Analysis
- max time kernel: 117s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 18-11-2023 03:49
Behavioral task: behavioral1
- Sample: NEAS.aa096105f202be7592610b16a1fb4790.exe
- Resource: win7-20231025-en
Behavioral task: behavioral2
- Sample: NEAS.aa096105f202be7592610b16a1fb4790.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.aa096105f202be7592610b16a1fb4790.exe
- Size: 121KB
- MD5: aa096105f202be7592610b16a1fb4790
- SHA1: da628bbc712feb35ee72a7de12438f63baccb400
- SHA256: 62239c736691bfb27e78fbff404b8639253ce7ae75f6579c3ac7457926eca1bb
- SHA512: 89cf2a9813b0de3f1f1a50250cd8d5fe2b2cbfa36979361bbb4185e7cf2673e13cd067b69c68f9997761e09f86fbafd9d7a26cb8da7a842ae587b8337b09c75a
- SSDEEP: 3072:Y07nUCcYocg2Cy2mT8HiXXzO7AJnD5tvv:Y07NQcgVy24EazOarvv
Malware Config
Signatures
-
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
- Malware Backdoor: Berbew (64 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Drops file in System32 directory (64 IoCs)
description ioc Process File created C:\Windows\SysWOW64\Oedcmfgb.dll Kgnpeg32.exe File created C:\Windows\SysWOW64\Leopgo32.exe Lbackc32.exe File created C:\Windows\SysWOW64\Enfgfh32.exe Ekhkjm32.exe File created C:\Windows\SysWOW64\Giiglhjb.exe Gfkkpmko.exe File opened for modification C:\Windows\SysWOW64\Difnaqih.exe Cblfdg32.exe File opened for modification C:\Windows\SysWOW64\Olophhjd.exe Odhhgkib.exe File created C:\Windows\SysWOW64\Fnndan32.exe Ebefgm32.exe File created C:\Windows\SysWOW64\Ilnmdgkj.exe Ioilkblq.exe File opened for modification C:\Windows\SysWOW64\Cbajkiof.exe Clgbno32.exe File created C:\Windows\SysWOW64\Gplaplgi.dll Mhonngce.exe File created C:\Windows\SysWOW64\Ijmkqhaf.dll Aqonbm32.exe File created C:\Windows\SysWOW64\Pijjilik.dll Boljgg32.exe File created C:\Windows\SysWOW64\Jilhjm32.dll Bmibgd32.exe File opened for modification C:\Windows\SysWOW64\Hbknkl32.exe Hlafnbal.exe File created C:\Windows\SysWOW64\Iinmfk32.exe Idadnd32.exe File created C:\Windows\SysWOW64\Knnkpobc.exe Khabghdl.exe File created C:\Windows\SysWOW64\Bkklhjnk.exe Bimoloog.exe File created C:\Windows\SysWOW64\Mpebmc32.exe Kadfkhkf.exe File created C:\Windows\SysWOW64\Aacinhhc.dll Qnghel32.exe File opened for modification C:\Windows\SysWOW64\Dgpfkakd.exe Dkiefp32.exe File created C:\Windows\SysWOW64\Kklikejc.exe Kceqjhiq.exe File created C:\Windows\SysWOW64\Fmcjhdbc.exe Fjdnlhco.exe File created C:\Windows\SysWOW64\Bfdmobkp.dll Mgmahg32.exe File created C:\Windows\SysWOW64\Nepdfnja.dll Nhdhif32.exe File opened for modification C:\Windows\SysWOW64\Kcgmoggn.exe Kklikejc.exe File created C:\Windows\SysWOW64\Jopijcli.dll Nefbga32.exe File opened for modification C:\Windows\SysWOW64\Pnjfae32.exe Plijimee.exe File opened for modification C:\Windows\SysWOW64\Kfkpknkq.exe Kdjccf32.exe File created C:\Windows\SysWOW64\Dfmcfjpo.dll Agdmdg32.exe File opened for modification C:\Windows\SysWOW64\Pmpbdm32.exe Pidfdofi.exe File created C:\Windows\SysWOW64\Pkoconjf.dll Ddfcje32.exe 
File created C:\Windows\SysWOW64\Ghfmdj32.dll Padeldeo.exe File created C:\Windows\SysWOW64\Emdpnb32.dll Pahogc32.exe File created C:\Windows\SysWOW64\Gqnfackh.dll Nnkcpq32.exe File created C:\Windows\SysWOW64\Pniqhlqh.dll Pgbdodnh.exe File created C:\Windows\SysWOW64\Hafock32.exe Gacbmk32.exe File created C:\Windows\SysWOW64\Iimcclni.exe Iogoec32.exe File created C:\Windows\SysWOW64\Ilkpogmm.exe Iimcclni.exe File created C:\Windows\SysWOW64\Knekla32.exe Khiccj32.exe File created C:\Windows\SysWOW64\Pmomjlhj.dll Kklikejc.exe File opened for modification C:\Windows\SysWOW64\Neklbppb.exe Nblpfepo.exe File created C:\Windows\SysWOW64\Affdle32.exe Aollokco.exe File created C:\Windows\SysWOW64\Fajplnhf.dll Affdle32.exe File opened for modification C:\Windows\SysWOW64\Cadjgf32.exe Cbajkiof.exe File created C:\Windows\SysWOW64\Eheecbia.exe Dchmkkkj.exe File created C:\Windows\SysWOW64\Njekpl32.dll Foafdoag.exe File opened for modification C:\Windows\SysWOW64\Gfmgelil.exe Gbaken32.exe File opened for modification C:\Windows\SysWOW64\Nbbbdcgi.exe Npdfhhhe.exe File created C:\Windows\SysWOW64\Idknoi32.exe Iamabm32.exe File created C:\Windows\SysWOW64\Mgebdipp.exe Lnlnlc32.exe File created C:\Windows\SysWOW64\Gbdhjm32.exe Gpelnb32.exe File created C:\Windows\SysWOW64\Hjipenda.exe Hapklimq.exe File opened for modification C:\Windows\SysWOW64\Iipiljgf.exe Ijmipn32.exe File opened for modification C:\Windows\SysWOW64\Cacclpae.exe Cillkbac.exe File created C:\Windows\SysWOW64\Njbdea32.exe Nhdhif32.exe File created C:\Windows\SysWOW64\Oagoep32.exe Olkfmi32.exe File created C:\Windows\SysWOW64\Ameaio32.dll Pmpbdm32.exe File opened for modification C:\Windows\SysWOW64\Dhobddbf.exe Daejhjkj.exe File opened for modification C:\Windows\SysWOW64\Gnpmfqap.exe Glbqje32.exe File created C:\Windows\SysWOW64\Kpijcjdl.dll Jjaimn32.exe File created C:\Windows\SysWOW64\Bdedjl32.dll Ohidmoaa.exe File created C:\Windows\SysWOW64\Dgnjacmq.dll Aollokco.exe File opened for modification 
C:\Windows\SysWOW64\Domqjm32.exe Daipqhdg.exe File opened for modification C:\Windows\SysWOW64\Eheecbia.exe Dchmkkkj.exe -
- Program crash (1 IoC)
  pid: 5312, pid_target: 5296, Process: WerFault.exe, procid_target: 503
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.aa096105f202be7592610b16a1fb4790.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\NEAS.aa096105f202be7592610b16a1fb4790.exe" | level 1 | PID 2940
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Apdhjq32.exe | cmd: C:\Windows\system32\Apdhjq32.exe | level 2 | PID 2092
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Blkioa32.exe | cmd: C:\Windows\system32\Blkioa32.exe | level 3 | PID 2236
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bbdallnd.exe | cmd: C:\Windows\system32\Bbdallnd.exe | level 1 | PID 2700
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bhajdblk.exe | cmd: C:\Windows\system32\Bhajdblk.exe | level 2 | PID 2060
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Behgcf32.exe | cmd: C:\Windows\system32\Behgcf32.exe | level 3 | PID 2816
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bmclhi32.exe | cmd: C:\Windows\system32\Bmclhi32.exe | level 4 | PID 2552
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bkglameg.exe | cmd: C:\Windows\system32\Bkglameg.exe | level 5 | PID 2232
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cdoajb32.exe | cmd: C:\Windows\system32\Cdoajb32.exe | level 1 | PID 2028
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ckiigmcd.exe | cmd: C:\Windows\system32\Ckiigmcd.exe | level 2 | PID 1756
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cmjbhh32.exe | cmd: C:\Windows\system32\Cmjbhh32.exe | level 3 | PID 1348
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ciqcmiei.exe | cmd: C:\Windows\system32\Ciqcmiei.exe | level 4 | PID 1800
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Clooiddm.exe | cmd: C:\Windows\system32\Clooiddm.exe | level 5 | PID 2168
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cgdcgm32.exe | cmd: C:\Windows\system32\Cgdcgm32.exe | level 6 | PID 1684
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cophko32.exe | cmd: C:\Windows\system32\Cophko32.exe | level 7 | PID 2972
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dcnqanhd.exe | cmd: C:\Windows\system32\Dcnqanhd.exe | level 8 | PID 2536
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dkiefp32.exe | cmd: C:\Windows\system32\Dkiefp32.exe | level 9 | PID 1720
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Dgpfkakd.exe | cmd: C:\Windows\system32\Dgpfkakd.exe | level 10 | PID 1112
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Daejhjkj.exe | cmd: C:\Windows\system32\Daejhjkj.exe | level 11 | PID 1744
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Dhobddbf.exe | cmd: C:\Windows\system32\Dhobddbf.exe | level 12 | PID 1816
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Djqoll32.exe | cmd: C:\Windows\system32\Djqoll32.exe | level 13 | PID 2908
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ddfcje32.exe | cmd: C:\Windows\system32\Ddfcje32.exe | level 14 | PID 1556
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Ejgemkbm.exe | cmd: C:\Windows\system32\Ejgemkbm.exe | level 15 | PID 756
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Eodnebpd.exe | cmd: C:\Windows\system32\Eodnebpd.exe | level 16 | PID 2884
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ejjbbkpj.exe | cmd: C:\Windows\system32\Ejjbbkpj.exe | level 17 | PID 1936
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Eogjka32.exe | cmd: C:\Windows\system32\Eogjka32.exe | level 18 | PID 3036
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ebefgm32.exe | cmd: C:\Windows\system32\Ebefgm32.exe | level 19 | PID 2360
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Fnndan32.exe | cmd: C:\Windows\system32\Fnndan32.exe | level 20 | PID 1320
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fkbdkb32.exe | cmd: C:\Windows\system32\Fkbdkb32.exe | level 21 | PID 2244
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Fdjidgfa.exe | cmd: C:\Windows\system32\Fdjidgfa.exe | level 22 | PID 1948
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fqajihle.exe | cmd: C:\Windows\system32\Fqajihle.exe | level 23 | PID 2364
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ffnbaojm.exe | cmd: C:\Windows\system32\Ffnbaojm.exe | level 24 | PID 2636
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fiokbjgn.exe | cmd: C:\Windows\system32\Fiokbjgn.exe | level 25 | PID 2732
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Gmmdiind.exe | cmd: C:\Windows\system32\Gmmdiind.exe | level 26 | PID 2628
- Executes dropped EXE

C:\Windows\SysWOW64\Gfehan32.exe | cmd: C:\Windows\system32\Gfehan32.exe | level 27 | PID 2608
- Executes dropped EXE

C:\Windows\SysWOW64\Glbqje32.exe | cmd: C:\Windows\system32\Glbqje32.exe | level 28 | PID 800
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Gnpmfqap.exe | cmd: C:\Windows\system32\Gnpmfqap.exe | level 29 | PID 2124
- Executes dropped EXE

C:\Windows\SysWOW64\Gldmoepi.exe | cmd: C:\Windows\system32\Gldmoepi.exe | level 30 | PID 2796
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Gihniioc.exe | cmd: C:\Windows\system32\Gihniioc.exe | level 31 | PID 2152
- Executes dropped EXE

C:\Windows\SysWOW64\Gnefapmj.exe | cmd: C:\Windows\system32\Gnefapmj.exe | level 32 | PID 1944
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Gacbmk32.exe | cmd: C:\Windows\system32\Gacbmk32.exe | level 33 | PID 852
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Hafock32.exe | cmd: C:\Windows\system32\Hafock32.exe | level 34 | PID 2412
- Executes dropped EXE

C:\Windows\SysWOW64\Hfbhkb32.exe | cmd: C:\Windows\system32\Hfbhkb32.exe | level 35 | PID 324
- Executes dropped EXE

C:\Windows\SysWOW64\Hpkldg32.exe | cmd: C:\Windows\system32\Hpkldg32.exe | level 36 | PID 2832
- Executes dropped EXE

C:\Windows\SysWOW64\Hicqmmfc.exe | cmd: C:\Windows\system32\Hicqmmfc.exe | level 37 | PID 1368
- Executes dropped EXE

C:\Windows\SysWOW64\Hdiejfej.exe | cmd: C:\Windows\system32\Hdiejfej.exe | level 38 | PID 836
- Executes dropped EXE

C:\Windows\SysWOW64\Hfgafadm.exe | cmd: C:\Windows\system32\Hfgafadm.exe | level 39 | PID 536
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hdkape32.exe | cmd: C:\Windows\system32\Hdkape32.exe | level 40 | PID 2064
- Executes dropped EXE

C:\Windows\SysWOW64\Helngnie.exe | cmd: C:\Windows\system32\Helngnie.exe | level 41 | PID 2448
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Hbqoqbho.exe | cmd: C:\Windows\system32\Hbqoqbho.exe | level 42 | PID 1680
- Executes dropped EXE

C:\Windows\SysWOW64\Heokmmgb.exe | cmd: C:\Windows\system32\Heokmmgb.exe | level 43 | PID 2348
- Executes dropped EXE

C:\Windows\SysWOW64\Iogoec32.exe | cmd: C:\Windows\system32\Iogoec32.exe | level 44 | PID 888
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Iimcclni.exe | cmd: C:\Windows\system32\Iimcclni.exe | level 45 | PID 1484
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Ilkpogmm.exe | cmd: C:\Windows\system32\Ilkpogmm.exe | level 46 | PID 1032
- Executes dropped EXE

C:\Windows\SysWOW64\Ioilkblq.exe | cmd: C:\Windows\system32\Ioilkblq.exe | level 47 | PID 2188
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Ilnmdgkj.exe | cmd: C:\Windows\system32\Ilnmdgkj.exe | level 48 | PID 3004
- Executes dropped EXE

C:\Windows\SysWOW64\Iajemnia.exe | cmd: C:\Windows\system32\Iajemnia.exe | level 49 | PID 2764
- Executes dropped EXE

C:\Windows\SysWOW64\Iamabm32.exe | cmd: C:\Windows\system32\Iamabm32.exe | level 50 | PID 2692
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Idknoi32.exe | cmd: C:\Windows\system32\Idknoi32.exe | level 51 | PID 2880
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Incbgnmc.exe | cmd: C:\Windows\system32\Incbgnmc.exe | level 52 | PID 2844
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Joihjfnl.exe | cmd: C:\Windows\system32\Joihjfnl.exe | level 53 | PID 2956
- Executes dropped EXE

C:\Windows\SysWOW64\Jhamckel.exe | cmd: C:\Windows\system32\Jhamckel.exe | level 54 | PID 1920
- Executes dropped EXE

C:\Windows\SysWOW64\Jcgapdeb.exe | cmd: C:\Windows\system32\Jcgapdeb.exe | level 55 | PID 2004
- Executes dropped EXE

C:\Windows\SysWOW64\Jjaimn32.exe | cmd: C:\Windows\system32\Jjaimn32.exe | level 56 | PID 1992
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Jkbfdfbm.exe | cmd: C:\Windows\system32\Jkbfdfbm.exe | level 57 | PID 2424
- Executes dropped EXE

C:\Windows\SysWOW64\Jhffnk32.exe | cmd: C:\Windows\system32\Jhffnk32.exe | level 58 | PID 648

C:\Windows\SysWOW64\Kopokehd.exe | cmd: C:\Windows\system32\Kopokehd.exe | level 59 | PID 2680

C:\Windows\SysWOW64\Khiccj32.exe | cmd: C:\Windows\system32\Khiccj32.exe | level 60 | PID 760
- Drops file in System32 directory

C:\Windows\SysWOW64\Knekla32.exe | cmd: C:\Windows\system32\Knekla32.exe | level 61 | PID 1712

C:\Windows\SysWOW64\Kgnpeg32.exe | cmd: C:\Windows\system32\Kgnpeg32.exe | level 62 | PID 1244
- Drops file in System32 directory

C:\Windows\SysWOW64\Kkileele.exe | cmd: C:\Windows\system32\Kkileele.exe | level 63 | PID 1240

C:\Windows\SysWOW64\Kceqjhiq.exe | cmd: C:\Windows\system32\Kceqjhiq.exe | level 64 | PID 1824
- Drops file in System32 directory

C:\Windows\SysWOW64\Kklikejc.exe | cmd: C:\Windows\system32\Kklikejc.exe | level 65 | PID 2584
- Drops file in System32 directory

C:\Windows\SysWOW64\Kcgmoggn.exe | cmd: C:\Windows\system32\Kcgmoggn.exe | level 66 | PID 1388

C:\Windows\SysWOW64\Kfeikcfa.exe | cmd: C:\Windows\system32\Kfeikcfa.exe | level 67 | PID 1328

C:\Windows\SysWOW64\Kqknil32.exe | cmd: C:\Windows\system32\Kqknil32.exe | level 68 | PID 2336

C:\Windows\SysWOW64\Konndhmb.exe | cmd: C:\Windows\system32\Konndhmb.exe | level 69 | PID 2400

C:\Windows\SysWOW64\Ljcbaamh.exe | cmd: C:\Windows\system32\Ljcbaamh.exe | level 70 | PID 3068
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Lqmjnk32.exe | cmd: C:\Windows\system32\Lqmjnk32.exe | level 71 | PID 676

C:\Windows\SysWOW64\Lclgjg32.exe | cmd: C:\Windows\system32\Lclgjg32.exe | level 72 | PID 1080

C:\Windows\SysWOW64\Ljfogake.exe | cmd: C:\Windows\system32\Ljfogake.exe | level 73 | PID 2912

C:\Windows\SysWOW64\Lbackc32.exe | cmd: C:\Windows\system32\Lbackc32.exe | level 74 | PID 1612
- Drops file in System32 directory

C:\Windows\SysWOW64\Leopgo32.exe | cmd: C:\Windows\system32\Leopgo32.exe | level 75 | PID 2620

C:\Windows\SysWOW64\Lmfhil32.exe | cmd: C:\Windows\system32\Lmfhil32.exe | level 76 | PID 2744

C:\Windows\SysWOW64\Liminmmk.exe | cmd: C:\Windows\system32\Liminmmk.exe | level 77 | PID 2948

C:\Windows\SysWOW64\Lnjafd32.exe | cmd: C:\Windows\system32\Lnjafd32.exe | level 78 | PID 2176

C:\Windows\SysWOW64\Lgbeoibb.exe | cmd: C:\Windows\system32\Lgbeoibb.exe | level 79 | PID 1976

C:\Windows\SysWOW64\Lnlnlc32.exe | cmd: C:\Windows\system32\Lnlnlc32.exe | level 80 | PID 2024
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Mgebdipp.exe | cmd: C:\Windows\system32\Mgebdipp.exe | level 81 | PID 320

C:\Windows\SysWOW64\Mclcijfd.exe | cmd: C:\Windows\system32\Mclcijfd.exe | level 82 | PID 476

C:\Windows\SysWOW64\Mjekfd32.exe | cmd: C:\Windows\system32\Mjekfd32.exe | level 83 | PID 1072

C:\Windows\SysWOW64\Mhilph32.exe | cmd: C:\Windows\system32\Mhilph32.exe | level 84 | PID 1300

C:\Windows\SysWOW64\Mpdqdkie.exe | cmd: C:\Windows\system32\Mpdqdkie.exe | level 85 | PID 1860
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Mmhamoho.exe | cmd: C:\Windows\system32\Mmhamoho.exe | level 86 | PID 820
- Modifies registry class

C:\Windows\SysWOW64\Mdbiji32.exe | cmd: C:\Windows\system32\Mdbiji32.exe | level 87 | PID 1384

C:\Windows\SysWOW64\Mbeiefff.exe | cmd: C:\Windows\system32\Mbeiefff.exe | level 88 | PID 1360

C:\Windows\SysWOW64\Medeaaej.exe | cmd: C:\Windows\system32\Medeaaej.exe | level 89 | PID 560
- Modifies registry class

C:\Windows\SysWOW64\Nmkncofl.exe | cmd: C:\Windows\system32\Nmkncofl.exe | level 90 | PID 292

C:\Windows\SysWOW64\Npijoj32.exe | cmd: C:\Windows\system32\Npijoj32.exe | level 91 | PID 876
- Modifies registry class

C:\Windows\SysWOW64\Nefbga32.exe | cmd: C:\Windows\system32\Nefbga32.exe | level 92 | PID 2864
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Nianhplq.exe | cmd: C:\Windows\system32\Nianhplq.exe | level 93 | PID 1400
- Modifies registry class

C:\Windows\SysWOW64\Nlpkdkkd.exe | cmd: C:\Windows\system32\Nlpkdkkd.exe | level 94 | PID 2776

C:\Windows\SysWOW64\Nehomq32.exe | cmd: C:\Windows\system32\Nehomq32.exe | level 95 | PID 2532

C:\Windows\SysWOW64\Nkegeg32.exe | cmd: C:\Windows\system32\Nkegeg32.exe | level 96 | PID 2504

C:\Windows\SysWOW64\Nblpfepo.exe | cmd: C:\Windows\system32\Nblpfepo.exe | level 97 | PID 2664
- Drops file in System32 directory

C:\Windows\SysWOW64\Neklbppb.exe | cmd: C:\Windows\system32\Neklbppb.exe | level 98 | PID 2788

C:\Windows\SysWOW64\Nhiholof.exe | cmd: C:\Windows\system32\Nhiholof.exe | level 99 | PID 2780

C:\Windows\SysWOW64\Nemhhpmp.exe | cmd: C:\Windows\system32\Nemhhpmp.exe | level 100 | PID 1956

C:\Windows\SysWOW64\Noemqe32.exe | cmd: C:\Windows\system32\Noemqe32.exe | level 101 | PID 1040

C:\Windows\SysWOW64\Ogqaehak.exe | cmd: C:\Windows\system32\Ogqaehak.exe | level 102 | PID 1532
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Oionacqo.exe | cmd: C:\Windows\system32\Oionacqo.exe | level 103 | PID 1632

C:\Windows\SysWOW64\Omkjbb32.exe | cmd: C:\Windows\system32\Omkjbb32.exe | level 104 | PID 2840

C:\Windows\SysWOW64\Ocgbji32.exe | cmd: C:\Windows\system32\Ocgbji32.exe | level 105 | PID 2292

C:\Windows\SysWOW64\Oiakgcnl.exe | cmd: C:\Windows\system32\Oiakgcnl.exe | level 106 | PID 1864

C:\Windows\SysWOW64\Oehklddp.exe | cmd: C:\Windows\system32\Oehklddp.exe | level 107 | PID 440

C:\Windows\SysWOW64\Opnpimdf.exe | cmd: C:\Windows\system32\Opnpimdf.exe | level 108 | PID 1560

C:\Windows\SysWOW64\Oghhfg32.exe | cmd: C:\Windows\system32\Oghhfg32.exe | level 109 | PID 2204

C:\Windows\SysWOW64\Ohidmoaa.exe | cmd: C:\Windows\system32\Ohidmoaa.exe | level 110 | PID 1852
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Ocohkh32.exe | cmd: C:\Windows\system32\Ocohkh32.exe | level 111 | PID 2076
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Oemegc32.exe | cmd: C:\Windows\system32\Oemegc32.exe | level 112 | PID 1500
- Modifies registry class

C:\Windows\SysWOW64\Ohkaco32.exe | cmd: C:\Windows\system32\Ohkaco32.exe | level 113 | PID 3000

C:\Windows\SysWOW64\Pkjmoj32.exe | cmd: C:\Windows\system32\Pkjmoj32.exe | level 114 | PID 2688

C:\Windows\SysWOW64\Padeldeo.exe | cmd: C:\Windows\system32\Padeldeo.exe | level 115 | PID 1608
- Drops file in System32 directory

C:\Windows\SysWOW64\Plijimee.exe | cmd: C:\Windows\system32\Plijimee.exe | level 116 | PID 2520
- Drops file in System32 directory

C:\Windows\SysWOW64\Pnjfae32.exe | cmd: C:\Windows\system32\Pnjfae32.exe | level 117 | PID 2492

C:\Windows\SysWOW64\Peanbblf.exe | cmd: C:\Windows\system32\Peanbblf.exe | level 118 | PID 2572

C:\Windows\SysWOW64\Pgckjk32.exe | cmd: C:\Windows\system32\Pgckjk32.exe | level 119 | PID 2480

C:\Windows\SysWOW64\Pahogc32.exe | cmd: C:\Windows\system32\Pahogc32.exe | level 120 | PID 2384
- Drops file in System32 directory

C:\Windows\SysWOW64\Pgegok32.exe | cmd: C:\Windows\system32\Pgegok32.exe | level 121 | PID 372

C:\Windows\SysWOW64\Pqnlhpfb.exe | cmd: C:\Windows\system32\Pqnlhpfb.exe | level 122 | PID 1640