Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
31/10/2023, 08:40
Behavioral task
behavioral1
Sample
NEAS.e705bcc8da40c4d254451bc740e69958.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.e705bcc8da40c4d254451bc740e69958.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.e705bcc8da40c4d254451bc740e69958.exe
-
Size
229KB
-
MD5
e705bcc8da40c4d254451bc740e69958
-
SHA1
e857a5660eb04600e3acacb8f7782cbfbd7fdc23
-
SHA256
c8ea247f2e0d011f90ec54eaca967b6f02c19749d6d48a955659468b86379433
-
SHA512
1888754521b99f5d40fa164420e1ba14c6026418442f45b97637fcf45e53cdad217b37801d3700c257d3ba9cadc5e254f082e6bdd87f54c5076604c29e5b4630
-
SSDEEP
6144:4LosO4Fssssssssssssssssssssssssssssssssfss4XsvsssssscsNsFIPCsssP:2mJH7AIfFfvav
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkghjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckajqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjdpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhdaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Habili32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfadcemm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmbenc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eamdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijenpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mngjeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmbjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epgoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kofcbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdchneko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnkhfnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klamohhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndiomdde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfgcieii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmpdgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Einlmkhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oolelj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbapgknp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjhaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpagbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fejfmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiecgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnmme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodlfmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pelpgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhmcelc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heliepmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhahanie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbncof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfeibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gocnjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okolfkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aocgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hegpjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heliepmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnecigcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alhaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iceiibef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqjfgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichmgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbbccgmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hijhhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joblkegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koelibnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imjmhkpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pamnnemo.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000a00000001228c-5.dat family_berbew behavioral1/files/0x000a00000001228c-8.dat family_berbew behavioral1/files/0x000a00000001228c-11.dat family_berbew behavioral1/files/0x000a00000001228c-14.dat family_berbew behavioral1/files/0x00310000000186c9-19.dat family_berbew behavioral1/files/0x00310000000186c9-25.dat family_berbew behavioral1/files/0x00310000000186c9-22.dat family_berbew behavioral1/files/0x00310000000186c9-21.dat family_berbew behavioral1/files/0x000a00000001228c-12.dat family_berbew behavioral1/files/0x00310000000186c9-28.dat family_berbew behavioral1/files/0x0007000000018b63-47.dat family_berbew behavioral1/files/0x0007000000018b63-50.dat family_berbew behavioral1/files/0x0007000000018b63-54.dat family_berbew behavioral1/files/0x0007000000018b73-62.dat family_berbew behavioral1/files/0x0007000000018b73-55.dat family_berbew behavioral1/files/0x0007000000018b73-68.dat family_berbew behavioral1/files/0x0007000000018b73-66.dat family_berbew behavioral1/files/0x000500000001935e-74.dat family_berbew behavioral1/files/0x000500000001935e-77.dat family_berbew behavioral1/files/0x000500000001935e-82.dat family_berbew behavioral1/files/0x000500000001938f-93.dat family_berbew behavioral1/memory/2428-98-0x0000000000450000-0x0000000000492000-memory.dmp family_berbew behavioral1/files/0x000500000001938f-94.dat family_berbew behavioral1/files/0x000500000001938f-83.dat family_berbew behavioral1/files/0x000500000001938f-89.dat family_berbew behavioral1/files/0x000500000001938f-87.dat family_berbew behavioral1/files/0x0005000000019447-101.dat family_berbew behavioral1/files/0x0005000000019447-104.dat family_berbew behavioral1/files/0x0005000000019447-108.dat family_berbew behavioral1/files/0x0005000000019447-109.dat family_berbew behavioral1/memory/680-114-0x0000000000450000-0x0000000000492000-memory.dmp family_berbew behavioral1/memory/680-107-0x0000000000450000-0x0000000000492000-memory.dmp family_berbew behavioral1/files/0x0005000000019447-103.dat family_berbew behavioral1/files/0x000500000001935e-80.dat family_berbew behavioral1/files/0x000500000001935e-76.dat family_berbew behavioral1/files/0x0007000000018b73-59.dat family_berbew behavioral1/files/0x0007000000018b63-53.dat family_berbew behavioral1/files/0x000800000001871c-41.dat family_berbew behavioral1/files/0x000800000001871c-40.dat family_berbew behavioral1/files/0x0007000000018b63-49.dat family_berbew behavioral1/files/0x000800000001871c-37.dat family_berbew behavioral1/files/0x000800000001871c-36.dat family_berbew behavioral1/files/0x000800000001871c-34.dat family_berbew behavioral1/files/0x0005000000019475-116.dat family_berbew behavioral1/files/0x0005000000019475-120.dat family_berbew behavioral1/files/0x0005000000019475-123.dat family_berbew behavioral1/files/0x0005000000019475-119.dat family_berbew behavioral1/files/0x0005000000019475-124.dat family_berbew behavioral1/files/0x0005000000019484-129.dat family_berbew behavioral1/files/0x0005000000019484-132.dat family_berbew behavioral1/files/0x0005000000019484-133.dat family_berbew behavioral1/files/0x0005000000019484-136.dat family_berbew behavioral1/files/0x0005000000019484-137.dat family_berbew behavioral1/files/0x000500000001949c-144.dat family_berbew behavioral1/files/0x000500000001949c-150.dat family_berbew behavioral1/files/0x000500000001949c-149.dat family_berbew behavioral1/files/0x000500000001949c-147.dat family_berbew behavioral1/files/0x000500000001949c-142.dat family_berbew behavioral1/files/0x0005000000019514-162.dat family_berbew behavioral1/files/0x0005000000019514-159.dat family_berbew behavioral1/files/0x0005000000019514-158.dat family_berbew behavioral1/files/0x0005000000019514-156.dat family_berbew behavioral1/files/0x0005000000019514-164.dat family_berbew behavioral1/files/0x0005000000019576-169.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2096 Cmpdgf32.exe 2680 Hipmmg32.exe 2312 Hjdfjo32.exe 2644 Heikgh32.exe 2524 Hhhgcc32.exe 2428 Hapklimq.exe 680 Imiigiab.exe 716 Iipiljgf.exe 2892 Iiecgjba.exe 1580 Jlhhndno.exe 2148 Jpjngh32.exe 1712 Jaijak32.exe 840 Kfkpknkq.exe 1988 Kfnmpn32.exe 2920 Khoebi32.exe 1452 Lnpgeopa.exe 1812 Lcomce32.exe 2120 Ljieppcb.exe 1500 Lqcmmjko.exe 976 Lmjnak32.exe 2328 Micklk32.exe 2132 Mmadbjkk.exe 2356 Mnbpjb32.exe 3044 Mgjebg32.exe 1676 Mngjeamd.exe 2168 Mjnjjbbh.exe 2956 Necogkbo.exe 1612 Najpll32.exe 2628 Niedqnen.exe 2752 Nigafnck.exe 2580 Npdfhhhe.exe 2492 Ohojmjep.exe 2460 Opfbngfb.exe 2536 Olmcchlg.exe 1192 Obgkpb32.exe 1664 Oalhqohl.exe 2964 Ogiaif32.exe 1340 Ohhmcinf.exe 1440 Oijjka32.exe 2724 Pkifdd32.exe 1968 Pljcllqe.exe 1116 Pgpgjepk.exe 2056 Idkpganf.exe 1956 Ijehdl32.exe 1868 Jdnmma32.exe 1244 Mimgeigj.exe 1572 Oplelf32.exe 1912 Debadpeg.exe 2220 Dmijfmfi.exe 2164 Dokfme32.exe 2788 Dfbnoc32.exe 1880 Dhckfkbh.exe 1560 Dpjbgh32.exe 2912 Eakooqih.exe 2612 Eheglk32.exe 2720 Eopphehb.exe 2700 Ebklic32.exe 1728 Ehhdaj32.exe 1376 Emdmjamj.exe 1276 Edoefl32.exe 2836 Ekhmcelc.exe 1620 Epeekmjk.exe 1280 Egonhf32.exe 2548 Eaebeoan.exe -
Loads dropped DLL 64 IoCs
pid Process 2896 NEAS.e705bcc8da40c4d254451bc740e69958.exe 2896 NEAS.e705bcc8da40c4d254451bc740e69958.exe 2096 Cmpdgf32.exe 2096 Cmpdgf32.exe 2680 Hipmmg32.exe 2680 Hipmmg32.exe 2312 Hjdfjo32.exe 2312 Hjdfjo32.exe 2644 Heikgh32.exe 2644 Heikgh32.exe 2524 Hhhgcc32.exe 2524 Hhhgcc32.exe 2428 Hapklimq.exe 2428 Hapklimq.exe 680 Imiigiab.exe 680 Imiigiab.exe 716 Iipiljgf.exe 716 Iipiljgf.exe 2892 Iiecgjba.exe 2892 Iiecgjba.exe 1580 Jlhhndno.exe 1580 Jlhhndno.exe 2148 Jpjngh32.exe 2148 Jpjngh32.exe 1712 Jaijak32.exe 1712 Jaijak32.exe 840 Kfkpknkq.exe 840 Kfkpknkq.exe 1988 Kfnmpn32.exe 1988 Kfnmpn32.exe 2920 Khoebi32.exe 2920 Khoebi32.exe 1452 Lnpgeopa.exe 1452 Lnpgeopa.exe 1812 Lcomce32.exe 1812 Lcomce32.exe 2120 Ljieppcb.exe 2120 Ljieppcb.exe 1500 Lqcmmjko.exe 1500 Lqcmmjko.exe 976 Lmjnak32.exe 976 Lmjnak32.exe 2328 Micklk32.exe 2328 Micklk32.exe 2132 Mmadbjkk.exe 2132 Mmadbjkk.exe 2356 Mnbpjb32.exe 2356 Mnbpjb32.exe 3044 Mgjebg32.exe 3044 Mgjebg32.exe 1676 Mngjeamd.exe 1676 Mngjeamd.exe 2168 Mjnjjbbh.exe 2168 Mjnjjbbh.exe 2956 Necogkbo.exe 2956 Necogkbo.exe 1612 Najpll32.exe 1612 Najpll32.exe 2628 Niedqnen.exe 2628 Niedqnen.exe 2752 Nigafnck.exe 2752 Nigafnck.exe 2580 Npdfhhhe.exe 2580 Npdfhhhe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Caphpgkj.dll Lcomce32.exe File created C:\Windows\SysWOW64\Lkicbk32.exe Ldokfakl.exe File created C:\Windows\SysWOW64\Khjkiikl.exe Kapbmo32.exe File opened for modification C:\Windows\SysWOW64\Dmcgik32.exe Bfeibo32.exe File opened for modification C:\Windows\SysWOW64\Fhifmcfa.exe Fclmem32.exe File created C:\Windows\SysWOW64\Dmcibdad.exe Dckdio32.exe File opened for modification C:\Windows\SysWOW64\Hkahgk32.exe Hegpjaac.exe File created C:\Windows\SysWOW64\Fdlhbc32.dll Jjlqpp32.exe File created C:\Windows\SysWOW64\Lageje32.dll Gcljdpke.exe File opened for modification C:\Windows\SysWOW64\Llomfpag.exe Keeeje32.exe File created C:\Windows\SysWOW64\Jnifaajh.exe Jgpndg32.exe File opened for modification C:\Windows\SysWOW64\Hchoop32.exe Hganjo32.exe File created C:\Windows\SysWOW64\Jdbfjmik.dll Mbdcepcm.exe File created C:\Windows\SysWOW64\Lmjnak32.exe Lqcmmjko.exe File opened for modification C:\Windows\SysWOW64\Ehhdaj32.exe Ebklic32.exe File opened for modification C:\Windows\SysWOW64\Ichmgl32.exe Iladfn32.exe File opened for modification C:\Windows\SysWOW64\Goiafp32.exe Ggbieb32.exe File opened for modification C:\Windows\SysWOW64\Hkmaed32.exe Hjlemlnk.exe File opened for modification C:\Windows\SysWOW64\Komjmk32.exe Klonqpbi.exe File created C:\Windows\SysWOW64\Jmkmjoec.exe Hcjilgdb.exe File created C:\Windows\SysWOW64\Ipodji32.dll Kbbakc32.exe File created C:\Windows\SysWOW64\Jgkjfeka.dll Ibeloo32.exe File created C:\Windows\SysWOW64\Ibibfa32.exe Iqhfnifq.exe File created C:\Windows\SysWOW64\Cfkkam32.exe Cancif32.exe File opened for modification C:\Windows\SysWOW64\Kokmmkcm.exe Khadpa32.exe File opened for modification C:\Windows\SysWOW64\Gfadcemm.exe Gfogneop.exe File created C:\Windows\SysWOW64\Jjkiijpa.dll Okolfkjg.exe File created C:\Windows\SysWOW64\Kbmfgk32.exe Kpojkp32.exe File created C:\Windows\SysWOW64\Debadpeg.exe Oplelf32.exe File opened for modification C:\Windows\SysWOW64\Jaeehmko.exe Jgmaog32.exe File opened for modification C:\Windows\SysWOW64\Alhaho32.exe Pelpgb32.exe File created C:\Windows\SysWOW64\Kddifg32.dll Hgbhibio.exe File created C:\Windows\SysWOW64\Komlabbb.dll Diqmcgca.exe File created C:\Windows\SysWOW64\Egcpbc32.dll Jgpklb32.exe File opened for modification C:\Windows\SysWOW64\Kdjenkgh.exe Kaliaphd.exe File created C:\Windows\SysWOW64\Homdlljo.dll Kfnmpn32.exe File opened for modification C:\Windows\SysWOW64\Dpmlcpdm.exe Dnlolhoo.exe File opened for modification C:\Windows\SysWOW64\Mkaeob32.exe Mokdja32.exe File created C:\Windows\SysWOW64\Boeppomj.exe Bmgddcnf.exe File opened for modification C:\Windows\SysWOW64\Pgpgjepk.exe Pljcllqe.exe File created C:\Windows\SysWOW64\Hfpfdeon.exe Hofngkga.exe File created C:\Windows\SysWOW64\Fihbcdgp.dll Glckihcg.exe File created C:\Windows\SysWOW64\Imdjlida.exe Ijenpn32.exe File opened for modification C:\Windows\SysWOW64\Hnljkf32.exe Hgbanlfc.exe File created C:\Windows\SysWOW64\Ampncd32.exe Agcekn32.exe File opened for modification C:\Windows\SysWOW64\Hqochjnk.exe Hgfooe32.exe File created C:\Windows\SysWOW64\Klhioioc.exe Keoabo32.exe File created C:\Windows\SysWOW64\Cmolej32.dll Jmhpfl32.exe File created C:\Windows\SysWOW64\Cejnde32.dll Hgbanlfc.exe File created C:\Windows\SysWOW64\Gkmcmbma.dll Ljieppcb.exe File created C:\Windows\SysWOW64\Gqnfackh.dll Necogkbo.exe File created C:\Windows\SysWOW64\Pkhmod32.dll Kbnhpdke.exe File opened for modification C:\Windows\SysWOW64\Jpcdqpqj.exe Ilhlan32.exe File created C:\Windows\SysWOW64\Hchoop32.exe Hganjo32.exe File created C:\Windows\SysWOW64\Ejjglk32.dll Gaajfi32.exe File created C:\Windows\SysWOW64\Cjoohi32.dll Hhaanh32.exe File created C:\Windows\SysWOW64\Kqcqpc32.exe Kdlpkb32.exe File opened for modification C:\Windows\SysWOW64\Ddhaie32.exe Cmqihg32.exe File created C:\Windows\SysWOW64\Cmjjmp32.dll Djicmk32.exe File created C:\Windows\SysWOW64\Ndiomdde.exe Nkqjdo32.exe File opened for modification C:\Windows\SysWOW64\Himkgf32.exe Hbccklmj.exe File created C:\Windows\SysWOW64\Dfinam32.exe Ddhaie32.exe File created C:\Windows\SysWOW64\Jfjjkhhg.exe Jclnnmic.exe File created C:\Windows\SysWOW64\Olfknedh.dll Hkolakkb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1960 1768 WerFault.exe 545 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mokdja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfogneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfeibo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnjhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhmpeom.dll" Ckajqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdailaib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfflopbf.dll" Ilhlan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlpadaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndiaem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmidlmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khoebi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaeehmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjoohi32.dll" Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmiplp32.dll" Lpckce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfkkam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhoeadlm.dll" Gnjhaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaoblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbdeb32.dll" Kgdgpfnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keodflee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hapklimq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcmamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpfeq32.dll" Ghlfjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpjfcali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpbc32.dll" Jgpklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjbdfbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iejiodbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cabldeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbeghn32.dll" Hqpjndio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjqcd32.dll" Decdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hganjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfjjkhhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilhlan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nebgoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pelpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnend32.dll" Phgfko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koipglep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbncof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhngem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egonhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dahobdpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fclmem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gknhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfifeml.dll" Edoefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjmoj32.dll" Kccian32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbqajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbfghckb.dll" Kpafapbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eelgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdgcbgmg.dll" Hijhhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbnmienj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flkohc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmgoif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcmdjgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgbof32.dll" Ocqhcqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhpbkob.dll" Hkfgnldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkkfi32.dll" Deikhhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaonn32.dll" Kdlbckee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekohm32.dll" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnecigcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbbhobn.dll" Dkjpdcfj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2896 wrote to memory of 2096 2896 NEAS.e705bcc8da40c4d254451bc740e69958.exe 28 PID 2896 wrote to memory of 2096 2896 NEAS.e705bcc8da40c4d254451bc740e69958.exe 28 PID 2896 wrote to memory of 2096 2896 NEAS.e705bcc8da40c4d254451bc740e69958.exe 28 PID 2896 wrote to memory of 2096 2896 NEAS.e705bcc8da40c4d254451bc740e69958.exe 28 PID 2096 wrote to memory of 2680 2096 Cmpdgf32.exe 29 PID 2096 wrote to memory of 2680 2096 Cmpdgf32.exe 29 PID 2096 wrote to memory of 2680 2096 Cmpdgf32.exe 29 PID 2096 wrote to memory of 2680 2096 Cmpdgf32.exe 29 PID 2680 wrote to memory of 2312 2680 Hipmmg32.exe 35 PID 2680 wrote to memory of 2312 2680 Hipmmg32.exe 35 PID 2680 wrote to memory of 2312 2680 Hipmmg32.exe 35 PID 2680 wrote to memory of 2312 2680 Hipmmg32.exe 35 PID 2312 wrote to memory of 2644 2312 Hjdfjo32.exe 34 PID 2312 wrote to memory of 2644 2312 Hjdfjo32.exe 34 PID 2312 wrote to memory of 2644 2312 Hjdfjo32.exe 34 PID 2312 wrote to memory of 2644 2312 Hjdfjo32.exe 34 PID 2644 wrote to memory of 2524 2644 Heikgh32.exe 33 PID 2644 wrote to memory of 2524 2644 Heikgh32.exe 33 PID 2644 wrote to memory of 2524 2644 Heikgh32.exe 33 PID 2644 wrote to memory of 2524 2644 Heikgh32.exe 33 PID 2524 wrote to memory of 2428 2524 Hhhgcc32.exe 30 PID 2524 wrote to memory of 2428 2524 Hhhgcc32.exe 30 PID 2524 wrote to memory of 2428 2524 Hhhgcc32.exe 30 PID 2524 wrote to memory of 2428 2524 Hhhgcc32.exe 30 PID 2428 wrote to memory of 680 2428 Hapklimq.exe 32 PID 2428 wrote to memory of 680 2428 Hapklimq.exe 32 PID 2428 wrote to memory of 680 2428 Hapklimq.exe 32 PID 2428 wrote to memory of 680 2428 Hapklimq.exe 32 PID 680 wrote to memory of 716 680 Imiigiab.exe 31 PID 680 wrote to memory of 716 680 Imiigiab.exe 31 PID 680 wrote to memory of 716 680 Imiigiab.exe 31 PID 680 wrote to memory of 716 680 Imiigiab.exe 31 PID 716 wrote to memory of 2892 716 Iipiljgf.exe 36 PID 716 wrote to memory of 2892 716 Iipiljgf.exe 36 PID 716 wrote to memory of 2892 716 Iipiljgf.exe 36 PID 716 wrote to memory of 2892 716 Iipiljgf.exe 36 PID 2892 wrote to memory of 1580 2892 Iiecgjba.exe 37 PID 2892 wrote to memory of 1580 2892 Iiecgjba.exe 37 PID 2892 wrote to memory of 1580 2892 Iiecgjba.exe 37 PID 2892 wrote to memory of 1580 2892 Iiecgjba.exe 37 PID 1580 wrote to memory of 2148 1580 Jlhhndno.exe 38 PID 1580 wrote to memory of 2148 1580 Jlhhndno.exe 38 PID 1580 wrote to memory of 2148 1580 Jlhhndno.exe 38 PID 1580 wrote to memory of 2148 1580 Jlhhndno.exe 38 PID 2148 wrote to memory of 1712 2148 Jpjngh32.exe 39 PID 2148 wrote to memory of 1712 2148 Jpjngh32.exe 39 PID 2148 wrote to memory of 1712 2148 Jpjngh32.exe 39 PID 2148 wrote to memory of 1712 2148 Jpjngh32.exe 39 PID 1712 wrote to memory of 840 1712 Jaijak32.exe 40 PID 1712 wrote to memory of 840 1712 Jaijak32.exe 40 PID 1712 wrote to memory of 840 1712 Jaijak32.exe 40 PID 1712 wrote to memory of 840 1712 Jaijak32.exe 40 PID 840 wrote to memory of 1988 840 Kfkpknkq.exe 41 PID 840 wrote to memory of 1988 840 Kfkpknkq.exe 41 PID 840 wrote to memory of 1988 840 Kfkpknkq.exe 41 PID 840 wrote to memory of 1988 840 Kfkpknkq.exe 41 PID 1988 wrote to memory of 2920 1988 Kfnmpn32.exe 42 PID 1988 wrote to memory of 2920 1988 Kfnmpn32.exe 42 PID 1988 wrote to memory of 2920 1988 Kfnmpn32.exe 42 PID 1988 wrote to memory of 2920 1988 Kfnmpn32.exe 42 PID 2920 wrote to memory of 1452 2920 Khoebi32.exe 43 PID 2920 wrote to memory of 1452 2920 Khoebi32.exe 43 PID 2920 wrote to memory of 1452 2920 Khoebi32.exe 43 PID 2920 wrote to memory of 1452 2920 Khoebi32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.e705bcc8da40c4d254451bc740e69958.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.e705bcc8da40c4d254451bc740e69958.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312
-
-
-
-
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680
-
-
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe25⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe26⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe28⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe29⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe30⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe33⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe35⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe36⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe37⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe38⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe39⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe41⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe42⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe43⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe44⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe45⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe46⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe47⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe48⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe49⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe52⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1276 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe55⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe57⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe58⤵PID:1416
-
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe59⤵PID:1184
-
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe60⤵PID:1752
-
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe61⤵PID:3064
-
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe62⤵PID:2928
-
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe63⤵PID:1952
-
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe64⤵PID:948
-
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe65⤵PID:328
-
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe66⤵PID:488
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe67⤵PID:968
-
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe68⤵PID:1128
-
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe69⤵PID:1484
-
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe70⤵PID:2224
-
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe71⤵PID:1564
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe72⤵
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2676 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe74⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe75⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe76⤵PID:2616
-
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe77⤵PID:584
-
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe78⤵PID:440
-
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe79⤵PID:1344
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:2820
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Kccian32.exeC:\Windows\system32\Kccian32.exe74⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe75⤵PID:3564
-
C:\Windows\SysWOW64\Bfeibo32.exeC:\Windows\system32\Bfeibo32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Dmcgik32.exeC:\Windows\system32\Dmcgik32.exe77⤵PID:2068
-
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe78⤵PID:3812
-
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2696 -
C:\Windows\SysWOW64\Mnffnd32.exeC:\Windows\system32\Mnffnd32.exe80⤵PID:1600
-
C:\Windows\SysWOW64\Mmmpdp32.exeC:\Windows\system32\Mmmpdp32.exe81⤵PID:2016
-
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe82⤵PID:2352
-
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe83⤵PID:3892
-
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe84⤵PID:2036
-
C:\Windows\SysWOW64\Mnaiah32.exeC:\Windows\system32\Mnaiah32.exe85⤵PID:560
-
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe86⤵PID:2320
-
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe87⤵PID:3000
-
C:\Windows\SysWOW64\Njjfli32.exeC:\Windows\system32\Njjfli32.exe88⤵PID:2244
-
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe89⤵PID:1612
-
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe90⤵
- Modifies registry class
PID:3668 -
C:\Windows\SysWOW64\Njlcah32.exeC:\Windows\system32\Njlcah32.exe91⤵PID:1432
-
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe92⤵
- Modifies registry class
PID:4024 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe93⤵PID:2264
-
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe94⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Nfhmai32.exeC:\Windows\system32\Nfhmai32.exe95⤵PID:2240
-
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4060 -
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe97⤵PID:1028
-
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe98⤵PID:576
-
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe99⤵PID:2196
-
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe100⤵PID:1148
-
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe101⤵PID:936
-
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3156 -
C:\Windows\SysWOW64\Oolelj32.exeC:\Windows\system32\Oolelj32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3144 -
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe104⤵PID:2316
-
C:\Windows\SysWOW64\Odimdqne.exeC:\Windows\system32\Odimdqne.exe105⤵PID:1936
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe106⤵PID:2492
-
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe107⤵PID:1664
-
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3256 -
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe109⤵
- Modifies registry class
PID:3340 -
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe110⤵PID:1644
-
C:\Windows\SysWOW64\Ppbkoabf.exeC:\Windows\system32\Ppbkoabf.exe111⤵PID:1816
-
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe112⤵PID:3320
-
C:\Windows\SysWOW64\Pkholjam.exeC:\Windows\system32\Pkholjam.exe113⤵PID:3388
-
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe114⤵PID:3288
-
C:\Windows\SysWOW64\Pdpcep32.exeC:\Windows\system32\Pdpcep32.exe115⤵PID:2224
-
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe116⤵PID:3740
-
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe117⤵PID:1012
-
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe118⤵PID:3860
-
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe119⤵PID:1968
-
C:\Windows\SysWOW64\Polakmbi.exeC:\Windows\system32\Polakmbi.exe120⤵PID:3936
-
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe121⤵PID:3692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-