Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
26-11-2023 19:39
Behavioral task
behavioral1
Sample
edd604751e3bfadbb7dda65f64781a10.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
edd604751e3bfadbb7dda65f64781a10.exe
Resource
win10v2004-20231020-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
edd604751e3bfadbb7dda65f64781a10.exe
-
Size
107KB
-
MD5
edd604751e3bfadbb7dda65f64781a10
-
SHA1
34a3c1aa8ea808c83710cc88d61293dcb8c251e5
-
SHA256
ea154c1986edc8cc27444851d7d1d894026e41ec02a0984ba8f1aa58f77d66c5
-
SHA512
0a786c4b0c9a99d606623a206197567737526e140ba5d38c37b7393d19d8ff8b8224a2f9ec8fb896a5a15bb89aee2ca539fbfd2c9cbd6530117d3cf7aa3a2cc3
-
SSDEEP
1536:774HMOeA1xqQfLirhRSQzL7Clz1iY3vqs2LMaIZTJ+7LhkiB0MPiKeEAgHD/Chxi:774HMOeX7GFhyMaMU7uihJ5233y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbgikia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgoboc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfgegnbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmhnjlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddlof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjfjbdle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjjclobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcefji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgapdeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcoqdoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhljdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfjha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnqqgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnbkbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bofgii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelkeeah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nianhplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjdjklek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfljkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklddhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfaocal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojbkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kljabgnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Becnhgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjmpbopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpcqaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddpobo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfeppop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmipn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfonkfqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdfnehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnjnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfgegnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fffefjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigbhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eheecbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Femeig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbhgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdojfgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdfnehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaheeecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbogfcjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldoimh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkigoimd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmbfbgo.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1192-0-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x00070000000120b7-5.dat family_berbew behavioral1/files/0x00070000000120b7-8.dat family_berbew behavioral1/files/0x00070000000120b7-13.dat family_berbew behavioral1/files/0x00070000000120b7-12.dat family_berbew behavioral1/files/0x00070000000120b7-7.dat family_berbew behavioral1/files/0x000700000001587a-34.dat family_berbew behavioral1/files/0x000700000001587a-33.dat family_berbew behavioral1/files/0x002d000000015047-26.dat family_berbew behavioral1/files/0x002d000000015047-25.dat family_berbew behavioral1/files/0x000700000001587a-31.dat family_berbew behavioral1/files/0x002d000000015047-22.dat family_berbew behavioral1/files/0x002d000000015047-21.dat family_berbew behavioral1/files/0x002d000000015047-19.dat family_berbew behavioral1/memory/2188-18-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0009000000015c8a-64.dat family_berbew behavioral1/files/0x0009000000015c8a-61.dat family_berbew behavioral1/files/0x0009000000015c8a-60.dat family_berbew behavioral1/files/0x0006000000015ca2-78.dat family_berbew behavioral1/files/0x0006000000015ca2-67.dat family_berbew behavioral1/files/0x0006000000015cb0-85.dat family_berbew behavioral1/files/0x0006000000015ca2-80.dat family_berbew behavioral1/memory/2636-79-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/memory/2608-77-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0006000000015ca2-73.dat family_berbew behavioral1/files/0x0006000000015ca2-71.dat family_berbew behavioral1/files/0x0009000000015c8a-66.dat family_berbew behavioral1/files/0x0009000000015c8a-58.dat family_berbew behavioral1/memory/2324-65-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/memory/2324-57-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0009000000015c2b-52.dat family_berbew behavioral1/memory/2784-51-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0009000000015c2b-50.dat family_berbew behavioral1/files/0x0009000000015c2b-40.dat family_berbew behavioral1/files/0x000700000001587a-39.dat family_berbew behavioral1/files/0x000700000001587a-38.dat family_berbew behavioral1/files/0x0009000000015c2b-46.dat family_berbew behavioral1/files/0x0009000000015c2b-44.dat family_berbew behavioral1/memory/2788-37-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0006000000015cb0-88.dat family_berbew behavioral1/files/0x0006000000015cb0-87.dat family_berbew behavioral1/files/0x0006000000015db5-94.dat family_berbew behavioral1/files/0x0006000000015cb0-93.dat family_berbew behavioral1/memory/2020-92-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0006000000015cb0-91.dat family_berbew behavioral1/files/0x0006000000015db5-100.dat family_berbew behavioral1/files/0x0006000000015db5-98.dat family_berbew behavioral1/files/0x0006000000015eb0-126.dat family_berbew behavioral1/files/0x0006000000015eb0-124.dat family_berbew behavioral1/memory/2808-117-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0006000000015e30-114.dat family_berbew behavioral1/files/0x0006000000015e30-113.dat family_berbew behavioral1/files/0x0006000000015db5-106.dat family_berbew behavioral1/memory/1660-142-0x0000000000400000-0x000000000043C000-memory.dmp family_berbew behavioral1/files/0x0006000000016059-139.dat family_berbew behavioral1/files/0x0006000000016059-138.dat family_berbew behavioral1/files/0x0006000000016059-136.dat family_berbew behavioral1/files/0x0006000000015eb0-131.dat family_berbew behavioral1/files/0x0006000000015eb0-130.dat family_berbew behavioral1/files/0x0006000000015eb0-120.dat family_berbew behavioral1/files/0x0006000000015e30-119.dat family_berbew behavioral1/files/0x0006000000015e30-118.dat family_berbew behavioral1/memory/2020-105-0x00000000003C0000-0x00000000003FC000-memory.dmp family_berbew behavioral1/files/0x0006000000015db5-104.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2188 Cclkfdnc.exe 2788 Dfmdho32.exe 2784 Dpbheh32.exe 2324 Dglpbbbg.exe 2608 Dogefd32.exe 2636 Dhpiojfb.exe 2020 Dfdjhndl.exe 2808 Ddigjkid.exe 2944 Dookgcij.exe 1660 Ehgppi32.exe 1940 Endhhp32.exe 1484 Edpmjj32.exe 2884 Enhacojl.exe 1636 Eojnkg32.exe 1432 Eqijej32.exe 2936 Fjaonpnn.exe 1164 Fbmcbbki.exe 2320 Fncdgcqm.exe 1692 Fenmdm32.exe 2464 Fpcqaf32.exe 1748 Fikejl32.exe 1080 Fcefji32.exe 556 Gakcimgf.exe 2112 Gfjhgdck.exe 2124 Gmgninie.exe 1060 Gfobbc32.exe 1656 Hlljjjnm.exe 2276 Haiccald.exe 2708 Hkaglf32.exe 1968 Heihnoph.exe 3012 Hhjapjmi.exe 2844 Hmfjha32.exe 1944 Iccbqh32.exe 1188 Igakgfpn.exe 1960 Inkccpgk.exe 472 Ipllekdl.exe 2648 Ioaifhid.exe 2192 Ifkacb32.exe 2812 Jnffgd32.exe 1412 Jhljdm32.exe 1308 Jqgoiokm.exe 544 Jhngjmlo.exe 3028 Jnkpbcjg.exe 2072 Jgcdki32.exe 3024 Jqlhdo32.exe 1368 Jgfqaiod.exe 1136 Jjdmmdnh.exe 900 Joaeeklp.exe 836 Jcmafj32.exe 1268 Kjfjbdle.exe 844 Kocbkk32.exe 888 Kkaiqk32.exe 2492 Lanaiahq.exe 2240 Lghjel32.exe 2016 Leljop32.exe 2848 Lgjfkk32.exe 2704 Lmgocb32.exe 2716 Lgmcqkkh.exe 2792 Linphc32.exe 2828 Lphhenhc.exe 2616 Lmlhnagm.exe 2148 Lpjdjmfp.exe 1500 Legmbd32.exe 2896 Mlaeonld.exe -
Loads dropped DLL 64 IoCs
pid Process 1192 edd604751e3bfadbb7dda65f64781a10.exe 1192 edd604751e3bfadbb7dda65f64781a10.exe 2188 Cclkfdnc.exe 2188 Cclkfdnc.exe 2788 Dfmdho32.exe 2788 Dfmdho32.exe 2784 Dpbheh32.exe 2784 Dpbheh32.exe 2324 Dglpbbbg.exe 2324 Dglpbbbg.exe 2608 Dogefd32.exe 2608 Dogefd32.exe 2636 Dhpiojfb.exe 2636 Dhpiojfb.exe 2020 Dfdjhndl.exe 2020 Dfdjhndl.exe 2808 Ddigjkid.exe 2808 Ddigjkid.exe 2944 Dookgcij.exe 2944 Dookgcij.exe 1660 Ehgppi32.exe 1660 Ehgppi32.exe 1940 Endhhp32.exe 1940 Endhhp32.exe 1484 Edpmjj32.exe 1484 Edpmjj32.exe 2884 Enhacojl.exe 2884 Enhacojl.exe 1636 Eojnkg32.exe 1636 Eojnkg32.exe 1432 Eqijej32.exe 1432 Eqijej32.exe 2936 Fjaonpnn.exe 2936 Fjaonpnn.exe 1164 Fbmcbbki.exe 1164 Fbmcbbki.exe 2320 Fncdgcqm.exe 2320 Fncdgcqm.exe 1692 Fenmdm32.exe 1692 Fenmdm32.exe 2464 Fpcqaf32.exe 2464 Fpcqaf32.exe 1748 Fikejl32.exe 1748 Fikejl32.exe 1080 Fcefji32.exe 1080 Fcefji32.exe 556 Gakcimgf.exe 556 Gakcimgf.exe 2112 Gfjhgdck.exe 2112 Gfjhgdck.exe 2124 Gmgninie.exe 2124 Gmgninie.exe 1060 Gfobbc32.exe 1060 Gfobbc32.exe 1656 Hlljjjnm.exe 1656 Hlljjjnm.exe 2276 Haiccald.exe 2276 Haiccald.exe 2708 Hkaglf32.exe 2708 Hkaglf32.exe 1968 Heihnoph.exe 1968 Heihnoph.exe 3012 Hhjapjmi.exe 3012 Hhjapjmi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Enlejpga.dll Jcmafj32.exe File created C:\Windows\SysWOW64\Mabgcd32.exe Melfncqb.exe File created C:\Windows\SysWOW64\Qfonkfqd.exe Qcqaok32.exe File opened for modification C:\Windows\SysWOW64\Nfdkoc32.exe Necogkbo.exe File created C:\Windows\SysWOW64\Ljnnko32.exe Lgoboc32.exe File opened for modification C:\Windows\SysWOW64\Ljnnko32.exe Lgoboc32.exe File created C:\Windows\SysWOW64\Lpjdjmfp.exe Lmlhnagm.exe File opened for modification C:\Windows\SysWOW64\Mhloponc.exe Mabgcd32.exe File created C:\Windows\SysWOW64\Boplllob.exe Blaopqpo.exe File created C:\Windows\SysWOW64\Fdjidgfa.exe Fnqqgm32.exe File opened for modification C:\Windows\SysWOW64\Opplolac.exe Oehklddp.exe File opened for modification C:\Windows\SysWOW64\Eoompl32.exe Eheecbia.exe File opened for modification C:\Windows\SysWOW64\Pjcmap32.exe Pegqpacp.exe File opened for modification C:\Windows\SysWOW64\Eaeipfei.exe Eklqcl32.exe File created C:\Windows\SysWOW64\Gfpifm32.dll Cpfaocal.exe File opened for modification C:\Windows\SysWOW64\Hbnbkbja.exe Hppfog32.exe File created C:\Windows\SysWOW64\Qcqaok32.exe Pdldnomh.exe File created C:\Windows\SysWOW64\Degiggjm.exe Domqjm32.exe File created C:\Windows\SysWOW64\Dllgcqbk.dll Fgohna32.exe File created C:\Windows\SysWOW64\Dmmmfc32.exe Dgbeiiqe.exe File created C:\Windows\SysWOW64\Dbojdmcd.exe Dpqnhadq.exe File created C:\Windows\SysWOW64\Gojijh32.dll Elajgpmj.exe File created C:\Windows\SysWOW64\Giacpp32.dll Inhanl32.exe File created C:\Windows\SysWOW64\Ieagbm32.exe Ipdojfgh.exe File created C:\Windows\SysWOW64\Lklejh32.exe Leammn32.exe File opened for modification C:\Windows\SysWOW64\Bmnlbcfg.exe Bpjkiogm.exe File opened for modification C:\Windows\SysWOW64\Inhanl32.exe Ihniaa32.exe File created C:\Windows\SysWOW64\Ffnbaojm.exe Femeig32.exe File opened for modification C:\Windows\SysWOW64\Iknpkd32.exe Ieagbm32.exe File created C:\Windows\SysWOW64\Cifelgmd.exe Cdjmcpnl.exe File created C:\Windows\SysWOW64\Gedaglad.dll Hlccdboi.exe File created C:\Windows\SysWOW64\Hcohnaep.dll Pgnjde32.exe File created C:\Windows\SysWOW64\Hkaglf32.exe Haiccald.exe File created C:\Windows\SysWOW64\Oebimf32.exe Ocdmaj32.exe File created C:\Windows\SysWOW64\Ppdjkg32.dll Ikefkcmo.exe File opened for modification C:\Windows\SysWOW64\Mhonngce.exe Maefamlh.exe File opened for modification C:\Windows\SysWOW64\Ohhmcinf.exe Oanefo32.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Dfmdho32.exe File created C:\Windows\SysWOW64\Bfqgjgep.dll Aaloddnn.exe File opened for modification C:\Windows\SysWOW64\Ejehgkdp.exe Djclbl32.exe File opened for modification C:\Windows\SysWOW64\Blchcpko.exe Bffpki32.exe File created C:\Windows\SysWOW64\Dedlag32.exe Dpgcip32.exe File opened for modification C:\Windows\SysWOW64\Gjbmelgm.exe Geeemeif.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Enhacojl.exe File opened for modification C:\Windows\SysWOW64\Ipllekdl.exe Inkccpgk.exe File created C:\Windows\SysWOW64\Pledghce.dll Jnffgd32.exe File opened for modification C:\Windows\SysWOW64\Ffibkj32.exe Foojop32.exe File created C:\Windows\SysWOW64\Iplkimih.dll Nfkapb32.exe File opened for modification C:\Windows\SysWOW64\Afdgfelo.exe Ajmfad32.exe File created C:\Windows\SysWOW64\Iiegdegb.dll Mpmcielb.exe File created C:\Windows\SysWOW64\Hgpmbc32.dll Bfkpqn32.exe File opened for modification C:\Windows\SysWOW64\Fdbhge32.exe Fbdlkj32.exe File created C:\Windows\SysWOW64\Ohhmcinf.exe Oanefo32.exe File created C:\Windows\SysWOW64\Ajcipc32.exe Agdmdg32.exe File opened for modification C:\Windows\SysWOW64\Femeig32.exe Fqajihle.exe File created C:\Windows\SysWOW64\Mifdih32.dll Gldmoepi.exe File created C:\Windows\SysWOW64\Ppdlmc32.dll Ldoimh32.exe File created C:\Windows\SysWOW64\Pljcllqe.exe Pgnjde32.exe File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hgbfnngi.exe File opened for modification C:\Windows\SysWOW64\Dogefd32.exe Dglpbbbg.exe File created C:\Windows\SysWOW64\Fmhbhf32.dll Heihnoph.exe File opened for modification C:\Windows\SysWOW64\Igakgfpn.exe Iccbqh32.exe File created C:\Windows\SysWOW64\Binieb32.dll Cmlong32.exe File created C:\Windows\SysWOW64\Bnjghm32.dll Ijmipn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odhfob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cckdlnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elcdcgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnhdqdnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phnnho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjcmbe.dll" Jhljdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll" Biafnecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicieohp.dll" Ifkacb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Linphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfnhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqmjnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplpppdf.dll" Lokgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll" Becnhgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongkdd32.dll" Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekpheb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfhke32.dll" Fqajihle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqlicclo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akiobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlheehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkpjnkig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejopecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqijej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oackeakj.dll" Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linfkk32.dll" Nkjapglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmnalja.dll" Opifnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmjgcipg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naalga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkejof32.dll" Mndmoaog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodnpp32.dll" Nlbgikia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqjmncna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfdkoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqajihle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnflbh32.dll" Hfbhkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnbeb32.dll" Jjmpbopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcnghm32.dll" Cljodo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inhanl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aecaidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckeolc32.dll" Oaaifdhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilabmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqnpei32.dll" Ilabmedg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dookgcij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll" Blaopqpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqcfnhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedlag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcgoqc32.dll" Jfcqgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkbfdfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkibcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giacpp32.dll" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqnfen32.dll" Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlfhkoa.dll" Ookpodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcfig32.dll" Pphkbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehgppi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlaeonld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boplllob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmnlbcfg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1192 wrote to memory of 2188 1192 edd604751e3bfadbb7dda65f64781a10.exe 28 PID 1192 wrote to memory of 2188 1192 edd604751e3bfadbb7dda65f64781a10.exe 28 PID 1192 wrote to memory of 2188 1192 edd604751e3bfadbb7dda65f64781a10.exe 28 PID 1192 wrote to memory of 2188 1192 edd604751e3bfadbb7dda65f64781a10.exe 28 PID 2188 wrote to memory of 2788 2188 Cclkfdnc.exe 29 PID 2188 wrote to memory of 2788 2188 Cclkfdnc.exe 29 PID 2188 wrote to memory of 2788 2188 Cclkfdnc.exe 29 PID 2188 wrote to memory of 2788 2188 Cclkfdnc.exe 29 PID 2788 wrote to memory of 2784 2788 Dfmdho32.exe 30 PID 2788 wrote to memory of 2784 2788 Dfmdho32.exe 30 PID 2788 wrote to memory of 2784 2788 Dfmdho32.exe 30 PID 2788 wrote to memory of 2784 2788 Dfmdho32.exe 30 PID 2784 wrote to memory of 2324 2784 Dpbheh32.exe 31 PID 2784 wrote to memory of 2324 2784 Dpbheh32.exe 31 PID 2784 wrote to memory of 2324 2784 Dpbheh32.exe 31 PID 2784 wrote to memory of 2324 2784 Dpbheh32.exe 31 PID 2324 wrote to memory of 2608 2324 Dglpbbbg.exe 32 PID 2324 wrote to memory of 2608 2324 Dglpbbbg.exe 32 PID 2324 wrote to memory of 2608 2324 Dglpbbbg.exe 32 PID 2324 wrote to memory of 2608 2324 Dglpbbbg.exe 32 PID 2608 wrote to memory of 2636 2608 Dogefd32.exe 33 PID 2608 wrote to memory of 2636 2608 Dogefd32.exe 33 PID 2608 wrote to memory of 2636 2608 Dogefd32.exe 33 PID 2608 wrote to memory of 2636 2608 Dogefd32.exe 33 PID 2636 wrote to memory of 2020 2636 Dhpiojfb.exe 34 PID 2636 wrote to memory of 2020 2636 Dhpiojfb.exe 34 PID 2636 wrote to memory of 2020 2636 Dhpiojfb.exe 34 PID 2636 wrote to memory of 2020 2636 Dhpiojfb.exe 34 PID 2020 wrote to memory of 2808 2020 Dfdjhndl.exe 35 PID 2020 wrote to memory of 2808 2020 Dfdjhndl.exe 35 PID 2020 wrote to memory of 2808 2020 Dfdjhndl.exe 35 PID 2020 wrote to memory of 2808 2020 Dfdjhndl.exe 35 PID 2808 wrote to memory of 2944 2808 Ddigjkid.exe 36 PID 2808 wrote to memory of 2944 2808 Ddigjkid.exe 36 PID 2808 wrote to memory of 2944 2808 Ddigjkid.exe 36 PID 2808 wrote to memory of 2944 2808 Ddigjkid.exe 36 PID 2944 wrote to memory of 1660 2944 Dookgcij.exe 38 PID 2944 wrote to memory of 1660 2944 Dookgcij.exe 38 PID 2944 wrote to memory of 1660 2944 Dookgcij.exe 38 PID 2944 wrote to memory of 1660 2944 Dookgcij.exe 38 PID 1660 wrote to memory of 1940 1660 Ehgppi32.exe 37 PID 1660 wrote to memory of 1940 1660 Ehgppi32.exe 37 PID 1660 wrote to memory of 1940 1660 Ehgppi32.exe 37 PID 1660 wrote to memory of 1940 1660 Ehgppi32.exe 37 PID 1940 wrote to memory of 1484 1940 Endhhp32.exe 40 PID 1940 wrote to memory of 1484 1940 Endhhp32.exe 40 PID 1940 wrote to memory of 1484 1940 Endhhp32.exe 40 PID 1940 wrote to memory of 1484 1940 Endhhp32.exe 40 PID 1484 wrote to memory of 2884 1484 Edpmjj32.exe 39 PID 1484 wrote to memory of 2884 1484 Edpmjj32.exe 39 PID 1484 wrote to memory of 2884 1484 Edpmjj32.exe 39 PID 1484 wrote to memory of 2884 1484 Edpmjj32.exe 39 PID 2884 wrote to memory of 1636 2884 Enhacojl.exe 41 PID 2884 wrote to memory of 1636 2884 Enhacojl.exe 41 PID 2884 wrote to memory of 1636 2884 Enhacojl.exe 41 PID 2884 wrote to memory of 1636 2884 Enhacojl.exe 41 PID 1636 wrote to memory of 1432 1636 Eojnkg32.exe 42 PID 1636 wrote to memory of 1432 1636 Eojnkg32.exe 42 PID 1636 wrote to memory of 1432 1636 Eojnkg32.exe 42 PID 1636 wrote to memory of 1432 1636 Eojnkg32.exe 42 PID 1432 wrote to memory of 2936 1432 Eqijej32.exe 43 PID 1432 wrote to memory of 2936 1432 Eqijej32.exe 43 PID 1432 wrote to memory of 2936 1432 Eqijej32.exe 43 PID 1432 wrote to memory of 2936 1432 Eqijej32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\edd604751e3bfadbb7dda65f64781a10.exe"C:\Users\Admin\AppData\Local\Temp\edd604751e3bfadbb7dda65f64781a10.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Cclkfdnc.exeC:\Windows\system32\Cclkfdnc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Dpbheh32.exeC:\Windows\system32\Dpbheh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Dglpbbbg.exeC:\Windows\system32\Dglpbbbg.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Ddigjkid.exeC:\Windows\system32\Ddigjkid.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Edpmjj32.exeC:\Windows\system32\Edpmjj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe3⤵PID:2728
-
-
-
C:\Windows\SysWOW64\Enhacojl.exeC:\Windows\system32\Enhacojl.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Fjaonpnn.exeC:\Windows\system32\Fjaonpnn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164
-
-
-
-
-
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Fenmdm32.exeC:\Windows\system32\Fenmdm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Fikejl32.exeC:\Windows\system32\Fikejl32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Haiccald.exeC:\Windows\system32\Haiccald.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Igakgfpn.exeC:\Windows\system32\Igakgfpn.exe17⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe19⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe20⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ifkacb32.exeC:\Windows\system32\Ifkacb32.exe21⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1412 -
C:\Windows\SysWOW64\Jqgoiokm.exeC:\Windows\system32\Jqgoiokm.exe24⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe25⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Jnkpbcjg.exeC:\Windows\system32\Jnkpbcjg.exe26⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe27⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe28⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe29⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe30⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Joaeeklp.exeC:\Windows\system32\Joaeeklp.exe31⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Kjfjbdle.exeC:\Windows\system32\Kjfjbdle.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Kkaiqk32.exeC:\Windows\system32\Kkaiqk32.exe35⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe36⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe38⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Lgjfkk32.exeC:\Windows\system32\Lgjfkk32.exe39⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe40⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe41⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe43⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe45⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe48⤵PID:2932
-
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe49⤵
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe50⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe51⤵PID:764
-
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe54⤵PID:1476
-
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe55⤵PID:2388
-
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe56⤵PID:1088
-
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe57⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe58⤵PID:828
-
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe59⤵PID:432
-
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe60⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe61⤵PID:332
-
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe62⤵PID:1156
-
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe63⤵PID:2440
-
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe64⤵
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe65⤵PID:2000
-
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe66⤵PID:2852
-
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe67⤵PID:1976
-
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe69⤵PID:2684
-
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe70⤵PID:2772
-
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe71⤵PID:2556
-
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe72⤵PID:2632
-
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe73⤵PID:2624
-
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe74⤵PID:2940
-
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe75⤵PID:268
-
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe76⤵PID:2028
-
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe77⤵PID:1528
-
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe78⤵PID:2600
-
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe80⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe81⤵PID:1280
-
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe82⤵
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe83⤵PID:2396
-
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe84⤵PID:1036
-
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe85⤵PID:2200
-
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe88⤵PID:1928
-
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe89⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe90⤵PID:2832
-
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe92⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe93⤵PID:1204
-
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe94⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe95⤵PID:2660
-
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe97⤵PID:2156
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe98⤵PID:1560
-
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe100⤵PID:2356
-
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe101⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe102⤵PID:592
-
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe103⤵PID:660
-
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe104⤵
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe105⤵PID:2444
-
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe106⤵
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe107⤵PID:1952
-
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe108⤵PID:2008
-
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe109⤵PID:3056
-
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe110⤵PID:2568
-
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe111⤵PID:2712
-
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe112⤵PID:1072
-
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe113⤵PID:2620
-
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe114⤵PID:2872
-
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe115⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe116⤵PID:980
-
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe117⤵PID:1820
-
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe119⤵PID:1784
-
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe120⤵PID:2180
-
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe121⤵
- Modifies registry class
PID:1212
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-