Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-11-2023 06:44

Behavioral task: behavioral1
Sample: NEAS.d82cc53112faf4f1b142ac9a3a7d5320.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: NEAS.d82cc53112faf4f1b142ac9a3a7d5320.exe
Resource: win10v2004-20231023-en

General

Target: NEAS.d82cc53112faf4f1b142ac9a3a7d5320.exe
Size: 368KB
MD5: d82cc53112faf4f1b142ac9a3a7d5320
SHA1: 783e7c7ea39be7a7cd79f9ec213fdbcbcea69e2d
SHA256: 79ee01264e6889a875b97e65285ed18fc4727d30804de652829bc76b87345611
SHA512: 48b7fd6718cdb36a0557c53f7f59d0c3247effeefb95f0d10ed850b60df7dc249e627b100ff7f6cd7fe55ba1f38230ac9162ceed1f6eb656a40e480474ad2344
SSDEEP: 6144:qtA+kvmgvp5cE4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CmOJfToX:6GdPaAD6RrI1+lDMEAD6Rr2NWL
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Every row below is under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, the HKLM ShellServiceObjectDelayLoad (SSODL) key in the WOW6432Node view that a 32-bit process writes to. "Key created" opens the key itself; "Set value (str)" writes the value Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" under it. Explorer instantiates every CLSID listed in SSODL at logon, so this value is the persistence hook; the CLSID it points at is registered in the "Modifies registry class" signature below. Since the writes land in the WOW6432Node view, confirm against the native key before treating this as established persistence on a 64-bit Explorer.

description | Process
Key created | Bjmnho32.exe
Key created | Ogfccchd.exe
Key created | Hbiakf32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Poodicio.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Qqamieno.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bojomm32.exe
Key created | Jgdphm32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gcggjp32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jjfngi32.exe
Key created | Hjaioe32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hjcojo32.exe
Key created | Pdifhkni.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Djhifnho.exe
Key created | Bfngdn32.exe
Key created | Ddpeigle.exe
Key created | Ikkpgafg.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cfogohpa.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bmngjj32.exe
Key created | Qcpieamc.exe
Key created | Epdaneff.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oocmcn32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obfpejcl.exe
Key created | Bhgeao32.exe
Key created | Dldpde32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lifqbi32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fggfghap.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cppfgnlj.exe
Key created | Dclkee32.exe
Key created | Knalji32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Albikp32.exe
Key created | Ajphagha.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mlmbofdh.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nahgik32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Djbpjl32.exe
Key created | Jpfepf32.exe
Key created | Gbkdod32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ghnpmqef.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aolblopj.exe
Key created | Foghhg32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mlkldmjf.exe
Key created | Odpjmcjp.exe
Key created | Colfpace.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lifjgb32.exe
Key created | Bfkbfd32.exe
Key created | Efnennjc.exe
Key created | Jndmgn32.exe
Key created | Acnefoac.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mgidgakk.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jidkek32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Aqoijcbo.exe
Key created | Eibfmp32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ahbacq32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lfmnbjcg.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bajqpe32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fmoclg32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ekemap32.exe
Key created | Nklfho32.exe
Key created | Nbljaf32.exe
Key created | Diafkl32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mbbaaapj.exe
Key created | Afpjel32.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pbhdafdd.exe
Set value (str) Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Phnoac32.exe
Key created | Hkgnpn32.exe
Malware Backdoor - Berbew (64 IoCs)
Berbew is a backdoor Trojan. Its primary function is to stage further infections: it can download and install additional malware such as other Trojans, ransomware and cryptominers.

Each of the dropped files below matched the YARA rule family_berbew.

resource | yara_rule
behavioral2/files/0x0008000000022dc4-6.dat | family_berbew
behavioral2/files/0x0002000000022612-14.dat | family_berbew
behavioral2/files/0x0007000000022dd0-24.dat | family_berbew
behavioral2/files/0x0007000000022dd0-22.dat | family_berbew
behavioral2/files/0x0002000000022612-15.dat | family_berbew
behavioral2/files/0x0008000000022dc4-8.dat | family_berbew
behavioral2/files/0x0007000000022dd4-38.dat | family_berbew
behavioral2/files/0x0007000000022dd6-47.dat | family_berbew
behavioral2/files/0x0007000000022dd6-46.dat | family_berbew
behavioral2/files/0x0007000000022dd8-55.dat | family_berbew
behavioral2/files/0x0007000000022ddc-69.dat | family_berbew
behavioral2/files/0x0007000000022dde-76.dat | family_berbew
behavioral2/files/0x0007000000022dde-75.dat | family_berbew
behavioral2/files/0x0007000000022ddc-68.dat | family_berbew
behavioral2/files/0x0007000000022dda-62.dat | family_berbew
behavioral2/files/0x0007000000022dda-61.dat | family_berbew
behavioral2/files/0x0007000000022dd8-54.dat | family_berbew
behavioral2/files/0x0007000000022dd4-37.dat | family_berbew
behavioral2/files/0x0007000000022dd2-31.dat | family_berbew
behavioral2/files/0x0007000000022dd2-30.dat | family_berbew
behavioral2/files/0x0007000000022de0-84.dat | family_berbew
behavioral2/files/0x0006000000022de2-93.dat | family_berbew
behavioral2/files/0x0006000000022de2-94.dat | family_berbew
behavioral2/files/0x0007000000022de0-85.dat | family_berbew
behavioral2/files/0x0008000000022dc8-102.dat | family_berbew
behavioral2/files/0x0008000000022dc8-103.dat | family_berbew
behavioral2/files/0x0006000000022de5-110.dat | family_berbew
behavioral2/files/0x0006000000022de5-111.dat | family_berbew
behavioral2/files/0x0006000000022de7-118.dat | family_berbew
behavioral2/files/0x0006000000022de7-119.dat | family_berbew
behavioral2/files/0x0006000000022de9-126.dat | family_berbew
behavioral2/files/0x0006000000022de9-127.dat | family_berbew
behavioral2/files/0x0006000000022deb-134.dat | family_berbew
behavioral2/files/0x0006000000022deb-135.dat | family_berbew
behavioral2/files/0x0006000000022dee-142.dat | family_berbew
behavioral2/files/0x0006000000022dee-144.dat | family_berbew
behavioral2/files/0x0006000000022df0-145.dat | family_berbew
behavioral2/files/0x0006000000022df0-150.dat | family_berbew
behavioral2/files/0x0006000000022df0-151.dat | family_berbew
behavioral2/files/0x0006000000022df2-158.dat | family_berbew
behavioral2/files/0x0006000000022df2-160.dat | family_berbew
behavioral2/files/0x0006000000022df4-166.dat | family_berbew
behavioral2/files/0x0006000000022df4-167.dat | family_berbew
behavioral2/files/0x0006000000022df6-174.dat | family_berbew
behavioral2/files/0x0006000000022df6-175.dat | family_berbew
behavioral2/files/0x0006000000022df8-182.dat | family_berbew
behavioral2/files/0x0006000000022df8-183.dat | family_berbew
behavioral2/files/0x0006000000022dfb-190.dat | family_berbew
behavioral2/files/0x0006000000022dfb-192.dat | family_berbew
behavioral2/files/0x0005000000022434-198.dat | family_berbew
behavioral2/files/0x0005000000022434-200.dat | family_berbew
behavioral2/files/0x0006000000022dff-206.dat | family_berbew
behavioral2/files/0x0006000000022dff-207.dat | family_berbew
behavioral2/files/0x0006000000022e01-214.dat | family_berbew
behavioral2/files/0x0006000000022e01-216.dat | family_berbew
behavioral2/files/0x0006000000022e03-222.dat | family_berbew
behavioral2/files/0x0006000000022e03-223.dat | family_berbew
behavioral2/files/0x0006000000022e06-231.dat | family_berbew
behavioral2/files/0x0006000000022e06-230.dat | family_berbew
behavioral2/files/0x0006000000022e08-239.dat | family_berbew
behavioral2/files/0x0006000000022e08-238.dat | family_berbew
behavioral2/files/0x0006000000022e0a-246.dat | family_berbew
behavioral2/files/0x0006000000022e0c-254.dat | family_berbew
behavioral2/files/0x0006000000022e0c-255.dat | family_berbew
Executes dropped EXE (64 IoCs)

pid | Process
3372 | Bjaqpbkh.exe
3124 | Bciehh32.exe
2156 | Bjcmebie.exe
312 | Bppfmigl.exe
432 | Bihjfnmm.exe
2936 | Cpbbch32.exe
3948 | Cjhfpa32.exe
4956 | Cpeohh32.exe
3132 | Cfogeb32.exe
1868 | Cimcan32.exe
1888 | Cadlbk32.exe
868 | Cibmlmeb.exe
4256 | Cgcmjd32.exe
1516 | Dclkee32.exe
3464 | Dabhdinj.exe
4268 | Kbddfmgl.exe
4200 | Kjpijpdg.exe
3160 | Obafpg32.exe
1444 | Qepkbpak.exe
1580 | Afkknogn.exe
600 | Acokhc32.exe
4660 | Bfngdn32.exe
2720 | Bjlpjm32.exe
2392 | Bjnmpl32.exe
3856 | Hdokdg32.exe
3648 | Hildmn32.exe
4848 | Ikkpgafg.exe
4540 | Idcepgmg.exe
4408 | Ijqmhnko.exe
4596 | Ikpjbq32.exe
2236 | Idhnkf32.exe
4124 | Ijegcm32.exe
8 | Igigla32.exe
2228 | Jlfpdh32.exe
60 | Jkgpbp32.exe
1956 | Jkimho32.exe
1912 | Jpfepf32.exe
2128 | Jklinohd.exe
1508 | Jlmfeg32.exe
4316 | Jcgnbaeo.exe
1524 | Jjafok32.exe
1576 | Jgeghp32.exe
1360 | Kmaopfjm.exe
4320 | Kclgmq32.exe
2176 | Knalji32.exe
4648 | Kgipcogp.exe
996 | Kjhloj32.exe
316 | Kdmqmc32.exe
492 | Kkgiimng.exe
1488 | Kqdaadln.exe
1776 | Lklbdm32.exe
3400 | Lmmolepp.exe
800 | Lknojl32.exe
1304 | Lqkgbcff.exe
2808 | Lnohlgep.exe
3568 | Odmbaj32.exe
4520 | Ojigdcll.exe
4672 | Odalmibl.exe
4700 | Olicnfco.exe
1812 | Peahgl32.exe
3524 | Plkpcfal.exe
2184 | Pmlmkn32.exe
744 | Pdfehh32.exe
2740 | Pkpmdbfd.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Igioikpj.dll | Cgecpa32.exe
File opened for modification | C:\Windows\SysWOW64\Pdkcnklf.exe | Pdifhkni.exe
File created | C:\Windows\SysWOW64\Ahnkoaah.dll | Qmkanmel.exe
File created | C:\Windows\SysWOW64\Ohboeenl.exe | Nahgik32.exe
File created | C:\Windows\SysWOW64\Agcahnip.dll | Dkmebh32.exe
File created | C:\Windows\SysWOW64\Clmmco32.dll | Ieojgc32.exe
File created | C:\Windows\SysWOW64\Diblgnen.dll | Ifcpgiji.exe
File created | C:\Windows\SysWOW64\Eleagb32.dll | Cacmkn32.exe
File created | C:\Windows\SysWOW64\Hqpnmlqd.dll | Pgfljqia.exe
File opened for modification | C:\Windows\SysWOW64\Ajjokd32.exe | Abcgjg32.exe
File created | C:\Windows\SysWOW64\Meembc32.dll | Lbnnphhk.exe
File created | C:\Windows\SysWOW64\Bqdbec32.exe | Bfnnhj32.exe
File created | C:\Windows\SysWOW64\Jpfepf32.exe | Jkimho32.exe
File opened for modification | C:\Windows\SysWOW64\Afappe32.exe | Acccdj32.exe
File created | C:\Windows\SysWOW64\Qgfidb32.dll | Ckiipa32.exe
File created | C:\Windows\SysWOW64\Dllmoj32.exe | Ccacjgfb.exe
File opened for modification | C:\Windows\SysWOW64\Cdaigi32.exe | Cacmkn32.exe
File created | C:\Windows\SysWOW64\Mejmcl32.dll | Qjjhla32.exe
File opened for modification | C:\Windows\SysWOW64\Bmomecoi.exe | Bfedhihl.exe
File created | C:\Windows\SysWOW64\Ahbacq32.exe | Ajndbd32.exe
File created | C:\Windows\SysWOW64\Pmlmkn32.exe | Plkpcfal.exe
File created | C:\Windows\SysWOW64\Aoalnm32.dll | Nkijbooo.exe
File created | C:\Windows\SysWOW64\Jllimj32.dll | Cliahf32.exe
File opened for modification | C:\Windows\SysWOW64\Gfaikoad.exe | Gnkajapa.exe
File created | C:\Windows\SysWOW64\Agpoqoaf.exe | Aqffdejj.exe
File created | C:\Windows\SysWOW64\Jommbpbc.dll | Nijeoikf.exe
File opened for modification | C:\Windows\SysWOW64\Gjocaj32.exe | Gbgkpm32.exe
File created | C:\Windows\SysWOW64\Ekooihip.dll | Kclgmq32.exe
File created | C:\Windows\SysWOW64\Gmggac32.exe | Fjikeg32.exe
File created | C:\Windows\SysWOW64\Gqhknd32.exe | Giacmggo.exe
File created | C:\Windows\SysWOW64\Jfoihalp.exe | Jlidkh32.exe
File created | C:\Windows\SysWOW64\Pkjipj32.dll | Bjokno32.exe
File created | C:\Windows\SysWOW64\Amodnenk.exe | Afelal32.exe
File created | C:\Windows\SysWOW64\Mqmckp32.dll | Ejabgcdp.exe
File opened for modification | C:\Windows\SysWOW64\Cgcmjd32.exe | Cibmlmeb.exe
File created | C:\Windows\SysWOW64\Bcmolimg.exe | Boabkj32.exe
File created | C:\Windows\SysWOW64\Pciqjoec.dll | Afinbdon.exe
File created | C:\Windows\SysWOW64\Dodfed32.dll | Bfkbfd32.exe
File opened for modification | C:\Windows\SysWOW64\Opmcod32.exe | Ljjpnb32.exe
File created | C:\Windows\SysWOW64\Ghklmk32.exe | Gaadpqmp.exe
File opened for modification | C:\Windows\SysWOW64\Opjnai32.exe | Nlnbqjjq.exe
File opened for modification | C:\Windows\SysWOW64\Dplebmbl.exe | Djomjfde.exe
File opened for modification | C:\Windows\SysWOW64\Mlmbofdh.exe | Mhafoh32.exe
File opened for modification | C:\Windows\SysWOW64\Ibegfglj.exe | Ipgkjlmg.exe
File created | C:\Windows\SysWOW64\Gdknpp32.exe | Gbkdod32.exe
File created | C:\Windows\SysWOW64\Bocjdiol.exe | Bhibgo32.exe
File created | C:\Windows\SysWOW64\Hcidoo32.exe | Hakhcd32.exe
File opened for modification | C:\Windows\SysWOW64\Ojopki32.exe | Ocegnoog.exe
File created | C:\Windows\SysWOW64\Jecoog32.exe | Jkkjfa32.exe
File created | C:\Windows\SysWOW64\Acnefoac.exe | Aqoijcbo.exe
File created | C:\Windows\SysWOW64\Kclgmq32.exe | Kmaopfjm.exe
File created | C:\Windows\SysWOW64\Nkgdfb32.dll | Ocohmc32.exe
File created | C:\Windows\SysWOW64\Egilaj32.dll | Qjiipk32.exe
File created | C:\Windows\SysWOW64\Jbjciano.exe | Jmmjpjpg.exe
File created | C:\Windows\SysWOW64\Bppfmigl.exe | Bjcmebie.exe
File opened for modification | C:\Windows\SysWOW64\Nclbpf32.exe | Nmbjcljl.exe
File opened for modification | C:\Windows\SysWOW64\Ffjdjmpf.exe | Fbnhjn32.exe
File created | C:\Windows\SysWOW64\Ndajcnag.dll | Giacmggo.exe
File created | C:\Windows\SysWOW64\Emhlefoa.dll | Nojagf32.exe
File created | C:\Windows\SysWOW64\Ldkldmdj.dll | Injcginc.exe
File created | C:\Windows\SysWOW64\Mfhbga32.exe | Mnjqmpgg.exe
File created | C:\Windows\SysWOW64\Pqoppk32.dll | Lhbkac32.exe
File created | C:\Windows\SysWOW64\Cpqnog32.dll | Glkkop32.exe
File opened for modification | C:\Windows\SysWOW64\Blpemn32.exe | Bajqpe32.exe
Modifies registry class (64 IoCs)
Every row below is under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, the COM registration of the CLSID that the SSODL value above points at. The "(default)" value names the DLL COM loads into the hosting process (Explorer, via SSODL); ThreadingModel = "Apartment" is the standard setting for a shell extension. Each generation of the chain writes a different freshly dropped DLL under C:\Windows\SysWow64 into the same CLSID, so only the last writer's DLL is the one that would actually load.

description | ioc | Process
Key created | InProcServer32 | Hnfehm32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Lpgfiphn.dll" | Fjqgpl32.exe
Key created | InProcServer32 | Noehlgol.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Hdjgko32.dll" | Jgeghp32.exe
Set value (str) | ThreadingModel = "Apartment" | Phdnngdn.exe
Set value (str) | ThreadingModel = "Apartment" | Bkjiao32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bghifmbc.dll" | Elccpife.exe
Set value (str) | ThreadingModel = "Apartment" | Mgdklb32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Oibocbah.dll" | Qcppogqo.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Okbccg32.dll" | Lpkiim32.exe
Key created | InProcServer32 | Jjafok32.exe
Set value (str) | ThreadingModel = "Apartment" | Pjffkhpl.exe
Set value (str) | ThreadingModel = "Apartment" | Lbghpinc.exe
Key created | InProcServer32 | Plkpcfal.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ngcglo32.dll" | Jemfhacc.exe
Set value (str) | ThreadingModel = "Apartment" | Hembndee.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Kdoidcjk.dll" | Peddhb32.exe
Key created | InProcServer32 | Fllplajo.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Jlabgq32.dll" | Giqlbqcc.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Oleabh32.dll" | Lifqbi32.exe
Set value (str) | ThreadingModel = "Apartment" | Bnmcdm32.exe
Key created | InProcServer32 | Ijqmhnko.exe
Key created | InProcServer32 | Djcoko32.exe
Set value (str) | ThreadingModel = "Apartment" | Djelqo32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Jligio32.dll" | Ochjmd32.exe
Key created | InProcServer32 | Jemfhacc.exe
Set value (str) | ThreadingModel = "Apartment" | Ionlhlld.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Clghohac.dll" | Hjhfgi32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Ngpekcgb.dll" | Ngbgmpcq.exe
Key created | InProcServer32 | Doqpkq32.exe
Set value (str) | ThreadingModel = "Apartment" | Nfcabp32.exe
Key created | InProcServer32 | Goipae32.exe
Key created | InProcServer32 | Idfhibdn.exe
Set value (str) | ThreadingModel = "Apartment" | Qaalblgi.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Hlnbhlof.dll" | Hbbdad32.exe
Set value (str) | ThreadingModel = "Apartment" | Caebfg32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bghajgpd.dll" | Eddodfhp.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bfajnjho.dll" | Adgmoigj.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Adbofa32.dll" | Ecikjoep.exe
Set value (str) | ThreadingModel = "Apartment" | Gdnjabab.exe
Set value (str) | ThreadingModel = "Apartment" | Bhkmec32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Hfelgknf.dll" | Djfckenm.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Mbmkleoe.dll" | Dplebmbl.exe
Set value (str) | ThreadingModel = "Apartment" | Icdmqg32.exe
Set value (str) | ThreadingModel = "Apartment" | Lmkfah32.exe
Key created | InProcServer32 | Hjhaeklb.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Lnbcfp32.dll" | Oolgbpei.exe
Set value (str) | ThreadingModel = "Apartment" | Pllggbje.exe
Key created | InProcServer32 | Pdfehh32.exe
Key created | InProcServer32 | Fhjoilop.exe
Set value (str) | ThreadingModel = "Apartment" | Jqdoob32.exe
Key created | InProcServer32 | Lmmolepp.exe
Key created | InProcServer32 | Palklf32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Bkjlhopo.dll" | Blpemn32.exe
Key created | InProcServer32 | Kkgiimng.exe
Set value (str) | ThreadingModel = "Apartment" | Fblldn32.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Mkcjdfne.dll" | Ngnnbq32.exe
Key created | InProcServer32 | Mnhdgpii.exe
Set value (str) | ThreadingModel = "Apartment" | Diafkl32.exe
Key created | InProcServer32 | Bfedhihl.exe
Set value (str) | (default) = "C:\\Windows\\SysWow64\\Fgkbhpei.dll" | Mkbcbp32.exe
Key created | InProcServer32 | Cajblmci.exe
Key created | InProcServer32 | Immaimnj.exe
Key created | InProcServer32 | Pjgellfb.exe
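The two registry signatures above only become a persistence chain once they are joined on the CLSID: the SSODL value ("Adds autorun key to be loaded by Explorer.exe on startup") tells Explorer which CLSID to instantiate, and the InProcServer32 default value ("Modifies registry class") tells COM which DLL that CLSID maps to. The Python below is an added example, not part of this report or of any sandbox's code. It parses registry rows written in the shape the report prints them and resolves each SSODL value to the DLL(s) its CLSID was registered with. The sample rows are constructed: the first five are copied from the tables above, the last is an invented registration for an unrelated CLSID that the join must ignore.

```python
import re

# Constructed sample rows in the report's own "operation key[\name = value] process" shape.
# Rows 1-5 come from the tables above; row 6 is an invented, unrelated CLSID.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmnho32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Poodicio.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnfehm32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgfiphn.dll" Fjqgpl32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phdnngdn.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32\ = "C:\\Windows\\System32\\example.dll" example.exe',
]

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# An SSODL value being written: <name> = "{clsid}" under HKLM\...\ShellServiceObjectDelayLoad,
# in either the native or the WOW6432Node view. "Key created" rows carry no CLSID and are ignored.
SSODL_VALUE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows'
    r'\\CurrentVersion\\ShellServiceObjectDelayLoad\\(?P<name>.+?) = "(?P<clsid>' + CLSID + r')" (?P<proc>\S+)$',
    re.IGNORECASE,
)
# The default value of CLSID\{clsid}\InProcServer32: the DLL COM will load for that CLSID.
# The report renders the unnamed default value as a trailing backslash before " = ".
INPROC_DEFAULT = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?CLSID\\(?P<clsid>' + CLSID + r')'
    r'\\InProcServer32\\ = "(?P<dll>[^"]+)" (?P<proc>\S+)$',
    re.IGNORECASE,
)


def correlate(events):
    """Join SSODL values to InProcServer32 registrations on the CLSID.

    Returns {(value_name, clsid): {"dlls", "ssodl_procs", "inproc_procs"}}.
    DLL paths are unescaped (the report doubles the backslashes).
    """
    inproc = {}
    for line in events:
        m = INPROC_DEFAULT.match(line)
        if m:
            entry = inproc.setdefault(m["clsid"].upper(), {"dlls": set(), "procs": set()})
            entry["dlls"].add(m["dll"].replace("\\\\", "\\"))
            entry["procs"].add(m["proc"])

    findings = {}
    for line in events:
        m = SSODL_VALUE.match(line)
        if not m:
            continue
        clsid = m["clsid"].upper()
        f = findings.setdefault((m["name"], clsid),
                                {"dlls": set(), "ssodl_procs": set(), "inproc_procs": set()})
        f["ssodl_procs"].add(m["proc"])
        hit = inproc.get(clsid, {"dlls": set(), "procs": set()})
        f["dlls"] |= hit["dlls"]
        f["inproc_procs"] |= hit["procs"]
    return findings


def describe(findings):
    """One line per chain, in the order Explorer resolves it at logon."""
    lines = []
    for (name, clsid), f in sorted(findings.items()):
        dlls = ", ".join(sorted(f["dlls"])) or "<InProcServer32 not seen in this trace>"
        lines.append(f'explorer.exe -> SSODL "{name}" -> {clsid} -> {dlls}')
    return lines


if __name__ == "__main__":
    for line in describe(correlate(SAMPLE_EVENTS)):
        print(line)
```

Fed the full set of rows from both tables, the join shows one CLSID resolved to a different SysWow64 DLL by each generation, which is why the last writer matters. Baseline the SSODL key against a clean image of the same Windows build rather than a fixed allowlist, and read the native key as well as WOW6432Node, since the native view is the one a 64-bit Explorer consults.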
Suspicious use of WriteProcessMemory (64 IoCs)
The report lists each parent/child pair three times; identical rows are collapsed here with a count.

description | pid | Process | procid_target | rows
PID 2696 wrote to memory of 3372 | 2696 | NEAS.d82cc53112faf4f1b142ac9a3a7d5320.exe | 86 | 3
PID 3372 wrote to memory of 3124 | 3372 | Bjaqpbkh.exe | 95 | 3
PID 3124 wrote to memory of 2156 | 3124 | Bciehh32.exe | 87 | 3
PID 2156 wrote to memory of 312 | 2156 | Bjcmebie.exe | 88 | 3
PID 312 wrote to memory of 432 | 312 | Bppfmigl.exe | 89 | 3
PID 432 wrote to memory of 2936 | 432 | Bihjfnmm.exe | 90 | 3
PID 2936 wrote to memory of 3948 | 2936 | Cpbbch32.exe | 91 | 3
PID 3948 wrote to memory of 4956 | 3948 | Cjhfpa32.exe | 92 | 3
PID 4956 wrote to memory of 3132 | 4956 | Cpeohh32.exe | 93 | 3
PID 3132 wrote to memory of 1868 | 3132 | Cfogeb32.exe | 94 | 3
PID 1868 wrote to memory of 1888 | 1868 | Cimcan32.exe | 96 | 3
PID 1888 wrote to memory of 868 | 1888 | Cadlbk32.exe | 97 | 3
PID 868 wrote to memory of 4256 | 868 | Cibmlmeb.exe | 98 | 3
PID 4256 wrote to memory of 1516 | 4256 | Cgcmjd32.exe | 99 | 3
PID 1516 wrote to memory of 3464 | 1516 | Dclkee32.exe | 102 | 3
PID 3464 wrote to memory of 4268 | 3464 | Dabhdinj.exe | 103 | 3
PID 4268 wrote to memory of 4200 | 4268 | Kbddfmgl.exe | 104 | 3
PID 4200 wrote to memory of 3160 | 4200 | Kjpijpdg.exe | 105 | 3
PID 3160 wrote to memory of 1444 | 3160 | Obafpg32.exe | 107 | 3
PID 1444 wrote to memory of 1580 | 1444 | Qepkbpak.exe | 108 | 3
PID 1580 wrote to memory of 600 | 1580 | Afkknogn.exe | 109 | 3
PID 600 wrote to memory of 4660 | 600 | Acokhc32.exe | 110 | 1
Processes
[1] C:\Users\Admin\AppData\Local\Temp\NEAS.d82cc53112faf4f1b142ac9a3a7d5320.exe (command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d82cc53112faf4f1b142ac9a3a7d5320.exe")
- Suspicious use of WriteProcessMemory
- PID:2696
[2] C:\Windows\SysWOW64\Bjaqpbkh.exe (command line: C:\Windows\system32\Bjaqpbkh.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:3372
[3] C:\Windows\SysWOW64\Bciehh32.exe (command line: C:\Windows\system32\Bciehh32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:3124
[1] C:\Windows\SysWOW64\Bjcmebie.exe (command line: C:\Windows\system32\Bjcmebie.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- PID:2156
[2] C:\Windows\SysWOW64\Bppfmigl.exe (command line: C:\Windows\system32\Bppfmigl.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:312
[3] C:\Windows\SysWOW64\Bihjfnmm.exe (command line: C:\Windows\system32\Bihjfnmm.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:432
[4] C:\Windows\SysWOW64\Cpbbch32.exe (command line: C:\Windows\system32\Cpbbch32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:2936
[5] C:\Windows\SysWOW64\Cjhfpa32.exe (command line: C:\Windows\system32\Cjhfpa32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:3948
[6] C:\Windows\SysWOW64\Cpeohh32.exe (command line: C:\Windows\system32\Cpeohh32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:4956
[7] C:\Windows\SysWOW64\Cfogeb32.exe (command line: C:\Windows\system32\Cfogeb32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:3132
[8] C:\Windows\SysWOW64\Cimcan32.exe (command line: C:\Windows\system32\Cimcan32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:1868
[9] C:\Windows\SysWOW64\Cadlbk32.exe (command line: C:\Windows\system32\Cadlbk32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:1888
[10] C:\Windows\SysWOW64\Cibmlmeb.exe (command line: C:\Windows\system32\Cibmlmeb.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- PID:868
[11] C:\Windows\SysWOW64\Cgcmjd32.exe (command line: C:\Windows\system32\Cgcmjd32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:4256
[12] C:\Windows\SysWOW64\Dclkee32.exe (command line: C:\Windows\system32\Dclkee32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:1516
[13] C:\Windows\SysWOW64\Dabhdinj.exe (command line: C:\Windows\system32\Dabhdinj.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:3464
[14] C:\Windows\SysWOW64\Kbddfmgl.exe (command line: C:\Windows\system32\Kbddfmgl.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:4268
[15] C:\Windows\SysWOW64\Kjpijpdg.exe (command line: C:\Windows\system32\Kjpijpdg.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:4200
[16] C:\Windows\SysWOW64\Obafpg32.exe (command line: C:\Windows\system32\Obafpg32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:3160
[17] C:\Windows\SysWOW64\Qepkbpak.exe (command line: C:\Windows\system32\Qepkbpak.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:1444
[18] C:\Windows\SysWOW64\Afkknogn.exe (command line: C:\Windows\system32\Afkknogn.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:1580
[19] C:\Windows\SysWOW64\Acokhc32.exe (command line: C:\Windows\system32\Acokhc32.exe)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- PID:600
[20] C:\Windows\SysWOW64\Bfngdn32.exe (command line: C:\Windows\system32\Bfngdn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID:4660
[21] C:\Windows\SysWOW64\Bjlpjm32.exe (command line: C:\Windows\system32\Bjlpjm32.exe)
- Executes dropped EXE
- PID:2720
[22] C:\Windows\SysWOW64\Bjnmpl32.exe (command line: C:\Windows\system32\Bjnmpl32.exe)
- Executes dropped EXE
- PID:2392
[23] C:\Windows\SysWOW64\Hdokdg32.exe (command line: C:\Windows\system32\Hdokdg32.exe)
- Executes dropped EXE
- PID:3856
[24] C:\Windows\SysWOW64\Hildmn32.exe (command line: C:\Windows\system32\Hildmn32.exe)
- Executes dropped EXE
- PID:3648
[25] C:\Windows\SysWOW64\Ikkpgafg.exe (command line: C:\Windows\system32\Ikkpgafg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID:4848
[26] C:\Windows\SysWOW64\Idcepgmg.exe (command line: C:\Windows\system32\Idcepgmg.exe)
- Executes dropped EXE
- PID:4540
[27] C:\Windows\SysWOW64\Ijqmhnko.exe (command line: C:\Windows\system32\Ijqmhnko.exe)
- Executes dropped EXE
- Modifies registry class
- PID:4408
[1] C:\Windows\SysWOW64\Ikpjbq32.exe (command line: C:\Windows\system32\Ikpjbq32.exe)
- Executes dropped EXE
- PID:4596
[2] C:\Windows\SysWOW64\Idhnkf32.exe (command line: C:\Windows\system32\Idhnkf32.exe)
- Executes dropped EXE
- PID:2236
[3] C:\Windows\SysWOW64\Ijegcm32.exe (command line: C:\Windows\system32\Ijegcm32.exe)
- Executes dropped EXE
- PID:4124
[1] C:\Windows\SysWOW64\Igigla32.exe (command line: C:\Windows\system32\Igigla32.exe)
- Executes dropped EXE
- PID:8
[2] C:\Windows\SysWOW64\Jlfpdh32.exe (command line: C:\Windows\system32\Jlfpdh32.exe)
- Executes dropped EXE
- PID:2228
[1] C:\Windows\SysWOW64\Jkgpbp32.exe (command line: C:\Windows\system32\Jkgpbp32.exe)
- Executes dropped EXE
- PID:60
[2] C:\Windows\SysWOW64\Jkimho32.exe (command line: C:\Windows\system32\Jkimho32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- PID:1956
[3] C:\Windows\SysWOW64\Jpfepf32.exe (command line: C:\Windows\system32\Jpfepf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID:1912
[4] C:\Windows\SysWOW64\Jklinohd.exe (command line: C:\Windows\system32\Jklinohd.exe)
- Executes dropped EXE
- PID:2128
[5] C:\Windows\SysWOW64\Jlmfeg32.exe (command line: C:\Windows\system32\Jlmfeg32.exe)
- Executes dropped EXE
- PID:1508
[6] C:\Windows\SysWOW64\Jcgnbaeo.exe (command line: C:\Windows\system32\Jcgnbaeo.exe)
- Executes dropped EXE
- PID:4316
[7] C:\Windows\SysWOW64\Jjafok32.exe (command line: C:\Windows\system32\Jjafok32.exe)
- Executes dropped EXE
- Modifies registry class
- PID:1524
[8] C:\Windows\SysWOW64\Jgeghp32.exe (command line: C:\Windows\system32\Jgeghp32.exe)
- Executes dropped EXE
- Modifies registry class
- PID:1576
[9] C:\Windows\SysWOW64\Kmaopfjm.exe (command line: C:\Windows\system32\Kmaopfjm.exe)
- Executes dropped EXE
- Drops file in System32 directory
- PID:1360
[10] C:\Windows\SysWOW64\Kclgmq32.exe (command line: C:\Windows\system32\Kclgmq32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- PID:4320
[11] C:\Windows\SysWOW64\Knalji32.exe (command line: C:\Windows\system32\Knalji32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- PID:2176
[12] C:\Windows\SysWOW64\Kgipcogp.exe (command line: C:\Windows\system32\Kgipcogp.exe)
- Executes dropped EXE
- PID:4648
[13] C:\Windows\SysWOW64\Kjhloj32.exe (command line: C:\Windows\system32\Kjhloj32.exe)
- Executes dropped EXE
- PID:996
[14] C:\Windows\SysWOW64\Kdmqmc32.exe (command line: C:\Windows\system32\Kdmqmc32.exe)
- Executes dropped EXE
- PID:316
[15] C:\Windows\SysWOW64\Kkgiimng.exe (command line: C:\Windows\system32\Kkgiimng.exe)
- Executes dropped EXE
- Modifies registry class
- PID:492
[16] C:\Windows\SysWOW64\Kqdaadln.exe (command line: C:\Windows\system32\Kqdaadln.exe)
- Executes dropped EXE
- PID:1488
[17] C:\Windows\SysWOW64\Lklbdm32.exe (command line: C:\Windows\system32\Lklbdm32.exe)
- Executes dropped EXE
- PID:1776
[18] C:\Windows\SysWOW64\Lmmolepp.exe (command line: C:\Windows\system32\Lmmolepp.exe)
- Executes dropped EXE
- Modifies registry class
- PID:3400
[19] C:\Windows\SysWOW64\Lknojl32.exe (command line: C:\Windows\system32\Lknojl32.exe)
- Executes dropped EXE
- PID:800
[20] C:\Windows\SysWOW64\Lqkgbcff.exe (command line: C:\Windows\system32\Lqkgbcff.exe)
- Executes dropped EXE
- PID:1304
[21] C:\Windows\SysWOW64\Lnohlgep.exe (command line: C:\Windows\system32\Lnohlgep.exe)
- Executes dropped EXE
- PID:2808
[22] C:\Windows\SysWOW64\Odmbaj32.exe (command line: C:\Windows\system32\Odmbaj32.exe)
- Executes dropped EXE
- PID:3568
[23] C:\Windows\SysWOW64\Ojigdcll.exe (command line: C:\Windows\system32\Ojigdcll.exe)
- Executes dropped EXE
- PID:4520
[24] C:\Windows\SysWOW64\Odalmibl.exe (command line: C:\Windows\system32\Odalmibl.exe)
- Executes dropped EXE
- PID:4672
[25] C:\Windows\SysWOW64\Olicnfco.exe (command line: C:\Windows\system32\Olicnfco.exe)
- Executes dropped EXE
- PID:4700
[26] C:\Windows\SysWOW64\Peahgl32.exe (command line: C:\Windows\system32\Peahgl32.exe)
- Executes dropped EXE
- PID:1812
[27] C:\Windows\SysWOW64\Plkpcfal.exe (command line: C:\Windows\system32\Plkpcfal.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- PID:3524
[28] C:\Windows\SysWOW64\Pmlmkn32.exe (command line: C:\Windows\system32\Pmlmkn32.exe)
- Executes dropped EXE
- PID:2184
[29] C:\Windows\SysWOW64\Pdfehh32.exe (command line: C:\Windows\system32\Pdfehh32.exe)
- Executes dropped EXE
- Modifies registry class
- PID:744
[30] C:\Windows\SysWOW64\Pkpmdbfd.exe (command line: C:\Windows\system32\Pkpmdbfd.exe)
- Executes dropped EXE
- PID:2740
[31] C:\Windows\SysWOW64\Pajeam32.exe (command line: C:\Windows\system32\Pajeam32.exe)
- PID:4176
[32] C:\Windows\SysWOW64\Phdnngdn.exe (command line: C:\Windows\system32\Phdnngdn.exe)
- Modifies registry class
- PID:1356
[33] C:\Windows\SysWOW64\Ponfka32.exe (command line: C:\Windows\system32\Ponfka32.exe)
- PID:2712
[34] C:\Windows\SysWOW64\Pdkoch32.exe (command line: C:\Windows\system32\Pdkoch32.exe)
- PID:5136
[35] C:\Windows\SysWOW64\Plbfdekd.exe (command line: C:\Windows\system32\Plbfdekd.exe)
- PID:5176
[36] C:\Windows\SysWOW64\Pmcclm32.exe (command line: C:\Windows\system32\Pmcclm32.exe)
- PID:5212
[37] C:\Windows\SysWOW64\Pejkmk32.exe (command line: C:\Windows\system32\Pejkmk32.exe)
- PID:5256
[38] C:\Windows\SysWOW64\Qaalblgi.exe (command line: C:\Windows\system32\Qaalblgi.exe)
- Modifies registry class
- PID:5296
[39] C:\Windows\SysWOW64\Qkipkani.exe (command line: C:\Windows\system32\Qkipkani.exe)
- PID:5340
[40] C:\Windows\SysWOW64\Qachgk32.exe (command line: C:\Windows\system32\Qachgk32.exe)
- PID:5380
[41] C:\Windows\SysWOW64\Qdbdcg32.exe (command line: C:\Windows\system32\Qdbdcg32.exe)
- PID:5420
[42] C:\Windows\SysWOW64\Amjillkj.exe (command line: C:\Windows\system32\Amjillkj.exe)
- PID:5460
[43] C:\Windows\SysWOW64\Ahpmjejp.exe (command line: C:\Windows\system32\Ahpmjejp.exe)
- PID:5500
[44] C:\Windows\SysWOW64\Aknifq32.exe (command line: C:\Windows\system32\Aknifq32.exe)
- PID:5540
[45] C:\Windows\SysWOW64\Aahbbkaq.exe (command line: C:\Windows\system32\Aahbbkaq.exe)
- PID:5580
[46] C:\Windows\SysWOW64\Adfnofpd.exe (command line: C:\Windows\system32\Adfnofpd.exe)
- PID:5620
[47] C:\Windows\SysWOW64\Aolblopj.exe (command line: C:\Windows\system32\Aolblopj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID:5660
[48] C:\Windows\SysWOW64\Aefjii32.exe (command line: C:\Windows\system32\Aefjii32.exe)
- PID:5716
[49] C:\Windows\SysWOW64\Alpbecod.exe (command line: C:\Windows\system32\Alpbecod.exe)
- PID:5752
[50] C:\Windows\SysWOW64\Aonoao32.exe (command line: C:\Windows\system32\Aonoao32.exe)
- PID:5796
[51] C:\Windows\SysWOW64\Aehgnied.exe (command line: C:\Windows\system32\Aehgnied.exe)
- PID:5844
[52] C:\Windows\SysWOW64\Adkgje32.exe (command line: C:\Windows\system32\Adkgje32.exe)
- PID:5896
[53] C:\Windows\SysWOW64\Akepfpcl.exe (command line: C:\Windows\system32\Akepfpcl.exe)
- PID:5956
[54] C:\Windows\SysWOW64\Aaohcj32.exe (command line: C:\Windows\system32\Aaohcj32.exe)
- PID:6016
[55] C:\Windows\SysWOW64\Adndoe32.exe (command line: C:\Windows\system32\Adndoe32.exe)
- PID:6064
[56] C:\Windows\SysWOW64\Bochmn32.exe (command line: C:\Windows\system32\Bochmn32.exe)
- PID:6112
[57] C:\Windows\SysWOW64\Bhkmec32.exe (command line: C:\Windows\system32\Bhkmec32.exe)
- Modifies registry class
- PID:1604
[58] C:\Windows\SysWOW64\Bkjiao32.exe (command line: C:\Windows\system32\Bkjiao32.exe)
- Modifies registry class
- PID:5224
[59] C:\Windows\SysWOW64\Badanigc.exe (command line: C:\Windows\system32\Badanigc.exe)
- PID:5252
[60] C:\Windows\SysWOW64\Bdbnjdfg.exe (command line: C:\Windows\system32\Bdbnjdfg.exe)
- PID:5364
[61] C:\Windows\SysWOW64\Blielbfi.exe (command line: C:\Windows\system32\Blielbfi.exe)
- PID:5468
[62] C:\Windows\SysWOW64\Bnkbcj32.exe (command line: C:\Windows\system32\Bnkbcj32.exe)
- PID:5588
[63] C:\Windows\SysWOW64\Bhpfqcln.exe (command line: C:\Windows\system32\Bhpfqcln.exe)
- PID:5668
[64] C:\Windows\SysWOW64\Bojomm32.exe (command line: C:\Windows\system32\Bojomm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID:5764
[65] C:\Windows\SysWOW64\Bedgjgkg.exe (command line: C:\Windows\system32\Bedgjgkg.exe)
- PID:5872
[66] C:\Windows\SysWOW64\Jmeede32.exe (command line: C:\Windows\system32\Jmeede32.exe)
- PID:5980
[67] C:\Windows\SysWOW64\Lmaamn32.exe (command line: C:\Windows\system32\Lmaamn32.exe)
- PID:6048
[68] C:\Windows\SysWOW64\Lckiihok.exe (command line: C:\Windows\system32\Lckiihok.exe)
- PID:5168
[69] C:\Windows\SysWOW64\Ljeafb32.exe (command line: C:\Windows\system32\Ljeafb32.exe)
- PID:5332
[70] C:\Windows\SysWOW64\Lncjlq32.exe (command line: C:\Windows\system32\Lncjlq32.exe)
- PID:5532
[71] C:\Windows\SysWOW64\Mqafhl32.exe (command line: C:\Windows\system32\Mqafhl32.exe)
- PID:5684
[72] C:\Windows\SysWOW64\Mcpcdg32.exe (command line: C:\Windows\system32\Mcpcdg32.exe)
- PID:3620
[73] C:\Windows\SysWOW64\Mjjkaabc.exe (command line: C:\Windows\system32\Mjjkaabc.exe)
- PID:2540
[74] C:\Windows\SysWOW64\Mqdcnl32.exe (command line: C:\Windows\system32\Mqdcnl32.exe)
- PID:5940
[75] C:\Windows\SysWOW64\Mgnlkfal.exe (command line: C:\Windows\system32\Mgnlkfal.exe)
- PID:5124
[76] C:\Windows\SysWOW64\Mnhdgpii.exe (command line: C:\Windows\system32\Mnhdgpii.exe)
- Modifies registry class
- PID:5368
[77] C:\Windows\SysWOW64\Moipoh32.exe (command line: C:\Windows\system32\Moipoh32.exe)
- PID:5608
[78] C:\Windows\SysWOW64\Mcelpggq.exe (command line: C:\Windows\system32\Mcelpggq.exe)
- PID:2316
[79] C:\Windows\SysWOW64\Mnjqmpgg.exe (command line: C:\Windows\system32\Mnjqmpgg.exe)
- Drops file in System32 directory
- PID:5948
[80] C:\Windows\SysWOW64\Mfhbga32.exe (command line: C:\Windows\system32\Mfhbga32.exe)
- PID:4472
[81] C:\Windows\SysWOW64\Nmbjcljl.exe (command line: C:\Windows\system32\Nmbjcljl.exe)
- Drops file in System32 directory
- PID:5524
[82] C:\Windows\SysWOW64\Nclbpf32.exe (command line: C:\Windows\system32\Nclbpf32.exe)
- PID:4436
[83] C:\Windows\SysWOW64\Nggnadib.exe (command line: C:\Windows\system32\Nggnadib.exe)
- PID:5184
[84] C:\Windows\SysWOW64\Nnafno32.exe (command line: C:\Windows\system32\Nnafno32.exe)
- PID:5576
[85] C:\Windows\SysWOW64\Npbceggm.exe (command line: C:\Windows\system32\Npbceggm.exe)
- PID:708
[86] C:\Windows\SysWOW64\Nmfcok32.exe (command line: C:\Windows\system32\Nmfcok32.exe)
- PID:3556
[87] C:\Windows\SysWOW64\Nadleilm.exe (command line: C:\Windows\system32\Nadleilm.exe)
- PID:5808
[88] C:\Windows\SysWOW64\Ncchae32.exe (command line: C:\Windows\system32\Ncchae32.exe)
- PID:6164
[89] C:\Windows\SysWOW64\Nfaemp32.exe (command line: C:\Windows\system32\Nfaemp32.exe)
- PID:6204
[90] C:\Windows\SysWOW64\Nmkmjjaa.exe (command line: C:\Windows\system32\Nmkmjjaa.exe)
- PID:6252
[91] C:\Windows\SysWOW64\Npiiffqe.exe (command line: C:\Windows\system32\Npiiffqe.exe)
- PID:6300
[92] C:\Windows\SysWOW64\Nfcabp32.exe (command line: C:\Windows\system32\Nfcabp32.exe)
- Modifies registry class
- PID:6336
[93] C:\Windows\SysWOW64\Omnjojpo.exe (command line: C:\Windows\system32\Omnjojpo.exe)
- PID:6388
[94] C:\Windows\SysWOW64\Ogcnmc32.exe (command line: C:\Windows\system32\Ogcnmc32.exe)
- PID:6432
[95] C:\Windows\SysWOW64\Ojajin32.exe (command line: C:\Windows\system32\Ojajin32.exe)
- PID:6484
[96] C:\Windows\SysWOW64\Opnbae32.exe (command line: C:\Windows\system32\Opnbae32.exe)
- PID:6532
[97] C:\Windows\SysWOW64\Oclkgccf.exe (command line: C:\Windows\system32\Oclkgccf.exe)
- PID:6576
[98] C:\Windows\SysWOW64\Ocohmc32.exe (command line: C:\Windows\system32\Ocohmc32.exe)
- Drops file in System32 directory
- PID:6616
[99] C:\Windows\SysWOW64\Ondljl32.exe (command line: C:\Windows\system32\Ondljl32.exe)
- PID:6660
[100] C:\Windows\SysWOW64\Opeiadfg.exe (command line: C:\Windows\system32\Opeiadfg.exe)
- PID:6708
[101] C:\Windows\SysWOW64\Pfoann32.exe (command line: C:\Windows\system32\Pfoann32.exe)
- PID:6752
[102] C:\Windows\SysWOW64\Paeelgnj.exe (command line: C:\Windows\system32\Paeelgnj.exe)
- PID:6796
[103] C:\Windows\SysWOW64\Pnifekmd.exe (command line: C:\Windows\system32\Pnifekmd.exe)
- PID:6840
[104] C:\Windows\SysWOW64\Pfdjinjo.exe (command line: C:\Windows\system32\Pfdjinjo.exe)
- PID:6888
[105] C:\Windows\SysWOW64\Paiogf32.exe (command line: C:\Windows\system32\Paiogf32.exe)
- PID:6964
[106] C:\Windows\SysWOW64\Palklf32.exe (command line: C:\Windows\system32\Palklf32.exe)
- Modifies registry class
- PID:7008
[107] C:\Windows\SysWOW64\Phfcipoo.exe (command line: C:\Windows\system32\Phfcipoo.exe)
- PID:7052
[108] C:\Windows\SysWOW64\Pnplfj32.exe (command line: C:\Windows\system32\Pnplfj32.exe)
- PID:7096
[109] C:\Windows\SysWOW64\Panhbfep.exe (command line: C:\Windows\system32\Panhbfep.exe)
- PID:7140
[110] C:\Windows\SysWOW64\Qobhkjdi.exe (command line: C:\Windows\system32\Qobhkjdi.exe)
- PID:5688
[111] C:\Windows\SysWOW64\Qpcecb32.exe (command line: C:\Windows\system32\Qpcecb32.exe)
- PID:6236
[112] C:\Windows\SysWOW64\Qjiipk32.exe (command line: C:\Windows\system32\Qjiipk32.exe)
- Drops file in System32 directory
- PID:6288
[113] C:\Windows\SysWOW64\Afpjel32.exe (command line: C:\Windows\system32\Afpjel32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- PID:6368
[114] C:\Windows\SysWOW64\Aogbfi32.exe (command line: C:\Windows\system32\Aogbfi32.exe)
- PID:6420
[115] C:\Windows\SysWOW64\Aphnnafb.exe (command line: C:\Windows\system32\Aphnnafb.exe)
- PID:6528
[116] C:\Windows\SysWOW64\Aoioli32.exe (command line: C:\Windows\system32\Aoioli32.exe)
- PID:6572
[117] C:\Windows\SysWOW64\Ahaceo32.exe (command line: C:\Windows\system32\Ahaceo32.exe)
- PID:6648
[118] C:\Windows\SysWOW64\Amnlme32.exe (command line: C:\Windows\system32\Amnlme32.exe)
- PID:6696
[119] C:\Windows\SysWOW64\Adhdjpjf.exe (command line: C:\Windows\system32\Adhdjpjf.exe)
- PID:6776
[120] C:\Windows\SysWOW64\Apodoq32.exe (command line: C:\Windows\system32\Apodoq32.exe)
- PID:6856
[121] C:\Windows\SysWOW64\Agimkk32.exe (command line: C:\Windows\system32\Agimkk32.exe)
- PID:6948
[122] C:\Windows\SysWOW64\Aopemh32.exe (command line: C:\Windows\system32\Aopemh32.exe)
- PID:7020