93 PID 3532 wrote to memory of 1584 3532 Hkhdqoac.exe 93 PID 1584 wrote to memory of 4408 1584 Hfpecg32.exe 95 PID 1584 wrote to memory of 4408 1584 Hfpecg32.exe 95 PID 1584 wrote to memory of 4408 1584 Hfpecg32.exe 95 PID 4408 wrote to memory of 3100 4408 Hkmnln32.exe 96 PID 4408 wrote to memory of 3100 4408 Hkmnln32.exe 96 PID 4408 wrote to memory of 3100 4408 Hkmnln32.exe 96 PID 3100 wrote to memory of 4972 3100 Ihqoeb32.exe 97 PID 3100 wrote to memory of 4972 3100 Ihqoeb32.exe 97 PID 3100 wrote to memory of 4972 3100 Ihqoeb32.exe 97 PID 4972 wrote to memory of 1432 4972 Igfkfo32.exe 98 PID 4972 wrote to memory of 1432 4972 Igfkfo32.exe 98 PID 4972 wrote to memory of 1432 4972 Igfkfo32.exe 98 PID 1432 wrote to memory of 380 1432 Ibkpcg32.exe 99 PID 1432 wrote to memory of 380 1432 Ibkpcg32.exe 99 PID 1432 wrote to memory of 380 1432 Ibkpcg32.exe 99 PID 380 wrote to memory of 3608 380 Jgonlm32.exe 100 PID 380 wrote to memory of 3608 380 Jgonlm32.exe 100 PID 380 wrote to memory of 3608 380 Jgonlm32.exe 100 PID 3608 wrote to memory of 640 3608 Jbdbjf32.exe 102 PID 3608 wrote to memory of 640 3608 Jbdbjf32.exe 102 PID 3608 wrote to memory of 640 3608 Jbdbjf32.exe 102 PID 640 wrote to memory of 1036 640 Jnkcogno.exe 103 PID 640 wrote to memory of 1036 640 Jnkcogno.exe 103 PID 640 wrote to memory of 1036 640 Jnkcogno.exe 103 PID 1036 wrote to memory of 644 1036 Jeekkafl.exe 104 PID 1036 wrote to memory of 644 1036 Jeekkafl.exe 104 PID 1036 wrote to memory of 644 1036 Jeekkafl.exe 104 PID 644 wrote to memory of 1300 644 Jgfdmlcm.exe 105 PID 644 wrote to memory of 1300 644 Jgfdmlcm.exe 105 PID 644 wrote to memory of 1300 644 Jgfdmlcm.exe 105 PID 1300 wrote to memory of 3628 1300 Jfgdkd32.exe 106 PID 1300 wrote to memory of 3628 1300 Jfgdkd32.exe 106 PID 1300 wrote to memory of 3628 1300 Jfgdkd32.exe 106 PID 3628 wrote to memory of 1488 3628 Kgknhl32.exe 107 PID 3628 wrote to memory of 1488 3628 Kgknhl32.exe 107 PID 3628 wrote to memory of 1488 3628 Kgknhl32.exe 107 PID 1488 wrote to memory of 2824 1488 Kngcje32.exe 108 PID 1488 wrote to memory of 2824 1488 Kngcje32.exe 108 PID 1488 wrote to memory of 2824 1488 Kngcje32.exe 108 PID 2824 wrote to memory of 1828 2824 Knippe32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.778c89d10ce196ccc89b977a35790778.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.778c89d10ce196ccc89b977a35790778.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Ihqoeb32.exeC:\Windows\system32\Ihqoeb32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Jbdbjf32.exeC:\Windows\system32\Jbdbjf32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Jeekkafl.exeC:\Windows\system32\Jeekkafl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Jgfdmlcm.exeC:\Windows\system32\Jgfdmlcm.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SysWOW64\Jfgdkd32.exeC:\Windows\system32\Jfgdkd32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\Kngcje32.exeC:\Windows\system32\Kngcje32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Knippe32.exeC:\Windows\system32\Knippe32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe24⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4312 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe27⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe29⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Llipehgk.exeC:\Windows\system32\Llipehgk.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4448 -
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe31⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4360 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe35⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ahchda32.exeC:\Windows\system32\Ahchda32.exe36⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4444 -
C:\Windows\SysWOW64\Afjeceml.exeC:\Windows\system32\Afjeceml.exe39⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3852 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe43⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4464 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:5068 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe51⤵
- Executes dropped EXE
PID:3276 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3592 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe53⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:5100 -
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe60⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Dmglcj32.exeC:\Windows\system32\Dmglcj32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4588 -
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe63⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4236 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:236 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe66⤵
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe67⤵PID:2604
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3652 -
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe69⤵PID:1412
-
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe70⤵PID:4152
-
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1072 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe72⤵
- Modifies registry class
PID:4468 -
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4472 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe75⤵PID:3960
-
C:\Windows\SysWOW64\Aagkhd32.exeC:\Windows\system32\Aagkhd32.exe76⤵PID:2684
-
C:\Windows\SysWOW64\Mbdiknlb.exeC:\Windows\system32\Mbdiknlb.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Ajaelc32.exeC:\Windows\system32\Ajaelc32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5020 -
C:\Windows\SysWOW64\Dnljkk32.exeC:\Windows\system32\Dnljkk32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe80⤵PID:4280
-
C:\Windows\SysWOW64\Dcibca32.exeC:\Windows\system32\Dcibca32.exe81⤵PID:1956
-
C:\Windows\SysWOW64\Dickplko.exeC:\Windows\system32\Dickplko.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4892 -
C:\Windows\SysWOW64\Dajbaika.exeC:\Windows\system32\Dajbaika.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4608 -
C:\Windows\SysWOW64\Ddhomdje.exeC:\Windows\system32\Ddhomdje.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:456 -
C:\Windows\SysWOW64\Dggkipii.exeC:\Windows\system32\Dggkipii.exe85⤵PID:1968
-
C:\Windows\SysWOW64\Djegekil.exeC:\Windows\system32\Djegekil.exe86⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe87⤵PID:380
-
C:\Windows\SysWOW64\Ddklbd32.exeC:\Windows\system32\Ddklbd32.exe88⤵
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\Dgihop32.exeC:\Windows\system32\Dgihop32.exe89⤵
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\Djgdkk32.exeC:\Windows\system32\Djgdkk32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3232 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe91⤵PID:2268
-
C:\Windows\SysWOW64\Dcphdqmj.exeC:\Windows\system32\Dcphdqmj.exe92⤵PID:4416
-
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe93⤵PID:4504
-
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe94⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Ecbeip32.exeC:\Windows\system32\Ecbeip32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Egnajocq.exeC:\Windows\system32\Egnajocq.exe96⤵
- Drops file in System32 directory
PID:64 -
C:\Windows\SysWOW64\Ejlnfjbd.exeC:\Windows\system32\Ejlnfjbd.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3100 -
C:\Windows\SysWOW64\Epffbd32.exeC:\Windows\system32\Epffbd32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4520 -
C:\Windows\SysWOW64\Ecdbop32.exeC:\Windows\system32\Ecdbop32.exe100⤵
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Enjfli32.exeC:\Windows\system32\Enjfli32.exe101⤵
- Drops file in System32 directory
PID:3076 -
C:\Windows\SysWOW64\Ohqpjo32.exeC:\Windows\system32\Ohqpjo32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Okolfj32.exeC:\Windows\system32\Okolfj32.exe103⤵PID:1840
-
C:\Windows\SysWOW64\Ookhfigk.exeC:\Windows\system32\Ookhfigk.exe104⤵
- Modifies registry class
PID:1224 -
C:\Windows\SysWOW64\Ohcmpn32.exeC:\Windows\system32\Ohcmpn32.exe105⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Okailj32.exeC:\Windows\system32\Okailj32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4460 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4596 -
C:\Windows\SysWOW64\Oheienli.exeC:\Windows\system32\Oheienli.exe108⤵PID:2288
-
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe109⤵PID:4876
-
C:\Windows\SysWOW64\Ocknbglo.exeC:\Windows\system32\Ocknbglo.exe110⤵PID:1508
-
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe111⤵PID:3532
-
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4448 -
C:\Windows\SysWOW64\Ocmjhfjl.exeC:\Windows\system32\Ocmjhfjl.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Oflfdbip.exeC:\Windows\system32\Oflfdbip.exe114⤵
- Drops file in System32 directory
PID:4340 -
C:\Windows\SysWOW64\Pijcpmhc.exeC:\Windows\system32\Pijcpmhc.exe115⤵PID:2700
-
C:\Windows\SysWOW64\Pbbgicnd.exeC:\Windows\system32\Pbbgicnd.exe116⤵PID:1992
-
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:860 -
C:\Windows\SysWOW64\Pofhbgmn.exeC:\Windows\system32\Pofhbgmn.exe118⤵PID:1324
-
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe120⤵
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe121⤵PID:4840
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-