Analysis
-
max time kernel
147s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
03/11/2023, 10:08
Behavioral task
behavioral1
Sample
NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe
Resource
win7-20231023-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe
Resource
win10v2004-20231023-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe
-
Size
161KB
-
MD5
006e06d4cf163ed88285cd11f54c1ee0
-
SHA1
605b1a007a759fb925b25085e8b1c7c6722633f4
-
SHA256
5b3c5f42b2ed4715328ceeac690fd352873fde16dc6bf32910afad9fbcbeb2fa
-
SHA512
4729393a547c487e067deaddcac31af2dbfea98828de9842b64986beb4850548427dbac990964aa86a9c238d620be2c40b6bce5fe6e6104a6c55425344b21f82
-
SSDEEP
3072:pPaVOIrXCVGXRZsYSlRh0VWkhtIymk/VwtCJXeex7rrIRZK8K8/kv:pisrGXRKYSlRh0V9tIBk/VwtmeetrIyR
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akkokc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opcaiggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dljkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fchijone.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecbhdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhjae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfalaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhlapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ancdgcab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkdckgpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnbpjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qqfkln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hboddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmpaom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jffhec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnemlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqnbhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koddccaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Niedqnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokfpjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkadjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imleli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anadojlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggeiooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnjdpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnmhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpelnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpfgalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedehaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lafahdcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kokjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgchgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjkamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lekghdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmmgbbeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfjdfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkegimk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagoep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbnhmjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggcaiqhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfmbibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnonp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olehbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idadnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdggofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchpjddc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dafmqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpjhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fokfqflb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbclj32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x0008000000012027-5.dat family_berbew behavioral1/files/0x0008000000012027-8.dat family_berbew behavioral1/files/0x0008000000012027-12.dat family_berbew behavioral1/files/0x0008000000012027-9.dat family_berbew behavioral1/files/0x0008000000012027-13.dat family_berbew behavioral1/files/0x001b000000015c2f-21.dat family_berbew behavioral1/files/0x001b000000015c2f-27.dat family_berbew behavioral1/files/0x0007000000015c9f-39.dat family_berbew behavioral1/files/0x0007000000015c9f-36.dat family_berbew behavioral1/files/0x0007000000015c9f-40.dat family_berbew behavioral1/files/0x0009000000015cc4-52.dat family_berbew behavioral1/files/0x0009000000015cc4-49.dat family_berbew behavioral1/files/0x0009000000015cc4-48.dat family_berbew behavioral1/files/0x0009000000015cc4-46.dat family_berbew behavioral1/files/0x0007000000015c9f-35.dat family_berbew behavioral1/files/0x0007000000015c9f-33.dat family_berbew behavioral1/files/0x001b000000015c2f-26.dat family_berbew behavioral1/files/0x001b000000015c2f-24.dat family_berbew behavioral1/files/0x001b000000015c2f-18.dat family_berbew behavioral1/files/0x0009000000015cc4-53.dat family_berbew behavioral1/files/0x0009000000015eb8-58.dat family_berbew behavioral1/files/0x0009000000015eb8-61.dat family_berbew behavioral1/files/0x0009000000015eb8-60.dat family_berbew behavioral1/files/0x0009000000015eb8-64.dat family_berbew behavioral1/files/0x0009000000015eb8-65.dat family_berbew behavioral1/files/0x0006000000016057-72.dat family_berbew behavioral1/files/0x0006000000016057-77.dat family_berbew behavioral1/files/0x0006000000016057-76.dat family_berbew behavioral1/files/0x0006000000016057-73.dat family_berbew behavioral1/files/0x00060000000162d5-85.dat family_berbew behavioral1/files/0x00060000000162d5-89.dat family_berbew behavioral1/files/0x00060000000162d5-88.dat family_berbew behavioral1/files/0x00060000000162d5-84.dat family_berbew behavioral1/files/0x00060000000162d5-82.dat family_berbew behavioral1/files/0x0006000000016057-70.dat family_berbew behavioral1/files/0x0006000000016594-96.dat family_berbew behavioral1/files/0x0006000000016594-100.dat family_berbew behavioral1/files/0x00060000000167ef-102.dat family_berbew behavioral1/files/0x00060000000167ef-112.dat family_berbew behavioral1/files/0x00060000000167ef-113.dat family_berbew behavioral1/files/0x00060000000167ef-108.dat family_berbew behavioral1/files/0x00060000000167ef-106.dat family_berbew behavioral1/files/0x0006000000016ba2-118.dat family_berbew behavioral1/files/0x0006000000016594-101.dat family_berbew behavioral1/files/0x0006000000016594-97.dat family_berbew behavioral1/files/0x0006000000016594-94.dat family_berbew behavioral1/files/0x0006000000016ba2-125.dat family_berbew behavioral1/files/0x0006000000016c24-130.dat family_berbew behavioral1/files/0x0006000000016c24-134.dat family_berbew behavioral1/files/0x0006000000016c24-137.dat family_berbew behavioral1/files/0x0006000000016c24-136.dat family_berbew behavioral1/files/0x0006000000016c24-132.dat family_berbew behavioral1/files/0x0006000000016ba2-124.dat family_berbew behavioral1/files/0x0006000000016ba2-121.dat family_berbew behavioral1/files/0x0006000000016ba2-120.dat family_berbew behavioral1/files/0x001b000000015c40-149.dat family_berbew behavioral1/files/0x001b000000015c40-148.dat family_berbew behavioral1/files/0x001b000000015c40-145.dat family_berbew behavioral1/files/0x001b000000015c40-144.dat family_berbew behavioral1/files/0x001b000000015c40-142.dat family_berbew behavioral1/files/0x0006000000016cb7-160.dat family_berbew behavioral1/files/0x0006000000016cb7-161.dat family_berbew behavioral1/files/0x0006000000016cb7-158.dat family_berbew behavioral1/files/0x0006000000016cb7-156.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2332 Dljkcb32.exe 2132 Dojddmec.exe 2732 Dkadjn32.exe 2736 Dakmfh32.exe 2860 Edlfhc32.exe 2480 Eoajel32.exe 2544 Epbfmd32.exe 2464 Ekhkjm32.exe 2808 Epecbd32.exe 2144 Ejmhkiig.exe 2008 Ecfldoph.exe 2588 Enkpahon.exe 384 Fchijone.exe 1660 Flqmbd32.exe 1064 Fhgnge32.exe 768 Fcmben32.exe 3012 Fkhgip32.exe 1648 Fnfcel32.exe 840 Ffmkfifa.exe 1880 Fgohna32.exe 280 Fdbhge32.exe 2040 Fkmqdpce.exe 2124 Ggcaiqhj.exe 1052 Ggfnopfg.exe 1456 Gqnbhf32.exe 3032 Gfkkpmko.exe 2252 Giiglhjb.exe 1460 Gfmgelil.exe 2200 Gmgpbf32.exe 2416 Gpelnb32.exe 2896 Hebdfind.exe 2576 Hllmcc32.exe 2700 Hnkion32.exe 2460 Hipmmg32.exe 2644 Hpjeialg.exe 2508 Hegnahjo.exe 2548 Hlafnbal.exe 2500 Hanogipc.exe 3040 Hdlkcdog.exe 2776 Hmeolj32.exe 1384 Helgmg32.exe 2472 Hjipenda.exe 2180 Hmglajcd.exe 1948 Idadnd32.exe 780 Ijklknbn.exe 1472 Iphecepe.exe 1048 Ifampo32.exe 1664 Imleli32.exe 1032 Ipjahd32.exe 2872 Iegjqk32.exe 2076 Imnbbi32.exe 2936 Ioooiack.exe 1696 Ieigfk32.exe 2244 Ihhcbf32.exe 2024 Ipokcdjn.exe 1708 Ielclkhe.exe 1992 Jlelhe32.exe 2368 Jbpdeogo.exe 892 Jhlmmfef.exe 1960 Jkkija32.exe 2208 Jaeafklf.exe 2392 Jhoice32.exe 2108 Jnkakl32.exe 2696 Jhafhe32.exe -
Loads dropped DLL 64 IoCs
pid Process 540 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 540 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 2332 Dljkcb32.exe 2332 Dljkcb32.exe 2132 Dojddmec.exe 2132 Dojddmec.exe 2732 Dkadjn32.exe 2732 Dkadjn32.exe 2736 Dakmfh32.exe 2736 Dakmfh32.exe 2860 Edlfhc32.exe 2860 Edlfhc32.exe 2480 Eoajel32.exe 2480 Eoajel32.exe 2544 Epbfmd32.exe 2544 Epbfmd32.exe 2464 Ekhkjm32.exe 2464 Ekhkjm32.exe 2808 Epecbd32.exe 2808 Epecbd32.exe 2144 Ejmhkiig.exe 2144 Ejmhkiig.exe 2008 Ecfldoph.exe 2008 Ecfldoph.exe 2588 Enkpahon.exe 2588 Enkpahon.exe 384 Fchijone.exe 384 Fchijone.exe 1660 Flqmbd32.exe 1660 Flqmbd32.exe 1064 Fhgnge32.exe 1064 Fhgnge32.exe 768 Fcmben32.exe 768 Fcmben32.exe 3012 Fkhgip32.exe 3012 Fkhgip32.exe 1648 Fnfcel32.exe 1648 Fnfcel32.exe 840 Ffmkfifa.exe 840 Ffmkfifa.exe 1880 Fgohna32.exe 1880 Fgohna32.exe 280 Fdbhge32.exe 280 Fdbhge32.exe 2040 Fkmqdpce.exe 2040 Fkmqdpce.exe 2124 Ggcaiqhj.exe 2124 Ggcaiqhj.exe 1052 Ggfnopfg.exe 1052 Ggfnopfg.exe 1456 Gqnbhf32.exe 1456 Gqnbhf32.exe 3032 Gfkkpmko.exe 3032 Gfkkpmko.exe 2252 Giiglhjb.exe 2252 Giiglhjb.exe 1460 Gfmgelil.exe 1460 Gfmgelil.exe 2200 Gmgpbf32.exe 2200 Gmgpbf32.exe 2416 Gpelnb32.exe 2416 Gpelnb32.exe 2896 Hebdfind.exe 2896 Hebdfind.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dkadjn32.exe Dojddmec.exe File created C:\Windows\SysWOW64\Dcfmdh32.dll Popeif32.exe File created C:\Windows\SysWOW64\Jkpjmlfb.dll Jnkakl32.exe File opened for modification C:\Windows\SysWOW64\Panaeb32.exe Popeif32.exe File created C:\Windows\SysWOW64\Mbginggd.dll Almjcobe.exe File opened for modification C:\Windows\SysWOW64\Dfjaej32.exe Dckdio32.exe File created C:\Windows\SysWOW64\Gopnca32.exe Gnoaliln.exe File created C:\Windows\SysWOW64\Cabjhddb.dll Hiehbl32.exe File created C:\Windows\SysWOW64\Jpccfogk.dll Idadnd32.exe File created C:\Windows\SysWOW64\Ckboie32.dll Qqfkln32.exe File created C:\Windows\SysWOW64\Hlafnbal.exe Hegnahjo.exe File created C:\Windows\SysWOW64\Bmhkmm32.exe Beackp32.exe File opened for modification C:\Windows\SysWOW64\Bajqfq32.exe Boidnh32.exe File created C:\Windows\SysWOW64\Nlcgpm32.dll Mjaddn32.exe File opened for modification C:\Windows\SysWOW64\Gkchpcoc.exe Gielchpp.exe File created C:\Windows\SysWOW64\Ipjahd32.exe Imleli32.exe File opened for modification C:\Windows\SysWOW64\Eddeladm.exe Eeaepd32.exe File created C:\Windows\SysWOW64\Mgedmb32.exe Mqklqhpg.exe File created C:\Windows\SysWOW64\Nanbnb32.dll Fcmben32.exe File created C:\Windows\SysWOW64\Oagoep32.exe Opfbngfb.exe File created C:\Windows\SysWOW64\Knnpkl32.dll Iedfqeka.exe File created C:\Windows\SysWOW64\Cljoegei.dll Lqipkhbj.exe File created C:\Windows\SysWOW64\Ambcga32.dll Edhkpcdb.exe File created C:\Windows\SysWOW64\Lppjddce.dll Edlfhc32.exe File created C:\Windows\SysWOW64\Knhjjj32.exe Kkjnnn32.exe File created C:\Windows\SysWOW64\Hbhmfk32.exe Hojqjp32.exe File opened for modification C:\Windows\SysWOW64\Mejlalji.exe Mbkpeake.exe File created C:\Windows\SysWOW64\Mqbbagjo.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Eekdmk32.exe Ecmhqp32.exe File created C:\Windows\SysWOW64\Hbnqln32.exe Gkchpcoc.exe File opened for modification C:\Windows\SysWOW64\Kokppd32.exe Jinghn32.exe File created C:\Windows\SysWOW64\Bnhjae32.exe Bgnaekil.exe File created C:\Windows\SysWOW64\Fchijone.exe Enkpahon.exe File created C:\Windows\SysWOW64\Emclhigi.dll Pldebkhj.exe File created C:\Windows\SysWOW64\Mfjann32.exe Mdiefffn.exe File opened for modification C:\Windows\SysWOW64\Jjlqpp32.exe Jadlgjjq.exe File created C:\Windows\SysWOW64\Ilnmeelc.dll Afjjed32.exe File created C:\Windows\SysWOW64\Kkfmcc32.dll Gneijien.exe File opened for modification C:\Windows\SysWOW64\Iedfqeka.exe Ibejdjln.exe File created C:\Windows\SysWOW64\Fdkmeiei.exe Fhdmph32.exe File opened for modification C:\Windows\SysWOW64\Gkiooocb.exe Gdpfbd32.exe File created C:\Windows\SysWOW64\Nfdgdh32.dll Kmbclj32.exe File opened for modification C:\Windows\SysWOW64\Gkbcbn32.exe Ghdgfbkl.exe File created C:\Windows\SysWOW64\Gdkjdl32.exe Gefmcp32.exe File opened for modification C:\Windows\SysWOW64\Khkdmh32.exe Kgjgepqm.exe File created C:\Windows\SysWOW64\Ngafdepl.exe Nqgngk32.exe File created C:\Windows\SysWOW64\Fifjgemj.dll Ofmiea32.exe File created C:\Windows\SysWOW64\Mlkegimk.exe Mjmiknng.exe File created C:\Windows\SysWOW64\Jkjlciol.dll NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe File created C:\Windows\SysWOW64\Ekhkjm32.exe Epbfmd32.exe File created C:\Windows\SysWOW64\Ohagbj32.exe Oagoep32.exe File opened for modification C:\Windows\SysWOW64\Dafmqb32.exe Dogpdg32.exe File created C:\Windows\SysWOW64\Dmlfacbk.dll Lghgocek.exe File opened for modification C:\Windows\SysWOW64\Gfkkpmko.exe Gqnbhf32.exe File created C:\Windows\SysWOW64\Fgocmc32.exe Fpdkpiik.exe File opened for modification C:\Windows\SysWOW64\Gkaljdaf.exe Gicpnhbb.exe File created C:\Windows\SysWOW64\Hqpahkmj.exe Hbnqln32.exe File created C:\Windows\SysWOW64\Hgjieedg.exe Hqpahkmj.exe File opened for modification C:\Windows\SysWOW64\Jffhec32.exe Jdhlih32.exe File created C:\Windows\SysWOW64\Lbcbjlmb.exe Loefnpnn.exe File created C:\Windows\SysWOW64\Fdfqfd32.dll Didgig32.exe File opened for modification C:\Windows\SysWOW64\Nlnpgd32.exe Nipdkieg.exe File opened for modification C:\Windows\SysWOW64\Hebdfind.exe Gpelnb32.exe File opened for modification C:\Windows\SysWOW64\Iphecepe.exe Ijklknbn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4100 1984 WerFault.exe 693 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chgimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idbfpfoc.dll" Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabalojc.dll" Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffaaoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfgpgmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haggijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihaldgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll" Nmpkal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbgjmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oenmkngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhlmmfef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhkdkaa.dll" Hblgnkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdjenkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmdcngbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hamgno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajgbkbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhhigm32.dll" Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqimphik.dll" Hjcppidk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpgffe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eaangfjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mplfpn32.dll" Fgohna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfdnmfb.dll" Gfgpgmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjldp32.dll" Kdgane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapecq32.dll" Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgblmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjgkiddo.dll" Bmmgbbeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feedfo32.dll" Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohagbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iegjqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaeafklf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iennnogo.dll" Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmdocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpccfogk.dll" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmmfaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anadojlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gicpnhbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmalmdcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afgmodel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idejihgk.dll" Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongkdd32.dll" Hboddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flqmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Fgocmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apapcnaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmglajcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkkija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhdmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdpfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjldnpp.dll" Inajql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fclkldqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Janihlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caaggpdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggicgopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhdlad32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 2332 540 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 27 PID 540 wrote to memory of 2332 540 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 27 PID 540 wrote to memory of 2332 540 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 27 PID 540 wrote to memory of 2332 540 NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe 27 PID 2332 wrote to memory of 2132 2332 Dljkcb32.exe 28 PID 2332 wrote to memory of 2132 2332 Dljkcb32.exe 28 PID 2332 wrote to memory of 2132 2332 Dljkcb32.exe 28 PID 2332 wrote to memory of 2132 2332 Dljkcb32.exe 28 PID 2132 wrote to memory of 2732 2132 Dojddmec.exe 30 PID 2132 wrote to memory of 2732 2132 Dojddmec.exe 30 PID 2132 wrote to memory of 2732 2132 Dojddmec.exe 30 PID 2132 wrote to memory of 2732 2132 Dojddmec.exe 30 PID 2732 wrote to memory of 2736 2732 Dkadjn32.exe 29 PID 2732 wrote to memory of 2736 2732 Dkadjn32.exe 29 PID 2732 wrote to memory of 2736 2732 Dkadjn32.exe 29 PID 2732 wrote to memory of 2736 2732 Dkadjn32.exe 29 PID 2736 wrote to memory of 2860 2736 Dakmfh32.exe 31 PID 2736 wrote to memory of 2860 2736 Dakmfh32.exe 31 PID 2736 wrote to memory of 2860 2736 Dakmfh32.exe 31 PID 2736 wrote to memory of 2860 2736 Dakmfh32.exe 31 PID 2860 wrote to memory of 2480 2860 Edlfhc32.exe 32 PID 2860 wrote to memory of 2480 2860 Edlfhc32.exe 32 PID 2860 wrote to memory of 2480 2860 Edlfhc32.exe 32 PID 2860 wrote to memory of 2480 2860 Edlfhc32.exe 32 PID 2480 wrote to memory of 2544 2480 Eoajel32.exe 33 PID 2480 wrote to memory of 2544 2480 Eoajel32.exe 33 PID 2480 wrote to memory of 2544 2480 Eoajel32.exe 33 PID 2480 wrote to memory of 2544 2480 Eoajel32.exe 33 PID 2544 wrote to memory of 2464 2544 Epbfmd32.exe 34 PID 2544 wrote to memory of 2464 2544 Epbfmd32.exe 34 PID 2544 wrote to memory of 2464 2544 Epbfmd32.exe 34 PID 2544 wrote to memory of 2464 2544 Epbfmd32.exe 34 PID 2464 wrote to memory of 2808 2464 Ekhkjm32.exe 36 PID 2464 wrote to memory of 2808 2464 Ekhkjm32.exe 36 PID 2464 wrote to memory of 2808 2464 Ekhkjm32.exe 36 PID 2464 wrote to memory of 2808 2464 Ekhkjm32.exe 36 PID 2808 wrote to memory of 2144 2808 Epecbd32.exe 35 PID 2808 wrote to memory of 2144 2808 Epecbd32.exe 35 PID 2808 wrote to memory of 2144 2808 Epecbd32.exe 35 PID 2808 wrote to memory of 2144 2808 Epecbd32.exe 35 PID 2144 wrote to memory of 2008 2144 Ejmhkiig.exe 37 PID 2144 wrote to memory of 2008 2144 Ejmhkiig.exe 37 PID 2144 wrote to memory of 2008 2144 Ejmhkiig.exe 37 PID 2144 wrote to memory of 2008 2144 Ejmhkiig.exe 37 PID 2008 wrote to memory of 2588 2008 Ecfldoph.exe 38 PID 2008 wrote to memory of 2588 2008 Ecfldoph.exe 38 PID 2008 wrote to memory of 2588 2008 Ecfldoph.exe 38 PID 2008 wrote to memory of 2588 2008 Ecfldoph.exe 38 PID 2588 wrote to memory of 384 2588 Enkpahon.exe 39 PID 2588 wrote to memory of 384 2588 Enkpahon.exe 39 PID 2588 wrote to memory of 384 2588 Enkpahon.exe 39 PID 2588 wrote to memory of 384 2588 Enkpahon.exe 39 PID 384 wrote to memory of 1660 384 Fchijone.exe 40 PID 384 wrote to memory of 1660 384 Fchijone.exe 40 PID 384 wrote to memory of 1660 384 Fchijone.exe 40 PID 384 wrote to memory of 1660 384 Fchijone.exe 40 PID 1660 wrote to memory of 1064 1660 Flqmbd32.exe 41 PID 1660 wrote to memory of 1064 1660 Flqmbd32.exe 41 PID 1660 wrote to memory of 1064 1660 Flqmbd32.exe 41 PID 1660 wrote to memory of 1064 1660 Flqmbd32.exe 41 PID 1064 wrote to memory of 768 1064 Fhgnge32.exe 42 PID 1064 wrote to memory of 768 1064 Fhgnge32.exe 42 PID 1064 wrote to memory of 768 1064 Fhgnge32.exe 42 PID 1064 wrote to memory of 768 1064 Fhgnge32.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.006e06d4cf163ed88285cd11f54c1ee0.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732
-
-
-
-
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808
-
-
-
-
C:\Windows\SysWOW64\Jfcabd32.exeC:\Windows\system32\Jfcabd32.exe4⤵PID:2544
-
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4256 -
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe6⤵PID:4332
-
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe7⤵PID:436
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe23⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe24⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe25⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe26⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe28⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe29⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe30⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe31⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe32⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe33⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe37⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe38⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe43⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe44⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe45⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe46⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe48⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe49⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:892 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe53⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe56⤵PID:2684
-
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe57⤵PID:3048
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe58⤵PID:1700
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe59⤵PID:3052
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe60⤵PID:2072
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe61⤵PID:2552
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe62⤵PID:276
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe64⤵PID:1536
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe65⤵PID:832
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe66⤵PID:2840
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe67⤵PID:2400
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe68⤵PID:3016
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe69⤵PID:1280
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe70⤵PID:2580
-
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe72⤵PID:2020
-
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe73⤵PID:3056
-
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe74⤵PID:2912
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe75⤵PID:588
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe76⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe77⤵PID:1464
-
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe79⤵PID:2688
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe80⤵PID:2908
-
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe81⤵PID:2484
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe82⤵PID:2992
-
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe83⤵PID:1704
-
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe84⤵PID:2800
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe85⤵PID:1860
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe86⤵PID:1988
-
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe87⤵PID:592
-
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe88⤵PID:2744
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe89⤵PID:920
-
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2876 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe91⤵PID:2920
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe92⤵PID:2080
-
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe93⤵PID:2216
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:792 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe95⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe96⤵PID:904
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe97⤵PID:3028
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe98⤵PID:2692
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe99⤵PID:2628
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe100⤵PID:2720
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe101⤵PID:2652
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe102⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe104⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe105⤵PID:572
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe106⤵PID:2836
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe107⤵PID:1044
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe108⤵PID:1244
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe109⤵PID:2248
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe110⤵PID:368
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe111⤵PID:2328
-
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe112⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe113⤵PID:856
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe114⤵PID:2612
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe115⤵PID:2804
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe116⤵PID:2540
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe117⤵PID:2516
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe118⤵PID:1972
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe119⤵PID:680
-
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe120⤵PID:1600
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe121⤵PID:3060
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-