Analysis
-
max time kernel
132s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
03/11/2023, 09:31
Behavioral task
behavioral1
Sample
NEAS.885e87c9ca07b98e84e67bf2574652f0.exe
Resource
win7-20231020-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
NEAS.885e87c9ca07b98e84e67bf2574652f0.exe
Resource
win10v2004-20231025-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
NEAS.885e87c9ca07b98e84e67bf2574652f0.exe
-
Size
67KB
-
MD5
885e87c9ca07b98e84e67bf2574652f0
-
SHA1
85918c2cfd8486b5b5b90916fe2c3453f031a995
-
SHA256
adab85bf16c950b231b7d5aa96a5e76a955750ee399f5be9a55244bd4e219e66
-
SHA512
b527e9f5f0810704182b54133d1b7c81c1794b0f175b1cbe9a95c8f51f6526e0a8196cf7dc487f80e7459f14b11eee3b2fa3ac13175349c5a610e9f700dd7393
-
SSDEEP
768:1uLrL1xjBZXfBcad278etcEDhNPqXBGSAyLLKX/1H5r7EVErME/feYvn1q/D2Zu4:1uLlxtkaAvrV4gVsJifTduD4oTxw
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dciceaoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bomhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dooqceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joihjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjoifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inebpgbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echlmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkbfcck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgnadkic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapjdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdlnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Milaecdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmoaoikj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Celbik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glpdde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljkaeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komjmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caepdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejgemkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kghpoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epkepakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbjfcnkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfnjnin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heijidbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcdcgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kddmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmgcepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcenlceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgalndh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmaick32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afhpca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npagjpcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbbpmgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngaig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimjmbae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbogfcjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anlhkbhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbeiiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpngmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqbeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnkbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdhbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpqpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjjnan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapjdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqcqpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfnlcnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdhbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipmoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjinaco.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/2284-0-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x00070000000120bd-5.dat family_berbew behavioral1/files/0x00070000000120bd-9.dat family_berbew behavioral1/files/0x0033000000015ca9-21.dat family_berbew behavioral1/memory/2824-18-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0033000000015ca9-14.dat family_berbew behavioral1/files/0x00070000000120bd-13.dat family_berbew behavioral1/files/0x00070000000120bd-8.dat family_berbew behavioral1/files/0x00070000000120bd-12.dat family_berbew behavioral1/files/0x0033000000015ca9-19.dat family_berbew behavioral1/memory/2284-6-0x0000000000220000-0x000000000025B000-memory.dmp family_berbew behavioral1/files/0x0008000000015e70-38.dat family_berbew behavioral1/files/0x0008000000015e70-34.dat family_berbew behavioral1/files/0x0008000000015e70-33.dat family_berbew behavioral1/files/0x0007000000016059-40.dat family_berbew behavioral1/files/0x000800000001627d-57.dat family_berbew behavioral1/files/0x0008000000015e70-39.dat family_berbew behavioral1/files/0x0033000000015ca9-26.dat family_berbew behavioral1/files/0x0033000000015ca9-25.dat family_berbew behavioral1/files/0x0008000000015e70-31.dat family_berbew behavioral1/files/0x000800000001627d-60.dat family_berbew behavioral1/memory/2684-56-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0007000000016059-51.dat family_berbew behavioral1/files/0x0007000000016059-50.dat family_berbew behavioral1/files/0x000800000001627d-59.dat family_berbew behavioral1/files/0x0007000000016059-46.dat family_berbew behavioral1/files/0x0007000000016059-44.dat family_berbew behavioral1/files/0x0006000000016ba8-66.dat family_berbew behavioral1/files/0x000800000001627d-65.dat family_berbew behavioral1/files/0x000800000001627d-64.dat family_berbew behavioral1/memory/2560-63-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016ba8-73.dat family_berbew behavioral1/files/0x0006000000016ca2-97.dat family_berbew behavioral1/memory/2568-90-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016ca2-93.dat family_berbew behavioral1/files/0x0006000000016c2a-92.dat family_berbew behavioral1/files/0x0006000000016c2a-91.dat family_berbew behavioral1/files/0x0006000000016ba8-79.dat family_berbew behavioral1/memory/2700-78-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016ba8-77.dat family_berbew behavioral1/files/0x0006000000016c2a-87.dat family_berbew behavioral1/files/0x0006000000016c2a-86.dat family_berbew behavioral1/memory/2632-72-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016ba8-70.dat family_berbew behavioral1/files/0x0006000000016c2a-84.dat family_berbew behavioral1/files/0x0006000000016cde-111.dat family_berbew behavioral1/files/0x0006000000016ca2-104.dat family_berbew behavioral1/files/0x0006000000016cde-108.dat family_berbew behavioral1/files/0x0006000000016cde-117.dat family_berbew behavioral1/files/0x0006000000016ca2-106.dat family_berbew behavioral1/memory/2932-105-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/memory/2064-101-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016ca2-99.dat family_berbew behavioral1/files/0x0006000000016cde-113.dat family_berbew behavioral1/files/0x0006000000016cde-119.dat family_berbew behavioral1/memory/3044-118-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/memory/2064-124-0x0000000000220000-0x000000000025B000-memory.dmp family_berbew behavioral1/memory/2124-136-0x0000000000400000-0x000000000043B000-memory.dmp family_berbew behavioral1/files/0x0006000000016cf9-132.dat family_berbew behavioral1/files/0x0006000000016cf9-131.dat family_berbew behavioral1/files/0x0006000000016d01-138.dat family_berbew behavioral1/files/0x0006000000016cf9-128.dat family_berbew behavioral1/files/0x0006000000016cf9-127.dat family_berbew behavioral1/files/0x0006000000016cf9-125.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2824 Cgejac32.exe 2684 Cpnojioo.exe 2632 Cjfccn32.exe 2560 Dgjclbdi.exe 2700 Dndlim32.exe 2568 Dglpbbbg.exe 2064 Dpeekh32.exe 2932 Djmicm32.exe 3044 Dcenlceh.exe 2124 Dnoomqbg.exe 2204 Dhdcji32.exe 2836 Ebmgcohn.exe 568 Egjpkffe.exe 1804 Egllae32.exe 1164 Enfenplo.exe 2388 Edpmjj32.exe 1060 Eqijej32.exe 2036 Ffhpbacb.exe 620 Flehkhai.exe 956 Fiihdlpc.exe 1644 Fpcqaf32.exe 2164 Fnhnbb32.exe 2020 Fagjnn32.exe 2112 Fhqbkhch.exe 2340 Fjongcbl.exe 772 Faigdn32.exe 2096 Gjakmc32.exe 2656 Gdjpeifj.exe 2672 Gjdhbc32.exe 2688 Gpqpjj32.exe 2708 Gjfdhbld.exe 2544 Gdniqh32.exe 2520 Gbcfadgl.exe 2888 Ginnnooi.exe 2828 Hbfbgd32.exe 3048 Hipkdnmf.exe 3004 Heglio32.exe 1916 Hhehek32.exe 112 Hoopae32.exe 676 Hhgdkjol.exe 584 Hoamgd32.exe 2856 Hapicp32.exe 1284 Hdnepk32.exe 2348 Hiknhbcg.exe 1852 Hmfjha32.exe 2040 Hdqbekcm.exe 1320 Igonafba.exe 2428 Iimjmbae.exe 1384 Inifnq32.exe 2120 Ipgbjl32.exe 3008 Igakgfpn.exe 2420 Iompkh32.exe 1512 Igchlf32.exe 1816 Iefhhbef.exe 2268 Ilqpdm32.exe 1720 Ioolqh32.exe 1716 Ilcmjl32.exe 2652 Idnaoohk.exe 2948 Jocflgga.exe 2752 Jdpndnei.exe 2104 Jofbag32.exe 2392 Jhngjmlo.exe 528 Jjpcbe32.exe 696 Jqilooij.exe -
Loads dropped DLL 64 IoCs
pid Process 2284 NEAS.885e87c9ca07b98e84e67bf2574652f0.exe 2284 NEAS.885e87c9ca07b98e84e67bf2574652f0.exe 2824 Cgejac32.exe 2824 Cgejac32.exe 2684 Cpnojioo.exe 2684 Cpnojioo.exe 2632 Cjfccn32.exe 2632 Cjfccn32.exe 2560 Dgjclbdi.exe 2560 Dgjclbdi.exe 2700 Dndlim32.exe 2700 Dndlim32.exe 2568 Dglpbbbg.exe 2568 Dglpbbbg.exe 2064 Dpeekh32.exe 2064 Dpeekh32.exe 2932 Djmicm32.exe 2932 Djmicm32.exe 3044 Dcenlceh.exe 3044 Dcenlceh.exe 2124 Dnoomqbg.exe 2124 Dnoomqbg.exe 2204 Dhdcji32.exe 2204 Dhdcji32.exe 2836 Ebmgcohn.exe 2836 Ebmgcohn.exe 568 Egjpkffe.exe 568 Egjpkffe.exe 1804 Egllae32.exe 1804 Egllae32.exe 1164 Enfenplo.exe 1164 Enfenplo.exe 2388 Edpmjj32.exe 2388 Edpmjj32.exe 1060 Eqijej32.exe 1060 Eqijej32.exe 2036 Ffhpbacb.exe 2036 Ffhpbacb.exe 620 Flehkhai.exe 620 Flehkhai.exe 956 Fiihdlpc.exe 956 Fiihdlpc.exe 1644 Fpcqaf32.exe 1644 Fpcqaf32.exe 2164 Fnhnbb32.exe 2164 Fnhnbb32.exe 2020 Fagjnn32.exe 2020 Fagjnn32.exe 2112 Fhqbkhch.exe 2112 Fhqbkhch.exe 2340 Fjongcbl.exe 2340 Fjongcbl.exe 772 Faigdn32.exe 772 Faigdn32.exe 2096 Gjakmc32.exe 2096 Gjakmc32.exe 2656 Gdjpeifj.exe 2656 Gdjpeifj.exe 2672 Gjdhbc32.exe 2672 Gjdhbc32.exe 2688 Gpqpjj32.exe 2688 Gpqpjj32.exe 2708 Gjfdhbld.exe 2708 Gjfdhbld.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eecafd32.exe Eogmcjef.exe File created C:\Windows\SysWOW64\Ibkhak32.dll Elfaifaq.exe File created C:\Windows\SysWOW64\Ihpfgalh.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Ioienjgm.dll Fmbjjp32.exe File opened for modification C:\Windows\SysWOW64\Lneaqn32.exe Lgkhdddo.exe File opened for modification C:\Windows\SysWOW64\Celbik32.exe Cppjadhk.exe File opened for modification C:\Windows\SysWOW64\Caepdk32.exe Cogdhpkp.exe File created C:\Windows\SysWOW64\Bjnhnn32.exe Bjlkhn32.exe File created C:\Windows\SysWOW64\Chkoef32.exe Celbik32.exe File created C:\Windows\SysWOW64\Ibcnojnp.exe Ipeaco32.exe File opened for modification C:\Windows\SysWOW64\Ibejdjln.exe Ijnbcmkk.exe File created C:\Windows\SysWOW64\Cldcdi32.dll Kioiffcn.exe File opened for modification C:\Windows\SysWOW64\Jgfqaiod.exe Jqlhdo32.exe File created C:\Windows\SysWOW64\Kbnclf32.dll Jaeafklf.exe File opened for modification C:\Windows\SysWOW64\Lnjcomcf.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Oihdjk32.exe Ogjhnp32.exe File created C:\Windows\SysWOW64\Bimolnei.dll Afhpca32.exe File created C:\Windows\SysWOW64\Koogbk32.exe Kheofahm.exe File created C:\Windows\SysWOW64\Ailboh32.exe Abbjbnoq.exe File created C:\Windows\SysWOW64\Kjllab32.exe Khkpijma.exe File created C:\Windows\SysWOW64\Ojklfdgh.dll Kgpmjf32.exe File created C:\Windows\SysWOW64\Llbnnq32.exe Lehfafgp.exe File opened for modification C:\Windows\SysWOW64\Lajmkhai.exe Kioiffcn.exe File opened for modification C:\Windows\SysWOW64\Qnciiq32.exe Qgiplffm.exe File created C:\Windows\SysWOW64\Bijnecld.dll Ajmfca32.exe File created C:\Windows\SysWOW64\Ncndladm.dll Ejfnda32.exe File created C:\Windows\SysWOW64\Kqqdjceh.exe Koogbk32.exe File opened for modification C:\Windows\SysWOW64\Iimjmbae.exe Igonafba.exe File created C:\Windows\SysWOW64\Gdfjcc32.dll Ijdqna32.exe File created C:\Windows\SysWOW64\Bihmcd32.dll Ldjpbign.exe File created C:\Windows\SysWOW64\Kmjaddii.exe Kngaig32.exe File created C:\Windows\SysWOW64\Dilddl32.exe Dlhdjh32.exe File created C:\Windows\SysWOW64\Bnekcm32.exe Bgkbfcck.exe File opened for modification C:\Windows\SysWOW64\Knnkpobc.exe Kkoncdcp.exe File opened for modification C:\Windows\SysWOW64\Imahkg32.exe Iefcfe32.exe File created C:\Windows\SysWOW64\Mggabaea.exe Mqnifg32.exe File created C:\Windows\SysWOW64\Lloimaiq.dll Komjmk32.exe File created C:\Windows\SysWOW64\Kgefefnd.exe Kjaelaok.exe File created C:\Windows\SysWOW64\Ihdjpd32.dll Qhjfgl32.exe File opened for modification C:\Windows\SysWOW64\Lpddgd32.exe Lncgollm.exe File opened for modification C:\Windows\SysWOW64\Efjmbaba.exe Mdmkoepk.exe File created C:\Windows\SysWOW64\Mdmhfpkg.exe Migdig32.exe File created C:\Windows\SysWOW64\Gbqbaofc.exe Gjijqa32.exe File created C:\Windows\SysWOW64\Diaaeepi.exe Dgbeiiqe.exe File opened for modification C:\Windows\SysWOW64\Hhjgll32.exe Gnabcf32.exe File opened for modification C:\Windows\SysWOW64\Denknngk.exe Dmcgik32.exe File created C:\Windows\SysWOW64\Ocbjdb32.dll Ghkndf32.exe File created C:\Windows\SysWOW64\Ocbhagfe.dll Hhbdee32.exe File created C:\Windows\SysWOW64\Ofdqhh32.dll Pgacaaij.exe File created C:\Windows\SysWOW64\Mmogmjmn.exe Mfdopp32.exe File opened for modification C:\Windows\SysWOW64\Bfqpecma.exe Bimoloog.exe File created C:\Windows\SysWOW64\Bglbcj32.dll Gfhgpg32.exe File opened for modification C:\Windows\SysWOW64\Lncgollm.exe Ljgkom32.exe File created C:\Windows\SysWOW64\Mjaaedaj.dll Midnqh32.exe File opened for modification C:\Windows\SysWOW64\Jqlhdo32.exe Jjbpgd32.exe File created C:\Windows\SysWOW64\Oiklkjgo.dll Fcpfedki.exe File opened for modification C:\Windows\SysWOW64\Kjllab32.exe Khkpijma.exe File opened for modification C:\Windows\SysWOW64\Ffkncf32.exe Fghngimj.exe File opened for modification C:\Windows\SysWOW64\Koogbk32.exe Kheofahm.exe File created C:\Windows\SysWOW64\Glbqje32.exe Gehhmkko.exe File created C:\Windows\SysWOW64\Bikppe32.dll Jpfhoi32.exe File opened for modification C:\Windows\SysWOW64\Hjfcpo32.exe Hmjlhfof.exe File opened for modification C:\Windows\SysWOW64\Ecobmg32.exe Ehinpnpm.exe File created C:\Windows\SysWOW64\Iamabm32.exe Ikbifcpb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2312 2976 WerFault.exe 656 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Figmjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgiobadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfnlcnih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlpeij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqggnndf.dll" Ncfoch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inebpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll" Dpflqfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhjphfgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojklfdgh.dll" Kgpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdqhh32.dll" Pgacaaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aofklbnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdplfflp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnllnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najpll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lekcffem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghenamai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akmlacdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkpabqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddjiql.dll" Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gkbcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnmpdlac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmjlhfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elookl32.dll" Ceacoqfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bggjeedg.dll" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqklqhpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kioiffcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epiqdk32.dll" Qidckjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhghcb32.dll" Fagjnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epkepakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Celbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll" Iickckcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphiff32.dll" Iaeegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nigafnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkgjak32.dll" Ohjmlaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjeefofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijcmo32.dll" Iabhdefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llbnnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijbioba.dll" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgddfe32.dll" Kffldlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oomlfpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgmeid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plolgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhgpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dacpkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bflbigdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjgfp32.dll" Dilddl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijhgopb.dll" Chohqebq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfbma32.dll" Kofaicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapchl32.dll" Jpeafo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2284 wrote to memory of 2824 2284 NEAS.885e87c9ca07b98e84e67bf2574652f0.exe 28 PID 2284 wrote to memory of 2824 2284 NEAS.885e87c9ca07b98e84e67bf2574652f0.exe 28 PID 2284 wrote to memory of 2824 2284 NEAS.885e87c9ca07b98e84e67bf2574652f0.exe 28 PID 2284 wrote to memory of 2824 2284 NEAS.885e87c9ca07b98e84e67bf2574652f0.exe 28 PID 2824 wrote to memory of 2684 2824 Cgejac32.exe 30 PID 2824 wrote to memory of 2684 2824 Cgejac32.exe 30 PID 2824 wrote to memory of 2684 2824 Cgejac32.exe 30 PID 2824 wrote to memory of 2684 2824 Cgejac32.exe 30 PID 2684 wrote to memory of 2632 2684 Cpnojioo.exe 29 PID 2684 wrote to memory of 2632 2684 Cpnojioo.exe 29 PID 2684 wrote to memory of 2632 2684 Cpnojioo.exe 29 PID 2684 wrote to memory of 2632 2684 Cpnojioo.exe 29 PID 2632 wrote to memory of 2560 2632 Cjfccn32.exe 31 PID 2632 wrote to memory of 2560 2632 Cjfccn32.exe 31 PID 2632 wrote to memory of 2560 2632 Cjfccn32.exe 31 PID 2632 wrote to memory of 2560 2632 Cjfccn32.exe 31 PID 2560 wrote to memory of 2700 2560 Dgjclbdi.exe 32 PID 2560 wrote to memory of 2700 2560 Dgjclbdi.exe 32 PID 2560 wrote to memory of 2700 2560 Dgjclbdi.exe 32 PID 2560 wrote to memory of 2700 2560 Dgjclbdi.exe 32 PID 2700 wrote to memory of 2568 2700 Dndlim32.exe 33 PID 2700 wrote to memory of 2568 2700 Dndlim32.exe 33 PID 2700 wrote to memory of 2568 2700 Dndlim32.exe 33 PID 2700 wrote to memory of 2568 2700 Dndlim32.exe 33 PID 2568 wrote to memory of 2064 2568 Dglpbbbg.exe 34 PID 2568 wrote to memory of 2064 2568 Dglpbbbg.exe 34 PID 2568 wrote to memory of 2064 2568 Dglpbbbg.exe 34 PID 2568 wrote to memory of 2064 2568 Dglpbbbg.exe 34 PID 2064 wrote to memory of 2932 2064 Dpeekh32.exe 35 PID 2064 wrote to memory of 2932 2064 Dpeekh32.exe 35 PID 2064 wrote to memory of 2932 2064 Dpeekh32.exe 35 PID 2064 wrote to memory of 2932 2064 Dpeekh32.exe 35 PID 2932 wrote to memory of 3044 2932 Djmicm32.exe 36 PID 2932 wrote to memory of 3044 2932 Djmicm32.exe 36 PID 2932 wrote to memory of 3044 2932 Djmicm32.exe 36 PID 2932 wrote to memory of 3044 2932 Djmicm32.exe 36 PID 3044 wrote to memory of 2124 3044 Dcenlceh.exe 37 PID 3044 wrote to memory of 2124 3044 Dcenlceh.exe 37 PID 3044 wrote to memory of 2124 3044 Dcenlceh.exe 37 PID 3044 wrote to memory of 2124 3044 Dcenlceh.exe 37 PID 2124 wrote to memory of 2204 2124 Dnoomqbg.exe 38 PID 2124 wrote to memory of 2204 2124 Dnoomqbg.exe 38 PID 2124 wrote to memory of 2204 2124 Dnoomqbg.exe 38 PID 2124 wrote to memory of 2204 2124 Dnoomqbg.exe 38 PID 2204 wrote to memory of 2836 2204 Dhdcji32.exe 39 PID 2204 wrote to memory of 2836 2204 Dhdcji32.exe 39 PID 2204 wrote to memory of 2836 2204 Dhdcji32.exe 39 PID 2204 wrote to memory of 2836 2204 Dhdcji32.exe 39 PID 2836 wrote to memory of 568 2836 Ebmgcohn.exe 40 PID 2836 wrote to memory of 568 2836 Ebmgcohn.exe 40 PID 2836 wrote to memory of 568 2836 Ebmgcohn.exe 40 PID 2836 wrote to memory of 568 2836 Ebmgcohn.exe 40 PID 568 wrote to memory of 1804 568 Egjpkffe.exe 41 PID 568 wrote to memory of 1804 568 Egjpkffe.exe 41 PID 568 wrote to memory of 1804 568 Egjpkffe.exe 41 PID 568 wrote to memory of 1804 568 Egjpkffe.exe 41 PID 1804 wrote to memory of 1164 1804 Egllae32.exe 42 PID 1804 wrote to memory of 1164 1804 Egllae32.exe 42 PID 1804 wrote to memory of 1164 1804 Egllae32.exe 42 PID 1804 wrote to memory of 1164 1804 Egllae32.exe 42 PID 1164 wrote to memory of 2388 1164 Enfenplo.exe 43 PID 1164 wrote to memory of 2388 1164 Enfenplo.exe 43 PID 1164 wrote to memory of 2388 1164 Enfenplo.exe 43 PID 1164 wrote to memory of 2388 1164 Enfenplo.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.885e87c9ca07b98e84e67bf2574652f0.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.885e87c9ca07b98e84e67bf2574652f0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Cpnojioo.exeC:\Windows\system32\Cpnojioo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684
-
-
-
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Dgjclbdi.exeC:\Windows\system32\Dgjclbdi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Djmicm32.exeC:\Windows\system32\Djmicm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Dcenlceh.exeC:\Windows\system32\Dcenlceh.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Dnoomqbg.exeC:\Windows\system32\Dnoomqbg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Egllae32.exeC:\Windows\system32\Egllae32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Flehkhai.exeC:\Windows\system32\Flehkhai.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Gpqpjj32.exeC:\Windows\system32\Gpqpjj32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe30⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe31⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe32⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe33⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Hipkdnmf.exeC:\Windows\system32\Hipkdnmf.exe34⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe35⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe36⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe37⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe38⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe39⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Hapicp32.exeC:\Windows\system32\Hapicp32.exe40⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Hdnepk32.exeC:\Windows\system32\Hdnepk32.exe41⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe44⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Igonafba.exeC:\Windows\system32\Igonafba.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Inifnq32.exeC:\Windows\system32\Inifnq32.exe47⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe48⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe49⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe50⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe51⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe52⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe53⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe54⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe55⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe56⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe57⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe58⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Jdpndnei.exeC:\Windows\system32\Jdpndnei.exe59⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe60⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe61⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Jjpcbe32.exeC:\Windows\system32\Jjpcbe32.exe62⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe63⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe64⤵PID:2604
-
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe66⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe67⤵PID:1572
-
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe68⤵PID:2876
-
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe70⤵PID:1212
-
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe71⤵PID:1580
-
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe72⤵PID:1308
-
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe73⤵PID:1112
-
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe74⤵PID:1160
-
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe75⤵PID:1552
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe76⤵PID:1660
-
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:900 -
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe78⤵PID:1700
-
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe79⤵PID:1788
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe80⤵PID:992
-
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe81⤵PID:2224
-
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe83⤵PID:1316
-
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe84⤵PID:2572
-
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe86⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe87⤵PID:2904
-
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe88⤵PID:3036
-
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe89⤵PID:2616
-
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe90⤵PID:1960
-
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe91⤵PID:2000
-
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe92⤵PID:2860
-
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe93⤵
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe94⤵PID:588
-
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe95⤵PID:524
-
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe97⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:832 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe99⤵PID:2056
-
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe100⤵PID:1052
-
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe101⤵PID:2896
-
C:\Windows\SysWOW64\Fjlkgn32.exeC:\Windows\system32\Fjlkgn32.exe102⤵PID:2336
-
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2636 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe104⤵PID:2960
-
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe105⤵PID:2532
-
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2692 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe107⤵PID:1696
-
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe108⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe109⤵PID:2440
-
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe110⤵PID:2844
-
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe111⤵PID:1952
-
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe112⤵PID:1668
-
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe113⤵PID:368
-
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe114⤵PID:440
-
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe115⤵PID:1776
-
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe116⤵
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe117⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe118⤵PID:1368
-
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe119⤵PID:392
-
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe120⤵PID:2460
-
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe121⤵PID:2660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-