Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 19:24
Behavioral task
behavioral1
Sample
063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Resource
win10v2004-20240426-en
General
-
Target
063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
-
Size
343KB
-
MD5
126d70536cbb21f71eb2f0a8d7cd8b60
-
SHA1
a13c0c208551c48b0877e46f040a9398fd668553
-
SHA256
063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741
-
SHA512
c0e664fddc69a2a635a1252754af34cd7d709febe94be17e107000be960d7cfbff52b851b43c8b97ecb3403232c6a26c7b69d333fb3fc177d311e811edcf9497
-
SSDEEP
6144:4S7MzAFEhRTqO+uNk54t3haeTFLel6ZfoPPB2I5BjopZ7TngrVIeoKhyCjonootK:pPFECO+uNk54t3hJVKOfoHBfByZPgrVF
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmimafop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbmmcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmgfkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gobgcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfijnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mnieom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelmai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqcnfjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paggai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbehoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaemjbcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibjkgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lipjejgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiomkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mpolmdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjpqdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmoipopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoakolod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bkdmcdoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfinoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmlgonbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igcecmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lbfahp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldenbcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhnfkigh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocajbekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njiijlbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqndkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddcdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ghmiam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcknbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iolmbpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ncoamb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohnhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Claifkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loapim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ambmpmln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlakpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bbdocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bokphdld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpafkknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokphdld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmimafop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kphimanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhgclfje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Faokjpfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Claifkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ddeaalpg.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x0009000000014390-5.dat family_berbew behavioral1/files/0x00080000000147ea-25.dat family_berbew behavioral1/files/0x00070000000149f5-39.dat family_berbew behavioral1/files/0x000a000000014af6-46.dat family_berbew behavioral1/files/0x0007000000014ef8-59.dat family_berbew behavioral1/files/0x00070000000155ed-74.dat family_berbew behavioral1/files/0x00060000000155f7-87.dat family_berbew behavioral1/files/0x0006000000015616-107.dat family_berbew behavioral1/files/0x0006000000015b6f-115.dat family_berbew behavioral1/files/0x0006000000015c52-132.dat family_berbew behavioral1/files/0x0006000000015c78-146.dat family_berbew behavioral1/files/0x0006000000015c9f-165.dat family_berbew behavioral1/memory/1512-167-0x0000000000250000-0x000000000028F000-memory.dmp family_berbew behavioral1/files/0x00090000000146b8-176.dat family_berbew behavioral1/memory/2708-181-0x0000000000260000-0x000000000029F000-memory.dmp family_berbew behavioral1/files/0x0006000000015cee-193.dat family_berbew behavioral1/files/0x0006000000015cfe-205.dat family_berbew behavioral1/memory/1616-213-0x0000000000250000-0x000000000028F000-memory.dmp family_berbew behavioral1/files/0x0006000000015d0f-219.dat family_berbew behavioral1/files/0x0006000000015d27-235.dat family_berbew behavioral1/files/0x0006000000015d98-245.dat family_berbew behavioral1/files/0x0006000000015f01-255.dat family_berbew behavioral1/files/0x00060000000160af-263.dat family_berbew behavioral1/files/0x0006000000016287-278.dat family_berbew behavioral1/files/0x000600000001650c-290.dat family_berbew behavioral1/files/0x00060000000167d5-300.dat family_berbew behavioral1/memory/3068-303-0x0000000000310000-0x000000000034F000-memory.dmp family_berbew behavioral1/files/0x0006000000016be2-310.dat family_berbew behavioral1/files/0x0006000000016cb6-347.dat family_berbew behavioral1/files/0x0006000000016c7c-338.dat family_berbew behavioral1/files/0x0006000000016c04-324.dat family_berbew behavioral1/files/0x0006000000016cc6-358.dat family_berbew behavioral1/files/0x0006000000016d1a-367.dat family_berbew behavioral1/files/0x0006000000016d51-379.dat family_berbew behavioral1/files/0x0006000000016e24-390.dat family_berbew behavioral1/files/0x0006000000016fed-397.dat family_berbew behavioral1/files/0x0006000000017371-409.dat family_berbew behavioral1/files/0x000600000001737c-420.dat family_berbew behavioral1/memory/320-423-0x0000000000250000-0x000000000028F000-memory.dmp family_berbew behavioral1/files/0x0006000000017407-432.dat family_berbew behavioral1/files/0x00060000000174a5-440.dat family_berbew behavioral1/files/0x000d0000000185f4-452.dat family_berbew behavioral1/files/0x0005000000018717-462.dat family_berbew behavioral1/files/0x0006000000018bab-477.dat family_berbew behavioral1/files/0x0006000000018fbf-488.dat family_berbew behavioral1/files/0x0006000000019064-499.dat family_berbew behavioral1/files/0x0005000000019185-506.dat family_berbew behavioral1/files/0x00050000000191c8-519.dat family_berbew behavioral1/files/0x00050000000191dd-529.dat family_berbew behavioral1/files/0x00050000000191ea-541.dat family_berbew behavioral1/files/0x0005000000019216-552.dat family_berbew behavioral1/files/0x00050000000192da-562.dat family_berbew behavioral1/files/0x0005000000019305-577.dat family_berbew behavioral1/files/0x000500000001932a-590.dat family_berbew behavioral1/files/0x00050000000193ab-601.dat family_berbew behavioral1/files/0x00050000000193c7-612.dat family_berbew behavioral1/files/0x00050000000193dd-623.dat family_berbew behavioral1/files/0x00050000000193ef-635.dat family_berbew behavioral1/files/0x0005000000019433-645.dat family_berbew behavioral1/files/0x0005000000019464-659.dat family_berbew behavioral1/files/0x00050000000194b1-667.dat family_berbew behavioral1/files/0x00050000000195b9-682.dat family_berbew behavioral1/files/0x00050000000195bf-691.dat family_berbew behavioral1/files/0x00050000000199e7-706.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 1680 Hdkfacpo.exe 2900 Hoakolod.exe 2528 Hdncgbnl.exe 2788 Hjkkojlc.exe 2584 Hjmhdi32.exe 2592 Idblbb32.exe 2544 Iolmbpfe.exe 2204 Igcecmfg.exe 1616 Ijdnehci.exe 1548 Ibocjk32.exe 1512 Imeggc32.exe 2708 Infdolgh.exe 840 Joepio32.exe 2076 Jbdlejmn.exe 1020 Jcgfbb32.exe 1836 Jgenhp32.exe 1292 Jancafna.exe 2816 Jmdcfg32.exe 1540 Kcolba32.exe 376 Kbalnnam.exe 3036 Kjhdokbo.exe 3068 Kcahhq32.exe 3060 Kebepion.exe 2828 Kmimafop.exe 1676 Kphimanc.exe 2316 Kedaeh32.exe 2564 Khcnad32.exe 2744 Kbhbom32.exe 2616 Kakbjibo.exe 2524 Kibjkgca.exe 2460 Koocdnai.exe 2496 Kbkodl32.exe 320 Keikqhhe.exe 2376 Lhggmchi.exe 2384 Loapim32.exe 1528 Laplei32.exe 1936 Lhjdbcef.exe 932 Lkhpnnej.exe 2000 Labhkh32.exe 2152 Ldqegd32.exe 2096 Lgoacojo.exe 808 Limmokib.exe 332 Ladeqhjd.exe 2796 Lbfahp32.exe 1536 Lipjejgp.exe 972 Lmkfei32.exe 2804 Ldenbcge.exe 3028 Lefkjkmc.exe 3000 Lmnbkinf.exe 2176 Lplogdmj.exe 2268 Mcjkcplm.exe 2552 Meigpkka.exe 1840 Mhgclfje.exe 2656 Mpolmdkg.exe 2640 Mcmhiojk.exe 1644 Maphdl32.exe 1208 Mhjpaf32.exe 2512 Mkhmma32.exe 1612 Mabejlob.exe 2724 Mkjica32.exe 2856 Mnieom32.exe 2520 Madapkmp.exe 1096 Mhnjle32.exe 1052 Mohbip32.exe -
Loads dropped DLL 64 IoCs
pid Process 2340 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe 2340 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe 1680 Hdkfacpo.exe 1680 Hdkfacpo.exe 2900 Hoakolod.exe 2900 Hoakolod.exe 2528 Hdncgbnl.exe 2528 Hdncgbnl.exe 2788 Hjkkojlc.exe 2788 Hjkkojlc.exe 2584 Hjmhdi32.exe 2584 Hjmhdi32.exe 2592 Idblbb32.exe 2592 Idblbb32.exe 2544 Iolmbpfe.exe 2544 Iolmbpfe.exe 2204 Igcecmfg.exe 2204 Igcecmfg.exe 1616 Ijdnehci.exe 1616 Ijdnehci.exe 1548 Ibocjk32.exe 1548 Ibocjk32.exe 1512 Imeggc32.exe 1512 Imeggc32.exe 2708 Infdolgh.exe 2708 Infdolgh.exe 840 Joepio32.exe 840 Joepio32.exe 2076 Jbdlejmn.exe 2076 Jbdlejmn.exe 1020 Jcgfbb32.exe 1020 Jcgfbb32.exe 1836 Jgenhp32.exe 1836 Jgenhp32.exe 1292 Jancafna.exe 1292 Jancafna.exe 2816 Jmdcfg32.exe 2816 Jmdcfg32.exe 1540 Kcolba32.exe 1540 Kcolba32.exe 376 Kbalnnam.exe 376 Kbalnnam.exe 3036 Kjhdokbo.exe 3036 Kjhdokbo.exe 3068 Kcahhq32.exe 3068 Kcahhq32.exe 3060 Kebepion.exe 3060 Kebepion.exe 2828 Kmimafop.exe 2828 Kmimafop.exe 1676 Kphimanc.exe 1676 Kphimanc.exe 2316 Kedaeh32.exe 2316 Kedaeh32.exe 2564 Khcnad32.exe 2564 Khcnad32.exe 2744 Kbhbom32.exe 2744 Kbhbom32.exe 2616 Kakbjibo.exe 2616 Kakbjibo.exe 2524 Kibjkgca.exe 2524 Kibjkgca.exe 2460 Koocdnai.exe 2460 Koocdnai.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eecqjpee.exe Ebedndfa.exe File opened for modification C:\Windows\SysWOW64\Epieghdk.exe Eiomkn32.exe File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Phjelg32.exe File opened for modification C:\Windows\SysWOW64\Cphlljge.exe Cnippoha.exe File opened for modification C:\Windows\SysWOW64\Bhfagipa.exe Begeknan.exe File created C:\Windows\SysWOW64\Gaemjbcg.exe Gaemjbcg.exe File created C:\Windows\SysWOW64\Khcnad32.exe Kedaeh32.exe File created C:\Windows\SysWOW64\Nmjblg32.exe Nhnfkigh.exe File created C:\Windows\SysWOW64\Mhjpaf32.exe Maphdl32.exe File created C:\Windows\SysWOW64\Qnigda32.exe Qljkhe32.exe File created C:\Windows\SysWOW64\Ckignd32.exe Bcaomf32.exe File created C:\Windows\SysWOW64\Fmhheqje.exe Filldb32.exe File created C:\Windows\SysWOW64\Gieojq32.exe Gbkgnfbd.exe File opened for modification C:\Windows\SysWOW64\Infdolgh.exe Imeggc32.exe File created C:\Windows\SysWOW64\Kebepion.exe Kcahhq32.exe File created C:\Windows\SysWOW64\Emeopn32.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Infdolgh.exe Imeggc32.exe File created C:\Windows\SysWOW64\Mkhmma32.exe Mhjpaf32.exe File created C:\Windows\SysWOW64\Minjlg32.dll Joepio32.exe File opened for modification C:\Windows\SysWOW64\Ncoamb32.exe Nocemcbj.exe File created C:\Windows\SysWOW64\Ahakmf32.exe Qmlgonbe.exe File opened for modification C:\Windows\SysWOW64\Fhkpmjln.exe Faagpp32.exe File created C:\Windows\SysWOW64\Ppiflaho.dll Igcecmfg.exe File created C:\Windows\SysWOW64\Oadqjk32.dll Dgodbh32.exe File created C:\Windows\SysWOW64\Cjpqdp32.exe Cfeddafl.exe File created C:\Windows\SysWOW64\Egdnbg32.dll Eijcpoac.exe File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe Ggpimica.exe File created C:\Windows\SysWOW64\Ambmpmln.exe Aigaon32.exe File created C:\Windows\SysWOW64\Gkkgcp32.dll Bpafkknm.exe File created C:\Windows\SysWOW64\Mfcngp32.dll Nnnojlpa.exe File created C:\Windows\SysWOW64\Pndniaop.exe Phjelg32.exe File opened for modification C:\Windows\SysWOW64\Bdhhqk32.exe Bbflib32.exe File created C:\Windows\SysWOW64\Cgpgce32.exe Cdakgibq.exe File created C:\Windows\SysWOW64\Jfpjfeia.dll Dmafennb.exe File created C:\Windows\SysWOW64\Ipjchc32.dll Fbgmbg32.exe File opened for modification C:\Windows\SysWOW64\Kibjkgca.exe Kakbjibo.exe File created C:\Windows\SysWOW64\Madapkmp.exe Mnieom32.exe File created C:\Windows\SysWOW64\Anllbdkl.dll Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Lmkfei32.exe Lipjejgp.exe File created C:\Windows\SysWOW64\Bbflib32.exe Bokphdld.exe File opened for modification C:\Windows\SysWOW64\Mcjkcplm.exe Lplogdmj.exe File created C:\Windows\SysWOW64\Eihfjo32.exe Dfijnd32.exe File created C:\Windows\SysWOW64\Fbilenko.dll Kcolba32.exe File created C:\Windows\SysWOW64\Lbfahp32.exe Ladeqhjd.exe File opened for modification C:\Windows\SysWOW64\Cfbhnaho.exe Cgpgce32.exe File opened for modification C:\Windows\SysWOW64\Fmlapp32.exe Fiaeoang.exe File opened for modification C:\Windows\SysWOW64\Cckace32.exe Claifkkf.exe File opened for modification C:\Windows\SysWOW64\Kphimanc.exe Kmimafop.exe File created C:\Windows\SysWOW64\Doffod32.dll Oqcnfjli.exe File opened for modification C:\Windows\SysWOW64\Mpolmdkg.exe Mhgclfje.exe File created C:\Windows\SysWOW64\Cbhkgk32.dll Mcmhiojk.exe File opened for modification C:\Windows\SysWOW64\Phjelg32.exe Pelipl32.exe File created C:\Windows\SysWOW64\Klidkobf.dll Dkmmhf32.exe File created C:\Windows\SysWOW64\Cnkajfop.dll Hcifgjgc.exe File created C:\Windows\SysWOW64\Ankdiqih.exe Afdlhchf.exe File created C:\Windows\SysWOW64\Baqbenep.exe Bkfjhd32.exe File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Kebepion.exe Kcahhq32.exe File created C:\Windows\SysWOW64\Dhflmk32.dll Ddeaalpg.exe File created C:\Windows\SysWOW64\Hhbabqdh.dll Njgldmdc.exe File opened for modification C:\Windows\SysWOW64\Oghlgdgk.exe Oqndkj32.exe File created C:\Windows\SysWOW64\Qhmbagfa.exe Pabjem32.exe File created C:\Windows\SysWOW64\Cjlgiqbk.exe Ckignd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3672 3648 WerFault.exe 317 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndaof32.dll" Phjelg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngfcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfcak32.dll" Nhnfkigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pfflopdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lipjejgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomkin32.dll" Ppjglfon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pjpkjond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cgpgce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmdcfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Limmokib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcjkcplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fmlapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlgefh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Begeknan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqdoodim.dll" Mnieom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncmdhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofbfdmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Djpmccqq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddeaalpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" Ffbicfoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddflckmp.dll" Bgknheej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oockje32.dll" Chemfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdgmmje.dll" Oqqapjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpkceld.dll" Bebkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bpafkknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngfcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qdccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefmambf.dll" Dmoipopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odbhmo32.dll" Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hjmhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kakbjibo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcmgfkeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fbgmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aenbdoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idphiplp.dll" Bdhhqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfgaiaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll" Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lefkjkmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Djnpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmei32.dll" Ejbfhfaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" Hggomh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kphimanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnnajckm.dll" Ojkboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll" Ddcdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gbkgnfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" Gdopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bcaomf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ijdnehci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjlmdgj.dll" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Piehkkcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ecmkghcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflhaaje.dll" Mkhmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhnfkigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahakmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiabof32.dll" Bcaomf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lbfahp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onbddoog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbdocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhnjle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nleiqhcg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 1680 2340 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe 28 PID 2340 wrote to memory of 1680 2340 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe 28 PID 2340 wrote to memory of 1680 2340 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe 28 PID 2340 wrote to memory of 1680 2340 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe 28 PID 1680 wrote to memory of 2900 1680 Hdkfacpo.exe 29 PID 1680 wrote to memory of 2900 1680 Hdkfacpo.exe 29 PID 1680 wrote to memory of 2900 1680 Hdkfacpo.exe 29 PID 1680 wrote to memory of 2900 1680 Hdkfacpo.exe 29 PID 2900 wrote to memory of 2528 2900 Hoakolod.exe 30 PID 2900 wrote to memory of 2528 2900 Hoakolod.exe 30 PID 2900 wrote to memory of 2528 2900 Hoakolod.exe 30 PID 2900 wrote to memory of 2528 2900 Hoakolod.exe 30 PID 2528 wrote to memory of 2788 2528 Hdncgbnl.exe 31 PID 2528 wrote to memory of 2788 2528 Hdncgbnl.exe 31 PID 2528 wrote to memory of 2788 2528 Hdncgbnl.exe 31 PID 2528 wrote to memory of 2788 2528 Hdncgbnl.exe 31 PID 2788 wrote to memory of 2584 2788 Hjkkojlc.exe 32 PID 2788 wrote to memory of 2584 2788 Hjkkojlc.exe 32 PID 2788 wrote to memory of 2584 2788 Hjkkojlc.exe 32 PID 2788 wrote to memory of 2584 2788 Hjkkojlc.exe 32 PID 2584 wrote to memory of 2592 2584 Hjmhdi32.exe 33 PID 2584 wrote to memory of 2592 2584 Hjmhdi32.exe 33 PID 2584 wrote to memory of 2592 2584 Hjmhdi32.exe 33 PID 2584 wrote to memory of 2592 2584 Hjmhdi32.exe 33 PID 2592 wrote to memory of 2544 2592 Idblbb32.exe 34 PID 2592 wrote to memory of 2544 2592 Idblbb32.exe 34 PID 2592 wrote to memory of 2544 2592 Idblbb32.exe 34 PID 2592 wrote to memory of 2544 2592 Idblbb32.exe 34 PID 2544 wrote to memory of 2204 2544 Iolmbpfe.exe 35 PID 2544 wrote to memory of 2204 2544 Iolmbpfe.exe 35 PID 2544 wrote to memory of 2204 2544 Iolmbpfe.exe 35 PID 2544 wrote to memory of 2204 2544 Iolmbpfe.exe 35 PID 2204 wrote to memory of 1616 2204 Igcecmfg.exe 36 PID 2204 wrote to memory of 1616 2204 Igcecmfg.exe 36 PID 2204 wrote to memory of 1616 2204 Igcecmfg.exe 36 PID 2204 wrote to memory of 1616 2204 Igcecmfg.exe 36 PID 1616 wrote to memory of 1548 1616 Ijdnehci.exe 37 PID 1616 wrote to memory of 1548 1616 Ijdnehci.exe 37 PID 1616 wrote to memory of 1548 1616 Ijdnehci.exe 37 PID 1616 wrote to memory of 1548 1616 Ijdnehci.exe 37 PID 1548 wrote to memory of 1512 1548 Ibocjk32.exe 38 PID 1548 wrote to memory of 1512 1548 Ibocjk32.exe 38 PID 1548 wrote to memory of 1512 1548 Ibocjk32.exe 38 PID 1548 wrote to memory of 1512 1548 Ibocjk32.exe 38 PID 1512 wrote to memory of 2708 1512 Imeggc32.exe 39 PID 1512 wrote to memory of 2708 1512 Imeggc32.exe 39 PID 1512 wrote to memory of 2708 1512 Imeggc32.exe 39 PID 1512 wrote to memory of 2708 1512 Imeggc32.exe 39 PID 2708 wrote to memory of 840 2708 Infdolgh.exe 40 PID 2708 wrote to memory of 840 2708 Infdolgh.exe 40 PID 2708 wrote to memory of 840 2708 Infdolgh.exe 40 PID 2708 wrote to memory of 840 2708 Infdolgh.exe 40 PID 840 wrote to memory of 2076 840 Joepio32.exe 41 PID 840 wrote to memory of 2076 840 Joepio32.exe 41 PID 840 wrote to memory of 2076 840 Joepio32.exe 41 PID 840 wrote to memory of 2076 840 Joepio32.exe 41 PID 2076 wrote to memory of 1020 2076 Jbdlejmn.exe 42 PID 2076 wrote to memory of 1020 2076 Jbdlejmn.exe 42 PID 2076 wrote to memory of 1020 2076 Jbdlejmn.exe 42 PID 2076 wrote to memory of 1020 2076 Jbdlejmn.exe 42 PID 1020 wrote to memory of 1836 1020 Jcgfbb32.exe 43 PID 1020 wrote to memory of 1836 1020 Jcgfbb32.exe 43 PID 1020 wrote to memory of 1836 1020 Jcgfbb32.exe 43 PID 1020 wrote to memory of 1836 1020 Jcgfbb32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe"C:\Users\Admin\AppData\Local\Temp\063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Hoakolod.exeC:\Windows\system32\Hoakolod.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Hjkkojlc.exeC:\Windows\system32\Hjkkojlc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Idblbb32.exeC:\Windows\system32\Idblbb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Igcecmfg.exeC:\Windows\system32\Igcecmfg.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Ijdnehci.exeC:\Windows\system32\Ijdnehci.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Ibocjk32.exeC:\Windows\system32\Ibocjk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Imeggc32.exeC:\Windows\system32\Imeggc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1836 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Kcolba32.exeC:\Windows\system32\Kcolba32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Kakbjibo.exeC:\Windows\system32\Kakbjibo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe33⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe34⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe35⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Loapim32.exeC:\Windows\system32\Loapim32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe37⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe38⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe39⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe40⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe41⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe42⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe47⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe50⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe53⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Maphdl32.exeC:\Windows\system32\Maphdl32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe60⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe61⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe63⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe65⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe66⤵PID:2416
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe67⤵PID:1460
-
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe68⤵
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe69⤵PID:2280
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe70⤵
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe71⤵PID:1592
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe72⤵PID:1588
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe73⤵
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe74⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe75⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe76⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Ncoamb32.exeC:\Windows\system32\Ncoamb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1320 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Nhlifi32.exeC:\Windows\system32\Nhlifi32.exe79⤵PID:1776
-
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe80⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe81⤵PID:620
-
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe82⤵PID:1172
-
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe84⤵PID:352
-
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe86⤵PID:976
-
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe87⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe88⤵PID:2772
-
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe89⤵PID:1580
-
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe90⤵PID:1688
-
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe91⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe92⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe94⤵PID:924
-
C:\Windows\SysWOW64\Oqndkj32.exeC:\Windows\system32\Oqndkj32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe97⤵
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe98⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe100⤵PID:1476
-
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe101⤵PID:1240
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Ojkboo32.exeC:\Windows\system32\Ojkboo32.exe105⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe106⤵PID:2556
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe107⤵PID:2548
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe108⤵PID:2412
-
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe109⤵PID:1720
-
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe110⤵PID:1608
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1296 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe112⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Pbiciana.exeC:\Windows\system32\Pbiciana.exe113⤵PID:1988
-
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Plahag32.exeC:\Windows\system32\Plahag32.exe115⤵PID:3056
-
C:\Windows\SysWOW64\Pfflopdh.exeC:\Windows\system32\Pfflopdh.exe116⤵
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe117⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe118⤵PID:2896
-
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe120⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe122⤵PID:1860
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-