Analysis
max time kernel: 26s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2023, 21:16
Behavioral task: behavioral1
Sample: NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe
Size: 88KB
MD5: 2f3169e2626b6e678f47f5aa09c4add0
SHA1: a533539d9a9b1e6a5e563f56cb411712b290be85
SHA256: 58905d83d3fd3feb89ad7f9627566840aac67d7e6bfa387090cde1cf47c0c478
SHA512: 582feb10a1f354781312bf757452b2c27b945e75cb0067ada4fb60517b4eadb409499880469fee411c6a4f18a42dab12b26c1ff1b62f388e625aa05918c819a3
SSDEEP: 1536:aX/PZzAO8JNGKPh3ZHwFL8QOVXtE1ukVd71rFZO7+90vT:6AxdZILi9EIIJ15ZO7Vr
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgqblp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Geqlhp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jakkplbc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jchaoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfbfmi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mikepg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdbmifdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkfeeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npipnjmm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajjcoqdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dqajjp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emhdeoel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmfpgmil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hcflch32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egiohh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icakofel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eghimo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cckmklac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndgpnogo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bgicdc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmaakpfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nilkkq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jhjcbljf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amgekh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldccid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoiihcde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lohggm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjnoggoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lpgalc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnhppa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lohggm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjpllgme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emhdeoel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gooqfkan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olndnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlfcqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilpfgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omigmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Neeifa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofadlbhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jkqccbkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmfpgmil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcaoahio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mikepg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcfejfag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcicma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inflio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikhghi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcdlghgl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Goamlkpk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdkdbgpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jndhkmfe.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pihdnloc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hcflch32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gadimkpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdobhm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmaakpfd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opkfjgmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gadimkpb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlmiagbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omigmc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppepkmhi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihfglhfp.exe
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/memory/2980-0-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c6d-6.dat | family_berbew
behavioral2/files/0x0006000000022c6d-8.dat | family_berbew
behavioral2/memory/1268-7-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c6f-14.dat | family_berbew
behavioral2/memory/1272-15-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c6f-16.dat | family_berbew
behavioral2/files/0x0007000000022c6c-22.dat | family_berbew
behavioral2/files/0x0007000000022c6c-24.dat | family_berbew
behavioral2/memory/4384-23-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/memory/4120-32-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c74-31.dat | family_berbew
behavioral2/files/0x0006000000022c74-30.dat | family_berbew
behavioral2/files/0x0006000000022c77-38.dat | family_berbew
behavioral2/files/0x0006000000022c77-39.dat | family_berbew
behavioral2/memory/4560-40-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c79-46.dat | family_berbew
behavioral2/files/0x0006000000022c79-47.dat | family_berbew
behavioral2/memory/2536-48-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c7f-54.dat | family_berbew
behavioral2/files/0x0006000000022c7f-56.dat | family_berbew
behavioral2/memory/560-55-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c82-62.dat | family_berbew
behavioral2/files/0x0006000000022c82-63.dat | family_berbew
behavioral2/memory/4848-64-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c84-70.dat | family_berbew
behavioral2/files/0x0006000000022c84-71.dat | family_berbew
behavioral2/memory/3528-76-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c88-78.dat | family_berbew
behavioral2/memory/436-84-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c88-79.dat | family_berbew
behavioral2/files/0x0007000000022c7b-86.dat | family_berbew
behavioral2/memory/2656-87-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022c7b-88.dat | family_berbew
behavioral2/files/0x0007000000022c7d-94.dat | family_berbew
behavioral2/memory/2680-95-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022c7d-96.dat | family_berbew
behavioral2/files/0x0008000000022c81-102.dat | family_berbew
behavioral2/memory/440-103-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022c81-104.dat | family_berbew
behavioral2/files/0x0008000000022c8b-110.dat | family_berbew
behavioral2/files/0x0008000000022c8b-112.dat | family_berbew
behavioral2/memory/1128-111-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c8d-118.dat | family_berbew
behavioral2/files/0x0006000000022c8d-120.dat | family_berbew
behavioral2/memory/4624-119-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c8f-126.dat | family_berbew
behavioral2/memory/5112-127-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c8f-128.dat | family_berbew
behavioral2/files/0x0006000000022c91-129.dat | family_berbew
behavioral2/files/0x0006000000022c91-134.dat | family_berbew
behavioral2/files/0x0006000000022c91-136.dat | family_berbew
behavioral2/memory/4376-135-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c93-142.dat | family_berbew
behavioral2/memory/3584-143-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c93-144.dat | family_berbew
behavioral2/files/0x0006000000022c95-150.dat | family_berbew
behavioral2/memory/3644-151-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c95-152.dat | family_berbew
behavioral2/files/0x0006000000022c97-153.dat | family_berbew
behavioral2/files/0x0006000000022c97-158.dat | family_berbew
behavioral2/memory/760-160-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022c97-159.dat | family_berbew
behavioral2/files/0x0006000000022c99-166.dat | family_berbew
Executes dropped EXE 64 IoCs
pid | Process
1268 | Gooqfkan.exe
1272 | Goamlkpk.exe
4384 | Hcofbifb.exe
4120 | Hkjjfkcm.exe
4560 | Hcflch32.exe
2536 | Ilqmam32.exe
560 | Ieiajckh.exe
4848 | Ikhghi32.exe
3528 | Ifnkeb32.exe
436 | Icakofel.exe
2656 | Jbghpc32.exe
2680 | Jcfejfag.exe
440 | Jchaoe32.exe
1128 | Jfikaqme.exe
4624 | Joaojf32.exe
5112 | Jhjcbljf.exe
4376 | Kfndlphp.exe
3584 | Kkofofbb.exe
3644 | Kfggbope.exe
760 | Lckglc32.exe
2864 | Lkflpe32.exe
392 | Lkiiee32.exe
3960 | Lpgalc32.exe
4708 | Ljleil32.exe
548 | Liabjh32.exe
4952 | Mmokpglb.exe
2128 | Mcicma32.exe
484 | Mjehok32.exe
2512 | Mikepg32.exe
3828 | Nbefolao.exe
3500 | Nfcoekhe.exe
4716 | Ndgpnogo.exe
1108 | Njceqili.exe
3240 | Olgnnqpe.exe
3532 | Obccpj32.exe
948 | Omigmc32.exe
1256 | Olndnp32.exe
2620 | Oplmdnpc.exe
3896 | Okaabg32.exe
4460 | Pbmffi32.exe
664 | Plejoode.exe
1844 | Pcaoahio.exe
2408 | Ppepkmhi.exe
4528 | Pcdlghgl.exe
4936 | Pmipdq32.exe
944 | Qpjifl32.exe
1384 | Qibmoa32.exe
2060 | Adjnaj32.exe
2624 | Ajjcoqdl.exe
232 | Angleokb.exe
2988 | Almifk32.exe
3516 | Bgbmdd32.exe
1468 | Bcinie32.exe
1504 | Bdhkchlg.exe
2368 | Bldogjib.exe
4332 | Bgicdc32.exe
1020 | Bglpjb32.exe
3884 | Bdpqcg32.exe
648 | Cdbmifdl.exe
4432 | Cnjbbl32.exe
1284 | Cqkkcghn.exe
3456 | Cdicje32.exe
1136 | Cqpdof32.exe
2192 | Ddnmeejo.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mmokpglb.exe | Liabjh32.exe
File created | C:\Windows\SysWOW64\Jmfjhp32.dll | Cnjbbl32.exe
File created | C:\Windows\SysWOW64\Einmdadf.dll | Endnohdp.exe
File created | C:\Windows\SysWOW64\Bgkipl32.exe | Bnbeggmi.exe
File created | C:\Windows\SysWOW64\Imobclfe.dll | Kfndlphp.exe
File created | C:\Windows\SysWOW64\Lkflpe32.exe | Lckglc32.exe
File created | C:\Windows\SysWOW64\Gaglma32.exe | Goipae32.exe
File created | C:\Windows\SysWOW64\Ihfglhfp.exe | Imabnofj.exe
File created | C:\Windows\SysWOW64\Hjmajnph.dll | NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe
File created | C:\Windows\SysWOW64\Dnfgdc32.dll | Jakkplbc.exe
File opened for modification | C:\Windows\SysWOW64\Blqlgdhi.exe | Bgdcom32.exe
File created | C:\Windows\SysWOW64\Qhhgib32.dll | Dgieajgj.exe
File opened for modification | C:\Windows\SysWOW64\Egnhcgeb.exe | Emhdeoel.exe
File opened for modification | C:\Windows\SysWOW64\Nbefolao.exe | Mikepg32.exe
File created | C:\Windows\SysWOW64\Knagdd32.dll | Njceqili.exe
File created | C:\Windows\SysWOW64\Oeahap32.exe | Opdpih32.exe
File created | C:\Windows\SysWOW64\Fnhppa32.exe | Egnhcgeb.exe
File opened for modification | C:\Windows\SysWOW64\Ljleil32.exe | Lpgalc32.exe
File created | C:\Windows\SysWOW64\Cnjbbl32.exe | Cdbmifdl.exe
File created | C:\Windows\SysWOW64\Geqlhp32.exe | Glhgojef.exe
File opened for modification | C:\Windows\SysWOW64\Opiidhoj.exe | Ofadlbhj.exe
File created | C:\Windows\SysWOW64\Npnbgk32.dll | Obccpj32.exe
File created | C:\Windows\SysWOW64\Bjqjbanf.dll | Elhnhm32.exe
File opened for modification | C:\Windows\SysWOW64\Fhchhm32.exe | Fmndkd32.exe
File created | C:\Windows\SysWOW64\Oihkgo32.exe | Nldjnk32.exe
File opened for modification | C:\Windows\SysWOW64\Cqkkcghn.exe | Cnjbbl32.exe
File opened for modification | C:\Windows\SysWOW64\Mmaakpfd.exe | Lfbpcgbl.exe
File created | C:\Windows\SysWOW64\Knndpffi.dll | Qibfdkgh.exe
File opened for modification | C:\Windows\SysWOW64\Ejjgic32.exe | Eqbcqnph.exe
File opened for modification | C:\Windows\SysWOW64\Hcflch32.exe | Hkjjfkcm.exe
File created | C:\Windows\SysWOW64\Einnfgmg.dll | Gonilenb.exe
File created | C:\Windows\SysWOW64\Haeino32.exe | Haclio32.exe
File created | C:\Windows\SysWOW64\Mlolhd32.dll | Kfbfmi32.exe
File created | C:\Windows\SysWOW64\Clqcll32.dll | Pppoeg32.exe
File opened for modification | C:\Windows\SysWOW64\Fcibchgq.exe | Fnmjkahi.exe
File created | C:\Windows\SysWOW64\Jeoiagbk.dll | Fhchhm32.exe
File created | C:\Windows\SysWOW64\Fdiqcb32.dll | Ljleil32.exe
File opened for modification | C:\Windows\SysWOW64\Olndnp32.exe | Omigmc32.exe
File created | C:\Windows\SysWOW64\Oplmdnpc.exe | Olndnp32.exe
File created | C:\Windows\SysWOW64\Abodhpic.exe | Amblpikl.exe
File opened for modification | C:\Windows\SysWOW64\Bcfkiock.exe | Accnco32.exe
File opened for modification | C:\Windows\SysWOW64\Cckmklac.exe | Cjbhbf32.exe
File created | C:\Windows\SysWOW64\Emhdeoel.exe | Ejjgic32.exe
File created | C:\Windows\SysWOW64\Gmdkgn32.dll | Icakofel.exe
File opened for modification | C:\Windows\SysWOW64\Fnjmea32.exe | Fceihh32.exe
File created | C:\Windows\SysWOW64\Hcofbifb.exe | Goamlkpk.exe
File created | C:\Windows\SysWOW64\Njceqili.exe | Ndgpnogo.exe
File created | C:\Windows\SysWOW64\Hodioegj.dll | Bglpjb32.exe
File opened for modification | C:\Windows\SysWOW64\Glhgojef.exe | Fdobhm32.exe
File created | C:\Windows\SysWOW64\Fblhbnpk.dll | Glhgojef.exe
File opened for modification | C:\Windows\SysWOW64\Jakkplbc.exe | Jkqccbkf.exe
File created | C:\Windows\SysWOW64\Mmfjfp32.exe | Mmcnap32.exe
File created | C:\Windows\SysWOW64\Dhlhei32.dll | Bcfkiock.exe
File created | C:\Windows\SysWOW64\Nlbkfqkc.dll | Goamlkpk.exe
File created | C:\Windows\SysWOW64\Fgpijd32.dll | Fdobhm32.exe
File created | C:\Windows\SysWOW64\Pfhklabb.exe | Ppnbpg32.exe
File created | C:\Windows\SysWOW64\Gmcidg32.dll | Cqpdof32.exe
File created | C:\Windows\SysWOW64\Qgnmff32.dll | Kdgcne32.exe
File opened for modification | C:\Windows\SysWOW64\Nilkkq32.exe | Mmfjfp32.exe
File created | C:\Windows\SysWOW64\Epkijdie.dll | Onecof32.exe
File opened for modification | C:\Windows\SysWOW64\Pehnboko.exe | Opkfjgmh.exe
File created | C:\Windows\SysWOW64\Eocpmlgp.dll | Fapobl32.exe
File created | C:\Windows\SysWOW64\Jhpjbgne.exe | Inhion32.exe
File opened for modification | C:\Windows\SysWOW64\Bglpjb32.exe | Bgicdc32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmajnph.dll" | NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjehok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjneikmp.dll" | Ppepkmhi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bdpqcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcofbifb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opdpih32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pppoeg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcicma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndgpnogo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fnhppa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fnjmea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ljleil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Amgekh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjmjebk.dll" | Nfcoekhe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbage32.dll" | Dqigee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdkdbgpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppldflod.dll" | Knhbflbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onecof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofadlbhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libadidb.dll" | Ajjcoqdl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddnmeejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmcnap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnpjdfpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqafj32.dll" | Fnhppa32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gadimkpb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gooqfkan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ppepkmhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omneeicm.dll" | Fhfenmbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnmnf32.dll" | Ihfglhfp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldccid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Njceqili.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaamh32.dll" | Oplmdnpc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fdobhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fceihh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefhkm32.dll" | Fcibchgq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkgn32.dll" | Icakofel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Glmqjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damneiak.dll" | Lkfeeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opkfjgmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiadbknf.dll" | Gadimkpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oianmm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pihdnloc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcfejfag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmipdq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oophoc32.dll" | Eghimo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fblhbnpk.dll" | Glhgojef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhddce32.dll" | Inhion32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nbepdfnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmodc32.dll" | Bidlqhgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gfodpbpl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkiiee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fnhppa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Liabjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Plejoode.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhhaclqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nilkkq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oeahap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjpllgme.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkflpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpgalc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eelifc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkflmkn.dll" | Goipae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijicm32.dll" | Kfmmajed.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdgcne32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2980 wrote to memory of 1268 | 2980 | NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe | 88
PID 2980 wrote to memory of 1268 | 2980 | NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe | 88
PID 2980 wrote to memory of 1268 | 2980 | NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe | 88
PID 1268 wrote to memory of 1272 | 1268 | Gooqfkan.exe | 90
PID 1268 wrote to memory of 1272 | 1268 | Gooqfkan.exe | 90
PID 1268 wrote to memory of 1272 | 1268 | Gooqfkan.exe | 90
PID 1272 wrote to memory of 4384 | 1272 | Goamlkpk.exe | 91
PID 1272 wrote to memory of 4384 | 1272 | Goamlkpk.exe | 91
PID 1272 wrote to memory of 4384 | 1272 | Goamlkpk.exe | 91
PID 4384 wrote to memory of 4120 | 4384 | Hcofbifb.exe | 92
PID 4384 wrote to memory of 4120 | 4384 | Hcofbifb.exe | 92
PID 4384 wrote to memory of 4120 | 4384 | Hcofbifb.exe | 92
PID 4120 wrote to memory of 4560 | 4120 | Hkjjfkcm.exe | 93
PID 4120 wrote to memory of 4560 | 4120 | Hkjjfkcm.exe | 93
PID 4120 wrote to memory of 4560 | 4120 | Hkjjfkcm.exe | 93
PID 4560 wrote to memory of 2536 | 4560 | Hcflch32.exe | 94
PID 4560 wrote to memory of 2536 | 4560 | Hcflch32.exe | 94
PID 4560 wrote to memory of 2536 | 4560 | Hcflch32.exe | 94
PID 2536 wrote to memory of 560 | 2536 | Ilqmam32.exe | 95
PID 2536 wrote to memory of 560 | 2536 | Ilqmam32.exe | 95
PID 2536 wrote to memory of 560 | 2536 | Ilqmam32.exe | 95
PID 560 wrote to memory of 4848 | 560 | Ieiajckh.exe | 97
PID 560 wrote to memory of 4848 | 560 | Ieiajckh.exe | 97
PID 560 wrote to memory of 4848 | 560 | Ieiajckh.exe | 97
PID 4848 wrote to memory of 3528 | 4848 | Ikhghi32.exe | 98
PID 4848 wrote to memory of 3528 | 4848 | Ikhghi32.exe | 98
PID 4848 wrote to memory of 3528 | 4848 | Ikhghi32.exe | 98
PID 3528 wrote to memory of 436 | 3528 | Ifnkeb32.exe | 99
PID 3528 wrote to memory of 436 | 3528 | Ifnkeb32.exe | 99
PID 3528 wrote to memory of 436 | 3528 | Ifnkeb32.exe | 99
PID 436 wrote to memory of 2656 | 436 | Icakofel.exe | 100
PID 436 wrote to memory of 2656 | 436 | Icakofel.exe | 100
PID 436 wrote to memory of 2656 | 436 | Icakofel.exe | 100
PID 2656 wrote to memory of 2680 | 2656 | Jbghpc32.exe | 101
PID 2656 wrote to memory of 2680 | 2656 | Jbghpc32.exe | 101
PID 2656 wrote to memory of 2680 | 2656 | Jbghpc32.exe | 101
PID 2680 wrote to memory of 440 | 2680 | Jcfejfag.exe | 102
PID 2680 wrote to memory of 440 | 2680 | Jcfejfag.exe | 102
PID 2680 wrote to memory of 440 | 2680 | Jcfejfag.exe | 102
PID 440 wrote to memory of 1128 | 440 | Jchaoe32.exe | 103
PID 440 wrote to memory of 1128 | 440 | Jchaoe32.exe | 103
PID 440 wrote to memory of 1128 | 440 | Jchaoe32.exe | 103
PID 1128 wrote to memory of 4624 | 1128 | Jfikaqme.exe | 104
PID 1128 wrote to memory of 4624 | 1128 | Jfikaqme.exe | 104
PID 1128 wrote to memory of 4624 | 1128 | Jfikaqme.exe | 104
PID 4624 wrote to memory of 5112 | 4624 | Joaojf32.exe | 105
PID 4624 wrote to memory of 5112 | 4624 | Joaojf32.exe | 105
PID 4624 wrote to memory of 5112 | 4624 | Joaojf32.exe | 105
PID 5112 wrote to memory of 4376 | 5112 | Jhjcbljf.exe | 106
PID 5112 wrote to memory of 4376 | 5112 | Jhjcbljf.exe | 106
PID 5112 wrote to memory of 4376 | 5112 | Jhjcbljf.exe | 106
PID 4376 wrote to memory of 3584 | 4376 | Kfndlphp.exe | 107
PID 4376 wrote to memory of 3584 | 4376 | Kfndlphp.exe | 107
PID 4376 wrote to memory of 3584 | 4376 | Kfndlphp.exe | 107
PID 3584 wrote to memory of 3644 | 3584 | Kkofofbb.exe | 108
PID 3584 wrote to memory of 3644 | 3584 | Kkofofbb.exe | 108
PID 3584 wrote to memory of 3644 | 3584 | Kkofofbb.exe | 108
PID 3644 wrote to memory of 760 | 3644 | Kfggbope.exe | 109
PID 3644 wrote to memory of 760 | 3644 | Kfggbope.exe | 109
PID 3644 wrote to memory of 760 | 3644 | Kfggbope.exe | 109
PID 760 wrote to memory of 2864 | 760 | Lckglc32.exe | 110
PID 760 wrote to memory of 2864 | 760 | Lckglc32.exe | 110
PID 760 wrote to memory of 2864 | 760 | Lckglc32.exe | 110
PID 2864 wrote to memory of 392 | 2864 | Lkflpe32.exe | 111
Processes (process tree; the bracketed number is the nesting depth, each process being the child of the one listed before it)
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2f3169e2626b6e678f47f5aa09c4add0.exe")
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2980
[2] C:\Windows\SysWOW64\Gooqfkan.exe (command line: C:\Windows\system32\Gooqfkan.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1268
[3] C:\Windows\SysWOW64\Goamlkpk.exe (command line: C:\Windows\system32\Goamlkpk.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1272
[4] C:\Windows\SysWOW64\Hcofbifb.exe (command line: C:\Windows\system32\Hcofbifb.exe)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4384
[5] C:\Windows\SysWOW64\Hkjjfkcm.exe (command line: C:\Windows\system32\Hkjjfkcm.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4120
[6] C:\Windows\SysWOW64\Hcflch32.exe (command line: C:\Windows\system32\Hcflch32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4560
[7] C:\Windows\SysWOW64\Ilqmam32.exe (command line: C:\Windows\system32\Ilqmam32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2536
[8] C:\Windows\SysWOW64\Ieiajckh.exe (command line: C:\Windows\system32\Ieiajckh.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 560
[9] C:\Windows\SysWOW64\Ikhghi32.exe (command line: C:\Windows\system32\Ikhghi32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4848
[10] C:\Windows\SysWOW64\Ifnkeb32.exe (command line: C:\Windows\system32\Ifnkeb32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3528
[11] C:\Windows\SysWOW64\Icakofel.exe (command line: C:\Windows\system32\Icakofel.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 436
[12] C:\Windows\SysWOW64\Jbghpc32.exe (command line: C:\Windows\system32\Jbghpc32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2656
[13] C:\Windows\SysWOW64\Jcfejfag.exe (command line: C:\Windows\system32\Jcfejfag.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2680
[14] C:\Windows\SysWOW64\Jchaoe32.exe (command line: C:\Windows\system32\Jchaoe32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 440
[15] C:\Windows\SysWOW64\Jfikaqme.exe (command line: C:\Windows\system32\Jfikaqme.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1128
[16] C:\Windows\SysWOW64\Joaojf32.exe (command line: C:\Windows\system32\Joaojf32.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4624
[17] C:\Windows\SysWOW64\Jhjcbljf.exe (command line: C:\Windows\system32\Jhjcbljf.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 5112
[18] C:\Windows\SysWOW64\Kfndlphp.exe (command line: C:\Windows\system32\Kfndlphp.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4376
[19] C:\Windows\SysWOW64\Kkofofbb.exe (command line: C:\Windows\system32\Kkofofbb.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3584
[20] C:\Windows\SysWOW64\Kfggbope.exe (command line: C:\Windows\system32\Kfggbope.exe)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3644
[21] C:\Windows\SysWOW64\Lckglc32.exe (command line: C:\Windows\system32\Lckglc32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 760
[22] C:\Windows\SysWOW64\Lkflpe32.exe (command line: C:\Windows\system32\Lkflpe32.exe)
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2864
[23] C:\Windows\SysWOW64\Lkiiee32.exe (command line: C:\Windows\system32\Lkiiee32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 392
[24] C:\Windows\SysWOW64\Lpgalc32.exe (command line: C:\Windows\system32\Lpgalc32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 3960
[25] C:\Windows\SysWOW64\Ljleil32.exe (command line: C:\Windows\system32\Ljleil32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4708
[26] C:\Windows\SysWOW64\Liabjh32.exe (command line: C:\Windows\system32\Liabjh32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 548
[27] C:\Windows\SysWOW64\Mmokpglb.exe (command line: C:\Windows\system32\Mmokpglb.exe)
    - Executes dropped EXE
    PID: 4952
[28] C:\Windows\SysWOW64\Mcicma32.exe (command line: C:\Windows\system32\Mcicma32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 2128
[29] C:\Windows\SysWOW64\Mjehok32.exe (command line: C:\Windows\system32\Mjehok32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 484
[30] C:\Windows\SysWOW64\Mikepg32.exe (command line: C:\Windows\system32\Mikepg32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2512
[31] C:\Windows\SysWOW64\Nbefolao.exe (command line: C:\Windows\system32\Nbefolao.exe)
    - Executes dropped EXE
    PID: 3828
[32] C:\Windows\SysWOW64\Nfcoekhe.exe (command line: C:\Windows\system32\Nfcoekhe.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 3500
[33] C:\Windows\SysWOW64\Ndgpnogo.exe (command line: C:\Windows\system32\Ndgpnogo.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4716
[34] C:\Windows\SysWOW64\Njceqili.exe (command line: C:\Windows\system32\Njceqili.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID: 1108
[35] C:\Windows\SysWOW64\Olgnnqpe.exe (command line: C:\Windows\system32\Olgnnqpe.exe)
    - Executes dropped EXE
    PID: 3240
[36] C:\Windows\SysWOW64\Obccpj32.exe (command line: C:\Windows\system32\Obccpj32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 3532
[37] C:\Windows\SysWOW64\Omigmc32.exe (command line: C:\Windows\system32\Omigmc32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 948
[38] C:\Windows\SysWOW64\Olndnp32.exe (command line: C:\Windows\system32\Olndnp32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1256
[39] C:\Windows\SysWOW64\Oplmdnpc.exe (command line: C:\Windows\system32\Oplmdnpc.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 2620
[40] C:\Windows\SysWOW64\Okaabg32.exe (command line: C:\Windows\system32\Okaabg32.exe)
    - Executes dropped EXE
    PID: 3896
[41] C:\Windows\SysWOW64\Pbmffi32.exe (command line: C:\Windows\system32\Pbmffi32.exe)
    - Executes dropped EXE
    PID: 4460
[42] C:\Windows\SysWOW64\Plejoode.exe (command line: C:\Windows\system32\Plejoode.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 664
[43] C:\Windows\SysWOW64\Pcaoahio.exe (command line: C:\Windows\system32\Pcaoahio.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 1844
[44] C:\Windows\SysWOW64\Ppepkmhi.exe (command line: C:\Windows\system32\Ppepkmhi.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 2408
[45] C:\Windows\SysWOW64\Pcdlghgl.exe (command line: C:\Windows\system32\Pcdlghgl.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID: 4528
[46] C:\Windows\SysWOW64\Pmipdq32.exe (command line: C:\Windows\system32\Pmipdq32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 4936
[47] C:\Windows\SysWOW64\Qpjifl32.exe (command line: C:\Windows\system32\Qpjifl32.exe)
    - Executes dropped EXE
    PID: 944
[48] C:\Windows\SysWOW64\Qibmoa32.exe (command line: C:\Windows\system32\Qibmoa32.exe)
    - Executes dropped EXE
    PID: 1384
[49] C:\Windows\SysWOW64\Adjnaj32.exe (command line: C:\Windows\system32\Adjnaj32.exe)
    - Executes dropped EXE
    PID: 2060
[50] C:\Windows\SysWOW64\Ajjcoqdl.exe (command line: C:\Windows\system32\Ajjcoqdl.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID: 2624
[51] C:\Windows\SysWOW64\Angleokb.exe (command line: C:\Windows\system32\Angleokb.exe)
    - Executes dropped EXE
    PID: 232
[52] C:\Windows\SysWOW64\Almifk32.exe (command line: C:\Windows\system32\Almifk32.exe)
    - Executes dropped EXE
    PID: 2988
[53] C:\Windows\SysWOW64\Bgbmdd32.exe (command line: C:\Windows\system32\Bgbmdd32.exe)
    - Executes dropped EXE
    PID: 3516
[54] C:\Windows\SysWOW64\Bcinie32.exe (command line: C:\Windows\system32\Bcinie32.exe)
    - Executes dropped EXE
    PID: 1468
[55] C:\Windows\SysWOW64\Bdhkchlg.exe (command line: C:\Windows\system32\Bdhkchlg.exe)
    - Executes dropped EXE
    PID: 1504
[56] C:\Windows\SysWOW64\Bldogjib.exe (command line: C:\Windows\system32\Bldogjib.exe)
    - Executes dropped EXE
    PID: 2368
[57] C:\Windows\SysWOW64\Bgicdc32.exe (command line: C:\Windows\system32\Bgicdc32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4332
[58] C:\Windows\SysWOW64\Bglpjb32.exe (command line: C:\Windows\system32\Bglpjb32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1020
[59] C:\Windows\SysWOW64\Bdpqcg32.exe (command line: C:\Windows\system32\Bdpqcg32.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 3884
[60] C:\Windows\SysWOW64\Cdbmifdl.exe (command line: C:\Windows\system32\Cdbmifdl.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 648
[61] C:\Windows\SysWOW64\Cnjbbl32.exe (command line: C:\Windows\system32\Cnjbbl32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 4432
[62] C:\Windows\SysWOW64\Cqkkcghn.exe (command line: C:\Windows\system32\Cqkkcghn.exe)
    - Executes dropped EXE
    PID: 1284
[63] C:\Windows\SysWOW64\Cdicje32.exe (command line: C:\Windows\system32\Cdicje32.exe)
    - Executes dropped EXE
    PID: 3456
[64] C:\Windows\SysWOW64\Cqpdof32.exe (command line: C:\Windows\system32\Cqpdof32.exe)
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1136
[65] C:\Windows\SysWOW64\Ddnmeejo.exe (command line: C:\Windows\system32\Ddnmeejo.exe)
    - Executes dropped EXE
    - Modifies registry class
    PID: 2192
[66] C:\Windows\SysWOW64\Ddpjjd32.exe (command line: C:\Windows\system32\Ddpjjd32.exe)
    PID: 976
[67] C:\Windows\SysWOW64\Dgqblp32.exe (command line: C:\Windows\system32\Dgqblp32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 1760
[68] C:\Windows\SysWOW64\Dqigee32.exe (command line: C:\Windows\system32\Dqigee32.exe)
    - Modifies registry class
    PID: 4552
[69] C:\Windows\SysWOW64\Eghimo32.exe (command line: C:\Windows\system32\Eghimo32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 4492
[70] C:\Windows\SysWOW64\Eelifc32.exe (command line: C:\Windows\system32\Eelifc32.exe)
    - Modifies registry class
    PID: 2908
[71] C:\Windows\SysWOW64\Endnohdp.exe (command line: C:\Windows\system32\Endnohdp.exe)
    - Drops file in System32 directory
    PID: 2472
[72] C:\Windows\SysWOW64\Elhnhm32.exe (command line: C:\Windows\system32\Elhnhm32.exe)
    - Drops file in System32 directory
    PID: 4488
[73] C:\Windows\SysWOW64\Eaegqc32.exe (command line: C:\Windows\system32\Eaegqc32.exe)
    PID: 1960
[74] C:\Windows\SysWOW64\Eljknl32.exe (command line: C:\Windows\system32\Eljknl32.exe)
    PID: 1552
[75] C:\Windows\SysWOW64\Febogbhg.exe (command line: C:\Windows\system32\Febogbhg.exe)
    PID: 1508
[76] C:\Windows\SysWOW64\Fmndkd32.exe (command line: C:\Windows\system32\Fmndkd32.exe)
    - Drops file in System32 directory
    PID: 1676
[77] C:\Windows\SysWOW64\Fhchhm32.exe (command line: C:\Windows\system32\Fhchhm32.exe)
    - Drops file in System32 directory
    PID: 1464
[78] C:\Windows\SysWOW64\Fhfenmbe.exe (command line: C:\Windows\system32\Fhfenmbe.exe)
    - Modifies registry class
    PID: 316
[79] C:\Windows\SysWOW64\Fjdajhbi.exe (command line: C:\Windows\system32\Fjdajhbi.exe)
    PID: 1776
[80] C:\Windows\SysWOW64\Fhhaclqc.exe (command line: C:\Windows\system32\Fhhaclqc.exe)
    - Modifies registry class
    PID: 2152
[81] C:\Windows\SysWOW64\Fdobhm32.exe (command line: C:\Windows\system32\Fdobhm32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4484
[82] C:\Windows\SysWOW64\Glhgojef.exe (command line: C:\Windows\system32\Glhgojef.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4180
[83] C:\Windows\SysWOW64\Geqlhp32.exe (command line: C:\Windows\system32\Geqlhp32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 4516
[84] C:\Windows\SysWOW64\Goipae32.exe (command line: C:\Windows\system32\Goipae32.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 2256
[85] C:\Windows\SysWOW64\Gaglma32.exe (command line: C:\Windows\system32\Gaglma32.exe)
    PID: 3220
[86] C:\Windows\SysWOW64\Glmqjj32.exe (command line: C:\Windows\system32\Glmqjj32.exe)
    - Modifies registry class
    PID: 2892
[87] C:\Windows\SysWOW64\Ghdaokfe.exe (command line: C:\Windows\system32\Ghdaokfe.exe)
    PID: 2488
[88] C:\Windows\SysWOW64\Gonilenb.exe (command line: C:\Windows\system32\Gonilenb.exe)
    - Drops file in System32 directory
    PID: 3064
[89] C:\Windows\SysWOW64\Gdkbdllj.exe (command line: C:\Windows\system32\Gdkbdllj.exe)
    PID: 3488
[90] C:\Windows\SysWOW64\Haobnpkc.exe (command line: C:\Windows\system32\Haobnpkc.exe)
    PID: 740
[91] C:\Windows\SysWOW64\Hldgkiki.exe (command line: C:\Windows\system32\Hldgkiki.exe)
    PID: 4920
[92] C:\Windows\SysWOW64\Helkdnaj.exe (command line: C:\Windows\system32\Helkdnaj.exe)
    PID: 2228
[93] C:\Windows\SysWOW64\Hlfcqh32.exe (command line: C:\Windows\system32\Hlfcqh32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 2208
[94] C:\Windows\SysWOW64\Haclio32.exe (command line: C:\Windows\system32\Haclio32.exe)
    - Drops file in System32 directory
    PID: 5144
[95] C:\Windows\SysWOW64\Haeino32.exe (command line: C:\Windows\system32\Haeino32.exe)
    PID: 5192
[96] C:\Windows\SysWOW64\Hoiihcde.exe (command line: C:\Windows\system32\Hoiihcde.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5236
[97] C:\Windows\SysWOW64\Hlmiagbo.exe (command line: C:\Windows\system32\Hlmiagbo.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5280
[98] C:\Windows\SysWOW64\Iajbinaf.exe (command line: C:\Windows\system32\Iajbinaf.exe)
    PID: 5324
[99] C:\Windows\SysWOW64\Ilpfgg32.exe (command line: C:\Windows\system32\Ilpfgg32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5368
[100] C:\Windows\SysWOW64\Imabnofj.exe (command line: C:\Windows\system32\Imabnofj.exe)
    - Drops file in System32 directory
    PID: 5412
[101] C:\Windows\SysWOW64\Ihfglhfp.exe (command line: C:\Windows\system32\Ihfglhfp.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 5456
[102] C:\Windows\SysWOW64\Inflio32.exe (command line: C:\Windows\system32\Inflio32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5492
[103] C:\Windows\SysWOW64\Ihkpgg32.exe (command line: C:\Windows\system32\Ihkpgg32.exe)
    PID: 5540
[104] C:\Windows\SysWOW64\Inhion32.exe (command line: C:\Windows\system32\Inhion32.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 5588
[105] C:\Windows\SysWOW64\Jhpjbgne.exe (command line: C:\Windows\system32\Jhpjbgne.exe)
    PID: 5632
[106] C:\Windows\SysWOW64\Jojboa32.exe (command line: C:\Windows\system32\Jojboa32.exe)
    PID: 5676
[107] C:\Windows\SysWOW64\Jkqccbkf.exe (command line: C:\Windows\system32\Jkqccbkf.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 5716
[108] C:\Windows\SysWOW64\Jakkplbc.exe (command line: C:\Windows\system32\Jakkplbc.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 5764
[109] C:\Windows\SysWOW64\Jkcpia32.exe (command line: C:\Windows\system32\Jkcpia32.exe)
    PID: 5808
[110] C:\Windows\SysWOW64\Jdkdbgpd.exe (command line: C:\Windows\system32\Jdkdbgpd.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 5852
[111] C:\Windows\SysWOW64\Jndhkmfe.exe (command line: C:\Windows\system32\Jndhkmfe.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID: 5896
[112] C:\Windows\SysWOW64\Kfmmajed.exe (command line: C:\Windows\system32\Kfmmajed.exe)
    - Modifies registry class
    PID: 5940
[113] C:\Windows\SysWOW64\Khlinedh.exe (command line: C:\Windows\system32\Khlinedh.exe)
    PID: 5980
[114] C:\Windows\SysWOW64\Knhbflbp.exe (command line: C:\Windows\system32\Knhbflbp.exe)
    - Modifies registry class
    PID: 6028
[115] C:\Windows\SysWOW64\Kfbfmi32.exe (command line: C:\Windows\system32\Kfbfmi32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    PID: 6076
[116] C:\Windows\SysWOW64\Kkooep32.exe (command line: C:\Windows\system32\Kkooep32.exe)
    PID: 6120
[117] C:\Windows\SysWOW64\Kdgcne32.exe (command line: C:\Windows\system32\Kdgcne32.exe)
    - Drops file in System32 directory
    - Modifies registry class
    PID: 4972
[118] C:\Windows\SysWOW64\Lhelddln.exe (command line: C:\Windows\system32\Lhelddln.exe)
    PID: 5176
[119] C:\Windows\SysWOW64\Lkfeeo32.exe (command line: C:\Windows\system32\Lkfeeo32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 5248
[120] C:\Windows\SysWOW64\Lfkich32.exe (command line: C:\Windows\system32\Lfkich32.exe)
    PID: 5300
[121] C:\Windows\SysWOW64\Ldqfddml.exe (command line: C:\Windows\system32\Ldqfddml.exe)
    PID: 5388
[122] C:\Windows\SysWOW64\Ldccid32.exe (command line: C:\Windows\system32\Ldccid32.exe)
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies registry class
    PID: 5452