Analysis
- max time kernel: 165s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2023, 05:26

Behavioral task: behavioral1
- Sample: NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe
- Resource: win7-20231025-en

Behavioral task: behavioral2
- Sample: NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe
- Resource: win10v2004-20231023-en

General
- Target: NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe
- Size: 169KB
- MD5: e0b7e832fafaf9e02910c9d8ecda6da0
- SHA1: 0e6e6b7076af55b545017929b1783dcde9ba147f
- SHA256: 362755deff35122f9087eeb3072b63c934d6fb133d14bc1038e917748291e0b4
- SHA512: 1de3826211028c45945e6c55ec9cd07c77c114c4092bdaa83606a7d40aec2fa39110f065b298c3b26f8fe04c2b215b240a3b8a1f3ca84b17ab824cd22ebb9f06
- SSDEEP: 3072:XiHuBSOOooIQm3K1lU2l7vCFyCYUsIBU4QXqMhT9z/EHh63OIBi:SHugooIT3K1lvl7HCYfF4QXxhT9z/jOJ
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogcike32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Olfgcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djomjfde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jncfmgfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Icoglp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bllble32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djhifnho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bpkjnjqc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmooak32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieqplb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maaeem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjndpg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocjokijf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maoionbi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mceccbpj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epfflj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Monpnbeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjiljdaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kcphpdil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nfpled32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkgmmpab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fohobmke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nffljjfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pmafpchb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jhainmlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Amjalo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fbgbione.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgonfcnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eqmjen32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qiocde32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbihdn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmobdm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbbkbbkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kkdoje32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgemimck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gdqgfbop.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pklamb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ddjmkg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekljic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gbdgpfni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hcpcehko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gmdcpoid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmdcpoid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lagepl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ebejem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqihgcma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ipdfheal.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eenfff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fnalfmhp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blbkck32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfeibf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efgono32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djhifnho.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdmgok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkepeaaa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdfkhh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Klhdjj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqbfaa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plifea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dmlkaela.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opiipkfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gcqhcgqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gnmblb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ebpqjmpd.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/memory/4952-0-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cdf-6.dat | family_berbew
behavioral2/memory/2216-7-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022cdf-8.dat | family_berbew
behavioral2/files/0x0006000000022cf1-14.dat | family_berbew
behavioral2/files/0x0006000000022cf1-16.dat | family_berbew
behavioral2/memory/2600-15-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0009000000022ce4-17.dat | family_berbew
behavioral2/files/0x0009000000022ce4-21.dat | family_berbew
behavioral2/memory/692-24-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0009000000022ce4-23.dat | family_berbew
behavioral2/files/0x0007000000022ce6-30.dat | family_berbew
behavioral2/memory/3132-31-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022ce6-32.dat | family_berbew
behavioral2/files/0x0007000000022ce8-37.dat | family_berbew
behavioral2/memory/4952-39-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/memory/4308-40-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0007000000022ce8-41.dat | family_berbew
behavioral2/files/0x0008000000022cec-47.dat | family_berbew
behavioral2/files/0x0008000000022cec-49.dat | family_berbew
behavioral2/memory/4700-48-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cee-55.dat | family_berbew
behavioral2/memory/3056-56-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cee-57.dat | family_berbew
behavioral2/files/0x0008000000022cf3-63.dat | family_berbew
behavioral2/memory/4516-64-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0008000000022cf3-65.dat | family_berbew
behavioral2/files/0x0006000000022cf5-71.dat | family_berbew
behavioral2/memory/4564-72-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf5-73.dat | family_berbew
behavioral2/files/0x0006000000022cf7-79.dat | family_berbew
behavioral2/memory/448-81-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf7-80.dat | family_berbew
behavioral2/files/0x0006000000022cf9-87.dat | family_berbew
behavioral2/memory/2216-88-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cf9-89.dat | family_berbew
behavioral2/memory/3512-90-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfb-91.dat | family_berbew
behavioral2/files/0x0006000000022cfb-96.dat | family_berbew
behavioral2/memory/2600-97-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfb-99.dat | family_berbew
behavioral2/memory/2364-98-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cfd-105.dat | family_berbew
behavioral2/files/0x0006000000022cfd-107.dat | family_berbew
behavioral2/memory/5048-108-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/memory/692-106-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cff-116.dat | family_berbew
behavioral2/memory/5100-117-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/memory/3132-115-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022cff-114.dat | family_berbew
behavioral2/files/0x0006000000022d01-125.dat | family_berbew
behavioral2/memory/3120-126-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d03-132.dat | family_berbew
behavioral2/memory/4308-124-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/memory/4700-133-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d03-134.dat | family_berbew
behavioral2/files/0x0006000000022d01-123.dat | family_berbew
behavioral2/memory/4528-135-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d05-136.dat | family_berbew
behavioral2/memory/3056-143-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/memory/4300-144-0x0000000000400000-0x0000000000443000-memory.dmp | family_berbew
behavioral2/files/0x0006000000022d05-142.dat | family_berbew
behavioral2/files/0x0006000000022d05-141.dat | family_berbew
behavioral2/files/0x0006000000022d07-152.dat | family_berbew
Executes dropped EXE (64 IoCs)

pid | Process
2216 | Pdngpo32.exe
2600 | Amkabind.exe
692 | Bedbhi32.exe
3132 | Clpgkcdj.exe
4308 | Cdlhgpag.exe
4700 | Dlqpaafg.exe
3056 | Dpoiho32.exe
4516 | Emgblc32.exe
4564 | Ephlnn32.exe
448 | Flaiho32.exe
3512 | Gnlenp32.exe
2364 | Hqfqfj32.exe
5048 | Inagpm32.exe
5100 | Jgcooaah.exe
3120 | Jcaeea32.exe
4528 | Kejeebpl.exe
4300 | Knbinhfl.exe
880 | Ldanloba.exe
5008 | Lkbmih32.exe
1904 | Mhhjhlqm.exe
2072 | Meadlo32.exe
1912 | Mknlef32.exe
1920 | Nnabladg.exe
3396 | Ndpcdjho.exe
1668 | Oklifdmi.exe
3116 | Ogcike32.exe
3436 | Ohbfeh32.exe
1632 | Oggbfdog.exe
3560 | Pfmlok32.exe
2740 | Pklamb32.exe
1704 | Qnpgdmjd.exe
5112 | Qkchna32.exe
4028 | Ainnhdbp.exe
3204 | Afboah32.exe
4136 | Bijncb32.exe
4496 | Bgokdomj.exe
1936 | Cpklql32.exe
1860 | Cejaobel.exe
3232 | Dhpdkm32.exe
2696 | Decdeama.exe
2272 | Dbjade32.exe
4876 | Gegchl32.exe
3692 | Hgmebnpd.exe
3556 | Iiokacgp.exe
2268 | Jcgldl32.exe
5096 | Jqklnp32.exe
3544 | Jqbbno32.exe
4520 | Jfokff32.exe
3392 | Kclnfi32.exe
4080 | Ljffccjh.exe
2308 | Lpbokjho.exe
4724 | Lagepl32.exe
3092 | Mmiealgc.exe
408 | Nkpbpp32.exe
4356 | Ndhgie32.exe
1828 | Nmpkakak.exe
1020 | Nhfoocaa.exe
3112 | Nmbhgjoi.exe
5116 | Ndmpddfe.exe
2356 | Niihlkdm.exe
4224 | Ogpfko32.exe
5000 | Ohdlpa32.exe
4852 | Oiehhjjp.exe
4280 | Pkinmlnm.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mdaedgdb.exe | Ljlagndl.exe
File created | C:\Windows\SysWOW64\Oookbega.exe | Oibbjoij.exe
File created | C:\Windows\SysWOW64\Gkkoeo32.dll | Gflhie32.exe
File created | C:\Windows\SysWOW64\Kegbegqm.dll | Fnofkdno.exe
File created | C:\Windows\SysWOW64\Nflbhm32.dll | Ginnokej.exe
File opened for modification | C:\Windows\SysWOW64\Pmcbdb32.exe | Omqeobjo.exe
File opened for modification | C:\Windows\SysWOW64\Kfbfmi32.exe | Khnfce32.exe
File created | C:\Windows\SysWOW64\Cpojik32.dll | Kmdqai32.exe
File created | C:\Windows\SysWOW64\Pajekb32.exe | Pkpmnh32.exe
File opened for modification | C:\Windows\SysWOW64\Cnpbgajc.exe | Ceeaim32.exe
File created | C:\Windows\SysWOW64\Hiofeigg.exe | Hpfbmcaf.exe
File created | C:\Windows\SysWOW64\Gaklja32.dll | Ppiklc32.exe
File opened for modification | C:\Windows\SysWOW64\Nedgfk32.exe | Nkocib32.exe
File created | C:\Windows\SysWOW64\Ogpfko32.exe | Niihlkdm.exe
File created | C:\Windows\SysWOW64\Hcblakmh.dll | Iecmcpoj.exe
File opened for modification | C:\Windows\SysWOW64\Cahdhhep.exe | Bgbpkoej.exe
File created | C:\Windows\SysWOW64\Kmdqai32.exe | Kfjhdobb.exe
File created | C:\Windows\SysWOW64\Gckoleae.dll | Bglefdke.exe
File created | C:\Windows\SysWOW64\Obgccn32.exe | Nijeoikf.exe
File created | C:\Windows\SysWOW64\Flaaok32.exe | Fnmqegle.exe
File created | C:\Windows\SysWOW64\Aekdolkj.exe | Apnkfelb.exe
File opened for modification | C:\Windows\SysWOW64\Gijmlh32.exe | Gqohge32.exe
File created | C:\Windows\SysWOW64\Ipljkjck.dll | Dafbhkhl.exe
File created | C:\Windows\SysWOW64\Gkkndp32.exe | Gdafgefe.exe
File created | C:\Windows\SysWOW64\Pfcchmlq.exe | Ppiklc32.exe
File created | C:\Windows\SysWOW64\Monpnbeh.exe | Mhdgqh32.exe
File created | C:\Windows\SysWOW64\Gdngihbo.dll | Ainnhdbp.exe
File created | C:\Windows\SysWOW64\Hjnbag32.dll | Ofjokc32.exe
File created | C:\Windows\SysWOW64\Leipbg32.exe | Ljcldo32.exe
File opened for modification | C:\Windows\SysWOW64\Aimhfqmk.exe | Acppniod.exe
File created | C:\Windows\SysWOW64\Pkpmnh32.exe | Oeloebcb.exe
File created | C:\Windows\SysWOW64\Ldnhiemg.dll | Kdkool32.exe
File created | C:\Windows\SysWOW64\Fdimglke.dll | Plndma32.exe
File opened for modification | C:\Windows\SysWOW64\Phdngljk.exe | Pajekb32.exe
File created | C:\Windows\SysWOW64\Idccaj32.dll | Eoagdi32.exe
File opened for modification | C:\Windows\SysWOW64\Monpnbeh.exe | Mhdgqh32.exe
File created | C:\Windows\SysWOW64\Jinbplpa.dll | Haaocp32.exe
File created | C:\Windows\SysWOW64\Hckjjh32.exe | Hiefmp32.exe
File opened for modification | C:\Windows\SysWOW64\Jgjnpm32.exe | Jnaighhk.exe
File created | C:\Windows\SysWOW64\Mcpeehaj.dll | Fffqjfom.exe
File opened for modification | C:\Windows\SysWOW64\Qnpgdmjd.exe | Pklamb32.exe
File created | C:\Windows\SysWOW64\Homemqgo.dll | Jflgfpkc.exe
File opened for modification | C:\Windows\SysWOW64\Hadkib32.exe | Hcpjpn32.exe
File created | C:\Windows\SysWOW64\Fkempa32.exe | Fnalfmhp.exe
File opened for modification | C:\Windows\SysWOW64\Mpoljg32.exe | Mdhkefnj.exe
File created | C:\Windows\SysWOW64\Aoleqi32.dll | Fllplajo.exe
File created | C:\Windows\SysWOW64\Epmopifb.dll | Cjhfjg32.exe
File opened for modification | C:\Windows\SysWOW64\Keonke32.exe | Kihnfdmj.exe
File created | C:\Windows\SysWOW64\Jekmmf32.dll | Kcmfgimm.exe
File created | C:\Windows\SysWOW64\Mmgmmdep.dll | Jjefao32.exe
File opened for modification | C:\Windows\SysWOW64\Blqlgdhi.exe | Bgdcom32.exe
File created | C:\Windows\SysWOW64\Elojej32.exe | Ebifha32.exe
File opened for modification | C:\Windows\SysWOW64\Bgdcom32.exe | Bipcei32.exe
File created | C:\Windows\SysWOW64\Pgemimck.exe | Pnmhqh32.exe
File created | C:\Windows\SysWOW64\Fccbldek.dll | Mhknaghc.exe
File created | C:\Windows\SysWOW64\Iagqlkak.dll | Iimjan32.exe
File opened for modification | C:\Windows\SysWOW64\Pcpnab32.exe | Pbqago32.exe
File opened for modification | C:\Windows\SysWOW64\Pdngpo32.exe | NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe
File opened for modification | C:\Windows\SysWOW64\Nldjnk32.exe | Nlbnhkqo.exe
File opened for modification | C:\Windows\SysWOW64\Ipnaen32.exe | Icgqqmib.exe
File created | C:\Windows\SysWOW64\Ppjjjpdm.dll | Nffdkkqe.exe
File opened for modification | C:\Windows\SysWOW64\Ihnmlg32.exe | Ikjmcc32.exe
File created | C:\Windows\SysWOW64\Edngdafi.dll | Gdqgfbop.exe
File created | C:\Windows\SysWOW64\Kppphe32.exe | Kekljlkp.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkeiia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cejaobel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Haclio32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Omldnfkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ppjbfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdoijp32.dll" | Fmapag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecfjhpp.dll" | Hienee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Omldnfkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Plifea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nijeoikf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aeodapcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Onkimc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkkfj32.dll" | Lknjbdad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdnacbf.dll" | Mdkhficp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ogfccchd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fhmiqfma.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hdpicj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Klhdjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efiopa32.dll" | Amkabind.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aalndaml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohdpkpcl.dll" | Olcklj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdhcagnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lbngfbdo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgbqlaea.dll" | Menpgmap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nfeekgjo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qmphkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abhdap32.dll" | Pmipdq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nfpled32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fqhbgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbajnci.dll" | Gmhfbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapfed32.dll" | Acnlqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giblae32.dll" | Hgieipmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oeehdcij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qoplop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll" | Cdlhgpag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Delhpnop.dll" | Jcgldl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Giecojpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Phhpic32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Plifea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoleqi32.dll" | Fllplajo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Phqbaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gdafgefe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nbnpmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqgecof.dll" | Ohbfeh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Eciilj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ocknmjcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Knbaoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kogffd32.dll" | Cmkehicj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnimia32.dll" | Bodano32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edngdafi.dll" | Gdqgfbop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oookbega.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kqnbea32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kcphpdil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ojfmdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hdpicj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhph32.dll" | Ojmqgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjnen32.dll" | Gppcfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cgpjebcp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Olcklj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Apnkfelb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jklpakam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnhiemg.dll" | Kdkool32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ebpqjmpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giagjn32.dll" | Hlkmlhea.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 4952 wrote to memory of 2216 | 4952 | NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe | 93
PID 4952 wrote to memory of 2216 | 4952 | NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe | 93
PID 4952 wrote to memory of 2216 | 4952 | NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe | 93
PID 2216 wrote to memory of 2600 | 2216 | Pdngpo32.exe | 95
PID 2216 wrote to memory of 2600 | 2216 | Pdngpo32.exe | 95
PID 2216 wrote to memory of 2600 | 2216 | Pdngpo32.exe | 95
PID 2600 wrote to memory of 692 | 2600 | Amkabind.exe | 96
PID 2600 wrote to memory of 692 | 2600 | Amkabind.exe | 96
PID 2600 wrote to memory of 692 | 2600 | Amkabind.exe | 96
PID 692 wrote to memory of 3132 | 692 | Bedbhi32.exe | 97
PID 692 wrote to memory of 3132 | 692 | Bedbhi32.exe | 97
PID 692 wrote to memory of 3132 | 692 | Bedbhi32.exe | 97
PID 3132 wrote to memory of 4308 | 3132 | Clpgkcdj.exe | 98
PID 3132 wrote to memory of 4308 | 3132 | Clpgkcdj.exe | 98
PID 3132 wrote to memory of 4308 | 3132 | Clpgkcdj.exe | 98
PID 4308 wrote to memory of 4700 | 4308 | Cdlhgpag.exe | 99
PID 4308 wrote to memory of 4700 | 4308 | Cdlhgpag.exe | 99
PID 4308 wrote to memory of 4700 | 4308 | Cdlhgpag.exe | 99
PID 4700 wrote to memory of 3056 | 4700 | Dlqpaafg.exe | 100
PID 4700 wrote to memory of 3056 | 4700 | Dlqpaafg.exe | 100
PID 4700 wrote to memory of 3056 | 4700 | Dlqpaafg.exe | 100
PID 3056 wrote to memory of 4516 | 3056 | Dpoiho32.exe | 101
PID 3056 wrote to memory of 4516 | 3056 | Dpoiho32.exe | 101
PID 3056 wrote to memory of 4516 | 3056 | Dpoiho32.exe | 101
PID 4516 wrote to memory of 4564 | 4516 | Emgblc32.exe | 102
PID 4516 wrote to memory of 4564 | 4516 | Emgblc32.exe | 102
PID 4516 wrote to memory of 4564 | 4516 | Emgblc32.exe | 102
PID 4564 wrote to memory of 448 | 4564 | Ephlnn32.exe | 103
PID 4564 wrote to memory of 448 | 4564 | Ephlnn32.exe | 103
PID 4564 wrote to memory of 448 | 4564 | Ephlnn32.exe | 103
PID 448 wrote to memory of 3512 | 448 | Flaiho32.exe | 104
PID 448 wrote to memory of 3512 | 448 | Flaiho32.exe | 104
PID 448 wrote to memory of 3512 | 448 | Flaiho32.exe | 104
PID 3512 wrote to memory of 2364 | 3512 | Gnlenp32.exe | 105
PID 3512 wrote to memory of 2364 | 3512 | Gnlenp32.exe | 105
PID 3512 wrote to memory of 2364 | 3512 | Gnlenp32.exe | 105
PID 2364 wrote to memory of 5048 | 2364 | Hqfqfj32.exe | 106
PID 2364 wrote to memory of 5048 | 2364 | Hqfqfj32.exe | 106
PID 2364 wrote to memory of 5048 | 2364 | Hqfqfj32.exe | 106
PID 5048 wrote to memory of 5100 | 5048 | Inagpm32.exe | 107
PID 5048 wrote to memory of 5100 | 5048 | Inagpm32.exe | 107
PID 5048 wrote to memory of 5100 | 5048 | Inagpm32.exe | 107
PID 5100 wrote to memory of 3120 | 5100 | Jgcooaah.exe | 109
PID 5100 wrote to memory of 3120 | 5100 | Jgcooaah.exe | 109
PID 5100 wrote to memory of 3120 | 5100 | Jgcooaah.exe | 109
PID 3120 wrote to memory of 4528 | 3120 | Jcaeea32.exe | 108
PID 3120 wrote to memory of 4528 | 3120 | Jcaeea32.exe | 108
PID 3120 wrote to memory of 4528 | 3120 | Jcaeea32.exe | 108
PID 4528 wrote to memory of 4300 | 4528 | Kejeebpl.exe | 110
PID 4528 wrote to memory of 4300 | 4528 | Kejeebpl.exe | 110
PID 4528 wrote to memory of 4300 | 4528 | Kejeebpl.exe | 110
PID 4300 wrote to memory of 880 | 4300 | Knbinhfl.exe | 111
PID 4300 wrote to memory of 880 | 4300 | Knbinhfl.exe | 111
PID 4300 wrote to memory of 880 | 4300 | Knbinhfl.exe | 111
PID 880 wrote to memory of 5008 | 880 | Ldanloba.exe | 112
PID 880 wrote to memory of 5008 | 880 | Ldanloba.exe | 112
PID 880 wrote to memory of 5008 | 880 | Ldanloba.exe | 112
PID 5008 wrote to memory of 1904 | 5008 | Lkbmih32.exe | 114
PID 5008 wrote to memory of 1904 | 5008 | Lkbmih32.exe | 114
PID 5008 wrote to memory of 1904 | 5008 | Lkbmih32.exe | 114
PID 1904 wrote to memory of 2072 | 1904 | Mhhjhlqm.exe | 113
PID 1904 wrote to memory of 2072 | 1904 | Mhhjhlqm.exe | 113
PID 1904 wrote to memory of 2072 | 1904 | Mhhjhlqm.exe | 113
PID 2072 wrote to memory of 1912 | 2072 | Meadlo32.exe | 115
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe  "C:\Users\Admin\AppData\Local\Temp\NEAS.e0b7e832fafaf9e02910c9d8ecda6da0.exe"  1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4952
C:\Windows\SysWOW64\Pdngpo32.exe  C:\Windows\system32\Pdngpo32.exe  2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216
C:\Windows\SysWOW64\Amkabind.exe  C:\Windows\system32\Amkabind.exe  3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600
C:\Windows\SysWOW64\Bedbhi32.exe  C:\Windows\system32\Bedbhi32.exe  4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692
C:\Windows\SysWOW64\Clpgkcdj.exe  C:\Windows\system32\Clpgkcdj.exe  5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132
C:\Windows\SysWOW64\Cdlhgpag.exe  C:\Windows\system32\Cdlhgpag.exe  6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308
C:\Windows\SysWOW64\Dlqpaafg.exe  C:\Windows\system32\Dlqpaafg.exe  7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700
C:\Windows\SysWOW64\Dpoiho32.exe  C:\Windows\system32\Dpoiho32.exe  8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056
C:\Windows\SysWOW64\Emgblc32.exe  C:\Windows\system32\Emgblc32.exe  9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516
C:\Windows\SysWOW64\Ephlnn32.exe  C:\Windows\system32\Ephlnn32.exe  10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564
C:\Windows\SysWOW64\Flaiho32.exe  C:\Windows\system32\Flaiho32.exe  11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448
C:\Windows\SysWOW64\Gnlenp32.exe  C:\Windows\system32\Gnlenp32.exe  12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512
C:\Windows\SysWOW64\Hqfqfj32.exe  C:\Windows\system32\Hqfqfj32.exe  13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364
C:\Windows\SysWOW64\Inagpm32.exe  C:\Windows\system32\Inagpm32.exe  14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048
C:\Windows\SysWOW64\Jgcooaah.exe  C:\Windows\system32\Jgcooaah.exe  15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100
C:\Windows\SysWOW64\Jcaeea32.exe  C:\Windows\system32\Jcaeea32.exe  16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120
C:\Windows\SysWOW64\Kejeebpl.exe  C:\Windows\system32\Kejeebpl.exe  1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528
C:\Windows\SysWOW64\Knbinhfl.exe  C:\Windows\system32\Knbinhfl.exe  2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300
C:\Windows\SysWOW64\Ldanloba.exe  C:\Windows\system32\Ldanloba.exe  3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880
C:\Windows\SysWOW64\Lkbmih32.exe  C:\Windows\system32\Lkbmih32.exe  4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008
C:\Windows\SysWOW64\Mhhjhlqm.exe  C:\Windows\system32\Mhhjhlqm.exe  5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904
C:\Windows\SysWOW64\Meadlo32.exe  C:\Windows\system32\Meadlo32.exe  1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072
C:\Windows\SysWOW64\Mknlef32.exe  C:\Windows\system32\Mknlef32.exe  2⤵
- Executes dropped EXE
PID:1912
C:\Windows\SysWOW64\Nnabladg.exe  C:\Windows\system32\Nnabladg.exe  3⤵
- Executes dropped EXE
PID:1920
C:\Windows\SysWOW64\Ohbfeh32.exe  C:\Windows\system32\Ohbfeh32.exe  1⤵
- Executes dropped EXE
- Modifies registry class
PID:3436
C:\Windows\SysWOW64\Oggbfdog.exe  C:\Windows\system32\Oggbfdog.exe  2⤵
- Executes dropped EXE
PID:1632
C:\Windows\SysWOW64\Pfmlok32.exe  C:\Windows\system32\Pfmlok32.exe  3⤵
- Executes dropped EXE
PID:3560
C:\Windows\SysWOW64\Pklamb32.exe  C:\Windows\system32\Pklamb32.exe  4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2740
C:\Windows\SysWOW64\Qnpgdmjd.exe  C:\Windows\system32\Qnpgdmjd.exe  5⤵
- Executes dropped EXE
PID:1704
C:\Windows\SysWOW64\Qkchna32.exe  C:\Windows\system32\Qkchna32.exe  6⤵
- Executes dropped EXE
PID:5112
C:\Windows\SysWOW64\Ainnhdbp.exe  C:\Windows\system32\Ainnhdbp.exe  7⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4028
C:\Windows\SysWOW64\Afboah32.exe  C:\Windows\system32\Afboah32.exe  8⤵
- Executes dropped EXE
PID:3204
C:\Windows\SysWOW64\Bijncb32.exe  C:\Windows\system32\Bijncb32.exe  9⤵
- Executes dropped EXE
PID:4136
C:\Windows\SysWOW64\Bgokdomj.exe  C:\Windows\system32\Bgokdomj.exe  10⤵
- Executes dropped EXE
PID:4496
C:\Windows\SysWOW64\Cpklql32.exe  C:\Windows\system32\Cpklql32.exe  11⤵
- Executes dropped EXE
PID:1936
C:\Windows\SysWOW64\Cejaobel.exe  C:\Windows\system32\Cejaobel.exe  12⤵
- Executes dropped EXE
- Modifies registry class
PID:1860
C:\Windows\SysWOW64\Dhpdkm32.exe  C:\Windows\system32\Dhpdkm32.exe  13⤵
- Executes dropped EXE
PID:3232
C:\Windows\SysWOW64\Decdeama.exe  C:\Windows\system32\Decdeama.exe  14⤵
- Executes dropped EXE
PID:2696
C:\Windows\SysWOW64\Dbjade32.exe  C:\Windows\system32\Dbjade32.exe  15⤵
- Executes dropped EXE
PID:2272
C:\Windows\SysWOW64\Gegchl32.exe  C:\Windows\system32\Gegchl32.exe  16⤵
- Executes dropped EXE
PID:4876
C:\Windows\SysWOW64\Hgmebnpd.exe  C:\Windows\system32\Hgmebnpd.exe  17⤵
- Executes dropped EXE
PID:3692
C:\Windows\SysWOW64\Iiokacgp.exe  C:\Windows\system32\Iiokacgp.exe  18⤵
- Executes dropped EXE
PID:3556
C:\Windows\SysWOW64\Jcgldl32.exe  C:\Windows\system32\Jcgldl32.exe  19⤵
- Executes dropped EXE
- Modifies registry class
PID:2268
C:\Windows\SysWOW64\Jqklnp32.exe  C:\Windows\system32\Jqklnp32.exe  20⤵
- Executes dropped EXE
PID:5096
C:\Windows\SysWOW64\Jqbbno32.exe  C:\Windows\system32\Jqbbno32.exe  21⤵
- Executes dropped EXE
PID:3544
C:\Windows\SysWOW64\Jfokff32.exe  C:\Windows\system32\Jfokff32.exe  22⤵
- Executes dropped EXE
PID:4520
C:\Windows\SysWOW64\Kclnfi32.exe  C:\Windows\system32\Kclnfi32.exe  23⤵
- Executes dropped EXE
PID:3392
C:\Windows\SysWOW64\Ljffccjh.exe  C:\Windows\system32\Ljffccjh.exe  24⤵
- Executes dropped EXE
PID:4080
C:\Windows\SysWOW64\Lpbokjho.exe  C:\Windows\system32\Lpbokjho.exe  25⤵
- Executes dropped EXE
PID:2308
C:\Windows\SysWOW64\Lagepl32.exe  C:\Windows\system32\Lagepl32.exe  26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4724
C:\Windows\SysWOW64\Mmiealgc.exe  C:\Windows\system32\Mmiealgc.exe  27⤵
- Executes dropped EXE
PID:3092
C:\Windows\SysWOW64\Nkpbpp32.exe  C:\Windows\system32\Nkpbpp32.exe  28⤵
- Executes dropped EXE
PID:408
C:\Windows\SysWOW64\Ndhgie32.exe  C:\Windows\system32\Ndhgie32.exe  29⤵
- Executes dropped EXE
PID:4356
C:\Windows\SysWOW64\Nmpkakak.exe  C:\Windows\system32\Nmpkakak.exe  30⤵
- Executes dropped EXE
PID:1828
C:\Windows\SysWOW64\Nhfoocaa.exe  C:\Windows\system32\Nhfoocaa.exe  31⤵
- Executes dropped EXE
PID:1020
C:\Windows\SysWOW64\Nmbhgjoi.exe  C:\Windows\system32\Nmbhgjoi.exe  32⤵
- Executes dropped EXE
PID:3112
C:\Windows\SysWOW64\Ndmpddfe.exe  C:\Windows\system32\Ndmpddfe.exe  33⤵
- Executes dropped EXE
PID:5116
C:\Windows\SysWOW64\Niihlkdm.exe  C:\Windows\system32\Niihlkdm.exe  34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356
C:\Windows\SysWOW64\Ogpfko32.exe  C:\Windows\system32\Ogpfko32.exe  35⤵
- Executes dropped EXE
PID:4224
C:\Windows\SysWOW64\Ohdlpa32.exe  C:\Windows\system32\Ohdlpa32.exe  36⤵
- Executes dropped EXE
PID:5000
C:\Windows\SysWOW64\Oiehhjjp.exe  C:\Windows\system32\Oiehhjjp.exe  37⤵
- Executes dropped EXE
PID:4852
C:\Windows\SysWOW64\Pkinmlnm.exe  C:\Windows\system32\Pkinmlnm.exe  38⤵
- Executes dropped EXE
PID:4280
C:\Windows\SysWOW64\Pacfjfej.exe  C:\Windows\system32\Pacfjfej.exe  39⤵
PID:3628
C:\Windows\SysWOW64\Phmnfp32.exe  C:\Windows\system32\Phmnfp32.exe  40⤵
PID:2336
C:\Windows\SysWOW64\Pnjgog32.exe  C:\Windows\system32\Pnjgog32.exe  41⤵
PID:1324
C:\Windows\SysWOW64\Pgbkgmao.exe  C:\Windows\system32\Pgbkgmao.exe  42⤵
PID:1572
C:\Windows\SysWOW64\Pnlcdg32.exe  C:\Windows\system32\Pnlcdg32.exe  43⤵
PID:3344
C:\Windows\SysWOW64\Aqbfaa32.exe  C:\Windows\system32\Aqbfaa32.exe  44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:492
C:\Windows\SysWOW64\Bdgehobe.exe  C:\Windows\system32\Bdgehobe.exe  45⤵
PID:2756
C:\Windows\SysWOW64\Bnoiqd32.exe  C:\Windows\system32\Bnoiqd32.exe  46⤵
PID:4292
C:\Windows\SysWOW64\Bggnijof.exe  C:\Windows\system32\Bggnijof.exe  47⤵
PID:4980
C:\Windows\SysWOW64\Bbmbgb32.exe  C:\Windows\system32\Bbmbgb32.exe  48⤵
PID:3084
C:\Windows\SysWOW64\Bjhgke32.exe  C:\Windows\system32\Bjhgke32.exe  49⤵
PID:1664
C:\Windows\SysWOW64\Bbbkbbkg.exe  C:\Windows\system32\Bbbkbbkg.exe  50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536
C:\Windows\SysWOW64\Ceeaim32.exe  C:\Windows\system32\Ceeaim32.exe  51⤵
- Drops file in System32 directory
PID:4020
C:\Windows\SysWOW64\Cnpbgajc.exe  C:\Windows\system32\Cnpbgajc.exe  52⤵
PID:2372
C:\Windows\SysWOW64\Cjfclcpg.exe  C:\Windows\system32\Cjfclcpg.exe  53⤵
PID:4492
C:\Windows\SysWOW64\Cigcjj32.exe  C:\Windows\system32\Cigcjj32.exe  54⤵
PID:2520
C:\Windows\SysWOW64\Dbijinfl.exe  C:\Windows\system32\Dbijinfl.exe  55⤵
PID:2176
C:\Windows\SysWOW64\Ebnddn32.exe  C:\Windows\system32\Ebnddn32.exe  56⤵
PID:3488
C:\Windows\SysWOW64\Ebpqjmpd.exe  C:\Windows\system32\Ebpqjmpd.exe  57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1332
C:\Windows\SysWOW64\Eliecc32.exe  C:\Windows\system32\Eliecc32.exe  58⤵
PID:1124
C:\Windows\SysWOW64\Ebejem32.exe  C:\Windows\system32\Ebejem32.exe  59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848
C:\Windows\SysWOW64\Gekeie32.exe  C:\Windows\system32\Gekeie32.exe  60⤵
PID:2864
C:\Windows\SysWOW64\Hkgnalep.exe  C:\Windows\system32\Hkgnalep.exe  61⤵
PID:2792
C:\Windows\SysWOW64\Hhlnjpdi.exe  C:\Windows\system32\Hhlnjpdi.exe  62⤵
PID:2944
C:\Windows\SysWOW64\Hadcce32.exe  C:\Windows\system32\Hadcce32.exe  63⤵
PID:2140
C:\Windows\SysWOW64\Hklglk32.exe  C:\Windows\system32\Hklglk32.exe  64⤵
PID:3064
C:\Windows\SysWOW64\Hojpbigq.exe  C:\Windows\system32\Hojpbigq.exe  65⤵
PID:5200
C:\Windows\SysWOW64\Ioafchai.exe  C:\Windows\system32\Ioafchai.exe  66⤵
PID:5256
C:\Windows\SysWOW64\Ileflmpb.exe  C:\Windows\system32\Ileflmpb.exe  67⤵
PID:5296
C:\Windows\SysWOW64\Ifnkeb32.exe  C:\Windows\system32\Ifnkeb32.exe  68⤵
PID:5348
C:\Windows\SysWOW64\Iofpnhmc.exe  C:\Windows\system32\Iofpnhmc.exe  69⤵
PID:5408
C:\Windows\SysWOW64\Jjefao32.exe  C:\Windows\system32\Jjefao32.exe  70⤵
- Drops file in System32 directory
PID:5456
C:\Windows\SysWOW64\Jflgfpkc.exe  C:\Windows\system32\Jflgfpkc.exe  71⤵
- Drops file in System32 directory
PID:5496
C:\Windows\SysWOW64\Kcphpdil.exe  C:\Windows\system32\Kcphpdil.exe  72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5540
C:\Windows\SysWOW64\Kkkldg32.exe  C:\Windows\system32\Kkkldg32.exe  73⤵
PID:5652
C:\Windows\SysWOW64\Kkdoje32.exe  C:\Windows\system32\Kkdoje32.exe  74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696
C:\Windows\SysWOW64\Lfjchn32.exe  C:\Windows\system32\Lfjchn32.exe  75⤵
PID:5740
C:\Windows\SysWOW64\Lobhqdec.exe  C:\Windows\system32\Lobhqdec.exe  76⤵
PID:5788
C:\Windows\SysWOW64\Lkiiee32.exe  C:\Windows\system32\Lkiiee32.exe  77⤵
PID:5832
C:\Windows\SysWOW64\Lfqjhmhk.exe  C:\Windows\system32\Lfqjhmhk.exe  78⤵
PID:5876
C:\Windows\SysWOW64\Lcdjba32.exe  C:\Windows\system32\Lcdjba32.exe  79⤵
PID:5920
C:\Windows\SysWOW64\Lmmokgne.exe  C:\Windows\system32\Lmmokgne.exe  80⤵
PID:5960
C:\Windows\SysWOW64\Mjaodkmo.exe  C:\Windows\system32\Mjaodkmo.exe  81⤵
PID:6008
C:\Windows\SysWOW64\Mcicma32.exe  C:\Windows\system32\Mcicma32.exe  82⤵
PID:6064
C:\Windows\SysWOW64\Mflidl32.exe  C:\Windows\system32\Mflidl32.exe  83⤵
PID:6104
C:\Windows\SysWOW64\Mpenmadn.exe  C:\Windows\system32\Mpenmadn.exe  84⤵
PID:3904
C:\Windows\SysWOW64\Npgjbabk.exe  C:\Windows\system32\Npgjbabk.exe  85⤵
PID:5152
C:\Windows\SysWOW64\Nipokfil.exe  C:\Windows\system32\Nipokfil.exe  86⤵
PID:5252
C:\Windows\SysWOW64\Ncecioib.exe  C:\Windows\system32\Ncecioib.exe  87⤵
PID:1064
C:\Windows\SysWOW64\Nmmgae32.exe  C:\Windows\system32\Nmmgae32.exe  88⤵
PID:5416
C:\Windows\SysWOW64\Nffljjfc.exe  C:\Windows\system32\Nffljjfc.exe  89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5464
C:\Windows\SysWOW64\Omdnbd32.exe  C:\Windows\system32\Omdnbd32.exe  90⤵
PID:5580
C:\Windows\SysWOW64\Pdjeklfj.exe  C:\Windows\system32\Pdjeklfj.exe  91⤵
PID:5692
C:\Windows\SysWOW64\Pignccea.exe  C:\Windows\system32\Pignccea.exe  92⤵
PID:5756
C:\Windows\SysWOW64\Pboblika.exe  C:\Windows\system32\Pboblika.exe  93⤵
PID:5840
C:\Windows\SysWOW64\Pmefiakh.exe  C:\Windows\system32\Pmefiakh.exe  94⤵
PID:5908
C:\Windows\SysWOW64\Pilgnb32.exe  C:\Windows\system32\Pilgnb32.exe  95⤵
PID:5996
C:\Windows\SysWOW64\Pdalkk32.exe  C:\Windows\system32\Pdalkk32.exe  96⤵
PID:6036
C:\Windows\SysWOW64\Pmipdq32.exe  C:\Windows\system32\Pmipdq32.exe  97⤵
- Modifies registry class
PID:6116
C:\Windows\SysWOW64\Pgbdmfnc.exe  C:\Windows\system32\Pgbdmfnc.exe  98⤵
PID:3860
C:\Windows\SysWOW64\Qpjifl32.exe  C:\Windows\system32\Qpjifl32.exe  99⤵
PID:5304
C:\Windows\SysWOW64\Ajggjq32.exe  C:\Windows\system32\Ajggjq32.exe  100⤵
PID:3900
C:\Windows\SysWOW64\Ajjcoqdl.exe  C:\Windows\system32\Ajjcoqdl.exe  101⤵
PID:5568
C:\Windows\SysWOW64\Akipic32.exe  C:\Windows\system32\Akipic32.exe  102⤵
PID:5796
C:\Windows\SysWOW64\Bpkbmi32.exe  C:\Windows\system32\Bpkbmi32.exe  103⤵
PID:5884
C:\Windows\SysWOW64\Bnobfn32.exe  C:\Windows\system32\Bnobfn32.exe  104⤵
PID:6000
C:\Windows\SysWOW64\Bldogjib.exe  C:\Windows\system32\Bldogjib.exe  105⤵
PID:6136
C:\Windows\SysWOW64\Bkepeaaa.exe  C:\Windows\system32\Bkepeaaa.exe  106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280
C:\Windows\SysWOW64\Bdmdng32.exe  C:\Windows\system32\Bdmdng32.exe  107⤵
PID:5468
C:\Windows\SysWOW64\Bnehgmob.exe  C:\Windows\system32\Bnehgmob.exe  108⤵
PID:5660
C:\Windows\SysWOW64\Cgnmpbec.exe  C:\Windows\system32\Cgnmpbec.exe  109⤵
PID:3268
C:\Windows\SysWOW64\Cmkehicj.exe  C:\Windows\system32\Cmkehicj.exe  110⤵
- Modifies registry class
PID:5952
C:\Windows\SysWOW64\Cgpjebcp.exe  C:\Windows\system32\Cgpjebcp.exe  111⤵
- Modifies registry class
PID:2036
C:\Windows\SysWOW64\Dqdnjfpc.exe  C:\Windows\system32\Dqdnjfpc.exe  112⤵
PID:5520
C:\Windows\SysWOW64\Dmphjfab.exe  C:\Windows\system32\Dmphjfab.exe  113⤵
PID:4572
C:\Windows\SysWOW64\Ekahhn32.exe  C:\Windows\system32\Ekahhn32.exe  114⤵
PID:6048
C:\Windows\SysWOW64\Eanqpdgi.exe  C:\Windows\system32\Eanqpdgi.exe  115⤵
PID:968
C:\Windows\SysWOW64\Ekcemmgo.exe  C:\Windows\system32\Ekcemmgo.exe  116⤵
PID:4352
C:\Windows\SysWOW64\Eelifc32.exe  C:\Windows\system32\Eelifc32.exe  117⤵
PID:4828
C:\Windows\SysWOW64\Endnohdp.exe  C:\Windows\system32\Endnohdp.exe  118⤵
PID:2216
C:\Windows\SysWOW64\Enfjdh32.exe  C:\Windows\system32\Enfjdh32.exe  119⤵
PID:5424
C:\Windows\SysWOW64\Egoomnin.exe  C:\Windows\system32\Egoomnin.exe  120⤵
PID:5968
C:\Windows\SysWOW64\Febogbhg.exe  C:\Windows\system32\Febogbhg.exe  121⤵
PID:1656
C:\Windows\SysWOW64\Fmndkd32.exe  C:\Windows\system32\Fmndkd32.exe  122⤵
PID:5728