Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
30/12/2023, 18:52
Behavioral task
behavioral1
Sample
a2036ebeb7a0050485df7a94604428f0.exe
Resource
win7-20231215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a2036ebeb7a0050485df7a94604428f0.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
a2036ebeb7a0050485df7a94604428f0.exe
-
Size
107KB
-
MD5
a2036ebeb7a0050485df7a94604428f0
-
SHA1
c3a8e5f8f0664a5c8e5a2db424e7fc50a64133b3
-
SHA256
7286ec92e48e07d5145f81046e467c5278139afb66b9e30a5242e4fa73af9b49
-
SHA512
5674c3fac48f42d125e2528826282d9ad2d3372544a740a8e189d577366cba7534b5e47e9257042ba15a6477c1018c3f95f1f0f440c4253a0cfbb638e20f8fdf
-
SSDEEP
1536:8gtxCYHkqtdAyd83mH+8wjfOB4VWul2LkaIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:KYEu6Y7+80OB4WuWkaMU7uihJ5233y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncbdomg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigkel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdakniag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbdodnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiekpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjona32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgjodmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaqnkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnngfna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabhah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbdea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gembhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmjlhfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifdbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpgpond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobbofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejgemkbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjijqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achojp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajinjff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaeipfei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfaocal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oifdbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfccei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjbbpmgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenakoho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejebk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpbpkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioakoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkklhjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnocpdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aapemc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibfaopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfjnpgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abkhkgbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafbadcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dohgomgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clmbddgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epgphcqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hldlga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkacpihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foccjood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackmih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeaoinb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkomchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgclm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdhjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oonldcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcecbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkpkfooh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolepe32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x0008000000012248-5.dat family_berbew behavioral1/files/0x002c00000001529f-25.dat family_berbew behavioral1/files/0x0007000000015be4-33.dat family_berbew behavioral1/files/0x0008000000015c1b-42.dat family_berbew behavioral1/files/0x0006000000016d27-65.dat family_berbew behavioral1/memory/2592-66-0x0000000000230000-0x000000000026C000-memory.dmp family_berbew behavioral1/files/0x0006000000016d48-75.dat family_berbew behavioral1/files/0x0006000000016d56-86.dat family_berbew behavioral1/files/0x0006000000016fb9-107.dat family_berbew behavioral1/files/0x0006000000017535-119.dat family_berbew behavioral1/files/0x002a00000001552e-122.dat family_berbew behavioral1/files/0x0005000000018671-139.dat family_berbew behavioral1/files/0x0005000000018714-148.dat family_berbew behavioral1/files/0x0006000000018aed-169.dat family_berbew behavioral1/files/0x0006000000018b20-175.dat family_berbew behavioral1/memory/1684-198-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x0006000000018b75-205.dat family_berbew behavioral1/files/0x0006000000018b4d-195.dat family_berbew behavioral1/files/0x0006000000018b9d-218.dat family_berbew behavioral1/memory/1932-216-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x00050000000192f9-232.dat family_berbew behavioral1/files/0x0005000000019340-241.dat family_berbew behavioral1/memory/1400-248-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x000500000001938e-251.dat family_berbew behavioral1/files/0x0005000000019429-254.dat family_berbew behavioral1/files/0x000500000001946e-267.dat family_berbew behavioral1/memory/2776-276-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x0005000000019474-279.dat family_berbew behavioral1/files/0x000500000001947e-283.dat family_berbew behavioral1/memory/328-301-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x00050000000194f9-298.dat family_berbew behavioral1/files/0x0005000000019523-302.dat family_berbew behavioral1/memory/2084-315-0x00000000003C0000-0x00000000003FC000-memory.dmp family_berbew behavioral1/files/0x0005000000019593-322.dat family_berbew behavioral1/memory/1812-320-0x00000000003C0000-0x00000000003FC000-memory.dmp family_berbew behavioral1/files/0x0005000000019590-317.dat family_berbew behavioral1/files/0x0005000000019597-330.dat family_berbew behavioral1/files/0x000500000001959b-352.dat family_berbew behavioral1/memory/2084-358-0x00000000003C0000-0x00000000003FC000-memory.dmp family_berbew behavioral1/files/0x000500000001959f-363.dat family_berbew behavioral1/files/0x00050000000195a3-367.dat family_berbew behavioral1/files/0x00050000000195a9-381.dat family_berbew behavioral1/files/0x00050000000195f4-394.dat family_berbew behavioral1/files/0x00050000000195af-391.dat family_berbew behavioral1/memory/2732-408-0x0000000000220000-0x000000000025C000-memory.dmp family_berbew behavioral1/files/0x000500000001973c-414.dat family_berbew behavioral1/files/0x00050000000197e3-417.dat family_berbew behavioral1/files/0x0005000000019975-433.dat family_berbew behavioral1/files/0x0005000000019be0-446.dat family_berbew behavioral1/files/0x0005000000019c24-455.dat family_berbew behavioral1/files/0x0005000000019d4a-467.dat family_berbew behavioral1/files/0x0005000000019e6f-477.dat family_berbew behavioral1/files/0x0005000000019fc3-488.dat family_berbew behavioral1/files/0x000500000001a032-497.dat family_berbew behavioral1/files/0x000500000001a2ee-508.dat family_berbew behavioral1/files/0x000500000001a3df-518.dat family_berbew behavioral1/files/0x000500000001a3e4-527.dat family_berbew behavioral1/files/0x000500000001a3eb-537.dat family_berbew behavioral1/files/0x000500000001a437-548.dat family_berbew behavioral1/files/0x000500000001a441-576.dat family_berbew behavioral1/files/0x000500000001a44d-591.dat family_berbew behavioral1/files/0x000500000001a455-600.dat family_berbew behavioral1/files/0x000500000001a459-608.dat family_berbew behavioral1/files/0x000500000001a45d-617.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2284 Achojp32.exe 2804 Amcpie32.exe 2576 Afkdakjb.exe 2592 Aeqabgoj.exe 2600 Bbdallnd.exe 3060 Bphbeplm.exe 800 Biafnecn.exe 572 Bdkgocpm.exe 2908 Bmclhi32.exe 1980 Bobhal32.exe 1968 Ckiigmcd.exe 1684 Cpfaocal.exe 1664 Clmbddgp.exe 2524 Ciqcmiei.exe 2016 Cicpch32.exe 2276 Cophko32.exe 1400 Dldhdc32.exe 3024 Dacnbjml.exe 1260 Dognlnlf.exe 1844 Daejhjkj.exe 2776 Dpjgifpa.exe 328 Dkpkfooh.exe 1032 Eckpkamb.exe 2084 Ejgemkbm.exe 1812 Ecpjfq32.exe 1724 Eogjka32.exe 1740 Efqbglen.exe 2528 Ebgclm32.exe 2712 Ekpheb32.exe 2792 Fbjpblip.exe 2732 Fkdaqa32.exe 2780 Ffnbaojm.exe 2580 Fqcfnhjb.exe 2012 Ffqofohj.exe 2552 Fafcdh32.exe 564 Ffcllo32.exe 2824 Gmoqnhla.exe 2896 Gnpmfqap.exe 1960 Gejebk32.exe 1948 Gnbjlpom.exe 944 Gembhj32.exe 1824 Gjijqa32.exe 2140 Gacbmk32.exe 2300 Gligjd32.exe 2808 Hafock32.exe 2452 Hhpgpebh.exe 1100 Hmmphlpp.exe 952 Hpkldg32.exe 1336 Hjqqap32.exe 272 Hajinjff.exe 556 Jpfhoi32.exe 2384 Jolepe32.exe 1704 Jfemlpdf.exe 2260 Jlpeij32.exe 1592 Jfhjbobc.exe 2716 Jhffnk32.exe 2820 Kfjggo32.exe 2860 Kkgopf32.exe 2500 Kbaglpee.exe 2568 Khkpijma.exe 1636 Knjegqif.exe 2960 Kddmdk32.exe 2240 Kjaelaok.exe 1244 Konndhmb.exe -
Loads dropped DLL 64 IoCs
pid Process 1932 a2036ebeb7a0050485df7a94604428f0.exe 1932 a2036ebeb7a0050485df7a94604428f0.exe 2284 Achojp32.exe 2284 Achojp32.exe 2804 Amcpie32.exe 2804 Amcpie32.exe 2576 Afkdakjb.exe 2576 Afkdakjb.exe 2592 Aeqabgoj.exe 2592 Aeqabgoj.exe 2600 Bbdallnd.exe 2600 Bbdallnd.exe 3060 Bphbeplm.exe 3060 Bphbeplm.exe 800 Biafnecn.exe 800 Biafnecn.exe 572 Bdkgocpm.exe 572 Bdkgocpm.exe 2908 Bmclhi32.exe 2908 Bmclhi32.exe 1980 Bobhal32.exe 1980 Bobhal32.exe 1968 Ckiigmcd.exe 1968 Ckiigmcd.exe 1684 Cpfaocal.exe 1684 Cpfaocal.exe 1664 Clmbddgp.exe 1664 Clmbddgp.exe 2524 Ciqcmiei.exe 2524 Ciqcmiei.exe 2016 Cicpch32.exe 2016 Cicpch32.exe 2276 Cophko32.exe 2276 Cophko32.exe 1400 Dldhdc32.exe 1400 Dldhdc32.exe 3024 Dacnbjml.exe 3024 Dacnbjml.exe 1260 Dognlnlf.exe 1260 Dognlnlf.exe 1844 Daejhjkj.exe 1844 Daejhjkj.exe 2776 Dpjgifpa.exe 2776 Dpjgifpa.exe 328 Dkpkfooh.exe 328 Dkpkfooh.exe 1032 Eckpkamb.exe 1032 Eckpkamb.exe 2084 Ejgemkbm.exe 2084 Ejgemkbm.exe 1812 Ecpjfq32.exe 1812 Ecpjfq32.exe 1724 Eogjka32.exe 1724 Eogjka32.exe 1740 Efqbglen.exe 1740 Efqbglen.exe 2528 Ebgclm32.exe 2528 Ebgclm32.exe 2712 Ekpheb32.exe 2712 Ekpheb32.exe 2792 Fbjpblip.exe 2792 Fbjpblip.exe 2732 Fkdaqa32.exe 2732 Fkdaqa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mnmpdlac.exe Lhpglecl.exe File created C:\Windows\SysWOW64\Dnbamjbm.dll Bdcifi32.exe File created C:\Windows\SysWOW64\Aaddfb32.dll Ccmpce32.exe File opened for modification C:\Windows\SysWOW64\Cicpch32.exe Ciqcmiei.exe File created C:\Windows\SysWOW64\Coikpclh.dll Gcmoda32.exe File opened for modification C:\Windows\SysWOW64\Hbfepmmn.exe Hmjlhfof.exe File opened for modification C:\Windows\SysWOW64\Cfpldf32.exe Cpfdhl32.exe File opened for modification C:\Windows\SysWOW64\Kjmnjkjd.exe Kdpfadlm.exe File created C:\Windows\SysWOW64\Phfmllbd.exe Pegqpacp.exe File opened for modification C:\Windows\SysWOW64\Ooabmbbe.exe Objaha32.exe File opened for modification C:\Windows\SysWOW64\Fffefjmi.exe Elnqmd32.exe File created C:\Windows\SysWOW64\Ecnoijbd.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Knkgpi32.exe Kcecbq32.exe File opened for modification C:\Windows\SysWOW64\Lhnkffeo.exe Lnhgim32.exe File created C:\Windows\SysWOW64\Nncbdomg.exe Ncnngfna.exe File opened for modification C:\Windows\SysWOW64\Bigkel32.exe Bqlfaj32.exe File opened for modification C:\Windows\SysWOW64\Dldhdc32.exe Cophko32.exe File created C:\Windows\SysWOW64\Dacnbjml.exe Dldhdc32.exe File created C:\Windows\SysWOW64\Kaoacgen.dll Lipecm32.exe File created C:\Windows\SysWOW64\Decimbli.dll Kglehp32.exe File created C:\Windows\SysWOW64\Pleofj32.exe Pkcbnanl.exe File created C:\Windows\SysWOW64\Henjfpgi.dll Mfjann32.exe File created C:\Windows\SysWOW64\Momeefin.dll Aeqabgoj.exe File opened for modification C:\Windows\SysWOW64\Bobhal32.exe Bmclhi32.exe File opened for modification C:\Windows\SysWOW64\Gcmoda32.exe Gjdjklek.exe File created C:\Windows\SysWOW64\Kpadhg32.exe Kjglkm32.exe File created C:\Windows\SysWOW64\Imahkg32.exe Ifgpnmom.exe File created C:\Windows\SysWOW64\Nkjjnk32.dll Dgeaoinb.exe File created C:\Windows\SysWOW64\Hdaehcom.dll Apgagg32.exe File created C:\Windows\SysWOW64\Dclckn32.dll Fqcfnhjb.exe File created C:\Windows\SysWOW64\Okmqlhnm.dll Kgefefnd.exe File created C:\Windows\SysWOW64\Mjbappoe.dll Edlfhc32.exe File created C:\Windows\SysWOW64\Bkmjncbj.dll Njbdea32.exe File created C:\Windows\SysWOW64\Bjnalhgb.dll Cfpldf32.exe File created C:\Windows\SysWOW64\Nemhhpmp.exe Nledoj32.exe File created C:\Windows\SysWOW64\Aapemc32.exe Aoohekal.exe File opened for modification C:\Windows\SysWOW64\Bmkomchi.exe Bgnfdm32.exe File created C:\Windows\SysWOW64\Ehjona32.exe Endjaief.exe File created C:\Windows\SysWOW64\Epphbb32.dll Khcomhbi.exe File opened for modification C:\Windows\SysWOW64\Bfccei32.exe Bpjkiogm.exe File created C:\Windows\SysWOW64\Mmpife32.dll Knnkpobc.exe File created C:\Windows\SysWOW64\Kpkpadnl.exe Kddomchg.exe File opened for modification C:\Windows\SysWOW64\Bdqlajbb.exe Bjkhdacm.exe File created C:\Windows\SysWOW64\Lldmleam.exe Ljfapjbi.exe File created C:\Windows\SysWOW64\Cofdbf32.dll Padhdm32.exe File created C:\Windows\SysWOW64\Pcaibd32.dll Clojhf32.exe File opened for modification C:\Windows\SysWOW64\Bgnfdm32.exe Bnfblgca.exe File opened for modification C:\Windows\SysWOW64\Enbnkigh.exe Eheecbia.exe File created C:\Windows\SysWOW64\Gbdhjm32.exe Gljpncgc.exe File created C:\Windows\SysWOW64\Amaelomh.exe Afgmodel.exe File created C:\Windows\SysWOW64\Hidcef32.exe Hgbfnngi.exe File created C:\Windows\SysWOW64\Ckiigmcd.exe Bobhal32.exe File created C:\Windows\SysWOW64\Dldkmlhl.exe Dejbqb32.exe File opened for modification C:\Windows\SysWOW64\Nbjeinje.exe Nplimbka.exe File created C:\Windows\SysWOW64\Kmhnlgkg.dll Akfkbd32.exe File created C:\Windows\SysWOW64\Hgbnifna.dll Ebgclm32.exe File created C:\Windows\SysWOW64\Makjho32.exe Lipecm32.exe File created C:\Windows\SysWOW64\Hhioeeeo.dll Dcfpel32.exe File opened for modification C:\Windows\SysWOW64\Edlfhc32.exe Enbnkigh.exe File created C:\Windows\SysWOW64\Phcpgm32.exe Pgbdodnh.exe File created C:\Windows\SysWOW64\Ellcac32.dll Gjdjklek.exe File created C:\Windows\SysWOW64\Egpbbn32.dll Jdaqmg32.exe File opened for modification C:\Windows\SysWOW64\Odmabj32.exe Omcifpnp.exe File created C:\Windows\SysWOW64\Epojbfko.dll Aqjdgmgd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4356 2796 WerFault.exe 475 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khkpijma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbappoe.dll" Edlfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epphbb32.dll" Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afoddn32.dll" Okgjodmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlbfien.dll" Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffncbeip.dll" Kjaelaok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgiefej.dll" Lmfhil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nledoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmjlhfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgkdo32.dll" Jbpdeogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjdndjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idgglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpidd32.dll" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dacnbjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qifmdk32.dll" Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpjkiogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll" Bobhal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqlic32.dll" Debplg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obdojcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeomgho.dll" Npjlhcmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmbonmll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amcbfmck.dll" Nlbgikia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eheecbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endjaief.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afajafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlckbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foehfmaf.dll" Pomhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gacbmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibgoq32.dll" Jpfhoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efdhpjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okgjodmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobdahei.dll" Kpkpadnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lclgjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjfcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdoljh32.dll" Iaeegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poeofkoh.dll" Jgaiobjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdakgdi.dll" Nledoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpomfdnk.dll" Jlckbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfpldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdlhpmb.dll" Dldhdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dllhhaep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dedlag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnomjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbdiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll" Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlpeij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgebdipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onocmadb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1932 wrote to memory of 2284 1932 a2036ebeb7a0050485df7a94604428f0.exe 28 PID 1932 wrote to memory of 2284 1932 a2036ebeb7a0050485df7a94604428f0.exe 28 PID 1932 wrote to memory of 2284 1932 a2036ebeb7a0050485df7a94604428f0.exe 28 PID 1932 wrote to memory of 2284 1932 a2036ebeb7a0050485df7a94604428f0.exe 28 PID 2284 wrote to memory of 2804 2284 Achojp32.exe 29 PID 2284 wrote to memory of 2804 2284 Achojp32.exe 29 PID 2284 wrote to memory of 2804 2284 Achojp32.exe 29 PID 2284 wrote to memory of 2804 2284 Achojp32.exe 29 PID 2804 wrote to memory of 2576 2804 Amcpie32.exe 30 PID 2804 wrote to memory of 2576 2804 Amcpie32.exe 30 PID 2804 wrote to memory of 2576 2804 Amcpie32.exe 30 PID 2804 wrote to memory of 2576 2804 Amcpie32.exe 30 PID 2576 wrote to memory of 2592 2576 Afkdakjb.exe 31 PID 2576 wrote to memory of 2592 2576 Afkdakjb.exe 31 PID 2576 wrote to memory of 2592 2576 Afkdakjb.exe 31 PID 2576 wrote to memory of 2592 2576 Afkdakjb.exe 31 PID 2592 wrote to memory of 2600 2592 Aeqabgoj.exe 32 PID 2592 wrote to memory of 2600 2592 Aeqabgoj.exe 32 PID 2592 wrote to memory of 2600 2592 Aeqabgoj.exe 32 PID 2592 wrote to memory of 2600 2592 Aeqabgoj.exe 32 PID 2600 wrote to memory of 3060 2600 Bbdallnd.exe 34 PID 2600 wrote to memory of 3060 2600 Bbdallnd.exe 34 PID 2600 wrote to memory of 3060 2600 Bbdallnd.exe 34 PID 2600 wrote to memory of 3060 2600 Bbdallnd.exe 34 PID 3060 wrote to memory of 800 3060 Bphbeplm.exe 33 PID 3060 wrote to memory of 800 3060 Bphbeplm.exe 33 PID 3060 wrote to memory of 800 3060 Bphbeplm.exe 33 PID 3060 wrote to memory of 800 3060 Bphbeplm.exe 33 PID 800 wrote to memory of 572 800 Biafnecn.exe 35 PID 800 wrote to memory of 572 800 Biafnecn.exe 35 PID 800 wrote to memory of 572 800 Biafnecn.exe 35 PID 800 wrote to memory of 572 800 Biafnecn.exe 35 PID 572 wrote to memory of 2908 572 Bdkgocpm.exe 36 PID 572 wrote to memory of 2908 572 Bdkgocpm.exe 36 PID 572 wrote to memory of 2908 572 Bdkgocpm.exe 36 PID 572 wrote to memory of 2908 572 Bdkgocpm.exe 36 PID 2908 wrote to memory of 1980 2908 Bmclhi32.exe 37 PID 2908 wrote to memory of 1980 2908 Bmclhi32.exe 37 PID 2908 wrote to memory of 1980 2908 Bmclhi32.exe 37 PID 2908 wrote to memory of 1980 2908 Bmclhi32.exe 37 PID 1980 wrote to memory of 1968 1980 Bobhal32.exe 38 PID 1980 wrote to memory of 1968 1980 Bobhal32.exe 38 PID 1980 wrote to memory of 1968 1980 Bobhal32.exe 38 PID 1980 wrote to memory of 1968 1980 Bobhal32.exe 38 PID 1968 wrote to memory of 1684 1968 Ckiigmcd.exe 41 PID 1968 wrote to memory of 1684 1968 Ckiigmcd.exe 41 PID 1968 wrote to memory of 1684 1968 Ckiigmcd.exe 41 PID 1968 wrote to memory of 1684 1968 Ckiigmcd.exe 41 PID 1684 wrote to memory of 1664 1684 Cpfaocal.exe 39 PID 1684 wrote to memory of 1664 1684 Cpfaocal.exe 39 PID 1684 wrote to memory of 1664 1684 Cpfaocal.exe 39 PID 1684 wrote to memory of 1664 1684 Cpfaocal.exe 39 PID 1664 wrote to memory of 2524 1664 Clmbddgp.exe 40 PID 1664 wrote to memory of 2524 1664 Clmbddgp.exe 40 PID 1664 wrote to memory of 2524 1664 Clmbddgp.exe 40 PID 1664 wrote to memory of 2524 1664 Clmbddgp.exe 40 PID 2524 wrote to memory of 2016 2524 Ciqcmiei.exe 42 PID 2524 wrote to memory of 2016 2524 Ciqcmiei.exe 42 PID 2524 wrote to memory of 2016 2524 Ciqcmiei.exe 42 PID 2524 wrote to memory of 2016 2524 Ciqcmiei.exe 42 PID 2016 wrote to memory of 2276 2016 Cicpch32.exe 43 PID 2016 wrote to memory of 2276 2016 Cicpch32.exe 43 PID 2016 wrote to memory of 2276 2016 Cicpch32.exe 43 PID 2016 wrote to memory of 2276 2016 Cicpch32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2036ebeb7a0050485df7a94604428f0.exe"C:\Users\Admin\AppData\Local\Temp\a2036ebeb7a0050485df7a94604428f0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Aeqabgoj.exeC:\Windows\system32\Aeqabgoj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
-
-
-
-
-
-
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3024
-
-
-
-
-
-
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe7⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe9⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe10⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe11⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe12⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Gnpmfqap.exeC:\Windows\system32\Gnpmfqap.exe13⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe15⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Gjijqa32.exeC:\Windows\system32\Gjijqa32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe18⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe19⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe20⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe21⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe22⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe23⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe24⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe28⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe30⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe31⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe32⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe33⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe34⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe36⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe37⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe39⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe40⤵
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe41⤵
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe42⤵
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe43⤵PID:2512
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe44⤵PID:2308
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe45⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe46⤵PID:980
-
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe47⤵PID:2748
-
C:\Windows\SysWOW64\Lnjafd32.exeC:\Windows\system32\Lnjafd32.exe48⤵PID:1028
-
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe49⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe50⤵PID:3040
-
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe51⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe52⤵PID:1712
-
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe53⤵PID:2724
-
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe54⤵PID:2708
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe55⤵PID:1876
-
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe56⤵PID:532
-
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe57⤵PID:2888
-
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe58⤵PID:2932
-
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe59⤵PID:936
-
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe60⤵PID:844
-
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe61⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe62⤵
- Drops file in System32 directory
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe63⤵PID:2428
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe65⤵PID:1744
-
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe66⤵PID:1852
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe67⤵PID:928
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe68⤵PID:2176
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe69⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe71⤵PID:2644
-
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe72⤵PID:2420
-
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe73⤵PID:2672
-
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe74⤵PID:1000
-
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe76⤵
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe77⤵PID:1604
-
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe79⤵PID:2060
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe80⤵PID:2268
-
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe81⤵PID:2916
-
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe82⤵PID:2412
-
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe83⤵PID:2232
-
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe84⤵PID:1816
-
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe85⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe86⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe87⤵PID:2548
-
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2948 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe90⤵PID:2944
-
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe91⤵
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe93⤵PID:2244
-
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe94⤵PID:2252
-
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe95⤵PID:2440
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe96⤵PID:1052
-
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe97⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe98⤵
- Drops file in System32 directory
PID:544 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2336 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe102⤵PID:2784
-
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe103⤵PID:2752
-
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe104⤵PID:2692
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe105⤵PID:2848
-
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe106⤵PID:1568
-
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe108⤵
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe109⤵
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe110⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe111⤵
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe112⤵PID:2320
-
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe113⤵PID:2116
-
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe115⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe117⤵PID:2136
-
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe120⤵PID:2556
-
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe121⤵PID:1632
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-