Analysis

max time kernel: 143s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/10/2023, 17:45
Behavioral task behavioral1
  Sample: NEAS.d2d98ac02fe8148f4e1c7e2d3d8cf9c0_JC.exe
  Resource: win7-20231020-en

Behavioral task behavioral2
  Sample: NEAS.d2d98ac02fe8148f4e1c7e2d3d8cf9c0_JC.exe
  Resource: win10v2004-20231020-en
General

Target: NEAS.d2d98ac02fe8148f4e1c7e2d3d8cf9c0_JC.exe
Size: 109KB
MD5: d2d98ac02fe8148f4e1c7e2d3d8cf9c0
SHA1: aa73493acf2b17ab370d1dc6a780b94eac6afa1d
SHA256: 190c31206b5ff9122c348c81888f3bb6f2e57b45feb12f8897f439cc30dd5bae
SHA512: 67563fbb39d2e4c91f4d3f95beeac1ba8c85a5a19871155c6fcb95e582a0b59b3f5c84fb6901e94ada950fcdbcd78adf7d357b3e85ed6cc8d83783491d65fdee
SSDEEP: 3072:KYZYWE8E9iYenE8fo3PXl9Z7S/yCsKh2EzZA/z:zZYXfiYenEgo35e/yCthvUz
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
All 64 IoCs are writes to the 32-bit (WOW6432Node) view of the ShellServiceObjectDelayLoad key and take one of two forms; the processes performing each are listed below.

Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by (27 processes): Pmidog32.exe, Meamcg32.exe, Hkehkocf.exe, Eaindh32.exe, Jnpmjf32.exe, Iojkeh32.exe, Gbofcghl.exe, Nckkfp32.exe, Mbighjdd.exe, Holfoqcm.exe, Niooqcad.exe, Gmdjapgb.exe, Nefped32.exe, Hdokdg32.exe, Oogpjbbb.exe, Jhijqj32.exe, Giljfddl.exe, Kldmckic.exe, Aoioli32.exe, Eleepoob.exe, Dojqjdbl.exe, Qgcbgo32.exe, Pdfehh32.exe, Bnlhncgi.exe, Noehba32.exe, Pefabkej.exe, Oakbehfe.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
  by (37 processes): Mokfja32.exe, Gfdfgiid.exe, Bfpdin32.exe, Hoaojp32.exe, Monjjgkb.exe, Njiegl32.exe, Neffpj32.exe, Pocpfphe.exe, Jhnojl32.exe, Ddnfmqng.exe, Mhoahh32.exe, Pdfehh32.exe, Hehkajig.exe, Oifppdpd.exe, Hnddgjbj.exe, Mplafeil.exe, Mpclce32.exe, Nqmfdj32.exe, Nelfeo32.exe, Klpakj32.exe, Bjaqpbkh.exe, Nemmoe32.exe, Fmkgkapm.exe, Ljfhqh32.exe, Gnfhfl32.exe, Ehbnigjj.exe, Kimghn32.exe, Jngbjd32.exe, Mcpcdg32.exe, Cgifbhid.exe, Goljqnpd.exe, Niooqcad.exe, Eofgpikj.exe, Hifcgion.exe, Ojbacd32.exe, Kjpijpdg.exe, Komhll32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.

resource / yara_rule: every resource below matched the rule family_berbew. All memory hits cover the same image range, 0x0000000000400000-0x0000000000444000, in the respective process.
behavioral2/memory/4180-0-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x00090000000224ad-6.dat
behavioral2/files/0x00090000000224ad-8.dat
behavioral2/memory/1028-7-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/1976-15-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e2f-16.dat
behavioral2/files/0x0006000000022e2f-14.dat
behavioral2/memory/4220-23-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e31-22.dat
behavioral2/files/0x0006000000022e31-24.dat
behavioral2/files/0x0006000000022e33-30.dat
behavioral2/memory/2640-32-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e35-38.dat
behavioral2/files/0x0006000000022e33-31.dat
behavioral2/memory/1472-39-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e35-40.dat
behavioral2/files/0x0006000000022e37-46.dat
behavioral2/memory/4628-47-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e37-48.dat
behavioral2/files/0x0006000000022e39-49.dat
behavioral2/files/0x0006000000022e39-54.dat
behavioral2/memory/4188-55-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e39-56.dat
behavioral2/files/0x0006000000022e3b-62.dat
behavioral2/memory/4608-64-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e3b-63.dat
behavioral2/memory/3792-71-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e3e-72.dat
behavioral2/files/0x0006000000022e3e-70.dat
behavioral2/files/0x0008000000022e17-77.dat
behavioral2/memory/4180-79-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0008000000022e17-80.dat
behavioral2/memory/3048-81-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e41-82.dat
behavioral2/files/0x0006000000022e41-87.dat
behavioral2/memory/1116-90-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e41-89.dat
behavioral2/memory/1028-88-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e43-96.dat
behavioral2/files/0x0006000000022e43-98.dat
behavioral2/memory/1976-97-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/2752-99-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e46-105.dat
behavioral2/files/0x0006000000022e46-107.dat
behavioral2/memory/4220-106-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/672-112-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/2640-115-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e48-114.dat
behavioral2/files/0x0006000000022e48-116.dat
behavioral2/files/0x0006000000022e4a-123.dat
behavioral2/memory/1472-125-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e4a-124.dat
behavioral2/files/0x0006000000022e4c-133.dat
behavioral2/memory/4628-134-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e4c-132.dat
behavioral2/files/0x0006000000022e4e-140.dat
behavioral2/memory/1960-142-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/4188-148-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/4372-152-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e4e-141.dat
behavioral2/memory/1216-143-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/1808-130-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/memory/4428-122-0x0000000000400000-0x0000000000444000-memory.dmp
behavioral2/files/0x0006000000022e50-151.dat
Executes dropped EXE (64 IoCs)
pid   Process
1028  Ogifjcdp.exe
1976  Olfobjbg.exe
4220  Ogkcpbam.exe
2640  Opdghh32.exe
1472  Ognpebpj.exe
4628  Ocdqjceo.exe
4188  Oddmdf32.exe
4608  Ojaelm32.exe
3792  Pdfjifjo.exe
3048  Pdifoehl.exe
1116  Pdmpje32.exe
2752  Pmidog32.exe
672   Qceiaa32.exe
4428  Qmmnjfnl.exe
1808  Qgcbgo32.exe
1960  Ampkof32.exe
1216  Acjclpcf.exe
4372  Ambgef32.exe
2484  Agglboim.exe
2120  Afmhck32.exe
1264  Aeniabfd.exe
1612  Anfmjhmd.exe
2288  Bnhjohkb.exe
1108  Bjokdipf.exe
3216  Bffkij32.exe
4444  Bmpcfdmg.exe
4556  Bnpppgdj.exe
1280  Bclhhnca.exe
5032  Bmemac32.exe
1424  Cndikf32.exe
2808  Cnffqf32.exe
1708  Chokikeb.exe
1232  Ceckcp32.exe
2668  Cfdhkhjj.exe
1524  Cnkplejl.exe
1320  Cjbpaf32.exe
3732  Cegdnopg.exe
2852  Djdmffnn.exe
4980  Gdncmghi.exe
2832  Gnfhfl32.exe
2400  Gdppbfff.exe
4512  Gnhdkl32.exe
600   Ghniielm.exe
4292  Gohaeo32.exe
3148  Gfbibikg.exe
4524  Ggcfja32.exe
448   Gnmnfkia.exe
3820  Gfdfgiid.exe
4812  Goljqnpd.exe
3892  Hdicienl.exe
4440  Hkckeo32.exe
1744  Hbmcbime.exe
1628  Hdlpneli.exe
2644  Hkehkocf.exe
3952  Hnddgjbj.exe
824   Hdnldd32.exe
3264  Hhnbpb32.exe
760   Inkjhi32.exe
556   Igcoqocb.exe
3172  Inmgmijo.exe
2364  Iickkbje.exe
2656  Iomcgl32.exe
1120  Ibkpcg32.exe
216   Iiehpahb.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dgeaknci.dll | Amnlme32.exe
File created | C:\Windows\SysWOW64\Afmhck32.exe | Agglboim.exe
File opened for modification | C:\Windows\SysWOW64\Jnhpoamf.exe | Jkjcbe32.exe
File created | C:\Windows\SysWOW64\Nliaao32.exe | Nacmdf32.exe
File opened for modification | C:\Windows\SysWOW64\Ohnohn32.exe | Ooejohhq.exe
File created | C:\Windows\SysWOW64\Jhkbjd32.dll | Eofgpikj.exe
File created | C:\Windows\SysWOW64\Jepjhg32.exe | Jcanll32.exe
File opened for modification | C:\Windows\SysWOW64\Paeelgnj.exe | Pnfiplog.exe
File created | C:\Windows\SysWOW64\Pdhkcb32.exe | Paiogf32.exe
File created | C:\Windows\SysWOW64\Klkcdj32.exe | Kimghn32.exe
File opened for modification | C:\Windows\SysWOW64\Ogmijllo.exe | Oofaiokl.exe
File created | C:\Windows\SysWOW64\Gdgiklme.dll | Hkbmqb32.exe
File created | C:\Windows\SysWOW64\Jcphab32.exe | Ikdcmpnl.exe
File created | C:\Windows\SysWOW64\Fenhjedb.dll | Hlnjbedi.exe
File opened for modification | C:\Windows\SysWOW64\Hoobdp32.exe | Hlpfhe32.exe
File created | C:\Windows\SysWOW64\Cpbjkn32.exe | Coqncejg.exe
File created | C:\Windows\SysWOW64\Glfmgp32.exe | Geldkfpi.exe
File created | C:\Windows\SysWOW64\Gikkfqmf.exe | Gmdjapgb.exe
File created | C:\Windows\SysWOW64\Begfqa32.dll | Ebkbbmqj.exe
File created | C:\Windows\SysWOW64\Gfbibikg.exe | Gohaeo32.exe
File created | C:\Windows\SysWOW64\Igcoqocb.exe | Inkjhi32.exe
File created | C:\Windows\SysWOW64\Hkajlm32.dll | Aafemk32.exe
File opened for modification | C:\Windows\SysWOW64\Bebjdgmj.exe | Blielbfi.exe
File created | C:\Windows\SysWOW64\Phelcc32.exe | Ppjgoaoj.exe
File opened for modification | C:\Windows\SysWOW64\Jkjcbe32.exe | Jhlgfj32.exe
File opened for modification | C:\Windows\SysWOW64\Nqoloc32.exe | Nhhdnf32.exe
File opened for modification | C:\Windows\SysWOW64\Anclbkbp.exe | Albpkc32.exe
File created | C:\Windows\SysWOW64\Bciehh32.exe | Bjaqpbkh.exe
File opened for modification | C:\Windows\SysWOW64\Njiegl32.exe | Nemmoe32.exe
File created | C:\Windows\SysWOW64\Dqboip32.dll | Bbiado32.exe
File created | C:\Windows\SysWOW64\Gedapeof.dll | Kkpbin32.exe
File opened for modification | C:\Windows\SysWOW64\Mebcop32.exe | Mmkkmc32.exe
File opened for modification | C:\Windows\SysWOW64\Ojbacd32.exe | Neclenfo.exe
File opened for modification | C:\Windows\SysWOW64\Pdmpje32.exe | Pdifoehl.exe
File opened for modification | C:\Windows\SysWOW64\Idieem32.exe | Iakiia32.exe
File opened for modification | C:\Windows\SysWOW64\Jjafok32.exe | Jcgnbaeo.exe
File opened for modification | C:\Windows\SysWOW64\Aamknj32.exe | Akccap32.exe
File created | C:\Windows\SysWOW64\Hedafk32.exe | Gojiiafp.exe
File created | C:\Windows\SysWOW64\Aijqqd32.dll | Hoobdp32.exe
File opened for modification | C:\Windows\SysWOW64\Meamcg32.exe | Mngegmbc.exe
File created | C:\Windows\SysWOW64\Lejomj32.dll | Glengm32.exe
File opened for modification | C:\Windows\SysWOW64\Lqbncb32.exe | Ljhefhha.exe
File opened for modification | C:\Windows\SysWOW64\Oeokal32.exe | Odoogi32.exe
File opened for modification | C:\Windows\SysWOW64\Bakgoh32.exe | Bkaobnio.exe
File created | C:\Windows\SysWOW64\Mjfmcmai.dll | Cnkkjh32.exe
File created | C:\Windows\SysWOW64\Mnmmboed.exe | Mgbefe32.exe
File opened for modification | C:\Windows\SysWOW64\Fgmdec32.exe | Fdnhih32.exe
File created | C:\Windows\SysWOW64\Fckjejfe.dll | Gpmomo32.exe
File created | C:\Windows\SysWOW64\Pbpebh32.dll | Llbidimc.exe
File opened for modification | C:\Windows\SysWOW64\Ohlimd32.exe | Ohjlgefb.exe
File created | C:\Windows\SysWOW64\Phahglpk.dll | Bbgeno32.exe
File created | C:\Windows\SysWOW64\Hmbfbn32.exe | Hginecde.exe
File created | C:\Windows\SysWOW64\Eekgliip.dll | Ckjknfnh.exe
File opened for modification | C:\Windows\SysWOW64\Ojnfihmo.exe | Obgohklm.exe
File opened for modification | C:\Windows\SysWOW64\Gnhdkl32.exe | Gdppbfff.exe
File opened for modification | C:\Windows\SysWOW64\Bkdcbd32.exe | Bfgjjm32.exe
File created | C:\Windows\SysWOW64\Kcbnnpka.exe | Kmieae32.exe
File created | C:\Windows\SysWOW64\Meiioonj.exe | Mnpabe32.exe
File opened for modification | C:\Windows\SysWOW64\Hlnjbedi.exe | Hedafk32.exe
File created | C:\Windows\SysWOW64\Mdgmickl.dll | Poliea32.exe
File opened for modification | C:\Windows\SysWOW64\Mjcngpjh.exe | Mgeakekd.exe
File created | C:\Windows\SysWOW64\Gbhhlfgd.dll | Bnlhncgi.exe
File created | C:\Windows\SysWOW64\Fmbdpnaj.dll | Gghdaa32.exe
File created | C:\Windows\SysWOW64\Mlkfgena.dll | Keonap32.exe
Program crash (1 IoC)
pid: 12444, pid_target: 12384, Process: WerFault.exe, procid_target: 900
Modifies registry class (64 IoCs)
All 64 IoCs are under the 32-bit (WOW6432Node) CLSID registration for {79FAA099-1BAE-816E-D711-115290CEE717}, the same CLSID the ShellServiceObjectDelayLoad value above points at. They take three forms; the processes performing each are listed below.

Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
  by (22 processes): Mockmala.exe, Nggnadib.exe, Kbpbed32.exe, Niooqcad.exe, Cmflbf32.exe, Iialhaad.exe, Qmhlgmmm.exe, Fpgpgfmh.exe, Cnffqf32.exe, Gpelhd32.exe, Gghdaa32.exe, Ngomin32.exe, Qacameaj.exe, Oddmdf32.exe, Noehba32.exe, Ghniielm.exe, Efmmmn32.exe, Kgkfnh32.exe, Pocfpf32.exe, Fbdehlip.exe, Hiacacpg.exe, Oejbfmpg.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
  by (26 processes): Gohaeo32.exe, Mfenglqf.exe, Ccchof32.exe, Nlihle32.exe, Fcniglmb.exe, Nbphglbe.exe, Hbmcbime.exe, Akccap32.exe, Gfodeohd.exe, Hifcgion.exe, Gifkpknp.exe, Glfmgp32.exe, Palbgl32.exe, Cdpjlb32.exe, Mcdeeq32.exe, Bdgged32.exe, Dokgdkeh.exe, Jidinqpb.exe, Omfekbdh.exe, Gpelhd32.exe, Elnoopdj.exe, Fnlmhc32.exe, Geoapenf.exe, Klndfj32.exe, Iqipio32.exe, Nfihbk32.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = path of the dropped DLL (16 processes, each pointing the CLSID at its own DLL)
  Hkehkocf.exe -> "C:\\Windows\\SysWow64\\Koijai32.dll"
  Fdqfll32.exe -> "C:\\Windows\\SysWow64\\Qekpedip.dll"
  Eecphp32.exe -> "C:\\Windows\\SysWow64\\Ilmifh32.dll"
  Ebdcld32.exe -> "C:\\Windows\\SysWow64\\Lmgnid32.dll"
  Eicedn32.exe -> "C:\\Windows\\SysWow64\\Pjpbba32.dll"
  Egaejeej.exe -> "C:\\Windows\\SysWow64\\Ekellcop.dll"
  Cfcqpa32.exe -> "C:\\Windows\\SysWow64\\Aplpihjd.dll"
  Mfnoqc32.exe -> "C:\\Windows\\SysWow64\\Ifolcq32.dll"
  Ebaplnie.exe -> "C:\\Windows\\SysWow64\\Jhkilook.dll"
  Fpjjac32.exe -> "C:\\Windows\\SysWow64\\Jaddoaap.dll"
  Bcinna32.exe -> "C:\\Windows\\SysWow64\\Bcpcam32.dll"
  Eleepoob.exe -> "C:\\Windows\\SysWow64\\Gdmjaa32.dll"
  Ipeeobbe.exe -> "C:\\Windows\\SysWow64\\Oaabap32.dll"
  Qmhlgmmm.exe -> "C:\\Windows\\SysWow64\\Jpmcbhlp.dll"
  Gpmomo32.exe -> "C:\\Windows\\SysWow64\\Fckjejfe.dll"
  Pcegclgp.exe -> "C:\\Windows\\SysWow64\\Hlhmjl32.dll"
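The three registry and file signatures above (Adds autorun key, Drops file in System32 directory, Modifies registry class) describe a single persistence chain: a value under ShellServiceObjectDelayLoad names a CLSID, that CLSID's InProcServer32 default value names a DLL dropped into SysWOW64, and explorer.exe instantiates the CLSID at logon. The PowerShell script below is an added triage check written for this page; it is not part of the sandbox report or of the sample. It walks that chain on a live host in both registry views and flags entries that match this report's CLSID, are absent from a baseline, or resolve to an unsigned or recently created DLL. The baseline CLSID (Windows' own WebCheck entry) and the 30-day threshold are my assumptions; confirm the baseline against a clean image of your own build before trusting "not in baseline" as a verdict.

```powershell
# Added triage script (not from the report or the sample). Mirrors the lookup
# explorer.exe performs at logon: SSODL value -> CLSID -> InProcServer32 -> DLL.
# Assumptions (mine): 64-bit Windows, PowerShell 5.1+, read-only access to HKLM.

$KnownBad = @('{79FAA099-1BAE-816E-D711-115290CEE717}')  # CLSID written by this sample (from the report)
$Baseline = @('{E6FB5E20-DE35-11CF-9C87-00AA005127ED}')  # WebCheck; assumed baseline, verify on a clean host

# Both registry views: 32-bit writers (like this 109 KB sample) land under WOW6432Node.
$SsodlKeys = @(
    @{ Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Classes = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Path    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
       Classes = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-SsodlEntry {
    foreach ($k in $SsodlKeys) {
        if (-not (Test-Path $k.Path)) { continue }
        $key = Get-Item -Path $k.Path
        foreach ($name in $key.GetValueNames()) {
            $clsid  = [string]$key.GetValue($name)
            $server = Join-Path $k.Classes "$clsid\InProcServer32"
            $dll = $null; $model = $null
            if (Test-Path $server) {
                $p     = Get-ItemProperty -Path $server
                # The unnamed default value is what COM loads; it is exposed as '(default)'.
                $dll   = [Environment]::ExpandEnvironmentVariables([string]$p.'(default)')
                $model = $p.ThreadingModel
            }

            $flags = New-Object System.Collections.Generic.List[string]
            if ($KnownBad -contains $clsid)    { $flags.Add('CLSID matches this report') }
            if ($Baseline -notcontains $clsid) { $flags.Add('not in baseline') }
            if (-not $dll)                     { $flags.Add('no InProcServer32 default value') }
            elseif (-not (Test-Path $dll))     { $flags.Add('DLL missing on disk') }
            else {
                # Windows shell service objects are Microsoft-signed; a dropped DLL is not.
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') { $flags.Add("signature: $($sig.Status)") }
                $age = (Get-Date) - (Get-Item $dll).CreationTime
                if ($age.TotalDays -lt 30) { $flags.Add("DLL created $([int]$age.TotalDays) days ago") }
            }

            [pscustomobject]@{
                View      = if ($k.Path -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
                ValueName = $name
                CLSID     = $clsid
                DLL       = $dll
                Threading = $model
                Flags     = ($flags -join '; ')
            }
        }
    }
}

Get-SsodlEntry | Format-Table -AutoSize -Wrap
```

Run it in any PowerShell session that can read HKLM. A row with the value name "Web Event Logger", the CLSID from this report, and an unsigned DLL under SysWOW64 created in the last few days is exactly the state this sample leaves behind. Because the sample is a 32-bit process, every write in this report landed in the WOW6432Node view; a 64-bit explorer.exe reads the native view, so list both and treat an entry that exists in only one view as an indicator, not as harmless.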
Suspicious use of WriteProcessMemory (64 IoCs)
Each dropped executable spawns the next one in a chain; the report logs three WriteProcessMemory events per parent/child pair. The 64 IoCs cover the first 22 links (the last link is cut off at the IoC limit, so only one of its events appears).

PID   Process                                       wrote to memory of   procid_target   events
4180  NEAS.d2d98ac02fe8148f4e1c7e2d3d8cf9c0_JC.exe  1028                 86              3
1028  Ogifjcdp.exe                                  1976                 87              3
1976  Olfobjbg.exe                                  4220                 88              3
4220  Ogkcpbam.exe                                  2640                 89              3
2640  Opdghh32.exe                                  1472                 90              3
1472  Ognpebpj.exe                                  4628                 92              3
4628  Ocdqjceo.exe                                  4188                 93              3
4188  Oddmdf32.exe                                  4608                 94              3
4608  Ojaelm32.exe                                  3792                 95              3
3792  Pdfjifjo.exe                                  3048                 96              3
3048  Pdifoehl.exe                                  1116                 97              3
1116  Pdmpje32.exe                                  2752                 99              3
2752  Pmidog32.exe                                  672                  100             3
672   Qceiaa32.exe                                  4428                 101             3
4428  Qmmnjfnl.exe                                  1808                 102             3
1808  Qgcbgo32.exe                                  1960                 105             3
1960  Ampkof32.exe                                  1216                 103             3
1216  Acjclpcf.exe                                  4372                 104             3
4372  Ambgef32.exe                                  2484                 106             3
2484  Agglboim.exe                                  2120                 107             3
2120  Afmhck32.exe                                  1264                 108             3
1264  Aeniabfd.exe                                  1612                 109             1
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\NEAS.d2d98ac02fe8148f4e1c7e2d3d8cf9c0_JC.exe (command line "C:\Users\Admin\AppData\Local\Temp\NEAS.d2d98ac02fe8148f4e1c7e2d3d8cf9c0_JC.exe"), PID 4180
- Suspicious use of WriteProcessMemory
depth 2: C:\Windows\SysWOW64\Ogifjcdp.exe (command line C:\Windows\system32\Ogifjcdp.exe), PID 1028
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\Olfobjbg.exe (command line C:\Windows\system32\Olfobjbg.exe), PID 1976
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 4: C:\Windows\SysWOW64\Ogkcpbam.exe (command line C:\Windows\system32\Ogkcpbam.exe), PID 4220
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\Opdghh32.exe (command line C:\Windows\system32\Opdghh32.exe), PID 2640
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 6: C:\Windows\SysWOW64\Ognpebpj.exe (command line C:\Windows\system32\Ognpebpj.exe), PID 1472
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 7: C:\Windows\SysWOW64\Ocdqjceo.exe (command line C:\Windows\system32\Ocdqjceo.exe), PID 4628
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 8: C:\Windows\SysWOW64\Oddmdf32.exe (command line C:\Windows\system32\Oddmdf32.exe), PID 4188
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
depth 9: C:\Windows\SysWOW64\Ojaelm32.exe (command line C:\Windows\system32\Ojaelm32.exe), PID 4608
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 10: C:\Windows\SysWOW64\Pdfjifjo.exe (command line C:\Windows\system32\Pdfjifjo.exe), PID 3792
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 11: C:\Windows\SysWOW64\Pdifoehl.exe (command line C:\Windows\system32\Pdifoehl.exe), PID 3048
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 12: C:\Windows\SysWOW64\Pdmpje32.exe (command line C:\Windows\system32\Pdmpje32.exe), PID 1116
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 13: C:\Windows\SysWOW64\Pmidog32.exe (command line C:\Windows\system32\Pmidog32.exe), PID 2752
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 14: C:\Windows\SysWOW64\Qceiaa32.exe (command line C:\Windows\system32\Qceiaa32.exe), PID 672
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 15: C:\Windows\SysWOW64\Qmmnjfnl.exe (command line C:\Windows\system32\Qmmnjfnl.exe), PID 4428
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 16: C:\Windows\SysWOW64\Qgcbgo32.exe (command line C:\Windows\system32\Qgcbgo32.exe), PID 1808
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 17: C:\Windows\SysWOW64\Ampkof32.exe (command line C:\Windows\system32\Ampkof32.exe), PID 1960
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

depth 1: C:\Windows\SysWOW64\Acjclpcf.exe (command line C:\Windows\system32\Acjclpcf.exe), PID 1216
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 2: C:\Windows\SysWOW64\Ambgef32.exe (command line C:\Windows\system32\Ambgef32.exe), PID 4372
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\Agglboim.exe (command line C:\Windows\system32\Agglboim.exe), PID 2484
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
depth 4: C:\Windows\SysWOW64\Afmhck32.exe (command line C:\Windows\system32\Afmhck32.exe), PID 2120
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\Aeniabfd.exe (command line C:\Windows\system32\Aeniabfd.exe), PID 1264
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
depth 6: C:\Windows\SysWOW64\Anfmjhmd.exe (command line C:\Windows\system32\Anfmjhmd.exe), PID 1612
- Executes dropped EXE
depth 7: C:\Windows\SysWOW64\Bnhjohkb.exe (command line C:\Windows\system32\Bnhjohkb.exe), PID 2288
- Executes dropped EXE
depth 8: C:\Windows\SysWOW64\Bjokdipf.exe (command line C:\Windows\system32\Bjokdipf.exe), PID 1108
- Executes dropped EXE
depth 9: C:\Windows\SysWOW64\Bffkij32.exe (command line C:\Windows\system32\Bffkij32.exe), PID 3216
- Executes dropped EXE
depth 10: C:\Windows\SysWOW64\Bmpcfdmg.exe (command line C:\Windows\system32\Bmpcfdmg.exe), PID 4444
- Executes dropped EXE
depth 11: C:\Windows\SysWOW64\Bnpppgdj.exe (command line C:\Windows\system32\Bnpppgdj.exe), PID 4556
- Executes dropped EXE
depth 12: C:\Windows\SysWOW64\Bclhhnca.exe (command line C:\Windows\system32\Bclhhnca.exe), PID 1280
- Executes dropped EXE
depth 13: C:\Windows\SysWOW64\Bmemac32.exe (command line C:\Windows\system32\Bmemac32.exe), PID 5032
- Executes dropped EXE
depth 14: C:\Windows\SysWOW64\Cndikf32.exe (command line C:\Windows\system32\Cndikf32.exe), PID 1424
- Executes dropped EXE
depth 15: C:\Windows\SysWOW64\Cnffqf32.exe (command line C:\Windows\system32\Cnffqf32.exe), PID 2808
- Executes dropped EXE
- Modifies registry class
depth 16: C:\Windows\SysWOW64\Chokikeb.exe (command line C:\Windows\system32\Chokikeb.exe), PID 1708
- Executes dropped EXE
depth 17: C:\Windows\SysWOW64\Ceckcp32.exe (command line C:\Windows\system32\Ceckcp32.exe), PID 1232
- Executes dropped EXE
depth 18: C:\Windows\SysWOW64\Cfdhkhjj.exe (command line C:\Windows\system32\Cfdhkhjj.exe), PID 2668
- Executes dropped EXE
depth 19: C:\Windows\SysWOW64\Cnkplejl.exe (command line C:\Windows\system32\Cnkplejl.exe), PID 1524
- Executes dropped EXE
depth 20: C:\Windows\SysWOW64\Cjbpaf32.exe (command line C:\Windows\system32\Cjbpaf32.exe), PID 1320
- Executes dropped EXE
depth 21: C:\Windows\SysWOW64\Cegdnopg.exe (command line C:\Windows\system32\Cegdnopg.exe), PID 3732
- Executes dropped EXE
depth 22: C:\Windows\SysWOW64\Djdmffnn.exe (command line C:\Windows\system32\Djdmffnn.exe), PID 2852
- Executes dropped EXE
depth 23: C:\Windows\SysWOW64\Gdncmghi.exe (command line C:\Windows\system32\Gdncmghi.exe), PID 4980
- Executes dropped EXE
depth 24: C:\Windows\SysWOW64\Gnfhfl32.exe (command line C:\Windows\system32\Gnfhfl32.exe), PID 2832
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 25: C:\Windows\SysWOW64\Gdppbfff.exe (command line C:\Windows\system32\Gdppbfff.exe), PID 2400
- Executes dropped EXE
- Drops file in System32 directory
depth 26: C:\Windows\SysWOW64\Gnhdkl32.exe (command line C:\Windows\system32\Gnhdkl32.exe), PID 4512
- Executes dropped EXE
depth 27: C:\Windows\SysWOW64\Ghniielm.exe (command line C:\Windows\system32\Ghniielm.exe), PID 600
- Executes dropped EXE
- Modifies registry class
depth 28: C:\Windows\SysWOW64\Gohaeo32.exe (command line C:\Windows\system32\Gohaeo32.exe), PID 4292
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
depth 29: C:\Windows\SysWOW64\Gfbibikg.exe (command line C:\Windows\system32\Gfbibikg.exe), PID 3148
- Executes dropped EXE
depth 30: C:\Windows\SysWOW64\Ggcfja32.exe (command line C:\Windows\system32\Ggcfja32.exe), PID 4524
- Executes dropped EXE
depth 31: C:\Windows\SysWOW64\Gnmnfkia.exe (command line C:\Windows\system32\Gnmnfkia.exe), PID 448
- Executes dropped EXE
depth 32: C:\Windows\SysWOW64\Gfdfgiid.exe (command line C:\Windows\system32\Gfdfgiid.exe), PID 3820
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 33: C:\Windows\SysWOW64\Goljqnpd.exe (command line C:\Windows\system32\Goljqnpd.exe), PID 4812
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 34: C:\Windows\SysWOW64\Hdicienl.exe (command line C:\Windows\system32\Hdicienl.exe), PID 3892
- Executes dropped EXE
depth 35: C:\Windows\SysWOW64\Hkckeo32.exe (command line C:\Windows\system32\Hkckeo32.exe), PID 4440
- Executes dropped EXE
depth 36: C:\Windows\SysWOW64\Hbmcbime.exe (command line C:\Windows\system32\Hbmcbime.exe), PID 1744
- Executes dropped EXE
- Modifies registry class
depth 37: C:\Windows\SysWOW64\Hdlpneli.exe (command line C:\Windows\system32\Hdlpneli.exe), PID 1628
- Executes dropped EXE
depth 38: C:\Windows\SysWOW64\Hkehkocf.exe (command line C:\Windows\system32\Hkehkocf.exe), PID 2644
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
depth 39: C:\Windows\SysWOW64\Hnddgjbj.exe (command line C:\Windows\system32\Hnddgjbj.exe), PID 3952
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
depth 40: C:\Windows\SysWOW64\Hdnldd32.exe (command line C:\Windows\system32\Hdnldd32.exe), PID 824
- Executes dropped EXE
depth 41: C:\Windows\SysWOW64\Hhnbpb32.exe (command line C:\Windows\system32\Hhnbpb32.exe), PID 3264
- Executes dropped EXE
depth 42: C:\Windows\SysWOW64\Inkjhi32.exe (command line C:\Windows\system32\Inkjhi32.exe), PID 760
- Executes dropped EXE
- Drops file in System32 directory
depth 43: C:\Windows\SysWOW64\Igcoqocb.exe (command line C:\Windows\system32\Igcoqocb.exe), PID 556
- Executes dropped EXE
depth 44: C:\Windows\SysWOW64\Inmgmijo.exe (command line C:\Windows\system32\Inmgmijo.exe), PID 3172
- Executes dropped EXE
depth 45: C:\Windows\SysWOW64\Iickkbje.exe (command line C:\Windows\system32\Iickkbje.exe), PID 2364
- Executes dropped EXE
depth 46: C:\Windows\SysWOW64\Iomcgl32.exe (command line C:\Windows\system32\Iomcgl32.exe), PID 2656
- Executes dropped EXE
depth 47: C:\Windows\SysWOW64\Ibkpcg32.exe (command line C:\Windows\system32\Ibkpcg32.exe), PID 1120
- Executes dropped EXE
depth 48: C:\Windows\SysWOW64\Iiehpahb.exe (command line C:\Windows\system32\Iiehpahb.exe), PID 216
- Executes dropped EXE
depth 49: C:\Windows\SysWOW64\Inbqhhfj.exe (command line C:\Windows\system32\Inbqhhfj.exe), PID 3996
depth 50: C:\Windows\SysWOW64\Ieliebnf.exe (command line C:\Windows\system32\Ieliebnf.exe), PID 4396
depth 51: C:\Windows\SysWOW64\Ikfabm32.exe (command line C:\Windows\system32\Ikfabm32.exe), PID 3808
depth 52: C:\Windows\SysWOW64\Indmnh32.exe (command line C:\Windows\system32\Indmnh32.exe), PID 1984
depth 53: C:\Windows\SysWOW64\Iijaka32.exe (command line C:\Windows\system32\Iijaka32.exe), PID 1680
depth 54: C:\Windows\SysWOW64\Jodjhkkj.exe (command line C:\Windows\system32\Jodjhkkj.exe), PID 2432
depth 55: C:\Windows\SysWOW64\Jfnbdecg.exe (command line C:\Windows\system32\Jfnbdecg.exe), PID 4124
depth 56: C:\Windows\SysWOW64\Jgonlm32.exe (command line C:\Windows\system32\Jgonlm32.exe), PID 2532
depth 57: C:\Windows\SysWOW64\Jnifigpa.exe (command line C:\Windows\system32\Jnifigpa.exe), PID 4604
depth 58: C:\Windows\SysWOW64\Jecofa32.exe (command line C:\Windows\system32\Jecofa32.exe), PID 4012
depth 59: C:\Windows\SysWOW64\Joiccj32.exe (command line C:\Windows\system32\Joiccj32.exe), PID 1188
depth 60: C:\Windows\SysWOW64\Jeekkafl.exe (command line C:\Windows\system32\Jeekkafl.exe), PID 1652
depth 61: C:\Windows\SysWOW64\Jkodhk32.exe (command line C:\Windows\system32\Jkodhk32.exe), PID 4400
depth 62: C:\Windows\SysWOW64\Jkaqnk32.exe (command line C:\Windows\system32\Jkaqnk32.exe), PID 3740
depth 63: C:\Windows\SysWOW64\Jnpmjf32.exe (command line C:\Windows\system32\Jnpmjf32.exe), PID 1176
- Adds autorun key to be loaded by Explorer.exe on startup
depth 64: C:\Windows\SysWOW64\Jejefqaf.exe (command line C:\Windows\system32\Jejefqaf.exe), PID 5128
depth 65: C:\Windows\SysWOW64\Kldmckic.exe (command line C:\Windows\system32\Kldmckic.exe), PID 5172
- Adds autorun key to be loaded by Explorer.exe on startup
depth 66: C:\Windows\SysWOW64\Kbnepe32.exe (command line C:\Windows\system32\Kbnepe32.exe), PID 5216
depth 67: C:\Windows\SysWOW64\Kihnmohm.exe (command line C:\Windows\system32\Kihnmohm.exe), PID 5260
depth 68: C:\Windows\SysWOW64\Kpbfii32.exe (command line C:\Windows\system32\Kpbfii32.exe), PID 5304
depth 69: C:\Windows\SysWOW64\Kbpbed32.exe (command line C:\Windows\system32\Kbpbed32.exe), PID 5348
- Modifies registry class
depth 70: C:\Windows\SysWOW64\Keonap32.exe (command line C:\Windows\system32\Keonap32.exe), PID 5392
- Drops file in System32 directory
depth 71: C:\Windows\SysWOW64\Klifnj32.exe (command line C:\Windows\system32\Klifnj32.exe), PID 5436
depth 72: C:\Windows\SysWOW64\Kbbokdlk.exe (command line C:\Windows\system32\Kbbokdlk.exe), PID 5480
depth 73: C:\Windows\SysWOW64\Kimghn32.exe (command line C:\Windows\system32\Kimghn32.exe), PID 5524
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
depth 74: C:\Windows\SysWOW64\Klkcdj32.exe (command line C:\Windows\system32\Klkcdj32.exe), PID 5568
depth 75: C:\Windows\SysWOW64\Kiodmn32.exe (command line C:\Windows\system32\Kiodmn32.exe), PID 5612
depth 76: C:\Windows\SysWOW64\Kpiljh32.exe (command line C:\Windows\system32\Kpiljh32.exe), PID 5656
depth 77: C:\Windows\SysWOW64\Kiaqcnpb.exe (command line C:\Windows\system32\Kiaqcnpb.exe), PID 5700
depth 78: C:\Windows\SysWOW64\Lnnikdnj.exe (command line C:\Windows\system32\Lnnikdnj.exe), PID 5744
depth 79: C:\Windows\SysWOW64\Lehaho32.exe (command line C:\Windows\system32\Lehaho32.exe), PID 5788
depth 80: C:\Windows\SysWOW64\Llbidimc.exe (command line C:\Windows\system32\Llbidimc.exe), PID 5840
- Drops file in System32 directory
depth 81: C:\Windows\SysWOW64\Lfhnaa32.exe (command line C:\Windows\system32\Lfhnaa32.exe), PID 5880
depth 82: C:\Windows\SysWOW64\Lldfjh32.exe (command line C:\Windows\system32\Lldfjh32.exe), PID 5924
depth 83: C:\Windows\SysWOW64\Locbfd32.exe (command line C:\Windows\system32\Locbfd32.exe), PID 5964
depth 84: C:\Windows\SysWOW64\Lemkcnaa.exe (command line C:\Windows\system32\Lemkcnaa.exe), PID 6008
depth 85: C:\Windows\SysWOW64\Lhkgoiqe.exe (command line C:\Windows\system32\Lhkgoiqe.exe), PID 6052
depth 86: C:\Windows\SysWOW64\Loeolc32.exe (command line C:\Windows\system32\Loeolc32.exe), PID 6096
depth 87: C:\Windows\SysWOW64\Lflgmqhd.exe (command line C:\Windows\system32\Lflgmqhd.exe), PID 6140
depth 88: C:\Windows\SysWOW64\Loglacfo.exe (command line C:\Windows\system32\Loglacfo.exe), PID 5148
depth 89: C:\Windows\SysWOW64\Mimpolee.exe (command line C:\Windows\system32\Mimpolee.exe), PID 5232
depth 90: C:\Windows\SysWOW64\Mpghkf32.exe (command line C:\Windows\system32\Mpghkf32.exe), PID 5296
depth 91: C:\Windows\SysWOW64\Mbedga32.exe (command line C:\Windows\system32\Mbedga32.exe), PID 5376
depth 92: C:\Windows\SysWOW64\Mlnipg32.exe (command line C:\Windows\system32\Mlnipg32.exe), PID 5448
depth 93: C:\Windows\SysWOW64\Mfcmmp32.exe (command line C:\Windows\system32\Mfcmmp32.exe), PID 5504
depth 94: C:\Windows\SysWOW64\Mhdjehhj.exe (command line C:\Windows\system32\Mhdjehhj.exe), PID 5580
depth 95: C:\Windows\SysWOW64\Mplafeil.exe (command line C:\Windows\system32\Mplafeil.exe), PID 5644
- Adds autorun key to be loaded by Explorer.exe on startup
depth 96: C:\Windows\SysWOW64\Midfokpm.exe (command line C:\Windows\system32\Midfokpm.exe), PID 5724
depth 97: C:\Windows\SysWOW64\Moaogand.exe (command line C:\Windows\system32\Moaogand.exe), PID 5772
depth 98: C:\Windows\SysWOW64\Mekgdl32.exe (command line C:\Windows\system32\Mekgdl32.exe), PID 5852
depth 99: C:\Windows\SysWOW64\Mockmala.exe (command line C:\Windows\system32\Mockmala.exe), PID 3764
- Modifies registry class
depth 100: C:\Windows\SysWOW64\Nhlpfgbb.exe (command line C:\Windows\system32\Nhlpfgbb.exe), PID 5872
depth 101: C:\Windows\SysWOW64\Noehba32.exe (command line C:\Windows\system32\Noehba32.exe), PID 5948
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
depth 102: C:\Windows\SysWOW64\Nlihle32.exe (command line C:\Windows\system32\Nlihle32.exe), PID 6020
- Modifies registry class
depth 103: C:\Windows\SysWOW64\Ngomin32.exe (command line C:\Windows\system32\Ngomin32.exe), PID 6084
- Modifies registry class
depth 104: C:\Windows\SysWOW64\Nhpiafnm.exe (command line C:\Windows\system32\Nhpiafnm.exe), PID 688
depth 105: C:\Windows\SysWOW64\Npgabc32.exe (command line C:\Windows\system32\Npgabc32.exe), PID 5200
depth 106: C:\Windows\SysWOW64\Nedjjj32.exe (command line C:\Windows\system32\Nedjjj32.exe), PID 5316
depth 107: C:\Windows\SysWOW64\Nomncpcg.exe (command line C:\Windows\system32\Nomncpcg.exe), PID 5444
depth 108: C:\Windows\SysWOW64\Neffpj32.exe (command line C:\Windows\system32\Neffpj32.exe), PID 5552
- Adds autorun key to be loaded by Explorer.exe on startup
depth 109: C:\Windows\SysWOW64\Nlqomd32.exe (command line C:\Windows\system32\Nlqomd32.exe), PID 5672
depth 110: C:\Windows\SysWOW64\Olckbd32.exe (command line C:\Windows\system32\Olckbd32.exe), PID 5784
depth 111: C:\Windows\SysWOW64\Ohjlgefb.exe (command line C:\Windows\system32\Ohjlgefb.exe), PID 4052
- Drops file in System32 directory
depth 112: C:\Windows\SysWOW64\Ohlimd32.exe (command line C:\Windows\system32\Ohlimd32.exe), PID 5864
depth 113: C:\Windows\SysWOW64\Oofaiokl.exe (command line C:\Windows\system32\Oofaiokl.exe), PID 6016
- Drops file in System32 directory
depth 114: C:\Windows\SysWOW64\Ogmijllo.exe (command line C:\Windows\system32\Ogmijllo.exe), PID 6104
depth 115: C:\Windows\SysWOW64\Oileggkb.exe (command line C:\Windows\system32\Oileggkb.exe), PID 5204
depth 116: C:\Windows\SysWOW64\Opemca32.exe (command line C:\Windows\system32\Opemca32.exe), PID 5384
depth 117: C:\Windows\SysWOW64\Ocdjpmac.exe (command line C:\Windows\system32\Ocdjpmac.exe), PID 5536
depth 118: C:\Windows\SysWOW64\Ohqbhdpj.exe (command line C:\Windows\system32\Ohqbhdpj.exe), PID 5756
depth 119: C:\Windows\SysWOW64\Ookjdn32.exe (command line C:\Windows\system32\Ookjdn32.exe), PID 3084
depth 120: C:\Windows\SysWOW64\Pgbbek32.exe (command line C:\Windows\system32\Pgbbek32.exe), PID 524
depth 121: C:\Windows\SysWOW64\Pjpobg32.exe (command line C:\Windows\system32\Pjpobg32.exe), PID 6060
depth 122: C:\Windows\SysWOW64\Ppjgoaoj.exe (command line C:\Windows\system32\Ppjgoaoj.exe), PID 5280
- Drops file in System32 directory