Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2023 20:05
Behavioral task
behavioral1
Sample
10e92d438a553e8bb50ce0e766125f40.exe
Resource
win7-20231020-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
10e92d438a553e8bb50ce0e766125f40.exe
Resource
win10v2004-20231127-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
10e92d438a553e8bb50ce0e766125f40.exe
-
Size
109KB
-
MD5
10e92d438a553e8bb50ce0e766125f40
-
SHA1
7cfc9e8185b1013c75b35eed87f02be89ed3e0c4
-
SHA256
49bf803b5173360a90ee4e0edcf6bfd4943719cc8253d4211e43954904c4e1ab
-
SHA512
202ef51b86e077e471820bda8660485a875a8eed70e47b63c4c4b517a240220c98bbc1b38aaaa3df3509bcf843771ef64a6968e0e2c8a6f0308ea4da92e6d8d3
-
SSDEEP
3072:39RecqCP9nNIX/akppv4YFdE/PW6iRe8fo3PXl9Z7S/yCsKh2EzZA/z:twcz9n+vFv4YFmmego35e/yCthvUz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kifojnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljceqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnbeeiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqkhda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckggnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bheplb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npepkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieojgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilqoobdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeeobbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocjoadei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahmjjoig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibgdlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqoloc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padnaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdhffg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnljkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaajhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakdbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekngemhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egnajocq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecikjoep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpcecb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbicl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkalbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobhkjdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koonge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pidlqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jblmgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgiohbfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbceggm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlljnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnaaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdapehop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojigdcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poliea32.exe -
Malware Backdoor - Berbew 64 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/memory/3968-0-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000231f6-7.dat family_berbew behavioral2/memory/560-8-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000231fc-14.dat family_berbew behavioral2/files/0x00070000000231fc-15.dat family_berbew behavioral2/memory/1484-16-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00070000000231f6-6.dat family_berbew behavioral2/files/0x00060000000231fe-22.dat family_berbew behavioral2/memory/2052-24-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x00060000000231fe-23.dat family_berbew behavioral2/files/0x0006000000023200-30.dat family_berbew behavioral2/files/0x0006000000023200-31.dat family_berbew behavioral2/memory/5068-32-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023202-38.dat family_berbew behavioral2/memory/4832-40-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023202-39.dat family_berbew behavioral2/files/0x0006000000023204-46.dat family_berbew behavioral2/files/0x0006000000023204-47.dat family_berbew behavioral2/memory/224-48-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023206-54.dat family_berbew behavioral2/memory/3944-55-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023206-56.dat family_berbew behavioral2/files/0x00070000000231fa-62.dat family_berbew behavioral2/files/0x00070000000231fa-64.dat family_berbew behavioral2/memory/4592-63-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023209-65.dat family_berbew behavioral2/files/0x0006000000023209-70.dat family_berbew behavioral2/files/0x0006000000023209-71.dat family_berbew behavioral2/memory/5020-72-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000600000002320b-78.dat family_berbew behavioral2/memory/3968-79-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/4136-81-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000600000002320b-80.dat family_berbew behavioral2/files/0x000600000002320d-87.dat family_berbew behavioral2/memory/560-88-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/1968-90-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000600000002320d-89.dat family_berbew behavioral2/memory/1484-98-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000600000002320f-97.dat family_berbew behavioral2/files/0x000600000002320f-96.dat family_berbew behavioral2/files/0x0006000000023211-104.dat family_berbew behavioral2/files/0x0006000000023211-105.dat family_berbew behavioral2/memory/3064-111-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/1856-106-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023213-114.dat family_berbew behavioral2/files/0x0006000000023213-116.dat family_berbew behavioral2/files/0x0006000000023215-123.dat family_berbew behavioral2/memory/5068-122-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/1520-129-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023217-132.dat family_berbew behavioral2/memory/4832-133-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023217-131.dat family_berbew behavioral2/files/0x0006000000023215-124.dat family_berbew behavioral2/memory/2028-115-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/2052-113-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/3320-141-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/memory/224-148-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023219-140.dat family_berbew behavioral2/files/0x000600000002321b-149.dat family_berbew behavioral2/memory/4328-146-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x0006000000023219-139.dat family_berbew behavioral2/memory/3944-150-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew behavioral2/files/0x000600000002321b-151.dat family_berbew behavioral2/memory/4444-152-0x0000000000400000-0x0000000000444000-memory.dmp family_berbew -
Executes dropped EXE 64 IoCs
pid Process 560 Lmgabcge.exe 1484 Mjkblhfo.exe 2052 Mccfdmmo.exe 5068 Mebcop32.exe 4832 Mnkggfkb.exe 224 Mchppmij.exe 3944 Nnbnhedj.exe 4592 Ngjbaj32.exe 5020 Nlhkgi32.exe 4136 Nlmdbh32.exe 1968 Oeehkn32.exe 1856 Oeheqm32.exe 3064 Ojdnid32.exe 2028 Oejbfmpg.exe 1520 Oaqbkn32.exe 3320 Ojigdcll.exe 4328 Oacoqnci.exe 4444 Olicnfco.exe 3948 Pdfehh32.exe 3288 Poliea32.exe 1444 Pkbjjbda.exe 1112 Pdkoch32.exe 1540 Pejkmk32.exe 2440 Qemhbj32.exe 3900 Qhmqdemc.exe 4180 Aahbbkaq.exe 4336 Aolblopj.exe 2648 Alpbecod.exe 1608 Anaomkdb.exe 2872 Ahgcjddh.exe 4092 Bnfihkqm.exe 1624 Bnhenj32.exe 3104 Bhnikc32.exe 5100 Bddjpd32.exe 4964 Bnmoijje.exe 336 Bkaobnio.exe 2224 Bheplb32.exe 1368 Chglab32.exe 4192 Cdnmfclj.exe 2556 Dmlkhofd.exe 1396 Dbicpfdk.exe 4396 Dnpdegjp.exe 2172 Ddjmba32.exe 2168 Dooaoj32.exe 2268 Digehphc.exe 1136 Doaneiop.exe 4524 Dijbno32.exe 3832 Dbbffdlq.exe 1960 Emhkdmlg.exe 1252 Enigke32.exe 1020 Eiokinbk.exe 2608 Enkdaepb.exe 4512 Eeelnp32.exe 3712 Eokqkh32.exe 3452 Efeihb32.exe 2204 Ekaapi32.exe 4976 Efgemb32.exe 4124 Ebnfbcbc.exe 748 Fneggdhg.exe 2500 Fmfgek32.exe 1232 Fngcmcfe.exe 3492 Fiodpl32.exe 3940 Fpimlfke.exe 3680 Fmmmfj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kpccmhdg.exe Kemooo32.exe File opened for modification C:\Windows\SysWOW64\Pejkmk32.exe Pdkoch32.exe File created C:\Windows\SysWOW64\Lipgdi32.dll Galoohke.exe File created C:\Windows\SysWOW64\Ekellcop.dll Ehndnh32.exe File created C:\Windows\SysWOW64\Akcjcnpe.dll Enmjlojd.exe File created C:\Windows\SysWOW64\Hajkqfoe.exe Hlmchoan.exe File created C:\Windows\SysWOW64\Eiokinbk.exe Enigke32.exe File created C:\Windows\SysWOW64\Bgemej32.dll Npepkf32.exe File created C:\Windows\SysWOW64\Hoclopne.exe Hfhgkmpj.exe File created C:\Windows\SysWOW64\Faagecfk.dll Cpcpfg32.exe File created C:\Windows\SysWOW64\Agchinmk.dll Bnhenj32.exe File opened for modification C:\Windows\SysWOW64\Gbnoiqdq.exe Gppcmeem.exe File opened for modification C:\Windows\SysWOW64\Jiiicf32.exe Jpaekqhh.exe File opened for modification C:\Windows\SysWOW64\Qobhkjdi.exe Pdjgha32.exe File created C:\Windows\SysWOW64\Anijgd32.dll Egnajocq.exe File created C:\Windows\SysWOW64\Nmjfodne.exe Nfqnbjfi.exe File created C:\Windows\SysWOW64\Ofckhj32.exe Ocdnln32.exe File created C:\Windows\SysWOW64\Pkoaeldi.dll Bhpofl32.exe File created C:\Windows\SysWOW64\Coppbe32.dll Hpfbcn32.exe File created C:\Windows\SysWOW64\Jongga32.dll Gfeaopqo.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Nclbpf32.exe File created C:\Windows\SysWOW64\Eiahpo32.dll Cpogkhnl.exe File created C:\Windows\SysWOW64\Ppihoe32.dll Gpgind32.exe File created C:\Windows\SysWOW64\Ffeifdjo.dll Fbgbnkfm.exe File opened for modification C:\Windows\SysWOW64\Eeelnp32.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Dnajppda.exe Dggbcf32.exe File opened for modification C:\Windows\SysWOW64\Dhgonidg.exe Dnajppda.exe File opened for modification C:\Windows\SysWOW64\Enkmfolf.exe Ehndnh32.exe File created C:\Windows\SysWOW64\Hnbeeiji.exe Haodle32.exe File opened for modification C:\Windows\SysWOW64\Kefiopki.exe Kbhmbdle.exe File opened for modification C:\Windows\SysWOW64\Bnfihkqm.exe Ahgcjddh.exe File created C:\Windows\SysWOW64\Dooaoj32.exe Ddjmba32.exe File created C:\Windows\SysWOW64\Gkbilm32.dll Ckbncapd.exe File created C:\Windows\SysWOW64\Fpnkah32.dll Ncpeaoih.exe File created C:\Windows\SysWOW64\Bgdemb32.exe Bpjmph32.exe File created C:\Windows\SysWOW64\Cggimh32.exe Boldhf32.exe File created C:\Windows\SysWOW64\Fohoiloe.dll Fcekfnkb.exe File created C:\Windows\SysWOW64\Eeelnp32.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Pijmiq32.dll Kncaec32.exe File created C:\Windows\SysWOW64\Ndoell32.dll Gikdkj32.exe File opened for modification C:\Windows\SysWOW64\Joekag32.exe Jlgoek32.exe File created C:\Windows\SysWOW64\Bhcmal32.dll Mpapnfhg.exe File created C:\Windows\SysWOW64\Gdiakp32.exe Gnohnffc.exe File created C:\Windows\SysWOW64\Gbmadd32.exe Gggmgk32.exe File created C:\Windows\SysWOW64\Pdfehh32.exe Olicnfco.exe File created C:\Windows\SysWOW64\Ibcbfe32.dll Jniood32.exe File created C:\Windows\SysWOW64\Oaqbkn32.exe Oejbfmpg.exe File created C:\Windows\SysWOW64\Gbnoiqdq.exe Gppcmeem.exe File opened for modification C:\Windows\SysWOW64\Ifomll32.exe Ipeeobbe.exe File created C:\Windows\SysWOW64\Lgibpf32.exe Lqojclne.exe File opened for modification C:\Windows\SysWOW64\Ehndnh32.exe Ekjded32.exe File created C:\Windows\SysWOW64\Fkjmlaac.exe Fbbicl32.exe File created C:\Windows\SysWOW64\Chkolm32.dll Mnkggfkb.exe File opened for modification C:\Windows\SysWOW64\Oeheqm32.exe Oeehkn32.exe File opened for modification C:\Windows\SysWOW64\Mfbaalbi.exe Mohidbkl.exe File created C:\Windows\SysWOW64\Pnlhmpgg.dll Cajjjk32.exe File created C:\Windows\SysWOW64\Pkpbai32.dll Haodle32.exe File created C:\Windows\SysWOW64\Lhenai32.exe Lchfib32.exe File created C:\Windows\SysWOW64\Ogmeemdg.dll Ocdnln32.exe File created C:\Windows\SysWOW64\Ghcjeh32.dll Enkdaepb.exe File created C:\Windows\SysWOW64\Fmmmfj32.exe Fpimlfke.exe File created C:\Windows\SysWOW64\Kplqhmfl.dll Ekqckmfb.exe File created C:\Windows\SysWOW64\Icbcjhfb.dll Oqoefand.exe File created C:\Windows\SysWOW64\Kkcghg32.dll Ekngemhd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9580 9476 WerFault.exe 463 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnangaoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njjdho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pninea32.dll" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll" Bpjmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibingd32.dll" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnbme32.dll" Gemkelcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmjjno.dll" Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mohidbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poliea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpoeg32.dll" Qhmqdemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhjapnj.dll" Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjeiodek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekngemhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hghklqmm.dll" Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll" Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ockdmmoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnkggfkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibcjqgnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll" Pfandnla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kemooo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcclncbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glllagck.dll" Lchfib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" Oeheqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeciaina.dll" Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmphblgf.dll" Ddjmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll" Ckggnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebnfbcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gifkpknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll" Pnfiplog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hajkqfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegaehem.dll" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgphpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldjbclh.dll" Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacodldj.dll" Loofnccf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejkmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lomqcjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibla32.dll" Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll" Lfiokmkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pedfeccm.dll" Dickplko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dickplko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imffkelf.dll" Ekjded32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnphoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhenai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocdnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aolblopj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gimqajgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlmchoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmqkimh.dll" Ajdbac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jheldb32.dll" Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoclopne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aalmimfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcfggkac.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3968 wrote to memory of 560 3968 10e92d438a553e8bb50ce0e766125f40.exe 79 PID 3968 wrote to memory of 560 3968 10e92d438a553e8bb50ce0e766125f40.exe 79 PID 3968 wrote to memory of 560 3968 10e92d438a553e8bb50ce0e766125f40.exe 79 PID 560 wrote to memory of 1484 560 Lmgabcge.exe 80 PID 560 wrote to memory of 1484 560 Lmgabcge.exe 80 PID 560 wrote to memory of 1484 560 Lmgabcge.exe 80 PID 1484 wrote to memory of 2052 1484 Mjkblhfo.exe 81 PID 1484 wrote to memory of 2052 1484 Mjkblhfo.exe 81 PID 1484 wrote to memory of 2052 1484 Mjkblhfo.exe 81 PID 2052 wrote to memory of 5068 2052 Mccfdmmo.exe 82 PID 2052 wrote to memory of 5068 2052 Mccfdmmo.exe 82 PID 2052 wrote to memory of 5068 2052 Mccfdmmo.exe 82 PID 5068 wrote to memory of 4832 5068 Mebcop32.exe 83 PID 5068 wrote to memory of 4832 5068 Mebcop32.exe 83 PID 5068 wrote to memory of 4832 5068 Mebcop32.exe 83 PID 4832 wrote to memory of 224 4832 Mnkggfkb.exe 84 PID 4832 wrote to memory of 224 4832 Mnkggfkb.exe 84 PID 4832 wrote to memory of 224 4832 Mnkggfkb.exe 84 PID 224 wrote to memory of 3944 224 Mchppmij.exe 85 PID 224 wrote to memory of 3944 224 Mchppmij.exe 85 PID 224 wrote to memory of 3944 224 Mchppmij.exe 85 PID 3944 wrote to memory of 4592 3944 Nnbnhedj.exe 86 PID 3944 wrote to memory of 4592 3944 Nnbnhedj.exe 86 PID 3944 wrote to memory of 4592 3944 Nnbnhedj.exe 86 PID 4592 wrote to memory of 5020 4592 Ngjbaj32.exe 87 PID 4592 wrote to memory of 5020 4592 Ngjbaj32.exe 87 PID 4592 wrote to memory of 5020 4592 Ngjbaj32.exe 87 PID 5020 wrote to memory of 4136 5020 Nlhkgi32.exe 88 PID 5020 wrote to memory of 4136 5020 Nlhkgi32.exe 88 PID 5020 wrote to memory of 4136 5020 Nlhkgi32.exe 88 PID 4136 wrote to memory of 1968 4136 Nlmdbh32.exe 89 PID 4136 wrote to memory of 1968 4136 Nlmdbh32.exe 89 PID 4136 wrote to memory of 1968 4136 Nlmdbh32.exe 89 PID 1968 wrote to memory of 1856 1968 Oeehkn32.exe 90 PID 1968 wrote to memory of 1856 1968 Oeehkn32.exe 90 PID 1968 wrote to memory of 1856 1968 Oeehkn32.exe 90 PID 1856 wrote to memory of 3064 1856 Oeheqm32.exe 91 PID 1856 wrote to memory of 3064 1856 Oeheqm32.exe 91 PID 1856 wrote to memory of 3064 1856 Oeheqm32.exe 91 PID 3064 wrote to memory of 2028 3064 Ojdnid32.exe 92 PID 3064 wrote to memory of 2028 3064 Ojdnid32.exe 92 PID 3064 wrote to memory of 2028 3064 Ojdnid32.exe 92 PID 2028 wrote to memory of 1520 2028 Oejbfmpg.exe 93 PID 2028 wrote to memory of 1520 2028 Oejbfmpg.exe 93 PID 2028 wrote to memory of 1520 2028 Oejbfmpg.exe 93 PID 1520 wrote to memory of 3320 1520 Oaqbkn32.exe 95 PID 1520 wrote to memory of 3320 1520 Oaqbkn32.exe 95 PID 1520 wrote to memory of 3320 1520 Oaqbkn32.exe 95 PID 3320 wrote to memory of 4328 3320 Ojigdcll.exe 94 PID 3320 wrote to memory of 4328 3320 Ojigdcll.exe 94 PID 3320 wrote to memory of 4328 3320 Ojigdcll.exe 94 PID 4328 wrote to memory of 4444 4328 Oacoqnci.exe 96 PID 4328 wrote to memory of 4444 4328 Oacoqnci.exe 96 PID 4328 wrote to memory of 4444 4328 Oacoqnci.exe 96 PID 4444 wrote to memory of 3948 4444 Olicnfco.exe 97 PID 4444 wrote to memory of 3948 4444 Olicnfco.exe 97 PID 4444 wrote to memory of 3948 4444 Olicnfco.exe 97 PID 3948 wrote to memory of 3288 3948 Pdfehh32.exe 98 PID 3948 wrote to memory of 3288 3948 Pdfehh32.exe 98 PID 3948 wrote to memory of 3288 3948 Pdfehh32.exe 98 PID 3288 wrote to memory of 1444 3288 Poliea32.exe 99 PID 3288 wrote to memory of 1444 3288 Poliea32.exe 99 PID 3288 wrote to memory of 1444 3288 Poliea32.exe 99 PID 1444 wrote to memory of 1112 1444 Pkbjjbda.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\10e92d438a553e8bb50ce0e766125f40.exe"C:\Users\Admin\AppData\Local\Temp\10e92d438a553e8bb50ce0e766125f40.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Ngjbaj32.exeC:\Windows\system32\Ngjbaj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Oeehkn32.exeC:\Windows\system32\Oeehkn32.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Oeheqm32.exeC:\Windows\system32\Oeheqm32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Ojdnid32.exeC:\Windows\system32\Ojdnid32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Oaqbkn32.exeC:\Windows\system32\Oaqbkn32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Ojigdcll.exeC:\Windows\system32\Ojigdcll.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Oacoqnci.exeC:\Windows\system32\Oacoqnci.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Pdfehh32.exeC:\Windows\system32\Pdfehh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Poliea32.exeC:\Windows\system32\Poliea32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Pdkoch32.exeC:\Windows\system32\Pdkoch32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1112 -
C:\Windows\SysWOW64\Pejkmk32.exeC:\Windows\system32\Pejkmk32.exe7⤵
- Executes dropped EXE
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe8⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Qhmqdemc.exeC:\Windows\system32\Qhmqdemc.exe9⤵
- Executes dropped EXE
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Aahbbkaq.exeC:\Windows\system32\Aahbbkaq.exe10⤵
- Executes dropped EXE
PID:4180 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe11⤵
- Executes dropped EXE
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe12⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Anaomkdb.exeC:\Windows\system32\Anaomkdb.exe13⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ahgcjddh.exeC:\Windows\system32\Ahgcjddh.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe15⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe17⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Bddjpd32.exeC:\Windows\system32\Bddjpd32.exe18⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe19⤵
- Executes dropped EXE
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Bkaobnio.exeC:\Windows\system32\Bkaobnio.exe20⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe22⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe23⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe25⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe26⤵PID:1980
-
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4396 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe29⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe31⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe32⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe33⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Emhkdmlg.exeC:\Windows\system32\Emhkdmlg.exe34⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Eiokinbk.exeC:\Windows\system32\Eiokinbk.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe38⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe39⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe40⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe41⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4124 -
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe44⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Fmfgek32.exeC:\Windows\system32\Fmfgek32.exe45⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Fngcmcfe.exeC:\Windows\system32\Fngcmcfe.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe47⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3940 -
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe50⤵
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe51⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe52⤵PID:4080
-
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe53⤵
- Modifies registry class
PID:3096 -
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe54⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe55⤵PID:1412
-
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe56⤵
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\Gpbpbecj.exeC:\Windows\system32\Gpbpbecj.exe57⤵PID:1204
-
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe58⤵
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\Gbchdp32.exeC:\Windows\system32\Gbchdp32.exe59⤵PID:1324
-
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe60⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Gpgind32.exeC:\Windows\system32\Gpgind32.exe61⤵
- Drops file in System32 directory
PID:4760 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe62⤵PID:4600
-
C:\Windows\SysWOW64\Hpiecd32.exeC:\Windows\system32\Hpiecd32.exe63⤵PID:4148
-
C:\Windows\SysWOW64\Hibjli32.exeC:\Windows\system32\Hibjli32.exe64⤵
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Hffken32.exeC:\Windows\system32\Hffken32.exe65⤵PID:1012
-
C:\Windows\SysWOW64\Hfhgkmpj.exeC:\Windows\system32\Hfhgkmpj.exe66⤵
- Drops file in System32 directory
PID:5116 -
C:\Windows\SysWOW64\Hoclopne.exeC:\Windows\system32\Hoclopne.exe67⤵
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Hemdlj32.exeC:\Windows\system32\Hemdlj32.exe68⤵PID:2880
-
C:\Windows\SysWOW64\Hpchib32.exeC:\Windows\system32\Hpchib32.exe69⤵PID:4840
-
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe70⤵PID:1976
-
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe72⤵PID:3568
-
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:436 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe74⤵PID:1196
-
C:\Windows\SysWOW64\Ipjoja32.exeC:\Windows\system32\Ipjoja32.exe75⤵PID:1028
-
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4460 -
C:\Windows\SysWOW64\Ilqoobdd.exeC:\Windows\system32\Ilqoobdd.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3484 -
C:\Windows\SysWOW64\Ickglm32.exeC:\Windows\system32\Ickglm32.exe78⤵PID:2244
-
C:\Windows\SysWOW64\Ilcldb32.exeC:\Windows\system32\Ilcldb32.exe79⤵PID:1800
-
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe80⤵PID:1364
-
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe81⤵PID:2940
-
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe82⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe83⤵PID:4144
-
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe84⤵PID:3396
-
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe85⤵PID:532
-
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe86⤵PID:1356
-
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe87⤵
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe88⤵
- Modifies registry class
PID:3576 -
C:\Windows\SysWOW64\Jedccfqg.exeC:\Windows\system32\Jedccfqg.exe89⤵PID:3756
-
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe90⤵
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Koodbl32.exeC:\Windows\system32\Koodbl32.exe91⤵PID:4492
-
C:\Windows\SysWOW64\Kjeiodek.exeC:\Windows\system32\Kjeiodek.exe92⤵
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Kncaec32.exeC:\Windows\system32\Kncaec32.exe93⤵
- Drops file in System32 directory
PID:4800 -
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe94⤵PID:5040
-
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe95⤵
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Kgnbdh32.exeC:\Windows\system32\Kgnbdh32.exe96⤵PID:4004
-
C:\Windows\SysWOW64\Loighj32.exeC:\Windows\system32\Loighj32.exe97⤵PID:3016
-
C:\Windows\SysWOW64\Lnjgfb32.exeC:\Windows\system32\Lnjgfb32.exe98⤵PID:8
-
C:\Windows\SysWOW64\Lcgpni32.exeC:\Windows\system32\Lcgpni32.exe99⤵PID:4196
-
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe100⤵PID:1516
-
C:\Windows\SysWOW64\Lomqcjie.exeC:\Windows\system32\Lomqcjie.exe101⤵
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Ljceqb32.exeC:\Windows\system32\Ljceqb32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Lckiihok.exeC:\Windows\system32\Lckiihok.exe103⤵PID:2532
-
C:\Windows\SysWOW64\Lfjfecno.exeC:\Windows\system32\Lfjfecno.exe104⤵PID:4888
-
C:\Windows\SysWOW64\Lnangaoa.exeC:\Windows\system32\Lnangaoa.exe105⤵
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Lqojclne.exeC:\Windows\system32\Lqojclne.exe106⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Lgibpf32.exeC:\Windows\system32\Lgibpf32.exe107⤵PID:5056
-
C:\Windows\SysWOW64\Modgdicm.exeC:\Windows\system32\Modgdicm.exe108⤵PID:3828
-
C:\Windows\SysWOW64\Mjjkaabc.exeC:\Windows\system32\Mjjkaabc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Mgnlkfal.exeC:\Windows\system32\Mgnlkfal.exe110⤵PID:5136
-
C:\Windows\SysWOW64\Mnhdgpii.exeC:\Windows\system32\Mnhdgpii.exe111⤵PID:5180
-
C:\Windows\SysWOW64\Moipoh32.exeC:\Windows\system32\Moipoh32.exe112⤵PID:5216
-
C:\Windows\SysWOW64\Mgphpe32.exeC:\Windows\system32\Mgphpe32.exe113⤵
- Modifies registry class
PID:5264 -
C:\Windows\SysWOW64\Mqimikfj.exeC:\Windows\system32\Mqimikfj.exe114⤵PID:5304
-
C:\Windows\SysWOW64\Mqkiok32.exeC:\Windows\system32\Mqkiok32.exe115⤵PID:5344
-
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392 -
C:\Windows\SysWOW64\Nmbjcljl.exeC:\Windows\system32\Nmbjcljl.exe117⤵PID:5436
-
C:\Windows\SysWOW64\Nclbpf32.exeC:\Windows\system32\Nclbpf32.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:5476 -
C:\Windows\SysWOW64\Npbceggm.exeC:\Windows\system32\Npbceggm.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5516 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe120⤵PID:5560
-
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe121⤵PID:5604
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-