Analysis
max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2023 16:53
-
Behavioral task: behavioral1
Sample: NEAS.fd00e56db412361202c8ac60d6220920.exe
Resource: win7-20231020-en
-
Behavioral task: behavioral2
Sample: NEAS.fd00e56db412361202c8ac60d6220920.exe
Resource: win10v2004-20231020-en
-
General
Target: NEAS.fd00e56db412361202c8ac60d6220920.exe
Size: 75KB
MD5: fd00e56db412361202c8ac60d6220920
SHA1: c97f36dc01a8ba534758575d20d5332dd0902322
SHA256: 2bc757491363c0b85183c8a43e1120578412ece55bc82eac142ceffe93e6d806
SHA512: ff49f0e2802566bc6b9db05a712b0cf4a93218bc7a5229c0a1d432a5c6cb7080742c38eca40a41de71521c978bbc6572b9b49e7ecfbdaceff8fef5dc68575d47
SSDEEP: 1536:nCDgSroow8CFasdMrhFoSl00000000000000R9C5UU5O53q52IrFH:CkATwjwXUo000000000000003ZYg3qv
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdblkoco.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjffbhnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjfjjd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpogjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Agqfme32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abmkhmfe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnbhcl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bckidl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epaodjlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mibeofaf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipfnjkgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epopff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gigano32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gednek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckhbnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gekkpqnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pejnpe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cghpgbce.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gajlcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hphljkfk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgfkmgnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hijmin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hddoep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djiqdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fodebh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edpoeoea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibnodj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpcngnob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmigdend.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gigano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilaieljl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dipjkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeenapck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmacpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdhifooi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iegaha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mapjjdjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djmknb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Immkiodb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnmlpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cqlhlo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moomgmpm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgmaphdg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Faefim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aiimfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofmknifp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kldaon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjbnmm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfpkbbmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekkjheja.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqkbkicd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfbckagm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghgjflof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hejaon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jnfbcg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldnbeokn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blcmbmip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kleeqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eiehilaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnofng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qoqhncgp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqilppic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ealbcngg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gihpcn32.exe
-
Malware Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.
resource | yara_rule
behavioral1/memory/2504-0-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x000e00000001201d-5.dat | family_berbew
behavioral1/memory/2504-6-0x0000000000220000-0x0000000000260000-memory.dmp | family_berbew
behavioral1/files/0x000e00000001201d-8.dat | family_berbew
behavioral1/files/0x000e00000001201d-12.dat | family_berbew
behavioral1/files/0x000e00000001201d-9.dat | family_berbew
behavioral1/files/0x000e00000001201d-13.dat | family_berbew
behavioral1/files/0x001b000000016c2b-18.dat | family_berbew
behavioral1/files/0x001b000000016c2b-21.dat | family_berbew
behavioral1/files/0x001b000000016c2b-22.dat | family_berbew
behavioral1/files/0x001b000000016c2b-27.dat | family_berbew
behavioral1/files/0x0007000000016d39-41.dat | family_berbew
behavioral1/memory/2772-40-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0007000000016d39-39.dat | family_berbew
behavioral1/files/0x0007000000016d39-36.dat | family_berbew
behavioral1/files/0x0007000000016d39-35.dat | family_berbew
behavioral1/files/0x0007000000016d64-49.dat | family_berbew
behavioral1/files/0x0007000000016d64-52.dat | family_berbew
behavioral1/files/0x0007000000016d64-54.dat | family_berbew
behavioral1/memory/2776-53-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0008000000016d77-65.dat | family_berbew
behavioral1/files/0x0008000000016d77-67.dat | family_berbew
behavioral1/memory/2688-66-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0008000000016d77-62.dat | family_berbew
behavioral1/files/0x0008000000016d77-61.dat | family_berbew
behavioral1/files/0x0008000000016d77-59.dat | family_berbew
behavioral1/files/0x0007000000016d64-48.dat | family_berbew
behavioral1/files/0x0007000000016d64-46.dat | family_berbew
behavioral1/files/0x001b000000016c2b-26.dat | family_berbew
behavioral1/files/0x0007000000016d39-33.dat | family_berbew
behavioral1/memory/2752-32-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/memory/2740-20-0x0000000000440000-0x0000000000480000-memory.dmp | family_berbew
behavioral1/files/0x0006000000017568-72.dat | family_berbew
behavioral1/memory/2316-79-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000017568-78.dat | family_berbew
behavioral1/files/0x0006000000017568-75.dat | family_berbew
behavioral1/files/0x0006000000017568-74.dat | family_berbew
behavioral1/files/0x0006000000017568-80.dat | family_berbew
behavioral1/files/0x000500000001869a-85.dat | family_berbew
behavioral1/files/0x000500000001869a-88.dat | family_berbew
behavioral1/files/0x000500000001869a-93.dat | family_berbew
behavioral1/files/0x000500000001869a-92.dat | family_berbew
behavioral1/memory/2316-87-0x0000000000220000-0x0000000000260000-memory.dmp | family_berbew
behavioral1/files/0x000500000001869a-91.dat | family_berbew
behavioral1/memory/3032-105-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018b1a-107.dat | family_berbew
behavioral1/files/0x0006000000018b1a-117.dat | family_berbew
behavioral1/files/0x0006000000018b1a-113.dat | family_berbew
behavioral1/memory/1492-123-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x0006000000018b1a-118.dat | family_berbew
behavioral1/files/0x0006000000018b1a-111.dat | family_berbew
behavioral1/files/0x000500000001873d-106.dat | family_berbew
behavioral1/files/0x0006000000018b4d-124.dat | family_berbew
behavioral1/files/0x0006000000018b4d-126.dat | family_berbew
behavioral1/files/0x0006000000018b4d-130.dat | family_berbew
behavioral1/files/0x0006000000018b4d-127.dat | family_berbew
behavioral1/files/0x0006000000018b4d-132.dat | family_berbew
behavioral1/memory/292-131-0x0000000000400000-0x0000000000440000-memory.dmp | family_berbew
behavioral1/files/0x000500000001873d-104.dat | family_berbew
behavioral1/files/0x000500000001873d-101.dat | family_berbew
behavioral1/files/0x000500000001873d-100.dat | family_berbew
behavioral1/files/0x000500000001873d-98.dat | family_berbew
behavioral1/files/0x0006000000018b7a-137.dat | family_berbew
behavioral1/files/0x0006000000018b7a-140.dat | family_berbew
-
Executes dropped EXE 64 IoCs
pid | Process
2740 | Cileqlmg.exe
2752 | Ceebklai.exe
2772 | Cnmfdb32.exe
2776 | Cgfkmgnj.exe
2688 | Danpemej.exe
2316 | Djfdob32.exe
476 | Djiqdb32.exe
3032 | Dbdehdfc.exe
1492 | Dinneo32.exe
292 | Dokfme32.exe
1640 | Dipjkn32.exe
3036 | Domccejd.exe
240 | Eegkpo32.exe
2520 | Ekdchf32.exe
3000 | Ehhdaj32.exe
2484 | Emdmjamj.exe
1944 | Ehjqgjmp.exe
2064 | Epeekmjk.exe
1964 | Ekkjheja.exe
1532 | Edcnakpa.exe
2024 | Ekmfne32.exe
996 | Fdekgjno.exe
2496 | Feggob32.exe
2372 | Fplllkdc.exe
2164 | Fgfdie32.exe
2888 | Fpohakbp.exe
2744 | Felajbpg.exe
2644 | Fodebh32.exe
2384 | Gnkoid32.exe
1360 | Gcmamj32.exe
3044 | Godaakic.exe
3048 | Hbdjcffd.exe
584 | Hiqoeplo.exe
2836 | Homdhjai.exe
1164 | Hqnapb32.exe
1924 | Hkdemk32.exe
1784 | Hcojam32.exe
1780 | Ieofkp32.exe
2540 | Iphgln32.exe
2184 | Ijphofem.exe
1832 | Ipomlm32.exe
2364 | Jbpfnh32.exe
1388 | Jbbccgmp.exe
3012 | Jhahanie.exe
2056 | Jajmjcoe.exe
1932 | Jdhifooi.exe
2876 | Pmhgba32.exe
2728 | Knaeeo32.exe
2668 | Aeenapck.exe
1588 | Idmnga32.exe
324 | Pibgfjdh.exe
1028 | Polobd32.exe
2600 | Pbjkop32.exe
2796 | Qmpplh32.exe
2920 | Qgiplffm.exe
2992 | Qoqhncgp.exe
2956 | Qbodjofc.exe
1708 | Aiimfi32.exe
2068 | Akgibd32.exe
2320 | Amkbpm32.exe
2136 | Acejlfhl.exe
1540 | Agqfme32.exe
2100 | Anjojphb.exe
704 | Ammoel32.exe
-
Loads dropped DLL 64 IoCs
pid | Process
2504 | NEAS.fd00e56db412361202c8ac60d6220920.exe
2504 | NEAS.fd00e56db412361202c8ac60d6220920.exe
2740 | Cileqlmg.exe
2740 | Cileqlmg.exe
2752 | Ceebklai.exe
2752 | Ceebklai.exe
2772 | Cnmfdb32.exe
2772 | Cnmfdb32.exe
2776 | Cgfkmgnj.exe
2776 | Cgfkmgnj.exe
2688 | Danpemej.exe
2688 | Danpemej.exe
2316 | Djfdob32.exe
2316 | Djfdob32.exe
476 | Djiqdb32.exe
476 | Djiqdb32.exe
3032 | Dbdehdfc.exe
3032 | Dbdehdfc.exe
1492 | Dinneo32.exe
1492 | Dinneo32.exe
292 | Dokfme32.exe
292 | Dokfme32.exe
1640 | Dipjkn32.exe
1640 | Dipjkn32.exe
3036 | Domccejd.exe
3036 | Domccejd.exe
240 | Eegkpo32.exe
240 | Eegkpo32.exe
2520 | Ekdchf32.exe
2520 | Ekdchf32.exe
3000 | Ehhdaj32.exe
3000 | Ehhdaj32.exe
2484 | Emdmjamj.exe
2484 | Emdmjamj.exe
1944 | Ehjqgjmp.exe
1944 | Ehjqgjmp.exe
2064 | Epeekmjk.exe
2064 | Epeekmjk.exe
1964 | Ekkjheja.exe
1964 | Ekkjheja.exe
1532 | Edcnakpa.exe
1532 | Edcnakpa.exe
2024 | Ekmfne32.exe
2024 | Ekmfne32.exe
996 | Fdekgjno.exe
996 | Fdekgjno.exe
2496 | Feggob32.exe
2496 | Feggob32.exe
2372 | Fplllkdc.exe
2372 | Fplllkdc.exe
2164 | Fgfdie32.exe
2164 | Fgfdie32.exe
2888 | Fpohakbp.exe
2888 | Fpohakbp.exe
2744 | Felajbpg.exe
2744 | Felajbpg.exe
2644 | Fodebh32.exe
2644 | Fodebh32.exe
2384 | Gnkoid32.exe
2384 | Gnkoid32.exe
1360 | Gcmamj32.exe
1360 | Gcmamj32.exe
3044 | Godaakic.exe
3044 | Godaakic.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Kagkebpb.exe | Jjmchhhe.exe
File opened for modification | C:\Windows\SysWOW64\Nocgbl32.exe | Nhjofbdk.exe
File created | C:\Windows\SysWOW64\Ldmchdcp.dll | Eqejjj32.exe
File opened for modification | C:\Windows\SysWOW64\Mbjhlg32.exe | Mkpppmko.exe
File opened for modification | C:\Windows\SysWOW64\Faefim32.exe | Fpdjaeei.exe
File opened for modification | C:\Windows\SysWOW64\Jaamhb32.exe | Jocalffk.exe
File created | C:\Windows\SysWOW64\Ipdaek32.exe | Iocdmccp.exe
File created | C:\Windows\SysWOW64\Cllkkk32.exe | Ceacoqfi.exe
File created | C:\Windows\SysWOW64\Hnmeeene.dll | Gcchgini.exe
File opened for modification | C:\Windows\SysWOW64\Gihpcn32.exe | Gfjcgc32.exe
File opened for modification | C:\Windows\SysWOW64\Ijelgemi.exe | Idkcjk32.exe
File created | C:\Windows\SysWOW64\Klbdiokf.exe | Kdgoelnk.exe
File created | C:\Windows\SysWOW64\Iccnmk32.exe | Imifpagp.exe
File created | C:\Windows\SysWOW64\Komhoebi.dll | Mcafbm32.exe
File created | C:\Windows\SysWOW64\Akgibd32.exe | Aiimfi32.exe
File opened for modification | C:\Windows\SysWOW64\Eiehilaa.exe | Efglmpbn.exe
File opened for modification | C:\Windows\SysWOW64\Gfpkbbmo.exe | Goicaell.exe
File created | C:\Windows\SysWOW64\Mbqcclhb.dll | Oindpd32.exe
File opened for modification | C:\Windows\SysWOW64\Fkoqmhii.exe | Fipdqmje.exe
File created | C:\Windows\SysWOW64\Hiabjm32.exe | Hajkip32.exe
File opened for modification | C:\Windows\SysWOW64\Gohjnf32.exe | Fmfdppia.exe
File opened for modification | C:\Windows\SysWOW64\Kiifjd32.exe | Kbonmjph.exe
File opened for modification | C:\Windows\SysWOW64\Gaoiol32.exe | Gigano32.exe
File created | C:\Windows\SysWOW64\Lmmbhhfg.dll | Dokfme32.exe
File created | C:\Windows\SysWOW64\Dpmeij32.exe | Dkaihkih.exe
File created | C:\Windows\SysWOW64\Hljokk32.dll | Dnbbjf32.exe
File opened for modification | C:\Windows\SysWOW64\Momqbm32.exe | Miphjf32.exe
File created | C:\Windows\SysWOW64\Egcjkjmo.dll | Ilolol32.exe
File opened for modification | C:\Windows\SysWOW64\Emdmjamj.exe | Ehhdaj32.exe
File created | C:\Windows\SysWOW64\Gppkkikh.exe | Gnoocq32.exe
File opened for modification | C:\Windows\SysWOW64\Hlkekilg.exe | Heamno32.exe
File opened for modification | C:\Windows\SysWOW64\Polobd32.exe | Pibgfjdh.exe
File created | C:\Windows\SysWOW64\Hejaon32.exe | Hopibdfd.exe
File opened for modification | C:\Windows\SysWOW64\Ianambhc.exe | Iopeagip.exe
File created | C:\Windows\SysWOW64\Deimaa32.exe | Dbkaee32.exe
File created | C:\Windows\SysWOW64\Kdegnfli.dll | Apnhggln.exe
File created | C:\Windows\SysWOW64\Dnfjiali.exe | Dhibakmb.exe
File created | C:\Windows\SysWOW64\Lafgdfbm.exe | Lljolodf.exe
File created | C:\Windows\SysWOW64\Geqnho32.exe | Gbbbld32.exe
File created | C:\Windows\SysWOW64\Poabochn.dll | Goicaell.exe
File opened for modification | C:\Windows\SysWOW64\Jajmjcoe.exe | Jhahanie.exe
File created | C:\Windows\SysWOW64\Pljhmo32.dll | Gnofng32.exe
File created | C:\Windows\SysWOW64\Deahcneh.exe | Dmecokhm.exe
File created | C:\Windows\SysWOW64\Ecnpgj32.exe | Eapcjo32.exe
File created | C:\Windows\SysWOW64\Fgqhgjbb.exe | Fdblkoco.exe
File created | C:\Windows\SysWOW64\Gnnnmf32.dll | Gkimff32.exe
File opened for modification | C:\Windows\SysWOW64\Gfjcgc32.exe | Gppkkikh.exe
File created | C:\Windows\SysWOW64\Cedhac32.dll | Cnpieceq.exe
File opened for modification | C:\Windows\SysWOW64\Hddoep32.exe | Hkljljko.exe
File created | C:\Windows\SysWOW64\Jbgdcapi.exe | Jjqlbdog.exe
File created | C:\Windows\SysWOW64\Enhcnd32.exe | Ekjgbi32.exe
File created | C:\Windows\SysWOW64\Nlkgdg32.dll | Pejnpe32.exe
File created | C:\Windows\SysWOW64\Dpeamj32.dll | Ngolgn32.exe
File opened for modification | C:\Windows\SysWOW64\Idkdfo32.exe | Ikcpmieg.exe
File created | C:\Windows\SysWOW64\Lceodl32.dll | Kplhfo32.exe
File opened for modification | C:\Windows\SysWOW64\Mapjjdjb.exe | Lkfbmj32.exe
File created | C:\Windows\SysWOW64\Ejnnbpol.exe | Ecdffe32.exe
File opened for modification | C:\Windows\SysWOW64\Idojon32.exe | Iaqnbb32.exe
File created | C:\Windows\SysWOW64\Cdgbec32.dll | Gefjjk32.exe
File opened for modification | C:\Windows\SysWOW64\Foblaefj.exe | Fmdpejgf.exe
File opened for modification | C:\Windows\SysWOW64\Cqqbgoba.exe | Cjfjjd32.exe
File created | C:\Windows\SysWOW64\Ghofhlpo.dll | Dapnfb32.exe
File opened for modification | C:\Windows\SysWOW64\Hkifld32.exe | Hdonpjbi.exe
File created | C:\Windows\SysWOW64\Ihmcelkk.exe | Ifngiqlg.exe
-
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fnmmidhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lcihicad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpioaop.dll" | Anjojphb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Flkmokoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbmeg32.dll" | Iocdmccp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcemeqqm.dll" | Cghpgbce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmmbpjh.dll" | Fgmaphdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcjkjmo.dll" | Ilolol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Febmfcjj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kleeqp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Godaakic.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fkoqmhii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ifqfge32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imkndofe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Boainhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljccajl.dll" | Bhngbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lojhmjag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onipbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hlmpjl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bboqgikn.dll" | Gigano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gijncn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ekdchf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcabpb32.dll" | Kobmkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enagnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnejjf32.dll" | Dbighojl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckdcepoh.dll" | Fpdjaeei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkojcgga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcakg32.dll" | Kgqcam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfafae32.dll" | Felajbpg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkdemk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmipko32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkqiadeq.dll" | Fcgaae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmjae32.dll" | Imkndofe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhnmpigi.dll" | Jogjgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cpogjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Feggob32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnbbjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Imifpagp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fecado32.dll" | Ppcoqbao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efdohq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jdfqomom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Enepnoji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enepnoji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmbadfdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkdmaenk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflnei32.dll" | Gfggbcdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbjcaf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bhjngnod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdmekg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gbbbld32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkmakd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbcfbege.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdlphnb.dll" | Dpmeij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfihk32.dll" | Fmqpinlf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Homdhjai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbcfbege.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Klbdiokf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpmeij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eickdlcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hopibdfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epeekmjk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fodebh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiodkmcc.dll" | Qoqhncgp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gjnigb32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.fd00e56db412361202c8ac60d6220920.exe "C:\Users\Admin\AppData\Local\Temp\NEAS.fd00e56db412361202c8ac60d6220920.exe" [depth 1, PID 2504]
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cileqlmg.exe "C:\Windows\system32\Cileqlmg.exe" [depth 2, PID 2740]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ceebklai.exe "C:\Windows\system32\Ceebklai.exe" [depth 3, PID 2752]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cnmfdb32.exe "C:\Windows\system32\Cnmfdb32.exe" [depth 4, PID 2772]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Cgfkmgnj.exe "C:\Windows\system32\Cgfkmgnj.exe" [depth 5, PID 2776]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Danpemej.exe "C:\Windows\system32\Danpemej.exe" [depth 6, PID 2688]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Djfdob32.exe "C:\Windows\system32\Djfdob32.exe" [depth 7, PID 2316]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Djiqdb32.exe "C:\Windows\system32\Djiqdb32.exe" [depth 8, PID 476]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dbdehdfc.exe "C:\Windows\system32\Dbdehdfc.exe" [depth 9, PID 3032]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dinneo32.exe "C:\Windows\system32\Dinneo32.exe" [depth 10, PID 1492]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dokfme32.exe "C:\Windows\system32\Dokfme32.exe" [depth 11, PID 292]
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Dipjkn32.exe "C:\Windows\system32\Dipjkn32.exe" [depth 12, PID 1640]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Domccejd.exe "C:\Windows\system32\Domccejd.exe" [depth 13, PID 3036]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Eegkpo32.exe "C:\Windows\system32\Eegkpo32.exe" [depth 14, PID 240]
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ekdchf32.exe "C:\Windows\system32\Ekdchf32.exe" [depth 15, PID 2520]
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ehhdaj32.exe "C:\Windows\system32\Ehhdaj32.exe" [depth 16, PID 3000]
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Emdmjamj.exe "C:\Windows\system32\Emdmjamj.exe" [depth 17, PID 2484]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ehjqgjmp.exe "C:\Windows\system32\Ehjqgjmp.exe" [depth 18, PID 1944]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Epeekmjk.exe "C:\Windows\system32\Epeekmjk.exe" [depth 19, PID 2064]
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Ekkjheja.exe "C:\Windows\system32\Ekkjheja.exe" [depth 20, PID 1964]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Edcnakpa.exe "C:\Windows\system32\Edcnakpa.exe" [depth 21, PID 1532]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ekmfne32.exe "C:\Windows\system32\Ekmfne32.exe" [depth 22, PID 2024]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fdekgjno.exe "C:\Windows\system32\Fdekgjno.exe" [depth 23, PID 996]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Feggob32.exe "C:\Windows\system32\Feggob32.exe" [depth 24, PID 2496]
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Fplllkdc.exe "C:\Windows\system32\Fplllkdc.exe" [depth 25, PID 2372]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fgfdie32.exe "C:\Windows\system32\Fgfdie32.exe" [depth 26, PID 2164]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Fpohakbp.exe "C:\Windows\system32\Fpohakbp.exe" [depth 27, PID 2888]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Felajbpg.exe "C:\Windows\system32\Felajbpg.exe" [depth 28, PID 2744]
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Fodebh32.exe "C:\Windows\system32\Fodebh32.exe" [depth 29, PID 2644]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Gnkoid32.exe "C:\Windows\system32\Gnkoid32.exe" [depth 30, PID 2384]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Gcmamj32.exe "C:\Windows\system32\Gcmamj32.exe" [depth 31, PID 1360]
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Godaakic.exe "C:\Windows\system32\Godaakic.exe" [depth 32, PID 3044]
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Hbdjcffd.exe "C:\Windows\system32\Hbdjcffd.exe" [depth 33, PID 3048]
- Executes dropped EXE
C:\Windows\SysWOW64\Hiqoeplo.exe "C:\Windows\system32\Hiqoeplo.exe" [depth 34, PID 584]
- Executes dropped EXE
C:\Windows\SysWOW64\Homdhjai.exe "C:\Windows\system32\Homdhjai.exe" [depth 35, PID 2836]
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hqnapb32.exe "C:\Windows\system32\Hqnapb32.exe" [depth 36, PID 1164]
- Executes dropped EXE
C:\Windows\SysWOW64\Hkdemk32.exe "C:\Windows\system32\Hkdemk32.exe" [depth 37, PID 1924]
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Hcojam32.exe "C:\Windows\system32\Hcojam32.exe" [depth 38, PID 1784]
- Executes dropped EXE
C:\Windows\SysWOW64\Ieofkp32.exe "C:\Windows\system32\Ieofkp32.exe" [depth 39, PID 1780]
- Executes dropped EXE
C:\Windows\SysWOW64\Iphgln32.exe "C:\Windows\system32\Iphgln32.exe" [depth 40, PID 2540]
- Executes dropped EXE
C:\Windows\SysWOW64\Ijphofem.exe "C:\Windows\system32\Ijphofem.exe" [depth 41, PID 2184]
- Executes dropped EXE
C:\Windows\SysWOW64\Ipomlm32.exe "C:\Windows\system32\Ipomlm32.exe" [depth 42, PID 1832]
- Executes dropped EXE
C:\Windows\SysWOW64\Jbpfnh32.exe "C:\Windows\system32\Jbpfnh32.exe" [depth 43, PID 2364]
- Executes dropped EXE
C:\Windows\SysWOW64\Jbbccgmp.exe "C:\Windows\system32\Jbbccgmp.exe" [depth 44, PID 1388]
- Executes dropped EXE
C:\Windows\SysWOW64\Jhahanie.exe "C:\Windows\system32\Jhahanie.exe" [depth 45, PID 3012]
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Jajmjcoe.exe "C:\Windows\system32\Jajmjcoe.exe" [depth 46, PID 2056]
- Executes dropped EXE
C:\Windows\SysWOW64\Jdhifooi.exe "C:\Windows\system32\Jdhifooi.exe" [depth 47, PID 1932]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Pmhgba32.exe "C:\Windows\system32\Pmhgba32.exe" [depth 48, PID 2876]
- Executes dropped EXE
C:\Windows\SysWOW64\Knaeeo32.exe "C:\Windows\system32\Knaeeo32.exe" [depth 49, PID 2728]
- Executes dropped EXE
C:\Windows\SysWOW64\Aeenapck.exe "C:\Windows\system32\Aeenapck.exe" [depth 50, PID 2668]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Idmnga32.exe "C:\Windows\system32\Idmnga32.exe" [depth 51, PID 1588]
- Executes dropped EXE
C:\Windows\SysWOW64\Pibgfjdh.exe "C:\Windows\system32\Pibgfjdh.exe" [depth 52, PID 324]
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Polobd32.exe "C:\Windows\system32\Polobd32.exe" [depth 53, PID 1028]
- Executes dropped EXE
C:\Windows\SysWOW64\Pbjkop32.exe "C:\Windows\system32\Pbjkop32.exe" [depth 54, PID 2600]
- Executes dropped EXE
C:\Windows\SysWOW64\Qmpplh32.exe "C:\Windows\system32\Qmpplh32.exe" [depth 55, PID 2796]
- Executes dropped EXE
C:\Windows\SysWOW64\Qgiplffm.exe "C:\Windows\system32\Qgiplffm.exe" [depth 56, PID 2920]
- Executes dropped EXE
C:\Windows\SysWOW64\Qoqhncgp.exe "C:\Windows\system32\Qoqhncgp.exe" [depth 57, PID 2992]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Qbodjofc.exe "C:\Windows\system32\Qbodjofc.exe" [depth 58, PID 2956]
- Executes dropped EXE
C:\Windows\SysWOW64\Aiimfi32.exe "C:\Windows\system32\Aiimfi32.exe" [depth 59, PID 1708]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Akgibd32.exe "C:\Windows\system32\Akgibd32.exe" [depth 60, PID 2068]
- Executes dropped EXE
C:\Windows\SysWOW64\Amkbpm32.exe "C:\Windows\system32\Amkbpm32.exe" [depth 61, PID 2320]
- Executes dropped EXE
C:\Windows\SysWOW64\Acejlfhl.exe "C:\Windows\system32\Acejlfhl.exe" [depth 62, PID 2136]
- Executes dropped EXE
C:\Windows\SysWOW64\Agqfme32.exe "C:\Windows\system32\Agqfme32.exe" [depth 63, PID 1540]
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Anjojphb.exe "C:\Windows\system32\Anjojphb.exe" [depth 64, PID 2100]
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ammoel32.exe "C:\Windows\system32\Ammoel32.exe" [depth 65, PID 704]
- Executes dropped EXE
C:\Windows\SysWOW64\Afecna32.exe "C:\Windows\system32\Afecna32.exe" [depth 66, PID 1812]
C:\Windows\SysWOW64\Aidpjm32.exe "C:\Windows\system32\Aidpjm32.exe" [depth 67, PID 1720]
C:\Windows\SysWOW64\Apnhggln.exe "C:\Windows\system32\Apnhggln.exe" [depth 68, PID 2264]
- Drops file in System32 directory
C:\Windows\SysWOW64\Abldccka.exe "C:\Windows\system32\Abldccka.exe" [depth 69, PID 1324]
C:\Windows\SysWOW64\Ambhpljg.exe "C:\Windows\system32\Ambhpljg.exe" [depth 70, PID 2352]
C:\Windows\SysWOW64\Bclqme32.exe "C:\Windows\system32\Bclqme32.exe" [depth 71, PID 2760]
C:\Windows\SysWOW64\Bfjmia32.exe "C:\Windows\system32\Bfjmia32.exe" [depth 72, PID 2596]
C:\Windows\SysWOW64\Blgeahoo.exe "C:\Windows\system32\Blgeahoo.exe" [depth 73, PID 1604]
C:\Windows\SysWOW64\Camqpnel.exe "C:\Windows\system32\Camqpnel.exe" [depth 74, PID 1896]
C:\Windows\SysWOW64\Cdlmlidp.exe "C:\Windows\system32\Cdlmlidp.exe" [depth 75, PID 2332]
C:\Windows\SysWOW64\Ckfeic32.exe "C:\Windows\system32\Ckfeic32.exe" [depth 76, PID 1012]
C:\Windows\SysWOW64\Cmdaeo32.exe "C:\Windows\system32\Cmdaeo32.exe" [depth 77, PID 2828]
C:\Windows\SysWOW64\Cbajme32.exe "C:\Windows\system32\Cbajme32.exe" [depth 78, PID 1360]
C:\Windows\SysWOW64\Ckhbnb32.exe "C:\Windows\system32\Ckhbnb32.exe" [depth 79, PID 2836]
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Cmfnjnin.exe "C:\Windows\system32\Cmfnjnin.exe" [depth 80, PID 1780]
C:\Windows\SysWOW64\Cpejfjha.exe "C:\Windows\system32\Cpejfjha.exe" [depth 81, PID 2944]
C:\Windows\SysWOW64\Cbcfbege.exe "C:\Windows\system32\Cbcfbege.exe" [depth 82, PID 2020]
- Modifies registry class
C:\Windows\SysWOW64\Ceacoqfi.exe "C:\Windows\system32\Ceacoqfi.exe" [depth 83, PID 2296]
- Drops file in System32 directory
C:\Windows\SysWOW64\Cllkkk32.exe "C:\Windows\system32\Cllkkk32.exe" [depth 84, PID 2624]
C:\Windows\SysWOW64\Cojghf32.exe "C:\Windows\system32\Cojghf32.exe" [depth 85, PID 2856]
C:\Windows\SysWOW64\Dhibakmb.exe "C:\Windows\system32\Dhibakmb.exe" [depth 86, PID 1040]
- Drops file in System32 directory
C:\Windows\SysWOW64\Dnfjiali.exe "C:\Windows\system32\Dnfjiali.exe" [depth 87, PID 3016]
C:\Windows\SysWOW64\Dpdfemkm.exe "C:\Windows\system32\Dpdfemkm.exe" [depth 88, PID 1496]
C:\Windows\SysWOW64\Dhlogjko.exe "C:\Windows\system32\Dhlogjko.exe" [depth 89, PID 2960]
C:\Windows\SysWOW64\Djmknb32.exe "C:\Windows\system32\Djmknb32.exe" [depth 90, PID 1956]
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dadcppbp.exe "C:\Windows\system32\Dadcppbp.exe" [depth 91, PID 1168]
C:\Windows\SysWOW64\Edpoeoea.exe "C:\Windows\system32\Edpoeoea.exe" [depth 92, PID 1920]
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ekjgbi32.exe "C:\Windows\system32\Ekjgbi32.exe" [depth 93, PID 2708]
- Drops file in System32 directory
C:\Windows\SysWOW64\Enhcnd32.exe "C:\Windows\system32\Enhcnd32.exe" [depth 94, PID 1696]
C:\Windows\SysWOW64\Fdblkoco.exe "C:\Windows\system32\Fdblkoco.exe" [depth 95, PID 2444]
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Fgqhgjbb.exe "C:\Windows\system32\Fgqhgjbb.exe" [depth 96, PID 1144]
C:\Windows\SysWOW64\Fohphgce.exe "C:\Windows\system32\Fohphgce.exe" [depth 97, PID 1772]
C:\Windows\SysWOW64\Fqilppic.exe "C:\Windows\system32\Fqilppic.exe" [depth 98, PID 2052]
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Fipdqmje.exe "C:\Windows\system32\Fipdqmje.exe" [depth 99, PID 2304]
- Drops file in System32 directory
C:\Windows\SysWOW64\Fkoqmhii.exe "C:\Windows\system32\Fkoqmhii.exe" [depth 100, PID 1004]
- Modifies registry class
C:\Windows\SysWOW64\Fnmmidhm.exe "C:\Windows\system32\Fnmmidhm.exe" [depth 101, PID 1972]
- Modifies registry class
C:\Windows\SysWOW64\Fcjeakfd.exe "C:\Windows\system32\Fcjeakfd.exe" [depth 102, PID 2776]
C:\Windows\SysWOW64\Fjdnne32.exe "C:\Windows\system32\Fjdnne32.exe" [depth 103, PID 476]
C:\Windows\SysWOW64\Gmipko32.exe "C:\Windows\system32\Gmipko32.exe" [depth 104, PID 1732]
- Modifies registry class
C:\Windows\SysWOW64\Gcchgini.exe "C:\Windows\system32\Gcchgini.exe" [depth 105, PID 2024]
- Drops file in System32 directory
C:\Windows\SysWOW64\Geddoa32.exe "C:\Windows\system32\Geddoa32.exe" [depth 106, PID 2892]
C:\Windows\SysWOW64\Gmlmpo32.exe "C:\Windows\system32\Gmlmpo32.exe" [depth 107, PID 1928]
C:\Windows\SysWOW64\Gnmihgkh.exe "C:\Windows\system32\Gnmihgkh.exe" [depth 108, PID 2340]
C:\Windows\SysWOW64\Gibmep32.exe "C:\Windows\system32\Gibmep32.exe" [depth 109, PID 1832]
C:\Windows\SysWOW64\Glaiak32.exe "C:\Windows\system32\Glaiak32.exe" [depth 110, PID 2364]
C:\Windows\SysWOW64\Gnofng32.exe "C:\Windows\system32\Gnofng32.exe" [depth 111, PID 1480]
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Geinjapb.exe "C:\Windows\system32\Geinjapb.exe" [depth 112, PID 1848]
C:\Windows\SysWOW64\Ghgjflof.exe "C:\Windows\system32\Ghgjflof.exe" [depth 113, PID 676]
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Gjffbhnj.exe "C:\Windows\system32\Gjffbhnj.exe" [depth 114, PID 2972]
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Gekkpqnp.exe "C:\Windows\system32\Gekkpqnp.exe" [depth 115, PID 2788]
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Hbhagiem.exe "C:\Windows\system32\Hbhagiem.exe" [depth 116, PID 2832]
C:\Windows\SysWOW64\Cbnfmo32.exe "C:\Windows\system32\Cbnfmo32.exe" [depth 117, PID 1036]
C:\Windows\SysWOW64\Chohqebq.exe "C:\Windows\system32\Chohqebq.exe" [depth 118, PID 1792]
C:\Windows\SysWOW64\Dmecokhm.exe "C:\Windows\system32\Dmecokhm.exe" [depth 119, PID 2804]
- Drops file in System32 directory
C:\Windows\SysWOW64\Deahcneh.exe "C:\Windows\system32\Deahcneh.exe" [depth 120, PID 804]
C:\Windows\SysWOW64\Ekbjgd32.exe "C:\Windows\system32\Ekbjgd32.exe" [depth 121, PID 1892]
C:\Windows\SysWOW64\Ealbcngg.exe "C:\Windows\system32\Ealbcngg.exe" [depth 122, PID 1528]
- Adds autorun key to be loaded by Explorer.exe on startup