Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 04:04
Behavioral task
behavioral1
Sample
1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe
Resource
win10v2004-20240508-en
General
-
Target
1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe
-
Size
384KB
-
MD5
0ab53e57dc08e6002672f0ba911a7320
-
SHA1
cda6f46ca87271920d4221fc6a2cecec78757935
-
SHA256
1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3
-
SHA512
c3802c92834a284219ed150381fc795ad4a22219d7723bed6147b55acfada0d47d47c54bf41368254427b0b4044a39e9af90f06c387e73f6dce5362e0be7df1c
-
SSDEEP
6144:0g0SkAo1bX3HHxIspui6yYPaIGckpyWO63t5YNpui6yYPaIGcky0PVd68LwYwI+y:0g2bnfpV6yYPI3cpV6yYPZ0PVdvcY9+y
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfinoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Boiccdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkpbgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fjdbnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ofdcjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pminkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ocomlemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchpbded.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdcfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adhlaggp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ennaieib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hejoiedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mhgclfje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nqcagfim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dcfdgiid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgobhcac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adeplhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhjkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djnpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ggpimica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jcjbgaog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gieojq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lodlom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mkhmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcodno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmfhacp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affhncfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Paggai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aiinen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicbeald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gkihhhnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilknfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnofejom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohnhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oomhcbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oenifh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdpip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lekhfgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldcamcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcodno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gejcjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adhlaggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckffgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eflgccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qnfjna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boiccdnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bingpmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hggomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nghphaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccdlbf32.exe -
Malware Dropper & Backdoor - Berbew 64 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c000000013113-5.dat family_berbew behavioral1/files/0x00090000000139e0-18.dat family_berbew behavioral1/files/0x0008000000013a21-32.dat family_berbew behavioral1/files/0x000b000000014120-45.dat family_berbew behavioral1/files/0x00070000000142b0-60.dat family_berbew behavioral1/files/0x0007000000014316-74.dat family_berbew behavioral1/files/0x00060000000143ec-88.dat family_berbew behavioral1/files/0x000600000001448a-101.dat family_berbew behavioral1/files/0x0006000000014539-115.dat family_berbew behavioral1/files/0x00060000000146a2-132.dat family_berbew behavioral1/files/0x000a000000013928-151.dat family_berbew behavioral1/files/0x00060000000147ea-163.dat family_berbew behavioral1/files/0x00060000000149f5-170.dat family_berbew behavioral1/files/0x0006000000014af6-184.dat family_berbew behavioral1/files/0x0006000000014b70-200.dat family_berbew behavioral1/files/0x0006000000014ef8-213.dat family_berbew behavioral1/files/0x00060000000155ed-223.dat family_berbew behavioral1/files/0x00060000000155f7-235.dat family_berbew behavioral1/files/0x0006000000015616-248.dat family_berbew behavioral1/files/0x0006000000015b6f-255.dat family_berbew behavioral1/files/0x0006000000015c52-267.dat family_berbew behavioral1/files/0x0006000000015c78-274.dat family_berbew behavioral1/files/0x0006000000015c9f-285.dat family_berbew behavioral1/files/0x0006000000015cce-294.dat family_berbew behavioral1/memory/964-290-0x0000000000250000-0x0000000000284000-memory.dmp family_berbew behavioral1/files/0x0006000000015cf6-307.dat family_berbew behavioral1/memory/2116-309-0x0000000000250000-0x0000000000284000-memory.dmp family_berbew behavioral1/memory/2116-308-0x0000000000250000-0x0000000000284000-memory.dmp family_berbew behavioral1/files/0x0006000000015d07-316.dat family_berbew behavioral1/files/0x0006000000015d1a-327.dat family_berbew behavioral1/memory/2000-330-0x0000000000360000-0x0000000000394000-memory.dmp family_berbew behavioral1/files/0x0006000000015d31-338.dat family_berbew behavioral1/files/0x0006000000015df1-351.dat family_berbew behavioral1/memory/2304-353-0x0000000000250000-0x0000000000284000-memory.dmp family_berbew behavioral1/files/0x0006000000015f7a-361.dat family_berbew behavioral1/files/0x0006000000016176-371.dat family_berbew behavioral1/memory/2692-374-0x00000000005D0000-0x0000000000604000-memory.dmp family_berbew behavioral1/files/0x0006000000016448-382.dat family_berbew behavioral1/files/0x00060000000165ae-394.dat family_berbew behavioral1/files/0x0006000000016a29-404.dat family_berbew behavioral1/files/0x0006000000016bfb-414.dat family_berbew behavioral1/files/0x0006000000016c51-426.dat family_berbew behavioral1/files/0x0006000000016ca5-436.dat family_berbew behavioral1/files/0x0006000000016cbe-446.dat family_berbew behavioral1/files/0x0006000000016d16-458.dat family_berbew behavioral1/files/0x0006000000016d3e-469.dat family_berbew behavioral1/files/0x0006000000016d57-482.dat family_berbew behavioral1/files/0x0006000000016e4a-491.dat family_berbew behavioral1/files/0x000600000001735a-504.dat family_berbew behavioral1/files/0x0006000000017374-514.dat family_berbew behavioral1/files/0x00060000000173f2-526.dat family_berbew behavioral1/files/0x0006000000017422-537.dat family_berbew behavioral1/files/0x00140000000185e9-548.dat family_berbew behavioral1/files/0x000500000001860c-557.dat family_berbew behavioral1/files/0x0006000000018ba1-569.dat family_berbew behavioral1/files/0x0006000000018ed8-576.dat family_berbew behavioral1/files/0x0006000000019052-589.dat family_berbew behavioral1/files/0x0005000000019159-599.dat family_berbew behavioral1/files/0x00050000000191b0-609.dat family_berbew behavioral1/files/0x00050000000191da-622.dat family_berbew behavioral1/files/0x00050000000191e7-632.dat family_berbew behavioral1/files/0x000500000001920d-642.dat family_berbew behavioral1/files/0x00050000000192d8-656.dat family_berbew behavioral1/files/0x00050000000192f0-667.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 2552 Iigoqe32.exe 2292 Ifkojiim.exe 2664 Jeplkf32.exe 2600 Jbdlejmn.exe 2728 Jjoailji.exe 2468 Jkonco32.exe 2700 Jcjbgaog.exe 956 Jnofejom.exe 2364 Jmdcfg32.exe 1920 Kjhdokbo.exe 2808 Kfoedl32.exe 864 Kinaqg32.exe 1612 Kegnkh32.exe 1440 Koocdnai.exe 2892 Lkfciogm.exe 2068 Lekhfgfc.exe 656 Lfmdnp32.exe 1144 Lodlom32.exe 344 Lgoacojo.exe 1344 Ladeqhjd.exe 616 Ldcamcih.exe 964 Lipjejgp.exe 1252 Lpjbad32.exe 2116 Lchnnp32.exe 2444 Lmnbkinf.exe 2000 Loooca32.exe 1584 Mhgclfje.exe 2304 Mcmhiojk.exe 2576 Migpeiag.exe 2692 Mkhmma32.exe 2816 Mcodno32.exe 2532 Mlgigdoh.exe 2484 Mnieom32.exe 2424 Mepnpj32.exe 2568 Mkmfhacp.exe 1400 Magnek32.exe 2652 Mgcgmb32.exe 2936 Njbcim32.exe 2980 Ndgggf32.exe 1660 Nkaocp32.exe 1684 Ndjdlffl.exe 1200 Nghphaeo.exe 1640 Nnbhek32.exe 452 Nqqdag32.exe 296 Njiijlbp.exe 1812 Nqcagfim.exe 1888 Nofabc32.exe 2876 Nfpjomgd.exe 768 Nohnhc32.exe 1644 Nbfjdn32.exe 276 Odegpj32.exe 2972 Omloag32.exe 2156 Ofdcjm32.exe 2560 Ogfpbeim.exe 2680 Oomhcbjp.exe 2732 Obkdonic.exe 2636 Ojficpfn.exe 2180 Obnqem32.exe 2280 Ocomlemo.exe 2772 Ondajnme.exe 2644 Omgaek32.exe 2992 Oenifh32.exe 2084 Ogmfbd32.exe 1112 Pminkk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2024 1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe 2024 1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe 2552 Iigoqe32.exe 2552 Iigoqe32.exe 2292 Ifkojiim.exe 2292 Ifkojiim.exe 2664 Jeplkf32.exe 2664 Jeplkf32.exe 2600 Jbdlejmn.exe 2600 Jbdlejmn.exe 2728 Jjoailji.exe 2728 Jjoailji.exe 2468 Jkonco32.exe 2468 Jkonco32.exe 2700 Jcjbgaog.exe 2700 Jcjbgaog.exe 956 Jnofejom.exe 956 Jnofejom.exe 2364 Jmdcfg32.exe 2364 Jmdcfg32.exe 1920 Kjhdokbo.exe 1920 Kjhdokbo.exe 2808 Kfoedl32.exe 2808 Kfoedl32.exe 864 Kinaqg32.exe 864 Kinaqg32.exe 1612 Kegnkh32.exe 1612 Kegnkh32.exe 1440 Koocdnai.exe 1440 Koocdnai.exe 2892 Lkfciogm.exe 2892 Lkfciogm.exe 2068 Lekhfgfc.exe 2068 Lekhfgfc.exe 656 Lfmdnp32.exe 656 Lfmdnp32.exe 1144 Lodlom32.exe 1144 Lodlom32.exe 344 Lgoacojo.exe 344 Lgoacojo.exe 1344 Ladeqhjd.exe 1344 Ladeqhjd.exe 616 Ldcamcih.exe 616 Ldcamcih.exe 964 Lipjejgp.exe 964 Lipjejgp.exe 1252 Lpjbad32.exe 1252 Lpjbad32.exe 2116 Lchnnp32.exe 2116 Lchnnp32.exe 2444 Lmnbkinf.exe 2444 Lmnbkinf.exe 2000 Loooca32.exe 2000 Loooca32.exe 1584 Mhgclfje.exe 1584 Mhgclfje.exe 2304 Mcmhiojk.exe 2304 Mcmhiojk.exe 2576 Migpeiag.exe 2576 Migpeiag.exe 2692 Mkhmma32.exe 2692 Mkhmma32.exe 2816 Mcodno32.exe 2816 Mcodno32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pndniaop.exe Plfamfpm.exe File opened for modification C:\Windows\SysWOW64\Qmlgonbe.exe Qljkhe32.exe File created C:\Windows\SysWOW64\Maomqp32.dll Cfgaiaci.exe File created C:\Windows\SysWOW64\Fpfdalii.exe Facdeo32.exe File created C:\Windows\SysWOW64\Hnempl32.dll Geolea32.exe File opened for modification C:\Windows\SysWOW64\Inljnfkg.exe Ilknfn32.exe File created C:\Windows\SysWOW64\Cnacpn32.dll Migpeiag.exe File created C:\Windows\SysWOW64\Pfiidobe.exe Pnbacbac.exe File created C:\Windows\SysWOW64\Qhmbagfa.exe Pabjem32.exe File opened for modification C:\Windows\SysWOW64\Coklgg32.exe Cphlljge.exe File opened for modification C:\Windows\SysWOW64\Chhjkl32.exe Cfinoq32.exe File created C:\Windows\SysWOW64\Fkahhbbj.dll Djnpnc32.exe File opened for modification C:\Windows\SysWOW64\Gegfdb32.exe Gonnhhln.exe File created C:\Windows\SysWOW64\Pabakh32.dll Gaqcoc32.exe File created C:\Windows\SysWOW64\Loooca32.exe Lmnbkinf.exe File opened for modification C:\Windows\SysWOW64\Mnieom32.exe Mlgigdoh.exe File created C:\Windows\SysWOW64\Geolea32.exe Gacpdbej.exe File created C:\Windows\SysWOW64\Hgpdcgoc.dll Hlakpp32.exe File created C:\Windows\SysWOW64\Ogmfbd32.exe Oenifh32.exe File created C:\Windows\SysWOW64\Piehkkcl.exe Pchpbded.exe File opened for modification C:\Windows\SysWOW64\Bloqah32.exe Baildokg.exe File created C:\Windows\SysWOW64\Cljcelan.exe Cjlgiqbk.exe File created C:\Windows\SysWOW64\Ipdljffa.dll Dflkdp32.exe File created C:\Windows\SysWOW64\Jfpjfeia.dll Djbiicon.exe File opened for modification C:\Windows\SysWOW64\Mhgclfje.exe Loooca32.exe File created C:\Windows\SysWOW64\Ojficpfn.exe Obkdonic.exe File created C:\Windows\SysWOW64\Jamfqeie.dll Epdkli32.exe File opened for modification C:\Windows\SysWOW64\Hpkjko32.exe Hmlnoc32.exe File created C:\Windows\SysWOW64\Cibcni32.dll Qaefjm32.exe File created C:\Windows\SysWOW64\Cfbhnaho.exe Ccdlbf32.exe File created C:\Windows\SysWOW64\Hlakpp32.exe Hicodd32.exe File opened for modification C:\Windows\SysWOW64\Pjpkjond.exe Pfdpip32.exe File created C:\Windows\SysWOW64\Ajenen32.dll Pjpkjond.exe File opened for modification C:\Windows\SysWOW64\Qljkhe32.exe Qaefjm32.exe File created C:\Windows\SysWOW64\Aepojo32.exe Abbbnchb.exe File opened for modification C:\Windows\SysWOW64\Hejoiedd.exe Hggomh32.exe File opened for modification C:\Windows\SysWOW64\Mkhmma32.exe Migpeiag.exe File created C:\Windows\SysWOW64\Ljfekqdn.dll Mlgigdoh.exe File opened for modification C:\Windows\SysWOW64\Ealnephf.exe Ennaieib.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Cinika32.dll Qmlgonbe.exe File created C:\Windows\SysWOW64\Djnpnc32.exe Dkkpbgli.exe File opened for modification C:\Windows\SysWOW64\Hicodd32.exe Hgdbhi32.exe File created C:\Windows\SysWOW64\Omgaek32.exe Ondajnme.exe File opened for modification C:\Windows\SysWOW64\Epdkli32.exe Eijcpoac.exe File created C:\Windows\SysWOW64\Glpjaf32.dll Eijcpoac.exe File opened for modification C:\Windows\SysWOW64\Fjgoce32.exe Faokjpfd.exe File created C:\Windows\SysWOW64\Mcodno32.exe Mkhmma32.exe File opened for modification C:\Windows\SysWOW64\Mcodno32.exe Mkhmma32.exe File opened for modification C:\Windows\SysWOW64\Pchpbded.exe Pjpkjond.exe File opened for modification C:\Windows\SysWOW64\Aiedjneg.exe Affhncfc.exe File created C:\Windows\SysWOW64\Ckblig32.dll Cjpqdp32.exe File opened for modification C:\Windows\SysWOW64\Gicbeald.exe Gegfdb32.exe File created C:\Windows\SysWOW64\Lmnbkinf.exe Lchnnp32.exe File created C:\Windows\SysWOW64\Kfammbdf.dll Pfdpip32.exe File opened for modification C:\Windows\SysWOW64\Lekhfgfc.exe Lkfciogm.exe File created C:\Windows\SysWOW64\Qngmeo32.dll Magnek32.exe File created C:\Windows\SysWOW64\Fonfbi32.dll Ndgggf32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Bnpmipql.exe File opened for modification C:\Windows\SysWOW64\Djefobmk.exe Dcknbh32.exe File opened for modification C:\Windows\SysWOW64\Gkgkbipp.exe Gieojq32.exe File opened for modification C:\Windows\SysWOW64\Jbdlejmn.exe Jeplkf32.exe File opened for modification C:\Windows\SysWOW64\Jmdcfg32.exe Jnofejom.exe File created C:\Windows\SysWOW64\Fdoclk32.exe Fmekoalh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3232 3212 WerFault.exe 247 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ifkojiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haobqm32.dll" Mkmfhacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmdloao.dll" Paggai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bloqah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lpjbad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibcni32.dll" Qaefjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gieojq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ilknfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hejoiedd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obnqem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfammbdf.dll" Pfdpip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qljkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppiecpn.dll" Cckace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" Fddmgjpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcodno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckggkg32.dll" Qljkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hggomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfjfiam.dll" Lgoacojo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oenifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ckffgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcocb32.dll" Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Glfhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" Hicodd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjhdokbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjlg32.dll" Mcodno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boiccdnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Comimg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eijcpoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" Hhjhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jkonco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdmeemc.dll" Piehkkcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqddgc32.dll" Adhlaggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ennaieib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ladeqhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ocomlemo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aljgfioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bagpopmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jjoailji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodnnc32.dll" Mcmhiojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacpn32.dll" Migpeiag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" Inljnfkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgilchkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lkfciogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Obkdonic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdaihk.dll" Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adjigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobkmdfq.dll" Boiccdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjpqdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjbmjplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mgcgmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nkaocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ondajnme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pminkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Abpfhcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ccdlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlakpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihoafpmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll" Cljcelan.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2024 wrote to memory of 2552 2024 1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe 28 PID 2024 wrote to memory of 2552 2024 1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe 28 PID 2024 wrote to memory of 2552 2024 1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe 28 PID 2024 wrote to memory of 2552 2024 1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe 28 PID 2552 wrote to memory of 2292 2552 Iigoqe32.exe 29 PID 2552 wrote to memory of 2292 2552 Iigoqe32.exe 29 PID 2552 wrote to memory of 2292 2552 Iigoqe32.exe 29 PID 2552 wrote to memory of 2292 2552 Iigoqe32.exe 29 PID 2292 wrote to memory of 2664 2292 Ifkojiim.exe 30 PID 2292 wrote to memory of 2664 2292 Ifkojiim.exe 30 PID 2292 wrote to memory of 2664 2292 Ifkojiim.exe 30 PID 2292 wrote to memory of 2664 2292 Ifkojiim.exe 30 PID 2664 wrote to memory of 2600 2664 Jeplkf32.exe 31 PID 2664 wrote to memory of 2600 2664 Jeplkf32.exe 31 PID 2664 wrote to memory of 2600 2664 Jeplkf32.exe 31 PID 2664 wrote to memory of 2600 2664 Jeplkf32.exe 31 PID 2600 wrote to memory of 2728 2600 Jbdlejmn.exe 32 PID 2600 wrote to memory of 2728 2600 Jbdlejmn.exe 32 PID 2600 wrote to memory of 2728 2600 Jbdlejmn.exe 32 PID 2600 wrote to memory of 2728 2600 Jbdlejmn.exe 32 PID 2728 wrote to memory of 2468 2728 Jjoailji.exe 33 PID 2728 wrote to memory of 2468 2728 Jjoailji.exe 33 PID 2728 wrote to memory of 2468 2728 Jjoailji.exe 33 PID 2728 wrote to memory of 2468 2728 Jjoailji.exe 33 PID 2468 wrote to memory of 2700 2468 Jkonco32.exe 34 PID 2468 wrote to memory of 2700 2468 Jkonco32.exe 34 PID 2468 wrote to memory of 2700 2468 Jkonco32.exe 34 PID 2468 wrote to memory of 2700 2468 Jkonco32.exe 34 PID 2700 wrote to memory of 956 2700 Jcjbgaog.exe 35 PID 2700 wrote to memory of 956 2700 Jcjbgaog.exe 35 PID 2700 wrote to memory of 956 2700 Jcjbgaog.exe 35 PID 2700 wrote to memory of 956 2700 Jcjbgaog.exe 35 PID 956 wrote to memory of 2364 956 Jnofejom.exe 36 PID 956 wrote to memory of 2364 956 Jnofejom.exe 36 PID 956 wrote to memory of 2364 956 Jnofejom.exe 36 PID 956 wrote to memory of 2364 956 Jnofejom.exe 36 PID 2364 wrote to memory of 1920 2364 Jmdcfg32.exe 37 PID 2364 wrote to memory of 1920 2364 Jmdcfg32.exe 37 PID 2364 wrote to memory of 1920 2364 Jmdcfg32.exe 37 PID 2364 wrote to memory of 1920 2364 Jmdcfg32.exe 37 PID 1920 wrote to memory of 2808 1920 Kjhdokbo.exe 38 PID 1920 wrote to memory of 2808 1920 Kjhdokbo.exe 38 PID 1920 wrote to memory of 2808 1920 Kjhdokbo.exe 38 PID 1920 wrote to memory of 2808 1920 Kjhdokbo.exe 38 PID 2808 wrote to memory of 864 2808 Kfoedl32.exe 39 PID 2808 wrote to memory of 864 2808 Kfoedl32.exe 39 PID 2808 wrote to memory of 864 2808 Kfoedl32.exe 39 PID 2808 wrote to memory of 864 2808 Kfoedl32.exe 39 PID 864 wrote to memory of 1612 864 Kinaqg32.exe 40 PID 864 wrote to memory of 1612 864 Kinaqg32.exe 40 PID 864 wrote to memory of 1612 864 Kinaqg32.exe 40 PID 864 wrote to memory of 1612 864 Kinaqg32.exe 40 PID 1612 wrote to memory of 1440 1612 Kegnkh32.exe 41 PID 1612 wrote to memory of 1440 1612 Kegnkh32.exe 41 PID 1612 wrote to memory of 1440 1612 Kegnkh32.exe 41 PID 1612 wrote to memory of 1440 1612 Kegnkh32.exe 41 PID 1440 wrote to memory of 2892 1440 Koocdnai.exe 42 PID 1440 wrote to memory of 2892 1440 Koocdnai.exe 42 PID 1440 wrote to memory of 2892 1440 Koocdnai.exe 42 PID 1440 wrote to memory of 2892 1440 Koocdnai.exe 42 PID 2892 wrote to memory of 2068 2892 Lkfciogm.exe 43 PID 2892 wrote to memory of 2068 2892 Lkfciogm.exe 43 PID 2892 wrote to memory of 2068 2892 Lkfciogm.exe 43 PID 2892 wrote to memory of 2068 2892 Lkfciogm.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe"C:\Users\Admin\AppData\Local\Temp\1a19eb9f58be3d52d88e6ce7803101f4124037badad185a48bf58322b0badeb3.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Jeplkf32.exeC:\Windows\system32\Jeplkf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Jkonco32.exeC:\Windows\system32\Jkonco32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:656 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:616 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Mhgclfje.exeC:\Windows\system32\Mhgclfje.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe34⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe35⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe39⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe42⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Nnbhek32.exeC:\Windows\system32\Nnbhek32.exe44⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Nqqdag32.exeC:\Windows\system32\Nqqdag32.exe45⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Njiijlbp.exeC:\Windows\system32\Njiijlbp.exe46⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe48⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Nfpjomgd.exeC:\Windows\system32\Nfpjomgd.exe49⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Nohnhc32.exeC:\Windows\system32\Nohnhc32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe51⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Odegpj32.exeC:\Windows\system32\Odegpj32.exe52⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe53⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe58⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe64⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Pmlkpjpj.exeC:\Windows\system32\Pmlkpjpj.exe67⤵PID:564
-
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe70⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe72⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe73⤵PID:3064
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe74⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Pfiidobe.exeC:\Windows\system32\Pfiidobe.exe75⤵PID:2736
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe76⤵
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Pndniaop.exeC:\Windows\system32\Pndniaop.exe77⤵PID:3048
-
C:\Windows\SysWOW64\Pabjem32.exeC:\Windows\system32\Pabjem32.exe78⤵
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe79⤵PID:2792
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe83⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe85⤵PID:912
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Affhncfc.exeC:\Windows\system32\Affhncfc.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe88⤵PID:2656
-
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe89⤵PID:2076
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe90⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe91⤵PID:2104
-
C:\Windows\SysWOW64\Ambmpmln.exeC:\Windows\system32\Ambmpmln.exe92⤵PID:2516
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe93⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe95⤵PID:2996
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe96⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Aepojo32.exeC:\Windows\system32\Aepojo32.exe97⤵PID:2940
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe98⤵
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe100⤵PID:2020
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe101⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1808 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe103⤵PID:3028
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe104⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe105⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe106⤵PID:2308
-
C:\Windows\SysWOW64\Bnpmipql.exeC:\Windows\system32\Bnpmipql.exe107⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe109⤵PID:2160
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe110⤵PID:2832
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe111⤵PID:2188
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe112⤵PID:1316
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe113⤵PID:1608
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:112 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe115⤵PID:332
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe116⤵PID:640
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe117⤵
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe118⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe120⤵PID:2628
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe121⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe122⤵PID:1768
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-