Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
21-05-2024 20:53
Behavioral task
behavioral1
Sample
0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe
Resource
win10v2004-20240508-en
General
-
Target
0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe
-
Size
128KB
-
MD5
0e81858f9a350411b34fbc68f3115bf0
-
SHA1
7fbf516427b5eea2630464339b02da0fae34ec51
-
SHA256
0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400
-
SHA512
e75064a671c63d3ad6db86636c607fdb54dfe982f1edd1f0faba807cf42bce6d1df7c4e3dbb6109c9aaaff72660f9f4a6d1edc713107b097b650f11f4a89da71
-
SSDEEP
1536:V1Vtfm0F4BCs3Se9z2nyxjeFynyZuaRQDtNRfRa9HprmRfRJCLIXG:V7x5p5Q2y0ynoeDtN5wkpHxG
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mooaljkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijcpoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpnanch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecqqpgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lcfqkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hogmmjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mlkopcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhgdkjol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmahdggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbopgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiaeoang.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppoqeja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmdho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccmffjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Niebhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jgagfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kqqboncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Keednado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilknfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pogclp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhaikn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loeebl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gffoldhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjjea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmkmdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlgfdeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpnojioo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpncej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obcccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahgnke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Faigdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libicbma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfegbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Maoajf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnkjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lafndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfjhgdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leljop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhmpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kohkfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfojn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lahkigca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oonafa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndlim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afohaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hhckpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfofg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkklljmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qfahhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mencccop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leajdfnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbcln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pcnbablo.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/memory/1844-0-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1844-6-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/files/0x000a000000012286-5.dat family_berbew behavioral1/files/0x0008000000016581-18.dat family_berbew behavioral1/memory/2596-19-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/memory/2344-31-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0007000000016a8a-32.dat family_berbew behavioral1/memory/2344-34-0x0000000000270000-0x00000000002B1000-memory.dmp family_berbew behavioral1/files/0x0007000000016c6f-49.dat family_berbew behavioral1/memory/2956-54-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2668-45-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0008000000016dd1-60.dat family_berbew behavioral1/memory/2956-63-0x0000000000250000-0x0000000000291000-memory.dmp family_berbew behavioral1/files/0x0006000000016de3-73.dat family_berbew behavioral1/memory/2556-80-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000017223-86.dat family_berbew behavioral1/memory/2556-92-0x0000000001F80000-0x0000000001FC1000-memory.dmp family_berbew behavioral1/files/0x00060000000173f6-99.dat family_berbew behavioral1/memory/3052-106-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000017577-112.dat family_berbew behavioral1/memory/1436-119-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000d000000018673-127.dat family_berbew behavioral1/memory/740-132-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001870f-138.dat family_berbew behavioral1/files/0x0005000000018723-151.dat family_berbew behavioral1/memory/2872-149-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2848-158-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000018797-164.dat family_berbew behavioral1/files/0x00050000000187b3-177.dat family_berbew behavioral1/memory/1788-184-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/756-171-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0006000000018bd9-190.dat family_berbew behavioral1/memory/1788-196-0x0000000000450000-0x0000000000491000-memory.dmp family_berbew behavioral1/memory/1680-198-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x003700000001611e-210.dat family_berbew behavioral1/memory/1668-211-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019314-220.dat family_berbew behavioral1/memory/2320-221-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00050000000193d9-227.dat family_berbew behavioral1/memory/1628-230-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00050000000193ff-236.dat family_berbew behavioral1/memory/524-245-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001942b-247.dat family_berbew behavioral1/memory/1776-252-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/524-250-0x00000000002A0000-0x00000000002E1000-memory.dmp family_berbew behavioral1/files/0x0005000000019470-258.dat family_berbew behavioral1/memory/1952-267-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/968-273-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x00050000000194b3-269.dat family_berbew behavioral1/files/0x000500000001952d-281.dat family_berbew behavioral1/memory/2176-284-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019627-290.dat family_berbew behavioral1/memory/1128-298-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001962b-301.dat family_berbew behavioral1/memory/2332-310-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/1720-317-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001962f-312.dat family_berbew behavioral1/files/0x0005000000019635-324.dat family_berbew behavioral1/memory/2944-332-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/memory/2712-339-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x000500000001963b-334.dat family_berbew behavioral1/files/0x000500000001963f-346.dat family_berbew behavioral1/memory/2820-354-0x0000000000400000-0x0000000000441000-memory.dmp family_berbew behavioral1/files/0x0005000000019641-357.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2596 Eijcpoac.exe 2344 Efncicpm.exe 2668 Emhlfmgj.exe 2956 Efppoc32.exe 2684 Enkece32.exe 2556 Eiaiqn32.exe 2060 Ennaieib.exe 3052 Fckjalhj.exe 1436 Fnpnndgp.exe 740 Fcmgfkeg.exe 2872 Fnbkddem.exe 2848 Faagpp32.exe 756 Fjilieka.exe 1788 Fpfdalii.exe 1680 Fjlhneio.exe 1668 Fddmgjpo.exe 2320 Fiaeoang.exe 1628 Globlmmj.exe 524 Gonnhhln.exe 1776 Gegfdb32.exe 1952 Ghfbqn32.exe 968 Gejcjbah.exe 2176 Gaqcoc32.exe 1128 Glfhll32.exe 2332 Goddhg32.exe 1720 Gdamqndn.exe 2944 Gphmeo32.exe 2712 Ghoegl32.exe 2820 Hpkjko32.exe 2392 Hcifgjgc.exe 2808 Hlakpp32.exe 2588 Hdhbam32.exe 1328 Hckcmjep.exe 3032 Hlcgeo32.exe 2896 Hhjhkq32.exe 2796 Hodpgjha.exe 2248 Hlhaqogk.exe 2936 Hogmmjfo.exe 676 Ilknfn32.exe 980 Ioijbj32.exe 1900 Ifcbodli.exe 2460 Inngcfid.exe 2312 Idhopq32.exe 1092 Iblpjdpk.exe 2268 Icmlam32.exe 1380 Ikddbj32.exe 1784 Iqalka32.exe 1860 Igkdgk32.exe 1544 Jjjacf32.exe 1596 Jmhmpb32.exe 2832 Jcbellac.exe 2324 Jiondcpk.exe 2644 Jmjjea32.exe 2628 Jcdbbloa.exe 2512 Jfcnngnd.exe 1696 Jiakjb32.exe 620 Jkpgfn32.exe 1672 Jbjochdi.exe 2096 Jehkodcm.exe 824 Jkbcln32.exe 2076 Jbllihbf.exe 788 Jifdebic.exe 324 Jkdpanhg.exe 2988 Jnclnihj.exe -
Loads dropped DLL 64 IoCs
pid Process 1844 0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe 1844 0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe 2596 Eijcpoac.exe 2596 Eijcpoac.exe 2344 Efncicpm.exe 2344 Efncicpm.exe 2668 Emhlfmgj.exe 2668 Emhlfmgj.exe 2956 Efppoc32.exe 2956 Efppoc32.exe 2684 Enkece32.exe 2684 Enkece32.exe 2556 Eiaiqn32.exe 2556 Eiaiqn32.exe 2060 Ennaieib.exe 2060 Ennaieib.exe 3052 Fckjalhj.exe 3052 Fckjalhj.exe 1436 Fnpnndgp.exe 1436 Fnpnndgp.exe 740 Fcmgfkeg.exe 740 Fcmgfkeg.exe 2872 Fnbkddem.exe 2872 Fnbkddem.exe 2848 Faagpp32.exe 2848 Faagpp32.exe 756 Fjilieka.exe 756 Fjilieka.exe 1788 Fpfdalii.exe 1788 Fpfdalii.exe 1680 Fjlhneio.exe 1680 Fjlhneio.exe 1668 Fddmgjpo.exe 1668 Fddmgjpo.exe 2320 Fiaeoang.exe 2320 Fiaeoang.exe 1628 Globlmmj.exe 1628 Globlmmj.exe 524 Gonnhhln.exe 524 Gonnhhln.exe 1776 Gegfdb32.exe 1776 Gegfdb32.exe 1952 Ghfbqn32.exe 1952 Ghfbqn32.exe 968 Gejcjbah.exe 968 Gejcjbah.exe 2176 Gaqcoc32.exe 2176 Gaqcoc32.exe 1128 Glfhll32.exe 1128 Glfhll32.exe 2332 Goddhg32.exe 2332 Goddhg32.exe 1720 Gdamqndn.exe 1720 Gdamqndn.exe 2944 Gphmeo32.exe 2944 Gphmeo32.exe 2712 Ghoegl32.exe 2712 Ghoegl32.exe 2820 Hpkjko32.exe 2820 Hpkjko32.exe 2392 Hcifgjgc.exe 2392 Hcifgjgc.exe 2808 Hlakpp32.exe 2808 Hlakpp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nmnace32.exe Nkpegi32.exe File created C:\Windows\SysWOW64\Enkece32.exe Efppoc32.exe File created C:\Windows\SysWOW64\Nadddkfi.dll Olmhdf32.exe File created C:\Windows\SysWOW64\Fbgkoe32.dll Aadloj32.exe File opened for modification C:\Windows\SysWOW64\Hdqbekcm.exe Habfipdj.exe File created C:\Windows\SysWOW64\Kohkfj32.exe Kmjojo32.exe File created C:\Windows\SysWOW64\Icjhagdp.exe Ipllekdl.exe File created C:\Windows\SysWOW64\Jfcnngnd.exe Jcdbbloa.exe File opened for modification C:\Windows\SysWOW64\Leajdfnm.exe Lafndg32.exe File opened for modification C:\Windows\SysWOW64\Qcbllb32.exe Qlkdkd32.exe File created C:\Windows\SysWOW64\Cafecmlj.exe Cnkicn32.exe File created C:\Windows\SysWOW64\Ekhhadmk.exe Ecqqpgli.exe File opened for modification C:\Windows\SysWOW64\Lphhenhc.exe Lmikibio.exe File created C:\Windows\SysWOW64\Lfdmggnm.exe Lcfqkl32.exe File created C:\Windows\SysWOW64\Fbbecd32.dll Nnennj32.exe File opened for modification C:\Windows\SysWOW64\Oklkmnbp.exe Nceclqan.exe File created C:\Windows\SysWOW64\Aemkjiem.exe Amfcikek.exe File opened for modification C:\Windows\SysWOW64\Bdgafdfp.exe Blpjegfm.exe File created C:\Windows\SysWOW64\Ifkacb32.exe Icmegf32.exe File opened for modification C:\Windows\SysWOW64\Iheddndj.exe Iefhhbef.exe File opened for modification C:\Windows\SysWOW64\Ljibgg32.exe Lgjfkk32.exe File created C:\Windows\SysWOW64\Ghoegl32.exe Gphmeo32.exe File created C:\Windows\SysWOW64\Mmhodf32.exe Mgnfhlin.exe File opened for modification C:\Windows\SysWOW64\Ooeggp32.exe Ofmbnkhg.exe File opened for modification C:\Windows\SysWOW64\Bmkmdk32.exe Bjlqhoba.exe File created C:\Windows\SysWOW64\Gljnej32.exe Gikaio32.exe File created C:\Windows\SysWOW64\Lpdbloof.exe Lhmjkaoc.exe File created C:\Windows\SysWOW64\Kmccegik.dll Obafnlpn.exe File created C:\Windows\SysWOW64\Alnqqd32.exe Qedhdjnh.exe File created C:\Windows\SysWOW64\Enfenplo.exe Ekhhadmk.exe File created C:\Windows\SysWOW64\Lnbbbffj.exe Llcefjgf.exe File opened for modification C:\Windows\SysWOW64\Ncgdbmmp.exe Mhbped32.exe File created C:\Windows\SysWOW64\Agmceh32.dll Kfpgmdog.exe File created C:\Windows\SysWOW64\Qaqkcf32.dll Mholen32.exe File created C:\Windows\SysWOW64\Dinhacjp.dll Eqbddk32.exe File created C:\Windows\SysWOW64\Kigbna32.dll Jocflgga.exe File created C:\Windows\SysWOW64\Mapjmehi.exe Moanaiie.exe File created C:\Windows\SysWOW64\Hdhbam32.exe Hlakpp32.exe File created C:\Windows\SysWOW64\Kcihlong.exe Kmopod32.exe File opened for modification C:\Windows\SysWOW64\Mcegmm32.exe Mlkopcge.exe File created C:\Windows\SysWOW64\Fddcahee.dll Ocgpappk.exe File opened for modification C:\Windows\SysWOW64\Dojald32.exe Dlkepi32.exe File created C:\Windows\SysWOW64\Pbfpik32.exe Pogclp32.exe File created C:\Windows\SysWOW64\Hmbpmapf.exe Hkcdafqb.exe File opened for modification C:\Windows\SysWOW64\Nlhgoqhh.exe Niikceid.exe File opened for modification C:\Windows\SysWOW64\Fnbkddem.exe Fcmgfkeg.exe File opened for modification C:\Windows\SysWOW64\Kmaled32.exe Kfgdhjmk.exe File created C:\Windows\SysWOW64\Fkcpip32.dll Fmbhok32.exe File created C:\Windows\SysWOW64\Ichllgfb.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Daiohhgh.dll Icjhagdp.exe File created C:\Windows\SysWOW64\Oklkmnbp.exe Nceclqan.exe File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe Dndlim32.exe File opened for modification C:\Windows\SysWOW64\Jfnnha32.exe Jocflgga.exe File created C:\Windows\SysWOW64\Nlbeqb32.exe Namqci32.exe File created C:\Windows\SysWOW64\Diaagb32.dll Mlaeonld.exe File created C:\Windows\SysWOW64\Afdignjb.dll Nhaikn32.exe File created C:\Windows\SysWOW64\Jmmjdk32.dll Gdamqndn.exe File opened for modification C:\Windows\SysWOW64\Idhopq32.exe Inngcfid.exe File created C:\Windows\SysWOW64\Lqelfddi.dll Dlkepi32.exe File created C:\Windows\SysWOW64\Dfdlklmn.dll Gpncej32.exe File opened for modification C:\Windows\SysWOW64\Kconkibf.exe Kqqboncb.exe File created C:\Windows\SysWOW64\Ioijbj32.exe Ilknfn32.exe File opened for modification C:\Windows\SysWOW64\Kpkofpgq.exe Kfbkmk32.exe File created C:\Windows\SysWOW64\Dhnmij32.exe Dfoqmo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4132 4612 WerFault.exe 465 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Niikceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ofmbnkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgkoe32.dll" Aadloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdjlion.dll" Gohjaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiiegafd.dll" Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ocgpappk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fepiimfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll" Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll" Mkhofjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjljhjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kckmmp32.dll" Aehboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fnkjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll" Jqnejn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llcefjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgjfkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ennaieib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fpfdalii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcihlong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mkclhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkoplhip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcegmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nhdlkdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmpgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfhdp32.dll" Hdqbekcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndpfkdmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Emnndlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nondgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallbqdi.dll" Fjmaaddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll" Kkjcplpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ifcbodli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiehf32.dll" Cgcmlcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhfdohg.dll" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggeiabkc.dll" Ganpomec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnepch32.dll" Jbdonb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nckjkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lefdpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnobnmpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll" Dndlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebjglbml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Febfomdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikddbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nejiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Chbjffad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egoife32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jifdebic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkdpanhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pcnbablo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fpngfgle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll" Mooaljkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll" Lphhenhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll" Lmlhnagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edkcojga.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1844 wrote to memory of 2596 1844 0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe 28 PID 1844 wrote to memory of 2596 1844 0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe 28 PID 1844 wrote to memory of 2596 1844 0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe 28 PID 1844 wrote to memory of 2596 1844 0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe 28 PID 2596 wrote to memory of 2344 2596 Eijcpoac.exe 29 PID 2596 wrote to memory of 2344 2596 Eijcpoac.exe 29 PID 2596 wrote to memory of 2344 2596 Eijcpoac.exe 29 PID 2596 wrote to memory of 2344 2596 Eijcpoac.exe 29 PID 2344 wrote to memory of 2668 2344 Efncicpm.exe 30 PID 2344 wrote to memory of 2668 2344 Efncicpm.exe 30 PID 2344 wrote to memory of 2668 2344 Efncicpm.exe 30 PID 2344 wrote to memory of 2668 2344 Efncicpm.exe 30 PID 2668 wrote to memory of 2956 2668 Emhlfmgj.exe 31 PID 2668 wrote to memory of 2956 2668 Emhlfmgj.exe 31 PID 2668 wrote to memory of 2956 2668 Emhlfmgj.exe 31 PID 2668 wrote to memory of 2956 2668 Emhlfmgj.exe 31 PID 2956 wrote to memory of 2684 2956 Efppoc32.exe 32 PID 2956 wrote to memory of 2684 2956 Efppoc32.exe 32 PID 2956 wrote to memory of 2684 2956 Efppoc32.exe 32 PID 2956 wrote to memory of 2684 2956 Efppoc32.exe 32 PID 2684 wrote to memory of 2556 2684 Enkece32.exe 33 PID 2684 wrote to memory of 2556 2684 Enkece32.exe 33 PID 2684 wrote to memory of 2556 2684 Enkece32.exe 33 PID 2684 wrote to memory of 2556 2684 Enkece32.exe 33 PID 2556 wrote to memory of 2060 2556 Eiaiqn32.exe 34 PID 2556 wrote to memory of 2060 2556 Eiaiqn32.exe 34 PID 2556 wrote to memory of 2060 2556 Eiaiqn32.exe 34 PID 2556 wrote to memory of 2060 2556 Eiaiqn32.exe 34 PID 2060 wrote to memory of 3052 2060 Ennaieib.exe 35 PID 2060 wrote to memory of 3052 2060 Ennaieib.exe 35 PID 2060 wrote to memory of 3052 2060 Ennaieib.exe 35 PID 2060 wrote to memory of 3052 2060 Ennaieib.exe 35 PID 3052 wrote to memory of 1436 3052 Fckjalhj.exe 36 PID 3052 wrote to memory of 1436 3052 Fckjalhj.exe 36 PID 3052 wrote to memory of 1436 3052 Fckjalhj.exe 36 PID 3052 wrote to memory of 1436 3052 Fckjalhj.exe 36 PID 1436 wrote to memory of 740 1436 Fnpnndgp.exe 37 PID 1436 wrote to memory of 740 1436 Fnpnndgp.exe 37 PID 1436 wrote to memory of 740 1436 Fnpnndgp.exe 37 PID 1436 wrote to memory of 740 1436 Fnpnndgp.exe 37 PID 740 wrote to memory of 2872 740 Fcmgfkeg.exe 38 PID 740 wrote to memory of 2872 740 Fcmgfkeg.exe 38 PID 740 wrote to memory of 2872 740 Fcmgfkeg.exe 38 PID 740 wrote to memory of 2872 740 Fcmgfkeg.exe 38 PID 2872 wrote to memory of 2848 2872 Fnbkddem.exe 39 PID 2872 wrote to memory of 2848 2872 Fnbkddem.exe 39 PID 2872 wrote to memory of 2848 2872 Fnbkddem.exe 39 PID 2872 wrote to memory of 2848 2872 Fnbkddem.exe 39 PID 2848 wrote to memory of 756 2848 Faagpp32.exe 40 PID 2848 wrote to memory of 756 2848 Faagpp32.exe 40 PID 2848 wrote to memory of 756 2848 Faagpp32.exe 40 PID 2848 wrote to memory of 756 2848 Faagpp32.exe 40 PID 756 wrote to memory of 1788 756 Fjilieka.exe 41 PID 756 wrote to memory of 1788 756 Fjilieka.exe 41 PID 756 wrote to memory of 1788 756 Fjilieka.exe 41 PID 756 wrote to memory of 1788 756 Fjilieka.exe 41 PID 1788 wrote to memory of 1680 1788 Fpfdalii.exe 42 PID 1788 wrote to memory of 1680 1788 Fpfdalii.exe 42 PID 1788 wrote to memory of 1680 1788 Fpfdalii.exe 42 PID 1788 wrote to memory of 1680 1788 Fpfdalii.exe 42 PID 1680 wrote to memory of 1668 1680 Fjlhneio.exe 43 PID 1680 wrote to memory of 1668 1680 Fjlhneio.exe 43 PID 1680 wrote to memory of 1668 1680 Fjlhneio.exe 43 PID 1680 wrote to memory of 1668 1680 Fjlhneio.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe"C:\Users\Admin\AppData\Local\Temp\0d9b1792458191389c8829e8226134514a9a7354395c6283e16f60c0f7ca9400.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Goddhg32.exeC:\Windows\system32\Goddhg32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Gdamqndn.exeC:\Windows\system32\Gdamqndn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Ghoegl32.exeC:\Windows\system32\Ghoegl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Hdhbam32.exeC:\Windows\system32\Hdhbam32.exe33⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe34⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe35⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe36⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe37⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe38⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Hogmmjfo.exeC:\Windows\system32\Hogmmjfo.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Ilknfn32.exeC:\Windows\system32\Ilknfn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe41⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Ifcbodli.exeC:\Windows\system32\Ifcbodli.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe44⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe45⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Icmlam32.exeC:\Windows\system32\Icmlam32.exe46⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Ikddbj32.exeC:\Windows\system32\Ikddbj32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Iqalka32.exeC:\Windows\system32\Iqalka32.exe48⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe49⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jjjacf32.exeC:\Windows\system32\Jjjacf32.exe50⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Jmhmpb32.exeC:\Windows\system32\Jmhmpb32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Jcbellac.exeC:\Windows\system32\Jcbellac.exe52⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe53⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Jcdbbloa.exeC:\Windows\system32\Jcdbbloa.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Jfcnngnd.exeC:\Windows\system32\Jfcnngnd.exe56⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe57⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe58⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Jbjochdi.exeC:\Windows\system32\Jbjochdi.exe59⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Jehkodcm.exeC:\Windows\system32\Jehkodcm.exe60⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Jbllihbf.exeC:\Windows\system32\Jbllihbf.exe62⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Jifdebic.exeC:\Windows\system32\Jifdebic.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe65⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Kaaijdgn.exeC:\Windows\system32\Kaaijdgn.exe66⤵PID:2020
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe67⤵PID:2220
-
C:\Windows\SysWOW64\Kkgmgmfd.exeC:\Windows\system32\Kkgmgmfd.exe68⤵PID:892
-
C:\Windows\SysWOW64\Kbqecg32.exeC:\Windows\system32\Kbqecg32.exe69⤵PID:896
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe70⤵PID:2240
-
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe71⤵PID:2488
-
C:\Windows\SysWOW64\Kjljhjkl.exeC:\Windows\system32\Kjljhjkl.exe72⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe73⤵PID:2972
-
C:\Windows\SysWOW64\Keanebkb.exeC:\Windows\system32\Keanebkb.exe74⤵PID:2900
-
C:\Windows\SysWOW64\Kgpjanje.exeC:\Windows\system32\Kgpjanje.exe75⤵PID:2516
-
C:\Windows\SysWOW64\Kfbkmk32.exeC:\Windows\system32\Kfbkmk32.exe76⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe77⤵PID:2880
-
C:\Windows\SysWOW64\Kfegbj32.exeC:\Windows\system32\Kfegbj32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Kiccofna.exeC:\Windows\system32\Kiccofna.exe79⤵PID:1300
-
C:\Windows\SysWOW64\Kmopod32.exeC:\Windows\system32\Kmopod32.exe80⤵
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe81⤵
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Kfgdhjmk.exeC:\Windows\system32\Kfgdhjmk.exe82⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Kmaled32.exeC:\Windows\system32\Kmaled32.exe83⤵PID:1076
-
C:\Windows\SysWOW64\Lckdanld.exeC:\Windows\system32\Lckdanld.exe84⤵PID:1504
-
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe85⤵PID:2396
-
C:\Windows\SysWOW64\Lihmjejl.exeC:\Windows\system32\Lihmjejl.exe86⤵PID:1604
-
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe87⤵PID:2640
-
C:\Windows\SysWOW64\Loeebl32.exeC:\Windows\system32\Loeebl32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Leonofpp.exeC:\Windows\system32\Leonofpp.exe89⤵PID:2624
-
C:\Windows\SysWOW64\Lhmjkaoc.exeC:\Windows\system32\Lhmjkaoc.exe90⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Lpdbloof.exeC:\Windows\system32\Lpdbloof.exe91⤵PID:3036
-
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Leajdfnm.exeC:\Windows\system32\Leajdfnm.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Lhpfqama.exeC:\Windows\system32\Lhpfqama.exe94⤵PID:328
-
C:\Windows\SysWOW64\Lbeknj32.exeC:\Windows\system32\Lbeknj32.exe95⤵PID:2224
-
C:\Windows\SysWOW64\Lahkigca.exeC:\Windows\system32\Lahkigca.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe97⤵PID:2472
-
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe98⤵PID:1116
-
C:\Windows\SysWOW64\Lmolnh32.exeC:\Windows\system32\Lmolnh32.exe99⤵PID:1692
-
C:\Windows\SysWOW64\Lefdpe32.exeC:\Windows\system32\Lefdpe32.exe100⤵
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe101⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Mmahdggc.exeC:\Windows\system32\Mmahdggc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2744 -
C:\Windows\SysWOW64\Mdkqqa32.exeC:\Windows\system32\Mdkqqa32.exe103⤵PID:2544
-
C:\Windows\SysWOW64\Mgimmm32.exeC:\Windows\system32\Mgimmm32.exe104⤵PID:2508
-
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe105⤵PID:468
-
C:\Windows\SysWOW64\Maoajf32.exeC:\Windows\system32\Maoajf32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Mlibjc32.exeC:\Windows\system32\Mlibjc32.exe108⤵PID:300
-
C:\Windows\SysWOW64\Mcbjgn32.exeC:\Windows\system32\Mcbjgn32.exe109⤵PID:1704
-
C:\Windows\SysWOW64\Mgnfhlin.exeC:\Windows\system32\Mgnfhlin.exe110⤵
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Mmhodf32.exeC:\Windows\system32\Mmhodf32.exe111⤵PID:1816
-
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe113⤵
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe114⤵PID:2032
-
C:\Windows\SysWOW64\Mhbped32.exeC:\Windows\system32\Mhbped32.exe115⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Ncgdbmmp.exeC:\Windows\system32\Ncgdbmmp.exe116⤵PID:1868
-
C:\Windows\SysWOW64\Nialog32.exeC:\Windows\system32\Nialog32.exe117⤵PID:2932
-
C:\Windows\SysWOW64\Nhdlkdkg.exeC:\Windows\system32\Nhdlkdkg.exe118⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Nondgn32.exeC:\Windows\system32\Nondgn32.exe119⤵
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Namqci32.exeC:\Windows\system32\Namqci32.exe120⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Nlbeqb32.exeC:\Windows\system32\Nlbeqb32.exe121⤵PID:2912
-
C:\Windows\SysWOW64\Nkeelohh.exeC:\Windows\system32\Nkeelohh.exe122⤵PID:2476
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-