Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 13:13
Behavioral task
behavioral1
Sample
2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe
Resource
win10v2004-20240508-en
General
-
Target
2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe
-
Size
386KB
-
MD5
2006bc44df811c0eb75576461934f000
-
SHA1
2cf2bf314a2bffba6a0d95f356872456d03c9170
-
SHA256
2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206
-
SHA512
5990d9de0315bffc34d3cc4f2231b647c242b14a482e2e9ce89b1d0d84436520a6932c6e87ca9a4810e8116a9b371f9b68efaa6ccfb531121cc73124df13340b
-
SSDEEP
12288:z0s+a4rCZYE6YYBHpd0uD319ZvSntnhp352SCdL:z0sX4rCyE6YYBHpd0uD319ZvSntnhp3c
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlefklpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oponmilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oneklm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfcfml32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdodjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkaag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmgcgbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojoign32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdcoim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegdnopg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lljfpnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amddjegd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkplejl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qddfkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcebhoii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfdodjhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodbbdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ognpebpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjhpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nepgjaeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqmjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agjhgngj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olmeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjhlml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeklkchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjkjpgfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldjhpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfobjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Delnin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojaelm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfmajipb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pncgmkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmbplc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmlcbbcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeklkchg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbknfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncbknfed.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjjhbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beglgani.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmfhig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhhoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcibama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqdqof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgcbgo32.exe -
Malware Dropper & Backdoor - Berbew 47 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000600000002326f-6.dat family_berbew behavioral2/files/0x00070000000233b2-14.dat family_berbew behavioral2/files/0x00070000000233b4-22.dat family_berbew behavioral2/files/0x00070000000233b6-30.dat family_berbew behavioral2/files/0x00070000000233b8-38.dat family_berbew behavioral2/files/0x00070000000233bb-47.dat family_berbew behavioral2/files/0x00070000000233bd-55.dat family_berbew behavioral2/files/0x00070000000233bf-62.dat family_berbew behavioral2/files/0x00070000000233c1-71.dat family_berbew behavioral2/files/0x00070000000233c3-78.dat family_berbew behavioral2/files/0x00070000000233c5-86.dat family_berbew behavioral2/files/0x00070000000233c5-81.dat family_berbew behavioral2/files/0x00070000000233c7-94.dat family_berbew behavioral2/files/0x00070000000233c9-103.dat family_berbew behavioral2/files/0x00070000000233cb-110.dat family_berbew behavioral2/files/0x00080000000233af-118.dat family_berbew behavioral2/files/0x00070000000233ce-126.dat family_berbew behavioral2/files/0x00070000000233d0-134.dat family_berbew behavioral2/files/0x00070000000233d2-137.dat family_berbew behavioral2/files/0x00070000000233d2-143.dat family_berbew behavioral2/files/0x00070000000233d5-150.dat family_berbew behavioral2/files/0x00070000000233d7-158.dat family_berbew behavioral2/files/0x00070000000233d9-166.dat family_berbew behavioral2/files/0x00070000000233db-175.dat family_berbew behavioral2/files/0x00070000000233dd-182.dat family_berbew behavioral2/files/0x00070000000233e1-198.dat family_berbew behavioral2/files/0x00070000000233e3-206.dat family_berbew behavioral2/files/0x00070000000233e5-215.dat family_berbew behavioral2/files/0x00070000000233e7-222.dat family_berbew behavioral2/files/0x00070000000233eb-235.dat family_berbew behavioral2/files/0x00070000000233ef-250.dat family_berbew behavioral2/files/0x00070000000233ed-243.dat family_berbew behavioral2/files/0x00070000000233e9-229.dat family_berbew behavioral2/files/0x00070000000233df-191.dat family_berbew behavioral2/files/0x0007000000023429-425.dat family_berbew behavioral2/files/0x000700000002342f-443.dat family_berbew behavioral2/files/0x000700000002343f-491.dat family_berbew behavioral2/files/0x000700000002344b-527.dat family_berbew behavioral2/files/0x0007000000023453-551.dat family_berbew behavioral2/files/0x0007000000023457-563.dat family_berbew behavioral2/files/0x000700000002345d-581.dat family_berbew behavioral2/files/0x000700000002347b-666.dat family_berbew behavioral2/files/0x000700000002347f-678.dat family_berbew behavioral2/files/0x0007000000023487-702.dat family_berbew behavioral2/files/0x000700000002348b-714.dat family_berbew behavioral2/files/0x000700000002349d-774.dat family_berbew behavioral2/files/0x00070000000234a3-794.dat family_berbew -
Executes dropped EXE 64 IoCs
pid Process 3764 Ldjhpl32.exe 2172 Lekehdgp.exe 724 Lfkaag32.exe 3124 Lpcfkm32.exe 4968 Lljfpnjg.exe 4620 Lbdolh32.exe 2812 Lingibiq.exe 2092 Lllcen32.exe 1688 Mpjlklok.exe 1836 Mmnldp32.exe 4224 Mgfqmfde.exe 2320 Mlcifmbl.exe 1964 Melnob32.exe 1900 Mlefklpj.exe 532 Mgkjhe32.exe 1624 Ncbknfed.exe 2344 Nepgjaeg.exe 1812 Ngdmod32.exe 3016 Nckndeni.exe 1200 Njefqo32.exe 2084 Oponmilc.exe 392 Ojgbfocc.exe 2184 Olfobjbg.exe 5048 Odmgcgbi.exe 2640 Ofnckp32.exe 616 Oneklm32.exe 3828 Odocigqg.exe 3360 Ocbddc32.exe 3080 Ognpebpj.exe 116 Ojllan32.exe 4376 Onhhamgg.exe 3596 Olkhmi32.exe 1796 Odapnf32.exe 3404 Ocdqjceo.exe 948 Ofcmfodb.exe 1972 Ojoign32.exe 3704 Olmeci32.exe 4300 Oddmdf32.exe 1784 Ocgmpccl.exe 3992 Ofeilobp.exe 3808 Ojaelm32.exe 2712 Pqknig32.exe 4772 Pdfjifjo.exe 4408 Pgefeajb.exe 2720 Pfhfan32.exe 3716 Pjcbbmif.exe 2652 Pmannhhj.exe 3260 Pqmjog32.exe 4372 Pclgkb32.exe 2808 Pcncpbmd.exe 1068 Pgioqq32.exe 5036 Pjhlml32.exe 2396 Pncgmkmj.exe 2468 Pmfhig32.exe 856 Pdmpje32.exe 2792 Pcppfaka.exe 5056 Pgllfp32.exe 2304 Pjjhbl32.exe 4084 Pnfdcjkg.exe 8 Pqdqof32.exe 4796 Qfcfml32.exe 2744 Qmmnjfnl.exe 3624 Qddfkd32.exe 5068 Qgcbgo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lljfpnjg.exe Lpcfkm32.exe File created C:\Windows\SysWOW64\Pqmjog32.exe Pmannhhj.exe File opened for modification C:\Windows\SysWOW64\Dmjocp32.exe Dkkcge32.exe File created C:\Windows\SysWOW64\Deagdn32.exe Dmjocp32.exe File created C:\Windows\SysWOW64\Amhpcomb.dll Lfkaag32.exe File created C:\Windows\SysWOW64\Jfpbkoql.dll Oddmdf32.exe File created C:\Windows\SysWOW64\Lnlden32.dll Pjjhbl32.exe File created C:\Windows\SysWOW64\Cdcoim32.exe Caebma32.exe File created C:\Windows\SysWOW64\Ckmllpik.dll Cdcoim32.exe File created C:\Windows\SysWOW64\Dfnjafap.exe Delnin32.exe File created C:\Windows\SysWOW64\Agjhgngj.exe Aeklkchg.exe File created C:\Windows\SysWOW64\Cfmajipb.exe Bcoenmao.exe File created C:\Windows\SysWOW64\Lljfpnjg.exe Lpcfkm32.exe File opened for modification C:\Windows\SysWOW64\Ocbddc32.exe Odocigqg.exe File opened for modification C:\Windows\SysWOW64\Odapnf32.exe Olkhmi32.exe File created C:\Windows\SysWOW64\Oddmdf32.exe Olmeci32.exe File created C:\Windows\SysWOW64\Pgefeajb.exe Pdfjifjo.exe File created C:\Windows\SysWOW64\Ifoihl32.dll Pdmpje32.exe File created C:\Windows\SysWOW64\Cnnlaehj.exe Cffdpghg.exe File opened for modification C:\Windows\SysWOW64\Lllcen32.exe Lingibiq.exe File created C:\Windows\SysWOW64\Bffkij32.exe Baicac32.exe File created C:\Windows\SysWOW64\Mlefklpj.exe Melnob32.exe File created C:\Windows\SysWOW64\Lgepdkpo.dll Ngdmod32.exe File opened for modification C:\Windows\SysWOW64\Onhhamgg.exe Ojllan32.exe File opened for modification C:\Windows\SysWOW64\Pclgkb32.exe Pqmjog32.exe File created C:\Windows\SysWOW64\Adgbpc32.exe Ampkof32.exe File created C:\Windows\SysWOW64\Gdeahgnm.dll Amddjegd.exe File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe Mlefklpj.exe File opened for modification C:\Windows\SysWOW64\Ncbknfed.exe Mgkjhe32.exe File created C:\Windows\SysWOW64\Jbaqqh32.dll Oneklm32.exe File created C:\Windows\SysWOW64\Pjcbbmif.exe Pfhfan32.exe File created C:\Windows\SysWOW64\Mmcdaagm.dll Ocgmpccl.exe File created C:\Windows\SysWOW64\Baicac32.exe Bfdodjhm.exe File created C:\Windows\SysWOW64\Cnicfe32.exe Cdcoim32.exe File created C:\Windows\SysWOW64\Delnin32.exe Dobfld32.exe File created C:\Windows\SysWOW64\Ofnckp32.exe Odmgcgbi.exe File created C:\Windows\SysWOW64\Ocbddc32.exe Odocigqg.exe File created C:\Windows\SysWOW64\Llmglb32.dll Odocigqg.exe File created C:\Windows\SysWOW64\Igjnojdk.dll Pgefeajb.exe File opened for modification C:\Windows\SysWOW64\Cnnlaehj.exe Cffdpghg.exe File opened for modification C:\Windows\SysWOW64\Dfknkg32.exe Dejacond.exe File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe Deagdn32.exe File created C:\Windows\SysWOW64\Ojllan32.exe Ognpebpj.exe File created C:\Windows\SysWOW64\Ocgmpccl.exe Oddmdf32.exe File opened for modification C:\Windows\SysWOW64\Pqmjog32.exe Pmannhhj.exe File created C:\Windows\SysWOW64\Bneljh32.dll Bfdodjhm.exe File created C:\Windows\SysWOW64\Pjngmo32.dll Cdfkolkf.exe File created C:\Windows\SysWOW64\Dobfld32.exe Dfknkg32.exe File created C:\Windows\SysWOW64\Cffdpghg.exe Ceehho32.exe File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe Delnin32.exe File created C:\Windows\SysWOW64\Mgkjhe32.exe Mlefklpj.exe File opened for modification C:\Windows\SysWOW64\Olfobjbg.exe Ojgbfocc.exe File opened for modification C:\Windows\SysWOW64\Pncgmkmj.exe Pjhlml32.exe File opened for modification C:\Windows\SysWOW64\Aclpap32.exe Ambgef32.exe File created C:\Windows\SysWOW64\Bmhnkg32.dll Bmpcfdmg.exe File created C:\Windows\SysWOW64\Kofpij32.dll Beglgani.exe File created C:\Windows\SysWOW64\Ingbah32.dll Lingibiq.exe File created C:\Windows\SysWOW64\Olfobjbg.exe Ojgbfocc.exe File created C:\Windows\SysWOW64\Booogccm.dll Odmgcgbi.exe File opened for modification C:\Windows\SysWOW64\Pjcbbmif.exe Pfhfan32.exe File created C:\Windows\SysWOW64\Nepgjaeg.exe Ncbknfed.exe File opened for modification C:\Windows\SysWOW64\Odocigqg.exe Oneklm32.exe File opened for modification C:\Windows\SysWOW64\Oddmdf32.exe Olmeci32.exe File created C:\Windows\SysWOW64\Bdjinlko.dll Pqknig32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5416 5128 WerFault.exe 209 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll" Mgkjhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll" Nepgjaeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" Ojoign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocgmpccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgefeajb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdmpje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdcoim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ambgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll" Aclpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aabmqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjfaeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Belebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfmajipb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmnldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqknig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ampkof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Accfbokl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnnlaehj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocbddc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfhfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll" Pcppfaka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll" Bffkij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" Cnicfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" Lfkaag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njefqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll" Odmgcgbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odocigqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll" Ocgmpccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" Cdfkolkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll" Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olfobjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odapnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pqmjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll" Lllcen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Melnob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odmgcgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll" Pjjhbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll" Acqimo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmjocp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmmnjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkkcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pncgmkmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll" Ojgbfocc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olmeci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojaelm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgioqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmlcbbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" Cegdnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" Dmgbnq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4572 wrote to memory of 3764 4572 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 83 PID 4572 wrote to memory of 3764 4572 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 83 PID 4572 wrote to memory of 3764 4572 2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe 83 PID 3764 wrote to memory of 2172 3764 Ldjhpl32.exe 84 PID 3764 wrote to memory of 2172 3764 Ldjhpl32.exe 84 PID 3764 wrote to memory of 2172 3764 Ldjhpl32.exe 84 PID 2172 wrote to memory of 724 2172 Lekehdgp.exe 85 PID 2172 wrote to memory of 724 2172 Lekehdgp.exe 85 PID 2172 wrote to memory of 724 2172 Lekehdgp.exe 85 PID 724 wrote to memory of 3124 724 Lfkaag32.exe 86 PID 724 wrote to memory of 3124 724 Lfkaag32.exe 86 PID 724 wrote to memory of 3124 724 Lfkaag32.exe 86 PID 3124 wrote to memory of 4968 3124 Lpcfkm32.exe 87 PID 3124 wrote to memory of 4968 3124 Lpcfkm32.exe 87 PID 3124 wrote to memory of 4968 3124 Lpcfkm32.exe 87 PID 4968 wrote to memory of 4620 4968 Lljfpnjg.exe 88 PID 4968 wrote to memory of 4620 4968 Lljfpnjg.exe 88 PID 4968 wrote to memory of 4620 4968 Lljfpnjg.exe 88 PID 4620 wrote to memory of 2812 4620 Lbdolh32.exe 89 PID 4620 wrote to memory of 2812 4620 Lbdolh32.exe 89 PID 4620 wrote to memory of 2812 4620 Lbdolh32.exe 89 PID 2812 wrote to memory of 2092 2812 Lingibiq.exe 90 PID 2812 wrote to memory of 2092 2812 Lingibiq.exe 90 PID 2812 wrote to memory of 2092 2812 Lingibiq.exe 90 PID 2092 wrote to memory of 1688 2092 Lllcen32.exe 92 PID 2092 wrote to memory of 1688 2092 Lllcen32.exe 92 PID 2092 wrote to memory of 1688 2092 Lllcen32.exe 92 PID 1688 wrote to memory of 1836 1688 Mpjlklok.exe 94 PID 1688 wrote to memory of 1836 1688 Mpjlklok.exe 94 PID 1688 wrote to memory of 1836 1688 Mpjlklok.exe 94 PID 1836 wrote to memory of 4224 1836 Mmnldp32.exe 95 PID 1836 wrote to memory of 4224 1836 Mmnldp32.exe 95 PID 1836 wrote to memory of 4224 1836 Mmnldp32.exe 95 PID 4224 wrote to memory of 2320 4224 Mgfqmfde.exe 96 PID 4224 wrote to memory of 2320 4224 Mgfqmfde.exe 96 PID 4224 wrote to memory of 2320 4224 Mgfqmfde.exe 96 PID 2320 wrote to memory of 1964 2320 Mlcifmbl.exe 98 PID 2320 wrote to memory of 1964 2320 Mlcifmbl.exe 98 PID 2320 wrote to memory of 1964 2320 Mlcifmbl.exe 98 PID 1964 wrote to memory of 1900 1964 Melnob32.exe 99 PID 1964 wrote to memory of 1900 1964 Melnob32.exe 99 PID 1964 wrote to memory of 1900 1964 Melnob32.exe 99 PID 1900 wrote to memory of 532 1900 Mlefklpj.exe 100 PID 1900 wrote to memory of 532 1900 Mlefklpj.exe 100 PID 1900 wrote to memory of 532 1900 Mlefklpj.exe 100 PID 532 wrote to memory of 1624 532 Mgkjhe32.exe 101 PID 532 wrote to memory of 1624 532 Mgkjhe32.exe 101 PID 532 wrote to memory of 1624 532 Mgkjhe32.exe 101 PID 1624 wrote to memory of 2344 1624 Ncbknfed.exe 102 PID 1624 wrote to memory of 2344 1624 Ncbknfed.exe 102 PID 1624 wrote to memory of 2344 1624 Ncbknfed.exe 102 PID 2344 wrote to memory of 1812 2344 Nepgjaeg.exe 103 PID 2344 wrote to memory of 1812 2344 Nepgjaeg.exe 103 PID 2344 wrote to memory of 1812 2344 Nepgjaeg.exe 103 PID 1812 wrote to memory of 3016 1812 Ngdmod32.exe 104 PID 1812 wrote to memory of 3016 1812 Ngdmod32.exe 104 PID 1812 wrote to memory of 3016 1812 Ngdmod32.exe 104 PID 3016 wrote to memory of 1200 3016 Nckndeni.exe 105 PID 3016 wrote to memory of 1200 3016 Nckndeni.exe 105 PID 3016 wrote to memory of 1200 3016 Nckndeni.exe 105 PID 1200 wrote to memory of 2084 1200 Njefqo32.exe 106 PID 1200 wrote to memory of 2084 1200 Njefqo32.exe 106 PID 1200 wrote to memory of 2084 1200 Njefqo32.exe 106 PID 2084 wrote to memory of 392 2084 Oponmilc.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe"C:\Users\Admin\AppData\Local\Temp\2ffaedcd0e947cb6baec163d15eb7e3905fdae09ece4365f0c5f3750bbae7206.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Lekehdgp.exeC:\Windows\system32\Lekehdgp.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Ncbknfed.exeC:\Windows\system32\Ncbknfed.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Ngdmod32.exeC:\Windows\system32\Ngdmod32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Oponmilc.exeC:\Windows\system32\Oponmilc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:392 -
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe26⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Odocigqg.exeC:\Windows\system32\Odocigqg.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3360 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3080 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:116 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe32⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Olkhmi32.exeC:\Windows\system32\Olkhmi32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3596 -
C:\Windows\SysWOW64\Odapnf32.exeC:\Windows\system32\Odapnf32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe35⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe36⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3704 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4300 -
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe41⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3808 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Pdfjifjo.exeC:\Windows\system32\Pdfjifjo.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4772 -
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4408 -
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe47⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Pqmjog32.exeC:\Windows\system32\Pqmjog32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe50⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Pcncpbmd.exeC:\Windows\system32\Pcncpbmd.exe51⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5036 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe58⤵
- Executes dropped EXE
PID:5056 -
C:\Windows\SysWOW64\Pjjhbl32.exeC:\Windows\system32\Pjjhbl32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe60⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Qgcbgo32.exeC:\Windows\system32\Qgcbgo32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe67⤵PID:1412
-
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe68⤵PID:2372
-
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe70⤵
- Modifies registry class
PID:180 -
C:\Windows\SysWOW64\Agglboim.exeC:\Windows\system32\Agglboim.exe71⤵PID:3916
-
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Agjhgngj.exeC:\Windows\system32\Agjhgngj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Andqdh32.exeC:\Windows\system32\Andqdh32.exe75⤵PID:2784
-
C:\Windows\SysWOW64\Aabmqd32.exeC:\Windows\system32\Aabmqd32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Acqimo32.exeC:\Windows\system32\Acqimo32.exe77⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe79⤵PID:3428
-
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe80⤵
- Modifies registry class
PID:4896 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe81⤵PID:3424
-
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe82⤵PID:3644
-
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4580 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Baicac32.exeC:\Windows\system32\Baicac32.exe85⤵
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe86⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe87⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3436 -
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe91⤵PID:228
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe92⤵
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Belebq32.exeC:\Windows\system32\Belebq32.exe93⤵
- Modifies registry class
PID:4920 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe96⤵PID:2156
-
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe97⤵PID:1448
-
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2260 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe99⤵
- Drops file in System32 directory
PID:4848 -
C:\Windows\SysWOW64\Cdcoim32.exeC:\Windows\system32\Cdcoim32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe101⤵
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Cmlcbbcj.exeC:\Windows\system32\Cmlcbbcj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5244 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5352 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe105⤵
- Drops file in System32 directory
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe106⤵
- Drops file in System32 directory
PID:5432 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe107⤵
- Modifies registry class
PID:5468 -
C:\Windows\SysWOW64\Cegdnopg.exeC:\Windows\system32\Cegdnopg.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5508 -
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe109⤵PID:5552
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5592 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe111⤵
- Drops file in System32 directory
PID:5632 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe112⤵
- Drops file in System32 directory
PID:5672 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe115⤵PID:5800
-
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe121⤵
- Drops file in System32 directory
PID:6056 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe122⤵PID:6100
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-