Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07/05/2024, 03:14
Behavioral task
behavioral1
Sample
589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe
-
Size
1024KB
-
MD5
589a2b3ae92eb9e43a27f420868bdb30
-
SHA1
641ec8c1530aed0e7ba0d575b545d3f04b162e78
-
SHA256
0ceefda3615308a8a12488b097a8eb7b6446f8ef30f94a7287ab4960c0c0ef35
-
SHA512
ac0b62eade08125ecf5d5e0bf5c384002461926759b2492726e196c4198deb185d5bfb9e898890fba76ac4fbb32c807ffa1ec6156d7de804e96774b5ae29c22b
-
SSDEEP
24576:HtaSHFaZRBEYyqmaf2qwiHPKgRC4gvGZl6snARe:NaSHFaZRBEYyqmS2DiHPKQgmN
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncahjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpcfkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdjbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihqkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gogangdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbopgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpcqaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgemplap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mencccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiekid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meagci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhllob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfamcogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkcojga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fekpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogblbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnomcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnobnmpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmhgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjdilgpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcojjmea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilfcpqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjqhmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmdoioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aehboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiakjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgbggnhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkiogn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbomfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcmjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhiffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagjnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnbablo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnopfoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idnaoohk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chemfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kifpdelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnopfoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lapnnafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpndnei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnfamcoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlqdei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maoajf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enakbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacgdhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaldcb32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000d000000012334-5.dat family_berbew behavioral1/files/0x0008000000014971-18.dat family_berbew behavioral1/files/0x0007000000014b63-32.dat family_berbew behavioral1/files/0x0009000000014e51-53.dat family_berbew behavioral1/files/0x0006000000015ceb-67.dat family_berbew behavioral1/files/0x0006000000015d28-81.dat family_berbew behavioral1/files/0x0006000000015d56-94.dat family_berbew behavioral1/files/0x0006000000015d67-101.dat family_berbew behavioral1/files/0x002f000000014708-120.dat family_berbew behavioral1/files/0x0006000000015d87-137.dat family_berbew behavioral1/files/0x0006000000015eaf-156.dat family_berbew behavioral1/files/0x0006000000015fe9-177.dat family_berbew behavioral1/files/0x00060000000161e7-191.dat family_berbew behavioral1/files/0x00060000000164b2-202.dat family_berbew behavioral1/files/0x000600000001661c-217.dat family_berbew behavioral1/files/0x0006000000016a9a-228.dat family_berbew behavioral1/files/0x0006000000016c63-238.dat family_berbew behavioral1/files/0x0006000000016d0d-256.dat family_berbew behavioral1/files/0x0006000000016d7e-276.dat family_berbew behavioral1/memory/1600-302-0x0000000000280000-0x00000000002B3000-memory.dmp family_berbew behavioral1/files/0x0006000000016eb2-312.dat family_berbew behavioral1/memory/2308-352-0x0000000000290000-0x00000000002C3000-memory.dmp family_berbew behavioral1/files/0x000900000001864e-358.dat family_berbew behavioral1/files/0x00060000000190b6-397.dat family_berbew behavioral1/files/0x00050000000191cd-409.dat family_berbew behavioral1/files/0x000500000001923d-429.dat family_berbew behavioral1/files/0x0005000000019270-451.dat family_berbew behavioral1/files/0x000500000001935d-474.dat family_berbew behavioral1/files/0x000500000001940a-497.dat family_berbew behavioral1/files/0x0005000000019426-506.dat family_berbew behavioral1/files/0x000500000001943c-519.dat family_berbew behavioral1/files/0x000500000001944f-528.dat family_berbew behavioral1/files/0x00050000000194b4-551.dat family_berbew behavioral1/files/0x00050000000194e9-563.dat family_berbew behavioral1/files/0x0005000000019616-576.dat family_berbew behavioral1/files/0x0005000000019798-597.dat family_berbew behavioral1/files/0x0005000000019d61-642.dat family_berbew behavioral1/files/0x0005000000019c5c-631.dat family_berbew behavioral1/files/0x000500000001a2d6-677.dat family_berbew behavioral1/files/0x000500000001a417-698.dat family_berbew behavioral1/files/0x000500000001a419-710.dat family_berbew behavioral1/files/0x000500000001a466-720.dat family_berbew behavioral1/files/0x000500000001a475-732.dat family_berbew behavioral1/files/0x000500000001a497-750.dat family_berbew behavioral1/files/0x000500000001a48c-742.dat family_berbew behavioral1/files/0x000500000001a4a6-786.dat family_berbew behavioral1/files/0x000500000001a4ae-799.dat family_berbew behavioral1/files/0x000500000001a49d-773.dat family_berbew behavioral1/files/0x000500000001a49b-762.dat family_berbew behavioral1/files/0x000500000001a4b9-827.dat family_berbew behavioral1/files/0x000500000001a4bd-841.dat family_berbew behavioral1/files/0x000500000001a4c1-852.dat family_berbew behavioral1/files/0x000500000001a4c9-879.dat family_berbew behavioral1/files/0x000500000001a4cd-894.dat family_berbew behavioral1/files/0x000500000001a4d1-911.dat family_berbew behavioral1/files/0x000500000001a4d9-934.dat family_berbew behavioral1/files/0x000500000001adb4-1002.dat family_berbew behavioral1/files/0x000500000001c83c-1072.dat family_berbew behavioral1/files/0x000500000001c852-1100.dat family_berbew behavioral1/files/0x000500000001c84b-1085.dat family_berbew behavioral1/files/0x000500000001c856-1115.dat family_berbew behavioral1/files/0x000500000001c85e-1137.dat family_berbew behavioral1/files/0x000500000001c873-1190.dat family_berbew behavioral1/files/0x000500000001c883-1203.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2780 Blmdlhmp.exe 2980 Bdjefj32.exe 2636 Bpafkknm.exe 2580 Bcaomf32.exe 2616 Cpjiajeb.exe 2500 Cciemedf.exe 1268 Chemfl32.exe 2424 Ckdjbh32.exe 1656 Chhjkl32.exe 1884 Ejgcdb32.exe 908 Ebbgid32.exe 636 Eeqdep32.exe 1160 Epfhbign.exe 2632 Epieghdk.exe 596 Ebgacddo.exe 1624 Egdilkbf.exe 3024 Ealnephf.exe 1288 Fioija32.exe 2148 Fphafl32.exe 288 Feeiob32.exe 1840 Fmlapp32.exe 1500 Gbijhg32.exe 1600 Ghfbqn32.exe 1972 Gpmjak32.exe 1752 Gkgkbipp.exe 2832 Gelppaof.exe 2308 Geolea32.exe 2724 Gkkemh32.exe 2476 Gogangdc.exe 2624 Hcifgjgc.exe 1676 Hkpnhgge.exe 1548 Hdhbam32.exe 2604 Hiekid32.exe 2664 Hodpgjha.exe 1964 Hogmmjfo.exe 1300 Ihoafpmp.exe 2128 Idklfpon.exe 1948 Ikddbj32.exe 2232 Jqfffqpm.exe 1304 Jiakjb32.exe 1328 Jejhecaj.exe 3032 Kihqkagp.exe 796 Kgkafo32.exe 920 Kgnnln32.exe 1068 Kkijmm32.exe 1604 Kcdnao32.exe 2332 Kgpjanje.exe 1292 Knjbnh32.exe 2976 Kgbggnhc.exe 2160 Kiccofna.exe 2456 Kpmlkp32.exe 2528 Kifpdelo.exe 2420 Lldlqakb.exe 1572 Lbnemk32.exe 2668 Lfjqnjkh.exe 1504 Lihmjejl.exe 1748 Leonofpp.exe 2140 Lpdbloof.exe 2224 Lbcnhjnj.exe 2372 Leajdfnm.exe 540 Lhpfqama.exe 616 Lojomkdn.exe 2912 Lecgje32.exe 2068 Lhbcfa32.exe -
Loads dropped DLL 64 IoCs
pid Process 1984 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 1984 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 2780 Blmdlhmp.exe 2780 Blmdlhmp.exe 2980 Bdjefj32.exe 2980 Bdjefj32.exe 2636 Bpafkknm.exe 2636 Bpafkknm.exe 2580 Bcaomf32.exe 2580 Bcaomf32.exe 2616 Cpjiajeb.exe 2616 Cpjiajeb.exe 2500 Cciemedf.exe 2500 Cciemedf.exe 1268 Chemfl32.exe 1268 Chemfl32.exe 2424 Ckdjbh32.exe 2424 Ckdjbh32.exe 1656 Chhjkl32.exe 1656 Chhjkl32.exe 1884 Ejgcdb32.exe 1884 Ejgcdb32.exe 908 Ebbgid32.exe 908 Ebbgid32.exe 636 Eeqdep32.exe 636 Eeqdep32.exe 1160 Epfhbign.exe 1160 Epfhbign.exe 2632 Epieghdk.exe 2632 Epieghdk.exe 596 Ebgacddo.exe 596 Ebgacddo.exe 1624 Egdilkbf.exe 1624 Egdilkbf.exe 3024 Ealnephf.exe 3024 Ealnephf.exe 1288 Fioija32.exe 1288 Fioija32.exe 2148 Fphafl32.exe 2148 Fphafl32.exe 288 Feeiob32.exe 288 Feeiob32.exe 1840 Fmlapp32.exe 1840 Fmlapp32.exe 1500 Gbijhg32.exe 1500 Gbijhg32.exe 1600 Ghfbqn32.exe 1600 Ghfbqn32.exe 1972 Gpmjak32.exe 1972 Gpmjak32.exe 1752 Gkgkbipp.exe 1752 Gkgkbipp.exe 1588 Goddhg32.exe 1588 Goddhg32.exe 2308 Geolea32.exe 2308 Geolea32.exe 2724 Gkkemh32.exe 2724 Gkkemh32.exe 2476 Gogangdc.exe 2476 Gogangdc.exe 2624 Hcifgjgc.exe 2624 Hcifgjgc.exe 1676 Hkpnhgge.exe 1676 Hkpnhgge.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pfdmil32.dll Nodgel32.exe File created C:\Windows\SysWOW64\Cpnojioo.exe Cnobnmpl.exe File created C:\Windows\SysWOW64\Lchkpi32.dll Ekhhadmk.exe File opened for modification C:\Windows\SysWOW64\Echfaf32.exe Eplkpgnh.exe File created C:\Windows\SysWOW64\Kfmjgeaj.exe Kocbkk32.exe File created C:\Windows\SysWOW64\Mmneda32.exe Lccdel32.exe File created C:\Windows\SysWOW64\Jamfqeie.dll Ejgcdb32.exe File created C:\Windows\SysWOW64\Jonpde32.dll Pjcabmga.exe File created C:\Windows\SysWOW64\Pjenhm32.exe Pnomcl32.exe File created C:\Windows\SysWOW64\Ihjnom32.exe Idnaoohk.exe File created C:\Windows\SysWOW64\Akodpalp.dll Kgpjanje.exe File opened for modification C:\Windows\SysWOW64\Aamfnkai.exe Aibajhdn.exe File opened for modification C:\Windows\SysWOW64\Gffoldhp.exe Gdgcpi32.exe File created C:\Windows\SysWOW64\Iigpciig.dll Naajoinb.exe File created C:\Windows\SysWOW64\Bpgljfbl.exe Afohaa32.exe File created C:\Windows\SysWOW64\Clialdph.dll Enakbp32.exe File opened for modification C:\Windows\SysWOW64\Nkgbbo32.exe Nhiffc32.exe File created C:\Windows\SysWOW64\Afohaa32.exe Adpkee32.exe File created C:\Windows\SysWOW64\Ihclng32.dll Kjdilgpc.exe File created C:\Windows\SysWOW64\Nkkgfioo.dll Nncahjgl.exe File created C:\Windows\SysWOW64\Okikfagn.exe Odobjg32.exe File created C:\Windows\SysWOW64\Ofmbnkhg.exe Okgnab32.exe File created C:\Windows\SysWOW64\Jjbpgd32.exe Jgcdki32.exe File created C:\Windows\SysWOW64\Nhllob32.exe Ngkogj32.exe File created C:\Windows\SysWOW64\Nnplna32.dll Kgkafo32.exe File created C:\Windows\SysWOW64\Mdnfbe32.dll Kgnnln32.exe File created C:\Windows\SysWOW64\Nfcijc32.dll Kiccofna.exe File opened for modification C:\Windows\SysWOW64\Fagjnn32.exe Fepiimfg.exe File opened for modification C:\Windows\SysWOW64\Lfjqnjkh.exe Lbnemk32.exe File opened for modification C:\Windows\SysWOW64\Monhhk32.exe Ldidkbpb.exe File created C:\Windows\SysWOW64\Emmcaafi.dll Maoajf32.exe File created C:\Windows\SysWOW64\Lfmnmlid.dll Cgcmlcja.exe File created C:\Windows\SysWOW64\Hhmkol32.dll Gedbdlbb.exe File opened for modification C:\Windows\SysWOW64\Gelppaof.exe Gkgkbipp.exe File created C:\Windows\SysWOW64\Dkmcgmjk.dll Onmdoioa.exe File created C:\Windows\SysWOW64\Pbqpqcoj.dll Pklhlael.exe File created C:\Windows\SysWOW64\Pikhak32.dll Lmebnb32.exe File opened for modification C:\Windows\SysWOW64\Ncjqhmkm.exe Nkbhgojk.exe File created C:\Windows\SysWOW64\Qkhgoi32.dll Jgcdki32.exe File created C:\Windows\SysWOW64\Jpfppg32.dll Lnbbbffj.exe File opened for modification C:\Windows\SysWOW64\Npdjje32.exe Naajoinb.exe File created C:\Windows\SysWOW64\Lfnbefhd.dll Njlockkm.exe File created C:\Windows\SysWOW64\Mkhofjoj.exe Mhjbjopf.exe File opened for modification C:\Windows\SysWOW64\Ebgacddo.exe Epieghdk.exe File opened for modification C:\Windows\SysWOW64\Kkijmm32.exe Kgnnln32.exe File opened for modification C:\Windows\SysWOW64\Lecgje32.exe Lojomkdn.exe File created C:\Windows\SysWOW64\Nodgel32.exe Npagjpcd.exe File created C:\Windows\SysWOW64\Kcaipkch.dll Geolea32.exe File opened for modification C:\Windows\SysWOW64\Obcccl32.exe Onhgbmfb.exe File opened for modification C:\Windows\SysWOW64\Biicik32.exe Bbokmqie.exe File created C:\Windows\SysWOW64\Hodpgjha.exe Hiekid32.exe File created C:\Windows\SysWOW64\Mlaeonld.exe Mmneda32.exe File created C:\Windows\SysWOW64\Bneqdoee.dll Coelaaoi.exe File created C:\Windows\SysWOW64\Hgjefg32.exe Hlqdei32.exe File opened for modification C:\Windows\SysWOW64\Kiijnq32.exe Jgfqaiod.exe File created C:\Windows\SysWOW64\Gohjaf32.exe Gpejeihi.exe File opened for modification C:\Windows\SysWOW64\Egdilkbf.exe Ebgacddo.exe File opened for modification C:\Windows\SysWOW64\Aehboi32.exe Aamfnkai.exe File opened for modification C:\Windows\SysWOW64\Dnoomqbg.exe Dolnad32.exe File created C:\Windows\SysWOW64\Clnlnhop.dll Epieghdk.exe File created C:\Windows\SysWOW64\Nkgbbo32.exe Nhiffc32.exe File created C:\Windows\SysWOW64\Cmeidehe.dll Nkgbbo32.exe File created C:\Windows\SysWOW64\Qdkghm32.dll Idnaoohk.exe File created C:\Windows\SysWOW64\Negpnjgm.dll Mooaljkh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqkmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioaifhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" Mhhfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbnemk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhpfqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkgfioo.dll" Nncahjgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdlgpgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnkjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlpajg32.dll" Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbpgggol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjoqjhi.dll" Lbcnhjnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelpgepb.dll" Aehboi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lecgje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gffoldhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebgacddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lihmjejl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bppoqeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffimglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gelppaof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonpde32.dll" Pjcabmga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnomcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnndn32.dll" Jofbag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbokmqie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebodiofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdmcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mooaljkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpafkknm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmbnkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lclnemgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdnaeh32.dll" Jejhecaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddfocpb.dll" Kcdnao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncgdbmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfjcc32.dll" Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jocflgga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfmdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafcif32.dll" Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecjiaic.dll" Ihjnom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhllob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccahbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebmgcohn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnfamcoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijdqna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocbkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" Ebmgcohn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgjefg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiqoh32.dll" Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjenhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbmcbbki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fagjnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmbdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgogg32.dll" Monhhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbdjhmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2780 1984 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 28 PID 1984 wrote to memory of 2780 1984 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 28 PID 1984 wrote to memory of 2780 1984 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 28 PID 1984 wrote to memory of 2780 1984 589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe 28 PID 2780 wrote to memory of 2980 2780 Blmdlhmp.exe 29 PID 2780 wrote to memory of 2980 2780 Blmdlhmp.exe 29 PID 2780 wrote to memory of 2980 2780 Blmdlhmp.exe 29 PID 2780 wrote to memory of 2980 2780 Blmdlhmp.exe 29 PID 2980 wrote to memory of 2636 2980 Bdjefj32.exe 30 PID 2980 wrote to memory of 2636 2980 Bdjefj32.exe 30 PID 2980 wrote to memory of 2636 2980 Bdjefj32.exe 30 PID 2980 wrote to memory of 2636 2980 Bdjefj32.exe 30 PID 2636 wrote to memory of 2580 2636 Bpafkknm.exe 31 PID 2636 wrote to memory of 2580 2636 Bpafkknm.exe 31 PID 2636 wrote to memory of 2580 2636 Bpafkknm.exe 31 PID 2636 wrote to memory of 2580 2636 Bpafkknm.exe 31 PID 2580 wrote to memory of 2616 2580 Bcaomf32.exe 32 PID 2580 wrote to memory of 2616 2580 Bcaomf32.exe 32 PID 2580 wrote to memory of 2616 2580 Bcaomf32.exe 32 PID 2580 wrote to memory of 2616 2580 Bcaomf32.exe 32 PID 2616 wrote to memory of 2500 2616 Cpjiajeb.exe 33 PID 2616 wrote to memory of 2500 2616 Cpjiajeb.exe 33 PID 2616 wrote to memory of 2500 2616 Cpjiajeb.exe 33 PID 2616 wrote to memory of 2500 2616 Cpjiajeb.exe 33 PID 2500 wrote to memory of 1268 2500 Cciemedf.exe 34 PID 2500 wrote to memory of 1268 2500 Cciemedf.exe 34 PID 2500 wrote to memory of 1268 2500 Cciemedf.exe 34 PID 2500 wrote to memory of 1268 2500 Cciemedf.exe 34 PID 1268 wrote to memory of 2424 1268 Chemfl32.exe 35 PID 1268 wrote to memory of 2424 1268 Chemfl32.exe 35 PID 1268 wrote to memory of 2424 1268 Chemfl32.exe 35 PID 1268 wrote to memory of 2424 1268 Chemfl32.exe 35 PID 2424 wrote to memory of 1656 2424 Ckdjbh32.exe 36 PID 2424 wrote to memory of 1656 2424 Ckdjbh32.exe 36 PID 2424 wrote to memory of 1656 2424 Ckdjbh32.exe 36 PID 2424 wrote to memory of 1656 2424 Ckdjbh32.exe 36 PID 1656 wrote to memory of 1884 1656 Chhjkl32.exe 37 PID 1656 wrote to memory of 1884 1656 Chhjkl32.exe 37 PID 1656 wrote to memory of 1884 1656 Chhjkl32.exe 37 PID 1656 wrote to memory of 1884 1656 Chhjkl32.exe 37 PID 1884 wrote to memory of 908 1884 Ejgcdb32.exe 38 PID 1884 wrote to memory of 908 1884 Ejgcdb32.exe 38 PID 1884 wrote to memory of 908 1884 Ejgcdb32.exe 38 PID 1884 wrote to memory of 908 1884 Ejgcdb32.exe 38 PID 908 wrote to memory of 636 908 Ebbgid32.exe 39 PID 908 wrote to memory of 636 908 Ebbgid32.exe 39 PID 908 wrote to memory of 636 908 Ebbgid32.exe 39 PID 908 wrote to memory of 636 908 Ebbgid32.exe 39 PID 636 wrote to memory of 1160 636 Eeqdep32.exe 40 PID 636 wrote to memory of 1160 636 Eeqdep32.exe 40 PID 636 wrote to memory of 1160 636 Eeqdep32.exe 40 PID 636 wrote to memory of 1160 636 Eeqdep32.exe 40 PID 1160 wrote to memory of 2632 1160 Epfhbign.exe 41 PID 1160 wrote to memory of 2632 1160 Epfhbign.exe 41 PID 1160 wrote to memory of 2632 1160 Epfhbign.exe 41 PID 1160 wrote to memory of 2632 1160 Epfhbign.exe 41 PID 2632 wrote to memory of 596 2632 Epieghdk.exe 42 PID 2632 wrote to memory of 596 2632 Epieghdk.exe 42 PID 2632 wrote to memory of 596 2632 Epieghdk.exe 42 PID 2632 wrote to memory of 596 2632 Epieghdk.exe 42 PID 596 wrote to memory of 1624 596 Ebgacddo.exe 43 PID 596 wrote to memory of 1624 596 Ebgacddo.exe 43 PID 596 wrote to memory of 1624 596 Ebgacddo.exe 43 PID 596 wrote to memory of 1624 596 Ebgacddo.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe"C:\Users\Admin\AppData\Local\Temp\589a2b3ae92eb9e43a27f420868bdb30_NEAS.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Bpafkknm.exeC:\Windows\system32\Bpafkknm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Ebgacddo.exeC:\Windows\system32\Ebgacddo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe28⤵
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe34⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe36⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe37⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe38⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe39⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe40⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe41⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Jejhecaj.exeC:\Windows\system32\Jejhecaj.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Kihqkagp.exeC:\Windows\system32\Kihqkagp.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Kgnnln32.exeC:\Windows\system32\Kgnnln32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Knjbnh32.exeC:\Windows\system32\Knjbnh32.exe50⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Kgbggnhc.exeC:\Windows\system32\Kgbggnhc.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Kpmlkp32.exeC:\Windows\system32\Kpmlkp32.exe53⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Kifpdelo.exeC:\Windows\system32\Kifpdelo.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Lldlqakb.exeC:\Windows\system32\Lldlqakb.exe55⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Lbnemk32.exeC:\Windows\system32\Lbnemk32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe57⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe59⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe60⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Lbcnhjnj.exeC:\Windows\system32\Lbcnhjnj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Lojomkdn.exeC:\Windows\system32\Lojomkdn.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Lecgje32.exeC:\Windows\system32\Lecgje32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Lhbcfa32.exeC:\Windows\system32\Lhbcfa32.exe66⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ldidkbpb.exeC:\Windows\system32\Ldidkbpb.exe67⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe68⤵
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe69⤵PID:800
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe70⤵PID:2900
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe73⤵PID:1616
-
C:\Windows\SysWOW64\Moiklogi.exeC:\Windows\system32\Moiklogi.exe74⤵PID:2480
-
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe75⤵PID:1892
-
C:\Windows\SysWOW64\Mpigfa32.exeC:\Windows\system32\Mpigfa32.exe76⤵PID:1536
-
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe77⤵PID:1828
-
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe78⤵
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Nkbhgojk.exeC:\Windows\system32\Nkbhgojk.exe79⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Nehmdhja.exeC:\Windows\system32\Nehmdhja.exe81⤵PID:1684
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe82⤵PID:2064
-
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Naoniipe.exeC:\Windows\system32\Naoniipe.exe84⤵PID:904
-
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe85⤵PID:2628
-
C:\Windows\SysWOW64\Nhiffc32.exeC:\Windows\system32\Nhiffc32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Nkgbbo32.exeC:\Windows\system32\Nkgbbo32.exe87⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Naajoinb.exeC:\Windows\system32\Naajoinb.exe88⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe89⤵PID:2620
-
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe90⤵PID:2696
-
C:\Windows\SysWOW64\Nkiogn32.exeC:\Windows\system32\Nkiogn32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2444 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe92⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Nacgdhlp.exeC:\Windows\system32\Nacgdhlp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2960 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe94⤵PID:384
-
C:\Windows\SysWOW64\Ocgpappk.exeC:\Windows\system32\Ocgpappk.exe95⤵PID:1708
-
C:\Windows\SysWOW64\Ogblbo32.exeC:\Windows\system32\Ogblbo32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Ojahnj32.exeC:\Windows\system32\Ojahnj32.exe97⤵PID:2508
-
C:\Windows\SysWOW64\Onmdoioa.exeC:\Windows\system32\Onmdoioa.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Olpdjf32.exeC:\Windows\system32\Olpdjf32.exe99⤵PID:1140
-
C:\Windows\SysWOW64\Oonafa32.exeC:\Windows\system32\Oonafa32.exe100⤵PID:564
-
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe101⤵PID:2716
-
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe102⤵PID:1612
-
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe103⤵PID:2872
-
C:\Windows\SysWOW64\Okgnab32.exeC:\Windows\system32\Okgnab32.exe104⤵
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Ofmbnkhg.exeC:\Windows\system32\Ofmbnkhg.exe105⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Odobjg32.exeC:\Windows\system32\Odobjg32.exe106⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Okikfagn.exeC:\Windows\system32\Okikfagn.exe107⤵PID:2432
-
C:\Windows\SysWOW64\Onhgbmfb.exeC:\Windows\system32\Onhgbmfb.exe108⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe109⤵
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Pklhlael.exeC:\Windows\system32\Pklhlael.exe110⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe111⤵PID:1340
-
C:\Windows\SysWOW64\Pkndaa32.exeC:\Windows\system32\Pkndaa32.exe112⤵PID:2380
-
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe113⤵PID:2408
-
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe114⤵
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe115⤵PID:2256
-
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe116⤵PID:816
-
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe117⤵
- Drops file in System32 directory
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Pnomcl32.exeC:\Windows\system32\Pnomcl32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe119⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:744 -
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-