Analysis
max time kernel: 63s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 26/11/2023, 10:18
Behavioral task: behavioral1
Sample: cad647db1c7714d279caf9c2889e8af5.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: cad647db1c7714d279caf9c2889e8af5.exe
Resource: win10v2004-20231023-en
General
Target: cad647db1c7714d279caf9c2889e8af5.exe
Size: 407KB
MD5: cad647db1c7714d279caf9c2889e8af5
SHA1: 06bd7166d10d4671c709995ce7c7345a43b5bde5
SHA256: 0d3617ddcd6cffeda0480e963617df892248c9a4047104cebdee03e2c9d6417b
SHA512: 3d2e0088512934649d15a60fbdd119cc97faa54ac517fc32935a6c8aebfdb34732a169700248e00a2c61047aee4befdebe108c8efef164188c15ad33347c0b2e
SSDEEP: 12288:2s3h1NJO/awrSmfyiPFg8prNdw+C7797TnPtLU8deJUP//zk9FGB:2CJO/awrSmfyiPFg8prNdw+C7797TnP/
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\cad647db1c7714d279caf9c2889e8af5.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cad647db1c7714d279caf9c2889e8af5.exe"), PID 1296
  - Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\SysWOW64\Hkfglb32.exe (command line: C:\Windows\system32\Hkfglb32.exe), PID 4236
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\SysWOW64\Ikkpgafg.exe (command line: C:\Windows\system32\Ikkpgafg.exe), PID 744
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 4: C:\Windows\SysWOW64\Iknmla32.exe (command line: C:\Windows\system32\Iknmla32.exe), PID 4924
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 5: C:\Windows\SysWOW64\Ipmbjgpi.exe (command line: C:\Windows\system32\Ipmbjgpi.exe), PID 5020
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 6: C:\Windows\SysWOW64\Ikdcmpnl.exe (command line: C:\Windows\system32\Ikdcmpnl.exe), PID 5064
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 7: C:\Windows\SysWOW64\Jdmgfedl.exe (command line: C:\Windows\system32\Jdmgfedl.exe), PID 3532
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 8: C:\Windows\SysWOW64\Jcbdgb32.exe (command line: C:\Windows\system32\Jcbdgb32.exe), PID 1612
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Depth 9: C:\Windows\SysWOW64\Jnjejjgh.exe (command line: C:\Windows\system32\Jnjejjgh.exe), PID 4416
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 10: C:\Windows\SysWOW64\Jjafok32.exe (command line: C:\Windows\system32\Jjafok32.exe), PID 1236
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 11: C:\Windows\SysWOW64\Knooej32.exe (command line: C:\Windows\system32\Knooej32.exe), PID 520
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 12: C:\Windows\SysWOW64\Manmoq32.exe (command line: C:\Windows\system32\Manmoq32.exe), PID 1924
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 13: C:\Windows\SysWOW64\Najmjokc.exe (command line: C:\Windows\system32\Najmjokc.exe), PID 5024
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 14: C:\Windows\SysWOW64\Odjeljhd.exe (command line: C:\Windows\system32\Odjeljhd.exe), PID 1744
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 15: C:\Windows\SysWOW64\Ohmhmh32.exe (command line: C:\Windows\system32\Ohmhmh32.exe), PID 396
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 16: C:\Windows\SysWOW64\Pmlmkn32.exe (command line: C:\Windows\system32\Pmlmkn32.exe), PID 3140
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
Depth 17: C:\Windows\SysWOW64\Poliea32.exe (command line: C:\Windows\system32\Poliea32.exe), PID 928
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
Depth 18: C:\Windows\SysWOW64\Palbgl32.exe (command line: C:\Windows\system32\Palbgl32.exe), PID 2092
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 19: C:\Windows\SysWOW64\Phfjcf32.exe (command line: C:\Windows\system32\Phfjcf32.exe), PID 1528
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 20: C:\Windows\SysWOW64\Pkgcea32.exe (command line: C:\Windows\system32\Pkgcea32.exe), PID 1316
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 21: C:\Windows\SysWOW64\Qachgk32.exe (command line: C:\Windows\system32\Qachgk32.exe), PID 2860
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 22: C:\Windows\SysWOW64\Qlimed32.exe (command line: C:\Windows\system32\Qlimed32.exe), PID 2168
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
Depth 23: C:\Windows\SysWOW64\Aahbbkaq.exe (command line: C:\Windows\system32\Aahbbkaq.exe), PID 4640
  - Executes dropped EXE
Depth 24: C:\Windows\SysWOW64\Akqfkp32.exe (command line: C:\Windows\system32\Akqfkp32.exe), PID 1632
  - Executes dropped EXE
  - Modifies registry class
Depth 25: C:\Windows\SysWOW64\Ahdged32.exe (command line: C:\Windows\system32\Ahdged32.exe), PID 2360
  - Executes dropped EXE
Depth 26: C:\Windows\SysWOW64\Adkgje32.exe (command line: C:\Windows\system32\Adkgje32.exe), PID 3900
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 27: C:\Windows\SysWOW64\Bhkmec32.exe (command line: C:\Windows\system32\Bhkmec32.exe), PID 3100
  - Executes dropped EXE
Depth 28: C:\Windows\SysWOW64\Bhnikc32.exe (command line: C:\Windows\system32\Bhnikc32.exe), PID 4600
  - Executes dropped EXE
Depth 1: C:\Windows\SysWOW64\Bohbhmfm.exe (command line: C:\Windows\system32\Bohbhmfm.exe), PID 3952
  - Executes dropped EXE
Depth 2: C:\Windows\SysWOW64\Bkaobnio.exe (command line: C:\Windows\system32\Bkaobnio.exe), PID 3104
  - Executes dropped EXE
  - Modifies registry class
Depth 3: C:\Windows\SysWOW64\Ckhecmcf.exe (command line: C:\Windows\system32\Ckhecmcf.exe), PID 2892
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
Depth 4: C:\Windows\SysWOW64\Cbdjeg32.exe (command line: C:\Windows\system32\Cbdjeg32.exe), PID 1644
  - Executes dropped EXE
Depth 5: C:\Windows\SysWOW64\Ckmonl32.exe (command line: C:\Windows\system32\Ckmonl32.exe), PID 4488
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 6: C:\Windows\SysWOW64\Dokgdkeh.exe (command line: C:\Windows\system32\Dokgdkeh.exe), PID 4456
  - Executes dropped EXE
Depth 7: C:\Windows\SysWOW64\Dkahilkl.exe (command line: C:\Windows\system32\Dkahilkl.exe), PID 4248
  - Executes dropped EXE
Depth 8: C:\Windows\SysWOW64\Dkceokii.exe (command line: C:\Windows\system32\Dkceokii.exe), PID 4436
  - Executes dropped EXE
Depth 9: C:\Windows\SysWOW64\Doaneiop.exe (command line: C:\Windows\system32\Doaneiop.exe), PID 2336
  - Executes dropped EXE
Depth 10: C:\Windows\SysWOW64\Ddnfmqng.exe (command line: C:\Windows\system32\Ddnfmqng.exe), PID 4756
  - Executes dropped EXE
Depth 11: C:\Windows\SysWOW64\Dngjff32.exe (command line: C:\Windows\system32\Dngjff32.exe), PID 2596
  - Executes dropped EXE
Depth 12: C:\Windows\SysWOW64\Eiloco32.exe (command line: C:\Windows\system32\Eiloco32.exe), PID 3744
  - Executes dropped EXE
Depth 13: C:\Windows\SysWOW64\Ebdcld32.exe (command line: C:\Windows\system32\Ebdcld32.exe), PID 3068
  - Executes dropped EXE
  - Modifies registry class
Depth 14: C:\Windows\SysWOW64\Ekmhejao.exe (command line: C:\Windows\system32\Ekmhejao.exe), PID 1112
  - Executes dropped EXE
Depth 15: C:\Windows\SysWOW64\Efblbbqd.exe (command line: C:\Windows\system32\Efblbbqd.exe), PID 2792
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 16: C:\Windows\SysWOW64\Emoadlfo.exe (command line: C:\Windows\system32\Emoadlfo.exe), PID 1784
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 17: C:\Windows\SysWOW64\Eifaim32.exe (command line: C:\Windows\system32\Eifaim32.exe), PID 3572
  - Executes dropped EXE
Depth 18: C:\Windows\SysWOW64\Efjbcakl.exe (command line: C:\Windows\system32\Efjbcakl.exe), PID 3972
  - Executes dropped EXE
Depth 19: C:\Windows\SysWOW64\Flfkkhid.exe (command line: C:\Windows\system32\Flfkkhid.exe), PID 1336
  - Executes dropped EXE
Depth 20: C:\Windows\SysWOW64\Fflohaij.exe (command line: C:\Windows\system32\Fflohaij.exe), PID 4432
  - Executes dropped EXE
Depth 21: C:\Windows\SysWOW64\Fimhjl32.exe (command line: C:\Windows\system32\Fimhjl32.exe), PID 3136
  - Executes dropped EXE
Depth 22: C:\Windows\SysWOW64\Ffqhcq32.exe (command line: C:\Windows\system32\Ffqhcq32.exe), PID 3248
  - Executes dropped EXE
Depth 23: C:\Windows\SysWOW64\Flmqlg32.exe (command line: C:\Windows\system32\Flmqlg32.exe), PID 3940
  - Executes dropped EXE
Depth 24: C:\Windows\SysWOW64\Fefedmil.exe (command line: C:\Windows\system32\Fefedmil.exe), PID 2456
  - Executes dropped EXE
Depth 25: C:\Windows\SysWOW64\Fbjena32.exe (command line: C:\Windows\system32\Fbjena32.exe), PID 3076
  - Executes dropped EXE
Depth 26: C:\Windows\SysWOW64\Gnqfcbnj.exe (command line: C:\Windows\system32\Gnqfcbnj.exe), PID 2672
  - Executes dropped EXE
Depth 27: C:\Windows\SysWOW64\Gifkpknp.exe (command line: C:\Windows\system32\Gifkpknp.exe), PID 4156
  - Executes dropped EXE
Depth 28: C:\Windows\SysWOW64\Glgcbf32.exe (command line: C:\Windows\system32\Glgcbf32.exe), PID 5044
  - Executes dropped EXE
Depth 29: C:\Windows\SysWOW64\Gmfplibd.exe (command line: C:\Windows\system32\Gmfplibd.exe), PID 1536
  - Executes dropped EXE
Depth 30: C:\Windows\SysWOW64\Hfcnpn32.exe (command line: C:\Windows\system32\Hfcnpn32.exe), PID 5008
  - Executes dropped EXE
Depth 31: C:\Windows\SysWOW64\Hoobdp32.exe (command line: C:\Windows\system32\Hoobdp32.exe), PID 4940
  - Executes dropped EXE
Depth 32: C:\Windows\SysWOW64\Hehkajig.exe (command line: C:\Windows\system32\Hehkajig.exe), PID 1340
  - Executes dropped EXE
Depth 33: C:\Windows\SysWOW64\Hfhgkmpj.exe (command line: C:\Windows\system32\Hfhgkmpj.exe), PID 640
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
Depth 34: C:\Windows\SysWOW64\Hemdlj32.exe (command line: C:\Windows\system32\Hemdlj32.exe), PID 4060
  - Executes dropped EXE
Depth 35: C:\Windows\SysWOW64\Iohejo32.exe (command line: C:\Windows\system32\Iohejo32.exe), PID 3760
  - Executes dropped EXE
Depth 36: C:\Windows\SysWOW64\Igajal32.exe (command line: C:\Windows\system32\Igajal32.exe), PID 3540
  - Executes dropped EXE
Depth 37: C:\Windows\SysWOW64\Ibhkfm32.exe (command line: C:\Windows\system32\Ibhkfm32.exe), PID 724
  - Executes dropped EXE
Depth 38: C:\Windows\SysWOW64\Ioolkncg.exe (command line: C:\Windows\system32\Ioolkncg.exe), PID 3680
Depth 39: C:\Windows\SysWOW64\Ipoheakj.exe (command line: C:\Windows\system32\Ipoheakj.exe), PID 4772
Depth 40: C:\Windows\SysWOW64\Jgkmgk32.exe (command line: C:\Windows\system32\Jgkmgk32.exe), PID 4204
Depth 41: C:\Windows\SysWOW64\Jmeede32.exe (command line: C:\Windows\system32\Jmeede32.exe), PID 2796
Depth 42: C:\Windows\SysWOW64\Jepjhg32.exe (command line: C:\Windows\system32\Jepjhg32.exe), PID 1604
Depth 43: C:\Windows\SysWOW64\Johnamkm.exe (command line: C:\Windows\system32\Johnamkm.exe), PID 404
Depth 44: C:\Windows\SysWOW64\Jphkkpbp.exe (command line: C:\Windows\system32\Jphkkpbp.exe), PID 4656
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
Depth 45: C:\Windows\SysWOW64\Knnhjcog.exe (command line: C:\Windows\system32\Knnhjcog.exe), PID 2348
  - Modifies registry class
Depth 46: C:\Windows\SysWOW64\Klcekpdo.exe (command line: C:\Windows\system32\Klcekpdo.exe), PID 1504
  - Drops file in System32 directory
Depth 47: C:\Windows\SysWOW64\Knenkbio.exe (command line: C:\Windows\system32\Knenkbio.exe), PID 3604
Depth 48: C:\Windows\SysWOW64\Loighj32.exe (command line: C:\Windows\system32\Loighj32.exe), PID 4740
  - Drops file in System32 directory
Depth 49: C:\Windows\SysWOW64\Ljceqb32.exe (command line: C:\Windows\system32\Ljceqb32.exe), PID 3860
Depth 50: C:\Windows\SysWOW64\Lqmmmmph.exe (command line: C:\Windows\system32\Lqmmmmph.exe), PID 2260
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 51: C:\Windows\SysWOW64\Ljhnlb32.exe (command line: C:\Windows\system32\Ljhnlb32.exe), PID 3904
Depth 52: C:\Windows\SysWOW64\Mcpcdg32.exe (command line: C:\Windows\system32\Mcpcdg32.exe), PID 460
Depth 53: C:\Windows\SysWOW64\Mqdcnl32.exe (command line: C:\Windows\system32\Mqdcnl32.exe), PID 472
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 54: C:\Windows\SysWOW64\Mqfpckhm.exe (command line: C:\Windows\system32\Mqfpckhm.exe), PID 4324
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 55: C:\Windows\SysWOW64\Mfchlbfd.exe (command line: C:\Windows\system32\Mfchlbfd.exe), PID 1640
Depth 56: C:\Windows\SysWOW64\Mokmdh32.exe (command line: C:\Windows\system32\Mokmdh32.exe), PID 4196
Depth 57: C:\Windows\SysWOW64\Mjaabq32.exe (command line: C:\Windows\system32\Mjaabq32.exe), PID 5144
Depth 58: C:\Windows\SysWOW64\Mfhbga32.exe (command line: C:\Windows\system32\Mfhbga32.exe), PID 5188
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 59: C:\Windows\SysWOW64\Nopfpgip.exe (command line: C:\Windows\system32\Nopfpgip.exe), PID 5232
  - Modifies registry class
Depth 60: C:\Windows\SysWOW64\Nfjola32.exe (command line: C:\Windows\system32\Nfjola32.exe), PID 5276
Depth 61: C:\Windows\SysWOW64\Nmdgikhi.exe (command line: C:\Windows\system32\Nmdgikhi.exe), PID 5324
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
Depth 62: C:\Windows\SysWOW64\Ncnofeof.exe (command line: C:\Windows\system32\Ncnofeof.exe), PID 5368
Depth 63: C:\Windows\SysWOW64\Nncccnol.exe (command line: C:\Windows\system32\Nncccnol.exe), PID 5412
Depth 64: C:\Windows\SysWOW64\Nglhld32.exe (command line: C:\Windows\system32\Nglhld32.exe), PID 5452
Depth 65: C:\Windows\SysWOW64\Npgmpf32.exe (command line: C:\Windows\system32\Npgmpf32.exe), PID 5492
Depth 66: C:\Windows\SysWOW64\Nnhmnn32.exe (command line: C:\Windows\system32\Nnhmnn32.exe), PID 5536
Depth 67: C:\Windows\SysWOW64\Ngqagcag.exe (command line: C:\Windows\system32\Ngqagcag.exe), PID 5580
  - Modifies registry class
Depth 68: C:\Windows\SysWOW64\Onkidm32.exe (command line: C:\Windows\system32\Onkidm32.exe), PID 5620
Depth 69: C:\Windows\SysWOW64\Ocgbld32.exe (command line: C:\Windows\system32\Ocgbld32.exe), PID 5668
Depth 70: C:\Windows\SysWOW64\Ojajin32.exe (command line: C:\Windows\system32\Ojajin32.exe), PID 5712
Depth 71: C:\Windows\SysWOW64\Oakbehfe.exe (command line: C:\Windows\system32\Oakbehfe.exe), PID 5752
  - Modifies registry class
Depth 72: C:\Windows\SysWOW64\Ofhknodl.exe (command line: C:\Windows\system32\Ofhknodl.exe), PID 5800
  - Drops file in System32 directory
Depth 73: C:\Windows\SysWOW64\Oclkgccf.exe (command line: C:\Windows\system32\Oclkgccf.exe), PID 5844
Depth 74: C:\Windows\SysWOW64\Onapdl32.exe (command line: C:\Windows\system32\Onapdl32.exe), PID 5888
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 75: C:\Windows\SysWOW64\Ocohmc32.exe (command line: C:\Windows\system32\Ocohmc32.exe), PID 5932
Depth 76: C:\Windows\SysWOW64\Ocaebc32.exe (command line: C:\Windows\system32\Ocaebc32.exe), PID 5972
Depth 77: C:\Windows\SysWOW64\Pnfiplog.exe (command line: C:\Windows\system32\Pnfiplog.exe), PID 6012
Depth 78: C:\Windows\SysWOW64\Pccahbmn.exe (command line: C:\Windows\system32\Pccahbmn.exe), PID 6056
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 79: C:\Windows\SysWOW64\Phajna32.exe (command line: C:\Windows\system32\Phajna32.exe), PID 6116
Depth 80: C:\Windows\SysWOW64\Pffgom32.exe (command line: C:\Windows\system32\Pffgom32.exe), PID 5184
Depth 81: C:\Windows\SysWOW64\Pdjgha32.exe (command line: C:\Windows\system32\Pdjgha32.exe), PID 5268
Depth 82: C:\Windows\SysWOW64\Pdmdnadc.exe (command line: C:\Windows\system32\Pdmdnadc.exe), PID 5332
Depth 83: C:\Windows\SysWOW64\Qobhkjdi.exe (command line: C:\Windows\system32\Qobhkjdi.exe), PID 5400
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
Depth 84: C:\Windows\SysWOW64\Qjiipk32.exe (command line: C:\Windows\system32\Qjiipk32.exe), PID 5464
Depth 85: C:\Windows\SysWOW64\Aaenbd32.exe (command line: C:\Windows\system32\Aaenbd32.exe), PID 5512
Depth 86: C:\Windows\SysWOW64\Ahofoogd.exe (command line: C:\Windows\system32\Ahofoogd.exe), PID 5604
Depth 87: C:\Windows\SysWOW64\Apjkcadp.exe (command line: C:\Windows\system32\Apjkcadp.exe), PID 5676
Depth 88: C:\Windows\SysWOW64\Aokkahlo.exe (command line: C:\Windows\system32\Aokkahlo.exe), PID 5732
Depth 89: C:\Windows\SysWOW64\Akblfj32.exe (command line: C:\Windows\system32\Akblfj32.exe), PID 5812
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 90: C:\Windows\SysWOW64\Ahfmpnql.exe (command line: C:\Windows\system32\Ahfmpnql.exe), PID 5872
Depth 91: C:\Windows\SysWOW64\Bdmmeo32.exe (command line: C:\Windows\system32\Bdmmeo32.exe), PID 5960
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
Depth 92: C:\Windows\SysWOW64\Bhmbqm32.exe (command line: C:\Windows\system32\Bhmbqm32.exe), PID 6020
Depth 93: C:\Windows\SysWOW64\Bddcenpi.exe (command line: C:\Windows\system32\Bddcenpi.exe), PID 6092
Depth 94: C:\Windows\SysWOW64\Boihcf32.exe (command line: C:\Windows\system32\Boihcf32.exe), PID 5224
Depth 95: C:\Windows\SysWOW64\Chdialdl.exe (command line: C:\Windows\system32\Chdialdl.exe), PID 5308
Depth 96: C:\Windows\SysWOW64\Cnaaib32.exe (command line: C:\Windows\system32\Cnaaib32.exe), PID 5440
Depth 97: C:\Windows\SysWOW64\Chfegk32.exe (command line: C:\Windows\system32\Chfegk32.exe), PID 5572
Depth 98: C:\Windows\SysWOW64\Ckgohf32.exe (command line: C:\Windows\system32\Ckgohf32.exe), PID 5660
Depth 99: C:\Windows\SysWOW64\Ckjknfnh.exe (command line: C:\Windows\system32\Ckjknfnh.exe), PID 5796
Depth 100: C:\Windows\SysWOW64\Dahmfpap.exe (command line: C:\Windows\system32\Dahmfpap.exe), PID 5876
  - Modifies registry class
Depth 101: C:\Windows\SysWOW64\Dgeenfog.exe (command line: C:\Windows\system32\Dgeenfog.exe), PID 5924
  - Modifies registry class
Depth 102: C:\Windows\SysWOW64\Ddifgk32.exe (command line: C:\Windows\system32\Ddifgk32.exe), PID 5968
Depth 103: C:\Windows\SysWOW64\Doojec32.exe (command line: C:\Windows\system32\Doojec32.exe), PID 6088
  - Drops file in System32 directory
Depth 104: C:\Windows\SysWOW64\Dqpfmlce.exe (command line: C:\Windows\system32\Dqpfmlce.exe), PID 5316
Depth 105: C:\Windows\SysWOW64\Dndgfpbo.exe (command line: C:\Windows\system32\Dndgfpbo.exe), PID 5392
Depth 106: C:\Windows\SysWOW64\Dkhgod32.exe (command line: C:\Windows\system32\Dkhgod32.exe), PID 5612
  - Modifies registry class
Depth 107: C:\Windows\SysWOW64\Eqiibjlj.exe (command line: C:\Windows\system32\Eqiibjlj.exe), PID 5840
Depth 108: C:\Windows\SysWOW64\Enmjlojd.exe (command line: C:\Windows\system32\Enmjlojd.exe), PID 3120
  - Modifies registry class
Depth 109: C:\Windows\SysWOW64\Egened32.exe (command line: C:\Windows\system32\Egened32.exe), PID 5228
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 110: C:\Windows\SysWOW64\Enpfan32.exe (command line: C:\Windows\system32\Enpfan32.exe), PID 4312
Depth 111: C:\Windows\SysWOW64\Fnbcgn32.exe (command line: C:\Windows\system32\Fnbcgn32.exe), PID 2980
Depth 112: C:\Windows\SysWOW64\Figgdg32.exe (command line: C:\Windows\system32\Figgdg32.exe), PID 5548
Depth 113: C:\Windows\SysWOW64\Foapaa32.exe (command line: C:\Windows\system32\Foapaa32.exe), PID 5708
Depth 114: C:\Windows\SysWOW64\Fijdjfdb.exe (command line: C:\Windows\system32\Fijdjfdb.exe), PID 6160
  - Adds autorun key to be loaded by Explorer.exe on startup
Depth 115: C:\Windows\SysWOW64\Fnfmbmbi.exe (command line: C:\Windows\system32\Fnfmbmbi.exe), PID 6208
Depth 116: C:\Windows\SysWOW64\Fgoakc32.exe (command line: C:\Windows\system32\Fgoakc32.exe), PID 6252
  - Drops file in System32 directory
Depth 117: C:\Windows\SysWOW64\Fqgedh32.exe (command line: C:\Windows\system32\Fqgedh32.exe), PID 6300
Depth 118: C:\Windows\SysWOW64\Fohfbpgi.exe (command line: C:\Windows\system32\Fohfbpgi.exe), PID 6336
Depth 119: C:\Windows\SysWOW64\Fiqjke32.exe (command line: C:\Windows\system32\Fiqjke32.exe), PID 6380
Depth 120: C:\Windows\SysWOW64\Gegkpf32.exe (command line: C:\Windows\system32\Gegkpf32.exe), PID 6440
Depth 121: C:\Windows\SysWOW64\Gnpphljo.exe (command line: C:\Windows\system32\Gnpphljo.exe), PID 6484
Depth 122: C:\Windows\SysWOW64\Gghdaa32.exe (command line: C:\Windows\system32\Gghdaa32.exe), PID 6520