Analysis
max time kernel: 149s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2022 04:42
Static task: static1
Behavioral task: behavioral1
Sample: cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe
Resource: win10v2004-20220901-en
General
Target: cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe
Size: 92KB
MD5: 079ef782fb1b8db0df85600ecb38eb00
SHA1: ca573a1348ccc55e23b85809e6fdbf775206c53a
SHA256: cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf
SHA512: 0bcfe8a174631c2831a4e156d0dc27e6ec3e295845abf43056823e2019d9f7b5e2958d9831d55583e345813ba337a383ba466729ecc6363f81dde33fa69f2d12
SSDEEP: 1536:Vxm6SjL7rowIjmYeWUxSpWROZYQ9+5FTzBA3jLV3BGnMPJKEsztuJO:cjLvoFYSp7S5FJkjLlBRh1sN
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnqfgbjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oklnbkdp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpnlod32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bicgfb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lemcoccc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meamib32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Omhnifeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Poqpanem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbonbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpnaoeqo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Difehkgp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alljdngf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqegce32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqcigqhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kaqgmpjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfgblepb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmmeoajm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhbbjaoj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bplhkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mafaidgd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cioimfil.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjcdhjia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbdimenj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plhdhkkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmmeoajm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adiddf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anhikj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhhddohe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfpnkkkj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kndggdhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opfjebdj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcegfajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kejfho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmakidic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eakmbllp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdapok32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogekmkhb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdfbnelf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbdimenj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aqnoianm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ikaeqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbppffcd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocfnelbc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbcqmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofnell32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnphgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mkkefmgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfllgima.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipbejckk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phpkjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjgofjgg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqnoianm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Doadopei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdocikij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acmlemmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjcomijp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qldmie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dnnkbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdedoi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngkdekad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcnpkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Paolmidq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iafngkog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nhqiinol.exe
Executes dropped EXE (64 IoCs)
pid | Process
1748 | Lgfnjdaj.exe
2012 | Loabofne.exe
1304 | Mfkgjchn.exe
1336 | Mmglmm32.exe
2000 | Mbddedlo.exe
1772 | Mmihbmke.exe
320 | Nccqog32.exe
1704 | Nloeci32.exe
1152 | Nfdjqbpc.exe
1592 | Nlabiink.exe
340 | Nankaplb.exe
1488 | Nhhcnj32.exe
544 | Nbmgkcce.exe
1508 | Nlfldh32.exe
1108 | Penlla32.exe
2024 | Plhdhkkn.exe
2044 | Pkmaih32.exe
1104 | Pdefbm32.exe
1828 | Aiehmo32.exe
988 | Akddij32.exe
1016 | Abnlfdcf.exe
868 | Ajiajf32.exe
1340 | Aqcigqhn.exe
1268 | Bkimdihd.exe
1324 | Bmjjla32.exe
1720 | Bgonij32.exe
1116 | Bniffd32.exe
1952 | Bpkbnmkc.exe
1484 | Bfdkjg32.exe
1860 | Bicgfb32.exe
1620 | Chfpim32.exe
1584 | Dellniki.exe
1504 | Eigdnkfn.exe
1656 | Epcipd32.exe
2032 | Fhedef32.exe
1752 | Fpcfohnc.exe
1480 | Fljfdi32.exe
1552 | Gdanef32.exe
1804 | Gmicnl32.exe
1176 | Gedhbn32.exe
908 | Gomlkcof.exe
796 | Gakhgonj.exe
1184 | Geianmdp.exe
1664 | Goaefc32.exe
960 | Gdonoj32.exe
860 | Hpeock32.exe
388 | Hkmpfc32.exe
1068 | Hnllbolc.exe
592 | Hdedoi32.exe
600 | Hlqick32.exe
1912 | Ifkjbp32.exe
436 | Ikhbjg32.exe
932 | Idqgcmja.exe
1692 | Ikmlefok.exe
1724 | Ijbifc32.exe
1360 | Ikaeqf32.exe
680 | Jejjikaf.exe
912 | Jghfegqj.exe
1304 | Jqajnlgj.exe
1772 | Jmgkcm32.exe
704 | Jfpplcco.exe
1780 | Jcdpeg32.exe
1696 | Jpkakhhm.exe
1104 | Kicecn32.exe
Loads dropped DLL (64 IoCs)
pid | Process
1728 | cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe
1728 | cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe
1748 | Lgfnjdaj.exe
1748 | Lgfnjdaj.exe
2012 | Loabofne.exe
2012 | Loabofne.exe
1304 | Mfkgjchn.exe
1304 | Mfkgjchn.exe
1336 | Mmglmm32.exe
1336 | Mmglmm32.exe
2000 | Mbddedlo.exe
2000 | Mbddedlo.exe
1772 | Mmihbmke.exe
1772 | Mmihbmke.exe
320 | Nccqog32.exe
320 | Nccqog32.exe
1704 | Nloeci32.exe
1704 | Nloeci32.exe
1152 | Nfdjqbpc.exe
1152 | Nfdjqbpc.exe
1592 | Nlabiink.exe
1592 | Nlabiink.exe
340 | Nankaplb.exe
340 | Nankaplb.exe
1488 | Nhhcnj32.exe
1488 | Nhhcnj32.exe
544 | Nbmgkcce.exe
544 | Nbmgkcce.exe
1508 | Nlfldh32.exe
1508 | Nlfldh32.exe
1108 | Penlla32.exe
1108 | Penlla32.exe
2024 | Plhdhkkn.exe
2024 | Plhdhkkn.exe
2044 | Pkmaih32.exe
2044 | Pkmaih32.exe
1104 | Pdefbm32.exe
1104 | Pdefbm32.exe
1828 | Aiehmo32.exe
1828 | Aiehmo32.exe
988 | Akddij32.exe
988 | Akddij32.exe
956 | Aihdbn32.exe
956 | Aihdbn32.exe
868 | Ajiajf32.exe
868 | Ajiajf32.exe
1340 | Aqcigqhn.exe
1340 | Aqcigqhn.exe
1268 | Bkimdihd.exe
1268 | Bkimdihd.exe
1324 | Bmjjla32.exe
1324 | Bmjjla32.exe
1720 | Bgonij32.exe
1720 | Bgonij32.exe
1116 | Bniffd32.exe
1116 | Bniffd32.exe
1952 | Bpkbnmkc.exe
1952 | Bpkbnmkc.exe
1484 | Bfdkjg32.exe
1484 | Bfdkjg32.exe
1860 | Bicgfb32.exe
1860 | Bicgfb32.exe
1620 | Chfpim32.exe
1620 | Chfpim32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Kanjhpli.exe | Kicecn32.exe
File opened for modification | C:\Windows\SysWOW64\Kndggdhp.exe | Kdocikij.exe
File created | C:\Windows\SysWOW64\Ngndkhlf.exe | Mofmjjld.exe
File created | C:\Windows\SysWOW64\Licfdbpa.exe | Lgbjlj32.exe
File created | C:\Windows\SysWOW64\Lkihqm32.exe | Liklda32.exe
File created | C:\Windows\SysWOW64\Gcjojgod.dll | Qpmlddqn.exe
File created | C:\Windows\SysWOW64\Dfpkbd32.dll | Mofmjjld.exe
File created | C:\Windows\SysWOW64\Oekcgabh.dll | Mafaidgd.exe
File created | C:\Windows\SysWOW64\Gafogh32.dll | Aogbqpap.exe
File opened for modification | C:\Windows\SysWOW64\Bilphc32.exe | Fnidhl32.exe
File created | C:\Windows\SysWOW64\Gblpfgpa.dll | Nbackh32.exe
File created | C:\Windows\SysWOW64\Gmacjogi.dll | Apcljnce.exe
File created | C:\Windows\SysWOW64\Bkmilp32.dll | Akncea32.exe
File created | C:\Windows\SysWOW64\Boidkm32.exe | Bgamjo32.exe
File created | C:\Windows\SysWOW64\Fdfbnelf.exe | Fecbbh32.exe
File created | C:\Windows\SysWOW64\Nhhcnj32.exe | Nankaplb.exe
File created | C:\Windows\SysWOW64\Mnqfgbjk.exe | Mhdnol32.exe
File opened for modification | C:\Windows\SysWOW64\Mjqbgi32.exe | Mknblleg.exe
File created | C:\Windows\SysWOW64\Fgagcd32.dll | Boidkm32.exe
File created | C:\Windows\SysWOW64\Dnnkbg32.exe | Dkpoflbj.exe
File opened for modification | C:\Windows\SysWOW64\Goaefc32.exe | Geianmdp.exe
File created | C:\Windows\SysWOW64\Difehkgp.exe | Dfhilphl.exe
File created | C:\Windows\SysWOW64\Aakalo32.dll | Cfplajjh.exe
File created | C:\Windows\SysWOW64\Aijmco32.dll | Dekmli32.exe
File opened for modification | C:\Windows\SysWOW64\Lnehgi32.exe | Lkglkm32.exe
File opened for modification | C:\Windows\SysWOW64\Bmffnhgk.exe | Bbmemjjl.exe
File opened for modification | C:\Windows\SysWOW64\Bbgagh32.exe | Boidkm32.exe
File created | C:\Windows\SysWOW64\Aghlmoem.dll | Ckbbem32.exe
File opened for modification | C:\Windows\SysWOW64\Hpnlod32.exe | Folfknll.exe
File created | C:\Windows\SysWOW64\Iihmmi32.exe | Ifjqan32.exe
File opened for modification | C:\Windows\SysWOW64\Baphmd32.exe | Bmelmefm.exe
File created | C:\Windows\SysWOW64\Jljlpl32.dll | Ejiebh32.exe
File created | C:\Windows\SysWOW64\Fljfdi32.exe | Fpcfohnc.exe
File created | C:\Windows\SysWOW64\Okcnfm32.dll | Mhdnol32.exe
File opened for modification | C:\Windows\SysWOW64\Okimkj32.exe | Ododnppn.exe
File created | C:\Windows\SysWOW64\Bhiahdcf.dll | Poqpanem.exe
File created | C:\Windows\SysWOW64\Cbgbed32.dll | Cckjdpam.exe
File created | C:\Windows\SysWOW64\Pfiomelk.exe | Phenca32.exe
File opened for modification | C:\Windows\SysWOW64\Bjdckjil.exe | Bdjknpbo.exe
File created | C:\Windows\SysWOW64\Bgonij32.exe | Bmjjla32.exe
File created | C:\Windows\SysWOW64\Ilfhfhji.dll | Lenlbabh.exe
File created | C:\Windows\SysWOW64\Offploee.dll | Nhanip32.exe
File opened for modification | C:\Windows\SysWOW64\Ppldnjgg.exe | Piblap32.exe
File opened for modification | C:\Windows\SysWOW64\Pkjnlnin.exe | Phkaocik.exe
File created | C:\Windows\SysWOW64\Cedjlg32.exe | Cdcndojd.exe
File created | C:\Windows\SysWOW64\Pdefbm32.exe | Pkmaih32.exe
File opened for modification | C:\Windows\SysWOW64\Bkimdihd.exe | Aqcigqhn.exe
File created | C:\Windows\SysWOW64\Gdonoj32.exe | Goaefc32.exe
File created | C:\Windows\SysWOW64\Ghmhnf32.dll | Ookbdm32.exe
File opened for modification | C:\Windows\SysWOW64\Lgpmgkle.exe | Knhhne32.exe
File created | C:\Windows\SysWOW64\Dipqam32.dll | Bdlhdp32.exe
File created | C:\Windows\SysWOW64\Ceidgflm.exe | Checnbmc.exe
File created | C:\Windows\SysWOW64\Lmdlpqde.exe | Lemcoccc.exe
File opened for modification | C:\Windows\SysWOW64\Njhhhh32.exe | Mfllgima.exe
File created | C:\Windows\SysWOW64\Odpipaof.exe | Oaamdepb.exe
File created | C:\Windows\SysWOW64\Eaeoie32.dll | Cneognqi.exe
File opened for modification | C:\Windows\SysWOW64\Biaicben.exe | Bbgagh32.exe
File created | C:\Windows\SysWOW64\Bjfpqjgi.exe | Bhhddohe.exe
File created | C:\Windows\SysWOW64\Kehichcp.dll | Mmihbmke.exe
File opened for modification | C:\Windows\SysWOW64\Jfpplcco.exe | Jmgkcm32.exe
File opened for modification | C:\Windows\SysWOW64\Ajjjhici.exe | Alfioedo.exe
File created | C:\Windows\SysWOW64\Jjhhao32.dll | Bgamjo32.exe
File opened for modification | C:\Windows\SysWOW64\Ldbcch32.exe | Ijqoeqce.exe
File created | C:\Windows\SysWOW64\Cjmkdf32.dll | Aqcigqhn.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cealdcqm.dll" | Lienhqof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Baphmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnppbehi.dll" | Fcafjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghmipmn.dll" | Aiehmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkmpfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkagic32.dll" | Difehkgp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Folfknll.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iflmfm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iimfhhpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfibd32.dll" | Checnbmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhifm32.dll" | Mgikph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhchgab.dll" | Ceiqcinn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ifgdkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidnanq.dll" | Okfkfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qceedn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ofnell32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnjhbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Phnnebgh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qnophiaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bbmemjjl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bcegfajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Caagcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmhhhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nlfldh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdanef32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Necfnepf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pocpkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blofjnec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Epcipd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkknobb.dll" | Kaepho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfhfhji.dll" | Lenlbabh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Medjob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpekabip.dll" | Bmbpgfho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjmkdf32.dll" | Aqcigqhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifljpga.dll" | Bicgfb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ogpmpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobcnkje.dll" | Ommfha32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mnokng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhqiinol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdkef32.dll" | Bjfpqjgi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bniffd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngkdekad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djaigobh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcmdp32.dll" | Bfpnkkkj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hlqick32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjjjblnd.dll" | Jqajnlgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgchnb32.dll" | Cmhhhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phidjc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdbgoeoq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knelhegh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjelbhgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkipmlg.dll" | Dlgojfda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iimfhhpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nlabiink.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macpak32.dll" | Kaqgmpjf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oiakcgih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilglnp32.dll" | Aobieq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cafgiinj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdjkm32.dll" | Lhmhomal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nfenbdok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbogeh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndioocfa.dll" | Dipcli32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcfhg32.dll" | Kicecn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ingbkppc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1728 wrote to memory of 1748 | 1728 | cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe | 28
PID 1728 wrote to memory of 1748 | 1728 | cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe | 28
PID 1728 wrote to memory of 1748 | 1728 | cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe | 28
PID 1728 wrote to memory of 1748 | 1728 | cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe | 28
PID 1748 wrote to memory of 2012 | 1748 | Lgfnjdaj.exe | 29
PID 1748 wrote to memory of 2012 | 1748 | Lgfnjdaj.exe | 29
PID 1748 wrote to memory of 2012 | 1748 | Lgfnjdaj.exe | 29
PID 1748 wrote to memory of 2012 | 1748 | Lgfnjdaj.exe | 29
PID 2012 wrote to memory of 1304 | 2012 | Loabofne.exe | 30
PID 2012 wrote to memory of 1304 | 2012 | Loabofne.exe | 30
PID 2012 wrote to memory of 1304 | 2012 | Loabofne.exe | 30
PID 2012 wrote to memory of 1304 | 2012 | Loabofne.exe | 30
PID 1304 wrote to memory of 1336 | 1304 | Mfkgjchn.exe | 31
PID 1304 wrote to memory of 1336 | 1304 | Mfkgjchn.exe | 31
PID 1304 wrote to memory of 1336 | 1304 | Mfkgjchn.exe | 31
PID 1304 wrote to memory of 1336 | 1304 | Mfkgjchn.exe | 31
PID 1336 wrote to memory of 2000 | 1336 | Mmglmm32.exe | 32
PID 1336 wrote to memory of 2000 | 1336 | Mmglmm32.exe | 32
PID 1336 wrote to memory of 2000 | 1336 | Mmglmm32.exe | 32
PID 1336 wrote to memory of 2000 | 1336 | Mmglmm32.exe | 32
PID 2000 wrote to memory of 1772 | 2000 | Mbddedlo.exe | 33
PID 2000 wrote to memory of 1772 | 2000 | Mbddedlo.exe | 33
PID 2000 wrote to memory of 1772 | 2000 | Mbddedlo.exe | 33
PID 2000 wrote to memory of 1772 | 2000 | Mbddedlo.exe | 33
PID 1772 wrote to memory of 320 | 1772 | Mmihbmke.exe | 34
PID 1772 wrote to memory of 320 | 1772 | Mmihbmke.exe | 34
PID 1772 wrote to memory of 320 | 1772 | Mmihbmke.exe | 34
PID 1772 wrote to memory of 320 | 1772 | Mmihbmke.exe | 34
PID 320 wrote to memory of 1704 | 320 | Nccqog32.exe | 35
PID 320 wrote to memory of 1704 | 320 | Nccqog32.exe | 35
PID 320 wrote to memory of 1704 | 320 | Nccqog32.exe | 35
PID 320 wrote to memory of 1704 | 320 | Nccqog32.exe | 35
PID 1704 wrote to memory of 1152 | 1704 | Nloeci32.exe | 36
PID 1704 wrote to memory of 1152 | 1704 | Nloeci32.exe | 36
PID 1704 wrote to memory of 1152 | 1704 | Nloeci32.exe | 36
PID 1704 wrote to memory of 1152 | 1704 | Nloeci32.exe | 36
PID 1152 wrote to memory of 1592 | 1152 | Nfdjqbpc.exe | 37
PID 1152 wrote to memory of 1592 | 1152 | Nfdjqbpc.exe | 37
PID 1152 wrote to memory of 1592 | 1152 | Nfdjqbpc.exe | 37
PID 1152 wrote to memory of 1592 | 1152 | Nfdjqbpc.exe | 37
PID 1592 wrote to memory of 340 | 1592 | Nlabiink.exe | 38
PID 1592 wrote to memory of 340 | 1592 | Nlabiink.exe | 38
PID 1592 wrote to memory of 340 | 1592 | Nlabiink.exe | 38
PID 1592 wrote to memory of 340 | 1592 | Nlabiink.exe | 38
PID 340 wrote to memory of 1488 | 340 | Nankaplb.exe | 39
PID 340 wrote to memory of 1488 | 340 | Nankaplb.exe | 39
PID 340 wrote to memory of 1488 | 340 | Nankaplb.exe | 39
PID 340 wrote to memory of 1488 | 340 | Nankaplb.exe | 39
PID 1488 wrote to memory of 544 | 1488 | Nhhcnj32.exe | 40
PID 1488 wrote to memory of 544 | 1488 | Nhhcnj32.exe | 40
PID 1488 wrote to memory of 544 | 1488 | Nhhcnj32.exe | 40
PID 1488 wrote to memory of 544 | 1488 | Nhhcnj32.exe | 40
PID 544 wrote to memory of 1508 | 544 | Nbmgkcce.exe | 41
PID 544 wrote to memory of 1508 | 544 | Nbmgkcce.exe | 41
PID 544 wrote to memory of 1508 | 544 | Nbmgkcce.exe | 41
PID 544 wrote to memory of 1508 | 544 | Nbmgkcce.exe | 41
PID 1508 wrote to memory of 1108 | 1508 | Nlfldh32.exe | 42
PID 1508 wrote to memory of 1108 | 1508 | Nlfldh32.exe | 42
PID 1508 wrote to memory of 1108 | 1508 | Nlfldh32.exe | 42
PID 1508 wrote to memory of 1108 | 1508 | Nlfldh32.exe | 42
PID 1108 wrote to memory of 2024 | 1108 | Penlla32.exe | 43
PID 1108 wrote to memory of 2024 | 1108 | Penlla32.exe | 43
PID 1108 wrote to memory of 2024 | 1108 | Penlla32.exe | 43
PID 1108 wrote to memory of 2024 | 1108 | Penlla32.exe | 43
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cff3b479c1bb2610f4d451565180361e5ebcbe4a7b17348684237a2d48d831bf.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1728

Depth 2: C:\Windows\SysWOW64\Lgfnjdaj.exe (command line: C:\Windows\system32\Lgfnjdaj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1748

Depth 3: C:\Windows\SysWOW64\Loabofne.exe (command line: C:\Windows\system32\Loabofne.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2012

Depth 4: C:\Windows\SysWOW64\Mfkgjchn.exe (command line: C:\Windows\system32\Mfkgjchn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1304

Depth 5: C:\Windows\SysWOW64\Mmglmm32.exe (command line: C:\Windows\system32\Mmglmm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1336

Depth 6: C:\Windows\SysWOW64\Mbddedlo.exe (command line: C:\Windows\system32\Mbddedlo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2000

Depth 7: C:\Windows\SysWOW64\Mmihbmke.exe (command line: C:\Windows\system32\Mmihbmke.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 1772

Depth 8: C:\Windows\SysWOW64\Nccqog32.exe (command line: C:\Windows\system32\Nccqog32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 320

Depth 9: C:\Windows\SysWOW64\Nloeci32.exe (command line: C:\Windows\system32\Nloeci32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1704

Depth 10: C:\Windows\SysWOW64\Nfdjqbpc.exe (command line: C:\Windows\system32\Nfdjqbpc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1152

Depth 11: C:\Windows\SysWOW64\Nlabiink.exe (command line: C:\Windows\system32\Nlabiink.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1592

Depth 12: C:\Windows\SysWOW64\Nankaplb.exe (command line: C:\Windows\system32\Nankaplb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 340

Depth 13: C:\Windows\SysWOW64\Nhhcnj32.exe (command line: C:\Windows\system32\Nhhcnj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1488

Depth 14: C:\Windows\SysWOW64\Nbmgkcce.exe (command line: C:\Windows\system32\Nbmgkcce.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 544

Depth 15: C:\Windows\SysWOW64\Nlfldh32.exe (command line: C:\Windows\system32\Nlfldh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1508

Depth 16: C:\Windows\SysWOW64\Penlla32.exe (command line: C:\Windows\system32\Penlla32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1108

Depth 17: C:\Windows\SysWOW64\Plhdhkkn.exe (command line: C:\Windows\system32\Plhdhkkn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2024

Depth 18: C:\Windows\SysWOW64\Pkmaih32.exe (command line: C:\Windows\system32\Pkmaih32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2044

Depth 19: C:\Windows\SysWOW64\Pdefbm32.exe (command line: C:\Windows\system32\Pdefbm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1104

Depth 20: C:\Windows\SysWOW64\Aiehmo32.exe (command line: C:\Windows\system32\Aiehmo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1828

Depth 21: C:\Windows\SysWOW64\Akddij32.exe (command line: C:\Windows\system32\Akddij32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 988

Depth 22: C:\Windows\SysWOW64\Abnlfdcf.exe (command line: C:\Windows\system32\Abnlfdcf.exe)
- Executes dropped EXE
PID: 1016

Depth 23: C:\Windows\SysWOW64\Aihdbn32.exe (command line: C:\Windows\system32\Aihdbn32.exe)
- Loads dropped DLL
PID: 956

Depth 24: C:\Windows\SysWOW64\Ajiajf32.exe (command line: C:\Windows\system32\Ajiajf32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 868

Depth 25: C:\Windows\SysWOW64\Aqcigqhn.exe (command line: C:\Windows\system32\Aqcigqhn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID: 1340

Depth 26: C:\Windows\SysWOW64\Bkimdihd.exe (command line: C:\Windows\system32\Bkimdihd.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1268

Depth 27: C:\Windows\SysWOW64\Bmjjla32.exe (command line: C:\Windows\system32\Bmjjla32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1324

Depth 28: C:\Windows\SysWOW64\Bgonij32.exe (command line: C:\Windows\system32\Bgonij32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1720

Depth 29: C:\Windows\SysWOW64\Bniffd32.exe (command line: C:\Windows\system32\Bniffd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1116

Depth 30: C:\Windows\SysWOW64\Bpkbnmkc.exe (command line: C:\Windows\system32\Bpkbnmkc.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1952

Depth 31: C:\Windows\SysWOW64\Bfdkjg32.exe (command line: C:\Windows\system32\Bfdkjg32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1484

Depth 32: C:\Windows\SysWOW64\Bicgfb32.exe (command line: C:\Windows\system32\Bicgfb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID: 1860

Depth 33: C:\Windows\SysWOW64\Chfpim32.exe (command line: C:\Windows\system32\Chfpim32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID: 1620

Depth 34: C:\Windows\SysWOW64\Dellniki.exe (command line: C:\Windows\system32\Dellniki.exe)
- Executes dropped EXE
PID: 1584

Depth 35: C:\Windows\SysWOW64\Eigdnkfn.exe (command line: C:\Windows\system32\Eigdnkfn.exe)
- Executes dropped EXE
PID: 1504

Depth 36: C:\Windows\SysWOW64\Epcipd32.exe (command line: C:\Windows\system32\Epcipd32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1656

Depth 37: C:\Windows\SysWOW64\Fhedef32.exe (command line: C:\Windows\system32\Fhedef32.exe)
- Executes dropped EXE
PID: 2032

Depth 38: C:\Windows\SysWOW64\Fpcfohnc.exe (command line: C:\Windows\system32\Fpcfohnc.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1752

Depth 39: C:\Windows\SysWOW64\Fljfdi32.exe (command line: C:\Windows\system32\Fljfdi32.exe)
- Executes dropped EXE
PID: 1480

Depth 40: C:\Windows\SysWOW64\Gdanef32.exe (command line: C:\Windows\system32\Gdanef32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1552

Depth 41: C:\Windows\SysWOW64\Gmicnl32.exe (command line: C:\Windows\system32\Gmicnl32.exe)
- Executes dropped EXE
PID: 1804

Depth 42: C:\Windows\SysWOW64\Gedhbn32.exe (command line: C:\Windows\system32\Gedhbn32.exe)
- Executes dropped EXE
PID: 1176

Depth 43: C:\Windows\SysWOW64\Gomlkcof.exe (command line: C:\Windows\system32\Gomlkcof.exe)
- Executes dropped EXE
PID: 908

Depth 44: C:\Windows\SysWOW64\Gakhgonj.exe (command line: C:\Windows\system32\Gakhgonj.exe)
- Executes dropped EXE
PID: 796

Depth 45: C:\Windows\SysWOW64\Geianmdp.exe (command line: C:\Windows\system32\Geianmdp.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1184

Depth 46: C:\Windows\SysWOW64\Goaefc32.exe (command line: C:\Windows\system32\Goaefc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1664

Depth 47: C:\Windows\SysWOW64\Gdonoj32.exe (command line: C:\Windows\system32\Gdonoj32.exe)
- Executes dropped EXE
PID: 960

Depth 48: C:\Windows\SysWOW64\Hpeock32.exe (command line: C:\Windows\system32\Hpeock32.exe)
- Executes dropped EXE
PID: 860

Depth 49: C:\Windows\SysWOW64\Hkmpfc32.exe (command line: C:\Windows\system32\Hkmpfc32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 388

Depth 50: C:\Windows\SysWOW64\Hnllbolc.exe (command line: C:\Windows\system32\Hnllbolc.exe)
- Executes dropped EXE
PID: 1068

Depth 51: C:\Windows\SysWOW64\Hdedoi32.exe (command line: C:\Windows\system32\Hdedoi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 592

Depth 52: C:\Windows\SysWOW64\Hlqick32.exe (command line: C:\Windows\system32\Hlqick32.exe)
- Executes dropped EXE
- Modifies registry class
PID: 600

Depth 53: C:\Windows\SysWOW64\Ifkjbp32.exe (command line: C:\Windows\system32\Ifkjbp32.exe)
- Executes dropped EXE
PID: 1912

Depth 54: C:\Windows\SysWOW64\Ikhbjg32.exe (command line: C:\Windows\system32\Ikhbjg32.exe)
- Executes dropped EXE
PID: 436

Depth 55: C:\Windows\SysWOW64\Idqgcmja.exe (command line: C:\Windows\system32\Idqgcmja.exe)
- Executes dropped EXE
PID: 932

Depth 56: C:\Windows\SysWOW64\Ikmlefok.exe (command line: C:\Windows\system32\Ikmlefok.exe)
- Executes dropped EXE
PID: 1692

Depth 57: C:\Windows\SysWOW64\Ijbifc32.exe (command line: C:\Windows\system32\Ijbifc32.exe)
- Executes dropped EXE
PID: 1724

Depth 58: C:\Windows\SysWOW64\Ikaeqf32.exe (command line: C:\Windows\system32\Ikaeqf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 1360

Depth 59: C:\Windows\SysWOW64\Jejjikaf.exe (command line: C:\Windows\system32\Jejjikaf.exe)
- Executes dropped EXE
PID: 680

Depth 60: C:\Windows\SysWOW64\Jghfegqj.exe (command line: C:\Windows\system32\Jghfegqj.exe)
- Executes dropped EXE
PID: 912
Depth 1: C:\Windows\SysWOW64\Jqajnlgj.exe (command line: C:\Windows\system32\Jqajnlgj.exe)
- Executes dropped EXE
- Modifies registry class
PID: 1304

Depth 2: C:\Windows\SysWOW64\Jmgkcm32.exe (command line: C:\Windows\system32\Jmgkcm32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID: 1772

Depth 3: C:\Windows\SysWOW64\Jfpplcco.exe (command line: C:\Windows\system32\Jfpplcco.exe)
- Executes dropped EXE
PID: 704

Depth 4: C:\Windows\SysWOW64\Jcdpeg32.exe (command line: C:\Windows\system32\Jcdpeg32.exe)
- Executes dropped EXE
PID: 1780

Depth 5: C:\Windows\SysWOW64\Jpkakhhm.exe (command line: C:\Windows\system32\Jpkakhhm.exe)
- Executes dropped EXE
PID: 1696

Depth 6: C:\Windows\SysWOW64\Kicecn32.exe (command line: C:\Windows\system32\Kicecn32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1104

Depth 7: C:\Windows\SysWOW64\Kanjhpli.exe (command line: C:\Windows\system32\Kanjhpli.exe)
PID: 1016

Depth 8: C:\Windows\SysWOW64\Kejfho32.exe (command line: C:\Windows\system32\Kejfho32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1324

Depth 9: C:\Windows\SysWOW64\Kbnfbc32.exe (command line: C:\Windows\system32\Kbnfbc32.exe)
PID: 1116

Depth 10: C:\Windows\SysWOW64\Kaqgmpjf.exe (command line: C:\Windows\system32\Kaqgmpjf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 636

Depth 11: C:\Windows\SysWOW64\Kdocikij.exe (command line: C:\Windows\system32\Kdocikij.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2028

Depth 12: C:\Windows\SysWOW64\Kndggdhp.exe (command line: C:\Windows\system32\Kndggdhp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1000

Depth 13: C:\Windows\SysWOW64\Kdapok32.exe (command line: C:\Windows\system32\Kdapok32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1988

Depth 14: C:\Windows\SysWOW64\Kaepho32.exe (command line: C:\Windows\system32\Kaepho32.exe)
- Modifies registry class
PID: 1968

Depth 15: C:\Windows\SysWOW64\Kfbiqf32.exe (command line: C:\Windows\system32\Kfbiqf32.exe)
PID: 1364

Depth 16: C:\Windows\SysWOW64\Kpjmiljh.exe (command line: C:\Windows\system32\Kpjmiljh.exe)
PID: 1980

Depth 17: C:\Windows\SysWOW64\Lbiiegil.exe (command line: C:\Windows\system32\Lbiiegil.exe)
PID: 1072

Depth 18: C:\Windows\SysWOW64\Lmnncp32.exe (command line: C:\Windows\system32\Lmnncp32.exe)
PID: 1996

Depth 19: C:\Windows\SysWOW64\Lfgblepb.exe (command line: C:\Windows\system32\Lfgblepb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1788

Depth 20: C:\Windows\SysWOW64\Lienhqof.exe (command line: C:\Windows\system32\Lienhqof.exe)
- Modifies registry class
PID: 272

Depth 21: C:\Windows\SysWOW64\Lelomadk.exe (command line: C:\Windows\system32\Lelomadk.exe)
PID: 1140

Depth 22: C:\Windows\SysWOW64\Lbppffcd.exe (command line: C:\Windows\system32\Lbppffcd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1932

Depth 23: C:\Windows\SysWOW64\Lenlbabh.exe (command line: C:\Windows\system32\Lenlbabh.exe)
- Drops file in System32 directory
- Modifies registry class
PID: 268

Depth 24: C:\Windows\SysWOW64\Lhmhomal.exe (command line: C:\Windows\system32\Lhmhomal.exe)
- Modifies registry class
PID: 1516

Depth 25: C:\Windows\SysWOW64\Lkkdkhqo.exe (command line: C:\Windows\system32\Lkkdkhqo.exe)
PID: 280

Depth 26: C:\Windows\SysWOW64\Mkmaph32.exe (command line: C:\Windows\system32\Mkmaph32.exe)
PID: 1388

Depth 27: C:\Windows\SysWOW64\Mokjffec.exe (command line: C:\Windows\system32\Mokjffec.exe)
PID: 1748

Depth 28: C:\Windows\SysWOW64\Mhdnol32.exe (command line: C:\Windows\system32\Mhdnol32.exe)
- Drops file in System32 directory
PID: 1328

Depth 29: C:\Windows\SysWOW64\Mnqfgbjk.exe (command line: C:\Windows\system32\Mnqfgbjk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1316

Depth 30: C:\Windows\SysWOW64\Mgikph32.exe (command line: C:\Windows\system32\Mgikph32.exe)
- Modifies registry class
PID: 1760

Depth 31: C:\Windows\SysWOW64\Mjggld32.exe (command line: C:\Windows\system32\Mjggld32.exe)
PID: 320

Depth 32: C:\Windows\SysWOW64\Mcpleifp.exe (command line: C:\Windows\system32\Mcpleifp.exe)
PID: 876

Depth 33: C:\Windows\SysWOW64\Mlhpnolp.exe (command line: C:\Windows\system32\Mlhpnolp.exe)
PID: 1636

Depth 34: C:\Windows\SysWOW64\Mofmjjld.exe (command line: C:\Windows\system32\Mofmjjld.exe)
- Drops file in System32 directory
PID: 1592

Depth 35: C:\Windows\SysWOW64\Ngndkhlf.exe (command line: C:\Windows\system32\Ngndkhlf.exe)
PID: 560

Depth 36: C:\Windows\SysWOW64\Ncdepi32.exe (command line: C:\Windows\system32\Ncdepi32.exe)
PID: 1936

Depth 37: C:\Windows\SysWOW64\Njnmmbig.exe (command line: C:\Windows\system32\Njnmmbig.exe)
PID: 1716

Depth 38: C:\Windows\SysWOW64\Nhanip32.exe (command line: C:\Windows\system32\Nhanip32.exe)
- Drops file in System32 directory
PID: 1268

Depth 39: C:\Windows\SysWOW64\Nfenbdok.exe (command line: C:\Windows\system32\Nfenbdok.exe)
- Modifies registry class
PID: 1952

Depth 40: C:\Windows\SysWOW64\Nhcjnono.exe (command line: C:\Windows\system32\Nhcjnono.exe)
PID: 856

Depth 41: C:\Windows\SysWOW64\Nbloge32.exe (command line: C:\Windows\system32\Nbloge32.exe)
PID: 988

Depth 42: C:\Windows\SysWOW64\Ngkdekad.exe (command line: C:\Windows\system32\Ngkdekad.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID: 768

Depth 43: C:\Windows\SysWOW64\Njipagph.exe (command line: C:\Windows\system32\Njipagph.exe)
PID: 1532

Depth 44: C:\Windows\SysWOW64\Ododnppn.exe (command line: C:\Windows\system32\Ododnppn.exe)
- Drops file in System32 directory
PID: 1308

Depth 45: C:\Windows\SysWOW64\Okimkj32.exe (command line: C:\Windows\system32\Okimkj32.exe)
PID: 1248

Depth 46: C:\Windows\SysWOW64\Ojlmffne.exe (command line: C:\Windows\system32\Ojlmffne.exe)
PID: 1496

Depth 47: C:\Windows\SysWOW64\Omjibb32.exe (command line: C:\Windows\system32\Omjibb32.exe)
PID: 880

Depth 48: C:\Windows\SysWOW64\Oqfecqeb.exe (command line: C:\Windows\system32\Oqfecqeb.exe)
PID: 544

Depth 49: C:\Windows\SysWOW64\Odaado32.exe (command line: C:\Windows\system32\Odaado32.exe)
PID: 2052

Depth 50: C:\Windows\SysWOW64\Ogpmpk32.exe (command line: C:\Windows\system32\Ogpmpk32.exe)
- Modifies registry class
PID: 2060

Depth 51: C:\Windows\SysWOW64\Ommfha32.exe (command line: C:\Windows\system32\Ommfha32.exe)
- Modifies registry class
PID: 2068

Depth 52: C:\Windows\SysWOW64\Ookbdm32.exe (command line: C:\Windows\system32\Ookbdm32.exe)
- Drops file in System32 directory
PID: 2076

Depth 53: C:\Windows\SysWOW64\Ocfnelbc.exe (command line: C:\Windows\system32\Ocfnelbc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2084

Depth 54: C:\Windows\SysWOW64\Ogbjej32.exe (command line: C:\Windows\system32\Ogbjej32.exe)
PID: 2092

Depth 55: C:\Windows\SysWOW64\Omobnaic.exe (command line: C:\Windows\system32\Omobnaic.exe)
PID: 2100

Depth 56: C:\Windows\SysWOW64\Ocikjk32.exe (command line: C:\Windows\system32\Ocikjk32.exe)
PID: 2256

Depth 57: C:\Windows\SysWOW64\Pbhdee32.exe (command line: C:\Windows\system32\Pbhdee32.exe)
PID: 2264

Depth 58: C:\Windows\SysWOW64\Piblap32.exe (command line: C:\Windows\system32\Piblap32.exe)
- Drops file in System32 directory
PID: 2272

Depth 59: C:\Windows\SysWOW64\Ppldnjgg.exe (command line: C:\Windows\system32\Ppldnjgg.exe)
PID: 2316

Depth 60: C:\Windows\SysWOW64\Ihkkpm32.exe (command line: C:\Windows\system32\Ihkkpm32.exe)
PID: 2324

Depth 61: C:\Windows\SysWOW64\Jhoqjpak.exe (command line: C:\Windows\system32\Jhoqjpak.exe)
PID: 2356

Depth 62: C:\Windows\SysWOW64\Knelhegh.exe (command line: C:\Windows\system32\Knelhegh.exe)
- Modifies registry class
PID: 2364

Depth 63: C:\Windows\SysWOW64\Knhhne32.exe (command line: C:\Windows\system32\Knhhne32.exe)
- Drops file in System32 directory
PID: 2372

Depth 64: C:\Windows\SysWOW64\Lgpmgkle.exe (command line: C:\Windows\system32\Lgpmgkle.exe)
PID: 2380

Depth 65: C:\Windows\SysWOW64\Lmmeoajm.exe (command line: C:\Windows\system32\Lmmeoajm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2388

Depth 66: C:\Windows\SysWOW64\Lgbjlj32.exe (command line: C:\Windows\system32\Lgbjlj32.exe)
- Drops file in System32 directory
PID: 2396

Depth 67: C:\Windows\SysWOW64\Licfdbpa.exe (command line: C:\Windows\system32\Licfdbpa.exe)
PID: 2404

Depth 68: C:\Windows\SysWOW64\Lqknepqc.exe (command line: C:\Windows\system32\Lqknepqc.exe)
PID: 2412

Depth 69: C:\Windows\SysWOW64\Lcijakpg.exe (command line: C:\Windows\system32\Lcijakpg.exe)
PID: 2420

Depth 70: C:\Windows\SysWOW64\Lfgfmgok.exe (command line: C:\Windows\system32\Lfgfmgok.exe)
PID: 2428

Depth 71: C:\Windows\SysWOW64\Lifcibno.exe (command line: C:\Windows\system32\Lifcibno.exe)
PID: 2436

Depth 72: C:\Windows\SysWOW64\Lkdoenmb.exe (command line: C:\Windows\system32\Lkdoenmb.exe)
PID: 2444

Depth 73: C:\Windows\SysWOW64\Lclggk32.exe (command line: C:\Windows\system32\Lclggk32.exe)
PID: 2452

Depth 74: C:\Windows\SysWOW64\Lfjccf32.exe (command line: C:\Windows\system32\Lfjccf32.exe)
PID: 2460

Depth 75: C:\Windows\SysWOW64\Lemcoccc.exe (command line: C:\Windows\system32\Lemcoccc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2468

Depth 76: C:\Windows\SysWOW64\Lmdlpqde.exe (command line: C:\Windows\system32\Lmdlpqde.exe)
PID: 2476

Depth 77: C:\Windows\SysWOW64\Lkglkm32.exe (command line: C:\Windows\system32\Lkglkm32.exe)
- Drops file in System32 directory
PID: 2484

Depth 78: C:\Windows\SysWOW64\Lnehgi32.exe (command line: C:\Windows\system32\Lnehgi32.exe)
PID: 2492

Depth 79: C:\Windows\SysWOW64\Liklda32.exe (command line: C:\Windows\system32\Liklda32.exe)
- Drops file in System32 directory
PID: 2500

Depth 80: C:\Windows\SysWOW64\Lkihqm32.exe (command line: C:\Windows\system32\Lkihqm32.exe)
PID: 2508

Depth 81: C:\Windows\SysWOW64\Loddalaf.exe (command line: C:\Windows\system32\Loddalaf.exe)
PID: 2516

Depth 82: C:\Windows\SysWOW64\Mbcqmg32.exe (command line: C:\Windows\system32\Mbcqmg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2524

Depth 83: C:\Windows\SysWOW64\Mafaidgd.exe (command line: C:\Windows\system32\Mafaidgd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2532

Depth 84: C:\Windows\SysWOW64\Meamib32.exe (command line: C:\Windows\system32\Meamib32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2540

Depth 85: C:\Windows\SysWOW64\Mgpifn32.exe (command line: C:\Windows\system32\Mgpifn32.exe)
PID: 2548

Depth 86: C:\Windows\SysWOW64\Mkkefmgj.exe (command line: C:\Windows\system32\Mkkefmgj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2556

Depth 87: C:\Windows\SysWOW64\Mnjabhfn.exe (command line: C:\Windows\system32\Mnjabhfn.exe)
PID: 2564

Depth 88: C:\Windows\SysWOW64\Mbemcg32.exe (command line: C:\Windows\system32\Mbemcg32.exe)
PID: 2572

Depth 89: C:\Windows\SysWOW64\Medjob32.exe (command line: C:\Windows\system32\Medjob32.exe)
- Modifies registry class
PID: 2580

Depth 90: C:\Windows\SysWOW64\Mcgjkode.exe (command line: C:\Windows\system32\Mcgjkode.exe)
PID: 2588

Depth 91: C:\Windows\SysWOW64\Mknblleg.exe (command line: C:\Windows\system32\Mknblleg.exe)
- Drops file in System32 directory
PID: 2596

Depth 92: C:\Windows\SysWOW64\Mjqbgi32.exe (command line: C:\Windows\system32\Mjqbgi32.exe)
PID: 2604

Depth 93: C:\Windows\SysWOW64\Mgdbamjl.exe (command line: C:\Windows\system32\Mgdbamjl.exe)
PID: 2612

Depth 94: C:\Windows\SysWOW64\Mjcomijp.exe (command line: C:\Windows\system32\Mjcomijp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2620

Depth 95: C:\Windows\SysWOW64\Mnokng32.exe (command line: C:\Windows\system32\Mnokng32.exe)
- Modifies registry class
PID: 2628

Depth 96: C:\Windows\SysWOW64\Mmakidic.exe (command line: C:\Windows\system32\Mmakidic.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2664

Depth 97: C:\Windows\SysWOW64\Mjelbhgm.exe (command line: C:\Windows\system32\Mjelbhgm.exe)
- Modifies registry class
PID: 2680

Depth 98: C:\Windows\SysWOW64\Mmdhodgq.exe (command line: C:\Windows\system32\Mmdhodgq.exe)
PID: 2696

Depth 99: C:\Windows\SysWOW64\Mcnpkn32.exe (command line: C:\Windows\system32\Mcnpkn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2712

Depth 100: C:\Windows\SysWOW64\Mfllgima.exe (command line: C:\Windows\system32\Mfllgima.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 2728

Depth 101: C:\Windows\SysWOW64\Njhhhh32.exe (command line: C:\Windows\system32\Njhhhh32.exe)
PID: 2744

Depth 102: C:\Windows\SysWOW64\Nmfddc32.exe (command line: C:\Windows\system32\Nmfddc32.exe)
PID: 2756

Depth 103: C:\Windows\SysWOW64\Nlieppkh.exe (command line: C:\Windows\system32\Nlieppkh.exe)
PID: 2776

Depth 104: C:\Windows\SysWOW64\Ncpmanlk.exe (command line: C:\Windows\system32\Ncpmanlk.exe)
PID: 2792

Depth 105: C:\Windows\SysWOW64\Nbcmlj32.exe (command line: C:\Windows\system32\Nbcmlj32.exe)
PID: 2852

Depth 106: C:\Windows\SysWOW64\Nmhajc32.exe (command line: C:\Windows\system32\Nmhajc32.exe)
PID: 2868

Depth 107: C:\Windows\SysWOW64\Npgnfo32.exe (command line: C:\Windows\system32\Npgnfo32.exe)
PID: 2924

Depth 108: C:\Windows\SysWOW64\Nfqfbi32.exe (command line: C:\Windows\system32\Nfqfbi32.exe)
PID: 2948

Depth 109: C:\Windows\SysWOW64\Necfnepf.exe (command line: C:\Windows\system32\Necfnepf.exe)
- Modifies registry class
PID: 2960

Depth 110: C:\Windows\SysWOW64\Nhbbjaoj.exe (command line: C:\Windows\system32\Nhbbjaoj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2972

Depth 111: C:\Windows\SysWOW64\Npijknpl.exe (command line: C:\Windows\system32\Npijknpl.exe)
PID: 2988

Depth 112: C:\Windows\SysWOW64\Noljgk32.exe (command line: C:\Windows\system32\Noljgk32.exe)
PID: 3004

Depth 113: C:\Windows\SysWOW64\Najgcf32.exe (command line: C:\Windows\system32\Najgcf32.exe)
PID: 3020

Depth 114: C:\Windows\SysWOW64\Niaodd32.exe (command line: C:\Windows\system32\Niaodd32.exe)
PID: 3032

Depth 115: C:\Windows\SysWOW64\Nlpkpo32.exe (command line: C:\Windows\system32\Nlpkpo32.exe)
PID: 3052

Depth 116: C:\Windows\SysWOW64\Nonglk32.exe (command line: C:\Windows\system32\Nonglk32.exe)
PID: 3064

Depth 117: C:\Windows\SysWOW64\Nbjcmimm.exe (command line: C:\Windows\system32\Nbjcmimm.exe)
PID: 2136

Depth 118: C:\Windows\SysWOW64\Nhglep32.exe (command line: C:\Windows\system32\Nhglep32.exe)
PID: 2160

Depth 119: C:\Windows\SysWOW64\Noqdbjba.exe (command line: C:\Windows\system32\Noqdbjba.exe)
PID: 2180

Depth 120: C:\Windows\SysWOW64\Nmcdng32.exe (command line: C:\Windows\system32\Nmcdng32.exe)
PID: 2196

Depth 121: C:\Windows\SysWOW64\Oeklod32.exe (command line: C:\Windows\system32\Oeklod32.exe)
PID: 2212

Depth 122: C:\Windows\SysWOW64\Ohihkp32.exe (command line: C:\Windows\system32\Ohihkp32.exe)
PID: 2228