Analysis
max time kernel: 190s
max time network: 149s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 10/10/2023, 21:39
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: a69ac023cc46e31aff9170d0c9aa18e6_JC.exe
  Resource: win7-20230831-en
  6 signatures
  150 seconds
Behavioral task: behavioral2
  Sample: a69ac023cc46e31aff9170d0c9aa18e6_JC.exe
  Resource: win10v2004-20230915-en
  5 signatures
  150 seconds
General
Target: a69ac023cc46e31aff9170d0c9aa18e6_JC.exe
Size: 164KB
MD5: a69ac023cc46e31aff9170d0c9aa18e6
SHA1: 96f88f0e4b39b1c94f6c9fa344c675aca1a0e399
SHA256: f33da93f91282dbbc4f76fe6e4d597301fa26be7be3fc412d5eda2f915d33940
SHA512: 68f5a4b741de7d5790ac72d32a8697c9f770418c370e0ddaaa926b7e29468f1ae53834fecdac3d9087a0db11ea3a9251456a35eb7cf974548a76e0b099bcb50f
SSDEEP: 3072:mxTY/6vsXentt08uFafmHURHAVgnvedh6DRyU:ANtt08uF8YU8gnve7GR
Score: 10/10
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hjggnp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opkcpndm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmjbphod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kbhckm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgkncfdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mlifie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Poldnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Inhoegqc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdfmlc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nidhfgpl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdmdlc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmaialjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ghpnihbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hkgmkbih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fklaqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kmjfae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ncpjnahm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ceeibbgn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Makhlkel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Poldnf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hehafe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jknicnpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lelmei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dblgbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kqomai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emhdhipd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkpfcnoe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkmkgc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpkfng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hhogaamj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjnlikic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iihgadhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ioapnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oeobfgak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmiicj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cniajdkg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jopbnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipimic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mgdpnqfn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Holcka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Knocpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Epkjoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | a69ac023cc46e31aff9170d0c9aa18e6_JC.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qdhqpe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjdcdjcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jpfehq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkmkgc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifhdlo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icdhnn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nflidmic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ikiedq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kknkncbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bcnklm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iemank32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccpqjfnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdajff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdidhfdp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfhnmiii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bkiopock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Loicnemp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glfqngom.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecppoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icjhpc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffghjg32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2612 | Goocenaa.exe
2664 | Lfkfkopk.exe
2500 | Bphaglgo.exe
2344 | Ccpqjfnh.exe
2696 | Cenmfbml.exe
2844 | Cniajdkg.exe
1832 | Chabmm32.exe
1044 | Cjboeenh.exe
1280 | Dgildi32.exe
1164 | Dleelp32.exe
368 | Djjeedhp.exe
308 | Djlbkcfn.exe
2092 | Dcdfdi32.exe
2272 | Eokgij32.exe
2584 | Ekbhnkhf.exe
1516 | Enbapf32.exe
444 | Fcdbcloi.exe
1976 | Fjnkpf32.exe
940 | Fjqhef32.exe
2872 | Ffghjg32.exe
1000 | Fldabn32.exe
2164 | Ffiepg32.exe
1504 | Ghmnmo32.exe
2676 | Ghpkbn32.exe
2176 | Gecklbih.exe
2044 | Gjpddigo.exe
1696 | Gpoibp32.exe
3008 | Gpafgp32.exe
3024 | Hhogaamj.exe
2540 | Hoipnl32.exe
2536 | Heedqe32.exe
2608 | Hehafe32.exe
2828 | Iaobkf32.exe
532 | Idmnga32.exe
1116 | Idokma32.exe
1344 | Igngim32.exe
2028 | Inhoegqc.exe
436 | Icdhnn32.exe
1492 | Jopbnn32.exe
1708 | Jdmjfe32.exe
2136 | Jneoojeb.exe
2884 | Jjnlikic.exe
2704 | Jqhdfe32.exe
1868 | Jcgqbq32.exe
2192 | Jknicnpf.exe
1108 | Kmoekf32.exe
1780 | Kdfmlc32.exe
1644 | Kgdiho32.exe
2184 | Kmabqf32.exe
1592 | Kqmnadlk.exe
1352 | Kggfnoch.exe
2000 | Kqokgd32.exe
2644 | Kmfklepl.exe
1172 | Qdhqpe32.exe
2480 | Dpofpg32.exe
2464 | Joenaf32.exe
2788 | Mmmpdp32.exe
1984 | Aqimoc32.exe
1724 | Kkfjpemb.exe
1392 | Ipimic32.exe
568 | Cbfhjfdk.exe
2356 | Iihgadhl.exe
2300 | Ioapnn32.exe
2888 | Ieohfemq.exe
Loads dropped DLL (64 IoCs)
pid | Process
2808 | a69ac023cc46e31aff9170d0c9aa18e6_JC.exe
2808 | a69ac023cc46e31aff9170d0c9aa18e6_JC.exe
2612 | Goocenaa.exe
2612 | Goocenaa.exe
2664 | Lfkfkopk.exe
2664 | Lfkfkopk.exe
2500 | Bphaglgo.exe
2500 | Bphaglgo.exe
2344 | Ccpqjfnh.exe
2344 | Ccpqjfnh.exe
2696 | Cenmfbml.exe
2696 | Cenmfbml.exe
2844 | Cniajdkg.exe
2844 | Cniajdkg.exe
1832 | Chabmm32.exe
1832 | Chabmm32.exe
1044 | Cjboeenh.exe
1044 | Cjboeenh.exe
1280 | Dgildi32.exe
1280 | Dgildi32.exe
1164 | Dleelp32.exe
1164 | Dleelp32.exe
368 | Djjeedhp.exe
368 | Djjeedhp.exe
308 | Djlbkcfn.exe
308 | Djlbkcfn.exe
2092 | Dcdfdi32.exe
2092 | Dcdfdi32.exe
2272 | Eokgij32.exe
2272 | Eokgij32.exe
2584 | Ekbhnkhf.exe
2584 | Ekbhnkhf.exe
1516 | Enbapf32.exe
1516 | Enbapf32.exe
444 | Fcdbcloi.exe
444 | Fcdbcloi.exe
1976 | Fjnkpf32.exe
1976 | Fjnkpf32.exe
940 | Fjqhef32.exe
940 | Fjqhef32.exe
2872 | Ffghjg32.exe
2872 | Ffghjg32.exe
1000 | Fldabn32.exe
1000 | Fldabn32.exe
2164 | Ffiepg32.exe
2164 | Ffiepg32.exe
1504 | Ghmnmo32.exe
1504 | Ghmnmo32.exe
2676 | Ghpkbn32.exe
2676 | Ghpkbn32.exe
2176 | Gecklbih.exe
2176 | Gecklbih.exe
2044 | Gjpddigo.exe
2044 | Gjpddigo.exe
1696 | Gpoibp32.exe
1696 | Gpoibp32.exe
3008 | Gpafgp32.exe
3008 | Gpafgp32.exe
3024 | Hhogaamj.exe
3024 | Hhogaamj.exe
2540 | Hoipnl32.exe
2540 | Hoipnl32.exe
2536 | Heedqe32.exe
2536 | Heedqe32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Qdhqpe32.exe | Kmfklepl.exe
File opened for modification | C:\Windows\SysWOW64\Ipimic32.exe | Kkfjpemb.exe
File opened for modification | C:\Windows\SysWOW64\Ncpjnahm.exe | Nlfaag32.exe
File created | C:\Windows\SysWOW64\Abopnhlp.dll | Foeqlo32.exe
File created | C:\Windows\SysWOW64\Bbjkmi32.dll | Chabmm32.exe
File created | C:\Windows\SysWOW64\Jneoojeb.exe | Jdmjfe32.exe
File created | C:\Windows\SysWOW64\Ecppoc32.exe | Ejgkfn32.exe
File created | C:\Windows\SysWOW64\Lalpelfm.dll | Gojfeb32.exe
File created | C:\Windows\SysWOW64\Feqkhl32.dll | Holcka32.exe
File opened for modification | C:\Windows\SysWOW64\Dcdfdi32.exe | Djlbkcfn.exe
File opened for modification | C:\Windows\SysWOW64\Khkmba32.exe | Kldlmqml.exe
File created | C:\Windows\SysWOW64\Fmppfa32.dll | Koifob32.exe
File created | C:\Windows\SysWOW64\Mjcieb32.dll | Nmaialjp.exe
File opened for modification | C:\Windows\SysWOW64\Hjggnp32.exe | Ncjgao32.exe
File opened for modification | C:\Windows\SysWOW64\Dgildi32.exe | Cjboeenh.exe
File opened for modification | C:\Windows\SysWOW64\Ibqmen32.exe | Ikiedq32.exe
File created | C:\Windows\SysWOW64\Ikiedq32.exe | Iihhmhng.exe
File created | C:\Windows\SysWOW64\Bpfaodaa.dll | Ndlanf32.exe
File created | C:\Windows\SysWOW64\Eqfcpb32.dll | Odiagj32.exe
File created | C:\Windows\SysWOW64\Neomleaq.dll | Oijbkpqm.exe
File created | C:\Windows\SysWOW64\Opghmjfg.exe | Oimpppoj.exe
File created | C:\Windows\SysWOW64\Foeqlo32.exe | Fblcaohd.exe
File created | C:\Windows\SysWOW64\Kmabqf32.exe | Kgdiho32.exe
File created | C:\Windows\SysWOW64\Nflidmic.exe | Mlcekgbb.exe
File opened for modification | C:\Windows\SysWOW64\Dleelp32.exe | Dgildi32.exe
File opened for modification | C:\Windows\SysWOW64\Dlpbpa32.exe | Diaecf32.exe
File opened for modification | C:\Windows\SysWOW64\Jpkgggnh.exe | Jaejfj32.exe
File opened for modification | C:\Windows\SysWOW64\Mppiod32.exe | Lfhdeoqh.exe
File created | C:\Windows\SysWOW64\Bfhnmiii.exe | Bciaqnje.exe
File opened for modification | C:\Windows\SysWOW64\Glfqngom.exe | Gclopbjo.exe
File created | C:\Windows\SysWOW64\Hhbkngpl.exe | Hecnblah.exe
File created | C:\Windows\SysWOW64\Pdcgpi32.dll | Iihgadhl.exe
File opened for modification | C:\Windows\SysWOW64\Jnlhbb32.exe | Ihopjl32.exe
File created | C:\Windows\SysWOW64\Nogjbbma.exe | Ncpjnahm.exe
File created | C:\Windows\SysWOW64\Imgljkbm.dll | Pngcnpkg.exe
File created | C:\Windows\SysWOW64\Inhoegqc.exe | Igngim32.exe
File opened for modification | C:\Windows\SysWOW64\Kdfmlc32.exe | Kmoekf32.exe
File opened for modification | C:\Windows\SysWOW64\Kqmnadlk.exe | Kmabqf32.exe
File created | C:\Windows\SysWOW64\Lelmei32.exe | Lmjbphod.exe
File created | C:\Windows\SysWOW64\Bdogceln.exe | Bcnklm32.exe
File opened for modification | C:\Windows\SysWOW64\Eioemj32.exe | Edbmec32.exe
File opened for modification | C:\Windows\SysWOW64\Cenmfbml.exe | Ccpqjfnh.exe
File created | C:\Windows\SysWOW64\Jopbnn32.exe | Icdhnn32.exe
File created | C:\Windows\SysWOW64\Omaepoml.exe | Odiagj32.exe
File opened for modification | C:\Windows\SysWOW64\Gpafgp32.exe | Gpoibp32.exe
File opened for modification | C:\Windows\SysWOW64\Kkfjpemb.exe | Aqimoc32.exe
File created | C:\Windows\SysWOW64\Jkpfcnoe.exe | Jchobqnc.exe
File created | C:\Windows\SysWOW64\Adkbiook.dll | Pacbel32.exe
File opened for modification | C:\Windows\SysWOW64\Lgcooh32.exe | Ecnbpcje.exe
File created | C:\Windows\SysWOW64\Lfanfg32.dll | Mgkncfdc.exe
File opened for modification | C:\Windows\SysWOW64\Dfoplkel.exe | Dqagddge.exe
File opened for modification | C:\Windows\SysWOW64\Chabmm32.exe | Cniajdkg.exe
File created | C:\Windows\SysWOW64\Iaehne32.dll | Heedqe32.exe
File created | C:\Windows\SysWOW64\Aqimoc32.exe | Mmmpdp32.exe
File created | C:\Windows\SysWOW64\Cinelbbc.dll | Pejejkhl.exe
File created | C:\Windows\SysWOW64\Cbgandnk.dll | Ibqmen32.exe
File created | C:\Windows\SysWOW64\Lmhjlj32.exe | Kdmehh32.exe
File opened for modification | C:\Windows\SysWOW64\Piaiko32.exe | Poldnf32.exe
File opened for modification | C:\Windows\SysWOW64\Opkcpndm.exe | Hmecjk32.exe
File opened for modification | C:\Windows\SysWOW64\Bphaglgo.exe | Lfkfkopk.exe
File created | C:\Windows\SysWOW64\Dabniqgg.dll | Cjboeenh.exe
File created | C:\Windows\SysWOW64\Holcka32.exe | Hhbkngpl.exe
File created | C:\Windows\SysWOW64\Clgmka32.dll | Ieohfemq.exe
File created | C:\Windows\SysWOW64\Kknkncbl.exe | Jnogakma.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mgdpnqfn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ggldlpoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dcdfdi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Idmnga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ipimic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kldlmqml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieeidi32.dll" | Mnlkdk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ioibde32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ccpqjfnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pjdeaohb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bldbococ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cobkja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqcfeo32.dll" | Efeblnbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hmecjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dnlafm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Efeblnbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cjboeenh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Heedqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qdhqpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapkfp32.dll" | Mgdpnqfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odkjhonl.dll" | Oeobfgak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Elbkddpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oehmamnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hienhqkm.dll" | Bkiopock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jjnlikic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kgdiho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jfkdik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pppihdha.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Makhlkel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idblbjen.dll" | Bdddpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ioapnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oncndnlq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oeobfgak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdenj32.dll" | Pfjbdn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oimpppoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hjggnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcean32.dll" | Fklaqp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hjmjln32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fjqhef32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ffiepg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieamnan.dll" | Kldlmqml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoopnc.dll" | Iiablido.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kknkncbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkccjcbp.dll" | Ifckaodd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lmhjlj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dqagddge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iolojejd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifhdlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iodlcnmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mlcekgbb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifckaodd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcijqgo.dll" | Iodlcnmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jjdcdjcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nmmgafjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgnmi32.dll" | Oimpppoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ioibde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfgajna.dll" | Imppciin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpief32.dll" | Jopbnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhmkjd.dll" | Kmfklepl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nofnglhg.dll" | Nkmkgc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ppkahi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chmpicbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ogncddpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dlpbpa32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2808 wrote to memory of 2612 | 2808 | a69ac023cc46e31aff9170d0c9aa18e6_JC.exe | 29
PID 2808 wrote to memory of 2612 | 2808 | a69ac023cc46e31aff9170d0c9aa18e6_JC.exe | 29
PID 2808 wrote to memory of 2612 | 2808 | a69ac023cc46e31aff9170d0c9aa18e6_JC.exe | 29
PID 2808 wrote to memory of 2612 | 2808 | a69ac023cc46e31aff9170d0c9aa18e6_JC.exe | 29
PID 2612 wrote to memory of 2664 | 2612 | Goocenaa.exe | 30
PID 2612 wrote to memory of 2664 | 2612 | Goocenaa.exe | 30
PID 2612 wrote to memory of 2664 | 2612 | Goocenaa.exe | 30
PID 2612 wrote to memory of 2664 | 2612 | Goocenaa.exe | 30
PID 2664 wrote to memory of 2500 | 2664 | Lfkfkopk.exe | 31
PID 2664 wrote to memory of 2500 | 2664 | Lfkfkopk.exe | 31
PID 2664 wrote to memory of 2500 | 2664 | Lfkfkopk.exe | 31
PID 2664 wrote to memory of 2500 | 2664 | Lfkfkopk.exe | 31
PID 2500 wrote to memory of 2344 | 2500 | Bphaglgo.exe | 32
PID 2500 wrote to memory of 2344 | 2500 | Bphaglgo.exe | 32
PID 2500 wrote to memory of 2344 | 2500 | Bphaglgo.exe | 32
PID 2500 wrote to memory of 2344 | 2500 | Bphaglgo.exe | 32
PID 2344 wrote to memory of 2696 | 2344 | Ccpqjfnh.exe | 34
PID 2344 wrote to memory of 2696 | 2344 | Ccpqjfnh.exe | 34
PID 2344 wrote to memory of 2696 | 2344 | Ccpqjfnh.exe | 34
PID 2344 wrote to memory of 2696 | 2344 | Ccpqjfnh.exe | 34
PID 2696 wrote to memory of 2844 | 2696 | Cenmfbml.exe | 33
PID 2696 wrote to memory of 2844 | 2696 | Cenmfbml.exe | 33
PID 2696 wrote to memory of 2844 | 2696 | Cenmfbml.exe | 33
PID 2696 wrote to memory of 2844 | 2696 | Cenmfbml.exe | 33
PID 2844 wrote to memory of 1832 | 2844 | Cniajdkg.exe | 35
PID 2844 wrote to memory of 1832 | 2844 | Cniajdkg.exe | 35
PID 2844 wrote to memory of 1832 | 2844 | Cniajdkg.exe | 35
PID 2844 wrote to memory of 1832 | 2844 | Cniajdkg.exe | 35
PID 1832 wrote to memory of 1044 | 1832 | Chabmm32.exe | 36
PID 1832 wrote to memory of 1044 | 1832 | Chabmm32.exe | 36
PID 1832 wrote to memory of 1044 | 1832 | Chabmm32.exe | 36
PID 1832 wrote to memory of 1044 | 1832 | Chabmm32.exe | 36
PID 1044 wrote to memory of 1280 | 1044 | Cjboeenh.exe | 37
PID 1044 wrote to memory of 1280 | 1044 | Cjboeenh.exe | 37
PID 1044 wrote to memory of 1280 | 1044 | Cjboeenh.exe | 37
PID 1044 wrote to memory of 1280 | 1044 | Cjboeenh.exe | 37
PID 1280 wrote to memory of 1164 | 1280 | Dgildi32.exe | 38
PID 1280 wrote to memory of 1164 | 1280 | Dgildi32.exe | 38
PID 1280 wrote to memory of 1164 | 1280 | Dgildi32.exe | 38
PID 1280 wrote to memory of 1164 | 1280 | Dgildi32.exe | 38
PID 1164 wrote to memory of 368 | 1164 | Dleelp32.exe | 39
PID 1164 wrote to memory of 368 | 1164 | Dleelp32.exe | 39
PID 1164 wrote to memory of 368 | 1164 | Dleelp32.exe | 39
PID 1164 wrote to memory of 368 | 1164 | Dleelp32.exe | 39
PID 368 wrote to memory of 308 | 368 | Djjeedhp.exe | 40
PID 368 wrote to memory of 308 | 368 | Djjeedhp.exe | 40
PID 368 wrote to memory of 308 | 368 | Djjeedhp.exe | 40
PID 368 wrote to memory of 308 | 368 | Djjeedhp.exe | 40
PID 308 wrote to memory of 2092 | 308 | Djlbkcfn.exe | 41
PID 308 wrote to memory of 2092 | 308 | Djlbkcfn.exe | 41
PID 308 wrote to memory of 2092 | 308 | Djlbkcfn.exe | 41
PID 308 wrote to memory of 2092 | 308 | Djlbkcfn.exe | 41
PID 2092 wrote to memory of 2272 | 2092 | Dcdfdi32.exe | 42
PID 2092 wrote to memory of 2272 | 2092 | Dcdfdi32.exe | 42
PID 2092 wrote to memory of 2272 | 2092 | Dcdfdi32.exe | 42
PID 2092 wrote to memory of 2272 | 2092 | Dcdfdi32.exe | 42
PID 2272 wrote to memory of 2584 | 2272 | Eokgij32.exe | 43
PID 2272 wrote to memory of 2584 | 2272 | Eokgij32.exe | 43
PID 2272 wrote to memory of 2584 | 2272 | Eokgij32.exe | 43
PID 2272 wrote to memory of 2584 | 2272 | Eokgij32.exe | 43
PID 2584 wrote to memory of 1516 | 2584 | Ekbhnkhf.exe | 44
PID 2584 wrote to memory of 1516 | 2584 | Ekbhnkhf.exe | 44
PID 2584 wrote to memory of 1516 | 2584 | Ekbhnkhf.exe | 44
PID 2584 wrote to memory of 1516 | 2584 | Ekbhnkhf.exe | 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a69ac023cc46e31aff9170d0c9aa18e6_JC.exe"C:\Users\Admin\AppData\Local\Temp\a69ac023cc46e31aff9170d0c9aa18e6_JC.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Goocenaa.exe "C:\Windows\system32\Goocenaa.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Lfkfkopk.exe "C:\Windows\system32\Lfkfkopk.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Bphaglgo.exe "C:\Windows\system32\Bphaglgo.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Ccpqjfnh.exe "C:\Windows\system32\Ccpqjfnh.exe" 5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Cenmfbml.exe "C:\Windows\system32\Cenmfbml.exe" 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696
-
C:\Windows\SysWOW64\Cniajdkg.exe "C:\Windows\system32\Cniajdkg.exe" 1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Chabmm32.exe "C:\Windows\system32\Chabmm32.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Cjboeenh.exe "C:\Windows\system32\Cjboeenh.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Dgildi32.exe "C:\Windows\system32\Dgildi32.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Dleelp32.exe "C:\Windows\system32\Dleelp32.exe" 5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Djjeedhp.exe "C:\Windows\system32\Djjeedhp.exe" 6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Djlbkcfn.exe "C:\Windows\system32\Djlbkcfn.exe" 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Dcdfdi32.exe "C:\Windows\system32\Dcdfdi32.exe" 8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Eokgij32.exe "C:\Windows\system32\Eokgij32.exe" 9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Ekbhnkhf.exe "C:\Windows\system32\Ekbhnkhf.exe" 10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Enbapf32.exe "C:\Windows\system32\Enbapf32.exe" 11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Fcdbcloi.exe "C:\Windows\system32\Fcdbcloi.exe" 12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Fjnkpf32.exe "C:\Windows\system32\Fjnkpf32.exe" 13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Fjqhef32.exe "C:\Windows\system32\Fjqhef32.exe" 14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Ffghjg32.exe "C:\Windows\system32\Ffghjg32.exe" 15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2872
-
C:\Windows\SysWOW64\Bjamhh32.exe "C:\Windows\system32\Bjamhh32.exe" 14⤵ PID:1340
-
C:\Windows\SysWOW64\Bpkedbka.exe "C:\Windows\system32\Bpkedbka.exe" 15⤵ PID:1736
-
C:\Windows\SysWOW64\Bciaqnje.exe "C:\Windows\system32\Bciaqnje.exe" 16⤵
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Bfhnmiii.exe "C:\Windows\system32\Bfhnmiii.exe" 17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Bldbococ.exe "C:\Windows\system32\Bldbococ.exe" 18⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Bcnklm32.exe "C:\Windows\system32\Bcnklm32.exe" 19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2384 -
C:\Windows\SysWOW64\Bdogceln.exe "C:\Windows\system32\Bdogceln.exe" 20⤵ PID:1604
-
C:\Windows\SysWOW64\Bkiopock.exe "C:\Windows\system32\Bkiopock.exe" 21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Cbcgmi32.exe "C:\Windows\system32\Cbcgmi32.exe" 22⤵ PID:2936
-
C:\Windows\SysWOW64\Chmpicbd.exe "C:\Windows\system32\Chmpicbd.exe" 23⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Cqhdnfpp.exe "C:\Windows\system32\Cqhdnfpp.exe" 24⤵ PID:2676
-
C:\Windows\SysWOW64\Cggffocg.exe "C:\Windows\system32\Cggffocg.exe" 25⤵ PID:1692
-
C:\Windows\SysWOW64\Cjebbkbk.exe "C:\Windows\system32\Cjebbkbk.exe" 26⤵ PID:2460
-
C:\Windows\SysWOW64\Cobkja32.exe "C:\Windows\system32\Cobkja32.exe" 27⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Cflcglho.exe "C:\Windows\system32\Cflcglho.exe" 28⤵ PID:1640
-
C:\Windows\SysWOW64\Dqagddge.exe "C:\Windows\system32\Dqagddge.exe" 29⤵
- Drops file in System32 directory
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Dfoplkel.exe "C:\Windows\system32\Dfoplkel.exe" 30⤵ PID:1048
-
C:\Windows\SysWOW64\Dmkeoekf.exe "C:\Windows\system32\Dmkeoekf.exe" 31⤵ PID:1840
-
C:\Windows\SysWOW64\Dnlafm32.exe "C:\Windows\system32\Dnlafm32.exe" 32⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Diaecf32.exe "C:\Windows\system32\Diaecf32.exe" 33⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Dlpbpa32.exe "C:\Windows\system32\Dlpbpa32.exe" 34⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Dblgbk32.exe "C:\Windows\system32\Dblgbk32.exe" 35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Ecncjckf.exe "C:\Windows\system32\Ecncjckf.exe" 36⤵ PID:1744
-
C:\Windows\SysWOW64\Ejgkfn32.exe "C:\Windows\system32\Ejgkfn32.exe" 37⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Ecppoc32.exe "C:\Windows\system32\Ecppoc32.exe" 38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Emhdhipd.exe "C:\Windows\system32\Emhdhipd.exe" 39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Edbmec32.exe "C:\Windows\system32\Edbmec32.exe" 40⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Eioemj32.exe "C:\Windows\system32\Eioemj32.exe" 41⤵ PID:2996
-
C:\Windows\SysWOW64\Ebgifo32.exe "C:\Windows\system32\Ebgifo32.exe" 42⤵ PID:3028
-
C:\Windows\SysWOW64\Eiabbicf.exe "C:\Windows\system32\Eiabbicf.exe" 43⤵ PID:1500
-
C:\Windows\SysWOW64\Epkjoc32.exe "C:\Windows\system32\Epkjoc32.exe" 44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Efeblnbp.exe "C:\Windows\system32\Efeblnbp.exe" 45⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Elbkddpg.exe "C:\Windows\system32\Elbkddpg.exe" 46⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Fblcaohd.exe "C:\Windows\system32\Fblcaohd.exe" 47⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Foeqlo32.exe "C:\Windows\system32\Foeqlo32.exe" 48⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Feoihi32.exe "C:\Windows\system32\Feoihi32.exe" 49⤵ PID:2208
-
C:\Windows\SysWOW64\Fhnede32.exe "C:\Windows\system32\Fhnede32.exe" 50⤵ PID:2948
-
C:\Windows\SysWOW64\Fklaqp32.exe "C:\Windows\system32\Fklaqp32.exe" 51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Fgcbeagn.exe "C:\Windows\system32\Fgcbeagn.exe" 52⤵ PID:2984
-
C:\Windows\SysWOW64\Fmmjbk32.exe "C:\Windows\system32\Fmmjbk32.exe" 53⤵ PID:2252
-
C:\Windows\SysWOW64\Fldabn32.exe "C:\Windows\system32\Fldabn32.exe" 1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Ffiepg32.exe "C:\Windows\system32\Ffiepg32.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Ghmnmo32.exe "C:\Windows\system32\Ghmnmo32.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Ghpkbn32.exe "C:\Windows\system32\Ghpkbn32.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Gecklbih.exe "C:\Windows\system32\Gecklbih.exe" 5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Gjpddigo.exe "C:\Windows\system32\Gjpddigo.exe" 6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Gpoibp32.exe "C:\Windows\system32\Gpoibp32.exe" 7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Gpafgp32.exe "C:\Windows\system32\Gpafgp32.exe" 8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Hhogaamj.exe "C:\Windows\system32\Hhogaamj.exe" 9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Hoipnl32.exe "C:\Windows\system32\Hoipnl32.exe" 10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Heedqe32.exe "C:\Windows\system32\Heedqe32.exe" 11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Hehafe32.exe "C:\Windows\system32\Hehafe32.exe" 12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Iaobkf32.exe "C:\Windows\system32\Iaobkf32.exe" 13⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Idmnga32.exe "C:\Windows\system32\Idmnga32.exe" 14⤵
- Executes dropped EXE
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Idokma32.exe "C:\Windows\system32\Idokma32.exe" 15⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Igngim32.exe "C:\Windows\system32\Igngim32.exe" 16⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1344 -
C:\Windows\SysWOW64\Inhoegqc.exe "C:\Windows\system32\Inhoegqc.exe" 17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Icdhnn32.exe "C:\Windows\system32\Icdhnn32.exe" 18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Jopbnn32.exe "C:\Windows\system32\Jopbnn32.exe" 19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Jdmjfe32.exe "C:\Windows\system32\Jdmjfe32.exe" 20⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Jneoojeb.exe "C:\Windows\system32\Jneoojeb.exe" 21⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Jjnlikic.exe "C:\Windows\system32\Jjnlikic.exe" 22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Jqhdfe32.exe "C:\Windows\system32\Jqhdfe32.exe" 23⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Jcgqbq32.exe "C:\Windows\system32\Jcgqbq32.exe" 24⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Jknicnpf.exe "C:\Windows\system32\Jknicnpf.exe" 25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Kmoekf32.exe "C:\Windows\system32\Kmoekf32.exe" 26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Kdfmlc32.exe "C:\Windows\system32\Kdfmlc32.exe" 27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Kgdiho32.exe "C:\Windows\system32\Kgdiho32.exe" 28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Kmabqf32.exe "C:\Windows\system32\Kmabqf32.exe" 29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Kqmnadlk.exe "C:\Windows\system32\Kqmnadlk.exe" 30⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Kggfnoch.exe "C:\Windows\system32\Kggfnoch.exe" 31⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Kqokgd32.exe "C:\Windows\system32\Kqokgd32.exe" 32⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Kmfklepl.exe "C:\Windows\system32\Kmfklepl.exe" 33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Qdhqpe32.exe "C:\Windows\system32\Qdhqpe32.exe" 34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Dpofpg32.exe "C:\Windows\system32\Dpofpg32.exe" 35⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Joenaf32.exe "C:\Windows\system32\Joenaf32.exe" 36⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Mmmpdp32.exe "C:\Windows\system32\Mmmpdp32.exe" 37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Aqimoc32.exe "C:\Windows\system32\Aqimoc32.exe" 38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Kkfjpemb.exe "C:\Windows\system32\Kkfjpemb.exe" 39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Ipimic32.exe "C:\Windows\system32\Ipimic32.exe" 40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Cbfhjfdk.exe "C:\Windows\system32\Cbfhjfdk.exe" 41⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Iihgadhl.exe "C:\Windows\system32\Iihgadhl.exe" 42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Ioapnn32.exe "C:\Windows\system32\Ioapnn32.exe" 43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Ieohfemq.exe "C:\Windows\system32\Ieohfemq.exe" 44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Iodlcnmf.exe "C:\Windows\system32\Iodlcnmf.exe" 45⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Ibbioilj.exe "C:\Windows\system32\Ibbioilj.exe" 46⤵ PID:1808
-
C:\Windows\SysWOW64\Igoagpja.exe "C:\Windows\system32\Igoagpja.exe" 47⤵ PID:2284
-
C:\Windows\SysWOW64\Jchobqnc.exe "C:\Windows\system32\Jchobqnc.exe" 48⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Jkpfcnoe.exe "C:\Windows\system32\Jkpfcnoe.exe" 49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Jnncoini.exe "C:\Windows\system32\Jnncoini.exe" 50⤵ PID:904
-
C:\Windows\SysWOW64\Jehklc32.exe "C:\Windows\system32\Jehklc32.exe" 51⤵ PID:1980
-
C:\Windows\SysWOW64\Jjdcdjcm.exe "C:\Windows\system32\Jjdcdjcm.exe" 52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Jfkdik32.exe "C:\Windows\system32\Jfkdik32.exe" 53⤵
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Jmelfeqn.exe "C:\Windows\system32\Jmelfeqn.exe" 54⤵ PID:2448
-
C:\Windows\SysWOW64\Jilmkffb.exe "C:\Windows\system32\Jilmkffb.exe" 55⤵ PID:1048
-
C:\Windows\SysWOW64\Jpfehq32.exe "C:\Windows\system32\Jpfehq32.exe" 56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Jecnpg32.exe "C:\Windows\system32\Jecnpg32.exe" 57⤵ PID:2680
-
C:\Windows\SysWOW64\Kmjfae32.exe "C:\Windows\system32\Kmjfae32.exe" 58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2624 -
C:\Windows\SysWOW64\Klocba32.exe "C:\Windows\system32\Klocba32.exe" 59⤵ PID:928
-
C:\Windows\SysWOW64\Kjdpcnfi.exe "C:\Windows\system32\Kjdpcnfi.exe" 60⤵ PID:2952
-
C:\Windows\SysWOW64\Kdmdlc32.exe "C:\Windows\system32\Kdmdlc32.exe" 61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Kldlmqml.exe "C:\Windows\system32\Kldlmqml.exe" 62⤵
- Drops file in System32 directory
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Khkmba32.exe "C:\Windows\system32\Khkmba32.exe" 63⤵ PID:1760
-
C:\Windows\SysWOW64\Lpfagd32.exe "C:\Windows\system32\Lpfagd32.exe" 64⤵ PID:2684
-
C:\Windows\SysWOW64\Lmjbphod.exe "C:\Windows\system32\Lmjbphod.exe" 65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Lelmei32.exe "C:\Windows\system32\Lelmei32.exe" 66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Meojkide.exe "C:\Windows\system32\Meojkide.exe" 67⤵ PID:1036
-
C:\Windows\SysWOW64\Mdajff32.exe "C:\Windows\system32\Mdajff32.exe" 68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884 -
C:\Windows\SysWOW64\Mognco32.exe "C:\Windows\system32\Mognco32.exe" 69⤵ PID:2420
-
C:\Windows\SysWOW64\Mhobldaf.exe "C:\Windows\system32\Mhobldaf.exe" 70⤵ PID:1560
-
C:\Windows\SysWOW64\Mnlkdk32.exe "C:\Windows\system32\Mnlkdk32.exe" 71⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Mgdpnqfn.exe "C:\Windows\system32\Mgdpnqfn.exe" 72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Mdhpgeeg.exe "C:\Windows\system32\Mdhpgeeg.exe" 73⤵ PID:1012
-
C:\Windows\SysWOW64\Mlcekgbb.exe "C:\Windows\system32\Mlcekgbb.exe" 74⤵
- Drops file in System32 directory
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Nflidmic.exe "C:\Windows\system32\Nflidmic.exe" 75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Nlfaag32.exe "C:\Windows\system32\Nlfaag32.exe" 76⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Ncpjnahm.exe "C:\Windows\system32\Ncpjnahm.exe" 77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Nogjbbma.exe "C:\Windows\system32\Nogjbbma.exe" 78⤵ PID:1788
-
C:\Windows\SysWOW64\Nkmkgc32.exe "C:\Windows\system32\Nkmkgc32.exe" 79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Nmmgafjh.exe "C:\Windows\system32\Nmmgafjh.exe" 80⤵
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Nidhfgpl.exe "C:\Windows\system32\Nidhfgpl.exe" 81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Nonqca32.exe "C:\Windows\system32\Nonqca32.exe" 82⤵ PID:2976
-
C:\Windows\SysWOW64\Oncndnlq.exe "C:\Windows\system32\Oncndnlq.exe" 83⤵
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Oemfahcn.exe "C:\Windows\system32\Oemfahcn.exe" 84⤵ PID:2180
-
C:\Windows\SysWOW64\Oeobfgak.exe "C:\Windows\system32\Oeobfgak.exe" 85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Ogpkhb32.exe "C:\Windows\system32\Ogpkhb32.exe" 86⤵ PID:2668
-
C:\Windows\SysWOW64\Ommdqi32.exe "C:\Windows\system32\Ommdqi32.exe" 87⤵ PID:2428
-
C:\Windows\SysWOW64\Ocglmcdp.exe "C:\Windows\system32\Ocglmcdp.exe" 88⤵ PID:2820
-
C:\Windows\SysWOW64\Picdejbg.exe "C:\Windows\system32\Picdejbg.exe" 89⤵ PID:2620
-
C:\Windows\SysWOW64\Pejejkhl.exe "C:\Windows\system32\Pejejkhl.exe" 90⤵
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Pppihdha.exe "C:\Windows\system32\Pppihdha.exe" 91⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Pfjbdn32.exe "C:\Windows\system32\Pfjbdn32.exe" 92⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Plfjme32.exe "C:\Windows\system32\Plfjme32.exe" 93⤵ PID:2696
-
C:\Windows\SysWOW64\Pacbel32.exe "C:\Windows\system32\Pacbel32.exe" 94⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Pngcnpkg.exe "C:\Windows\system32\Pngcnpkg.exe" 95⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Pafpjljk.exe "C:\Windows\system32\Pafpjljk.exe" 96⤵ PID:1000
-
C:\Windows\SysWOW64\Pmmppm32.exe "C:\Windows\system32\Pmmppm32.exe" 97⤵ PID:2368
-
C:\Windows\SysWOW64\Iogkaf32.exe "C:\Windows\system32\Iogkaf32.exe" 98⤵ PID:1416
-
C:\Windows\SysWOW64\Ihopjl32.exe "C:\Windows\system32\Ihopjl32.exe" 99⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Jnlhbb32.exe "C:\Windows\system32\Jnlhbb32.exe" 100⤵ PID:1868
-
C:\Windows\SysWOW64\Ecnbpcje.exe "C:\Windows\system32\Ecnbpcje.exe" 101⤵
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Lgcooh32.exe "C:\Windows\system32\Lgcooh32.exe" 102⤵ PID:1112
-
C:\Windows\SysWOW64\Llojpghe.exe "C:\Windows\system32\Llojpghe.exe" 103⤵ PID:2084
-
C:\Windows\SysWOW64\Ceeibbgn.exe "C:\Windows\system32\Ceeibbgn.exe" 104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Iiablido.exe "C:\Windows\system32\Iiablido.exe" 105⤵
- Modifies registry class
PID:1200 -
C:\Windows\SysWOW64\Ilpohecc.exe "C:\Windows\system32\Ilpohecc.exe" 106⤵ PID:2104
-
C:\Windows\SysWOW64\Iihhmhng.exe "C:\Windows\system32\Iihhmhng.exe" 107⤵
- Drops file in System32 directory
PID:344 -
C:\Windows\SysWOW64\Ikiedq32.exe "C:\Windows\system32\Ikiedq32.exe" 108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Ibqmen32.exe "C:\Windows\system32\Ibqmen32.exe" 109⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Iacmakkb.exe "C:\Windows\system32\Iacmakkb.exe" 110⤵ PID:2024
-
C:\Windows\SysWOW64\Jaejfj32.exe "C:\Windows\system32\Jaejfj32.exe" 111⤵
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Jpkgggnh.exe "C:\Windows\system32\Jpkgggnh.exe" 112⤵ PID:2604
-
C:\Windows\SysWOW64\Jnogakma.exe "C:\Windows\system32\Jnogakma.exe" 113⤵
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Kknkncbl.exe "C:\Windows\system32\Kknkncbl.exe" 114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Koifob32.exe "C:\Windows\system32\Koifob32.exe" 115⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Kbhckm32.exe "C:\Windows\system32\Kbhckm32.exe" 116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:604 -
C:\Windows\SysWOW64\Knocpn32.exe "C:\Windows\system32\Knocpn32.exe" 117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:920 -
C:\Windows\SysWOW64\Konpjafp.exe "C:\Windows\system32\Konpjafp.exe" 118⤵ PID:1744
-
C:\Windows\SysWOW64\Kqomai32.exe "C:\Windows\system32\Kqomai32.exe" 119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Kkeqobld.exe "C:\Windows\system32\Kkeqobld.exe" 120⤵ PID:2136
-
C:\Windows\SysWOW64\Kdmehh32.exe "C:\Windows\system32\Kdmehh32.exe" 121⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Lmhjlj32.exe "C:\Windows\system32\Lmhjlj32.exe" 122⤵
- Modifies registry class
PID:2300
-