Analysis
-
max time kernel
15s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
28-03-2024 20:58
Static task
static1
Behavioral task
behavioral1
Sample
64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe
Resource
win10v2004-20240226-en
General
-
Target
64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe
-
Size
385KB
-
MD5
f2f700c128a3c5589b7459f8af0fe2f8
-
SHA1
92dba089607dcfcf7e5fcec5929b3bd07db2ceae
-
SHA256
64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe
-
SHA512
52a0ce1ad18775bb2795da5e81812b410c5a393dfbea08e57fc0deec55cc2a33bdf7dea16d2ddf4584f372af6e575f3c2f626f5fca297873788a5a0b00cbcd31
-
SSDEEP
12288:RAY7hVE588y59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SL:RAY7hK88y7oWypy7o3y7Ey7oAy7oZyUl
Malware Config
Signatures
-
Adds autorun key (ShellServiceObjectDelayLoad) to be loaded by Explorer.exe on startup — 2 TTPs, 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngneph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qogbdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkofjijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfccei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpjkiogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckahkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkpedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejebk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcnejk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfhil32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aidphq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aboaff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmibgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcpei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfaefd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnnho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgegok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcpei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgbipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poeipifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgjqjjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cikbhc32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbogfcjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmakmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmakmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgopf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npgihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgnfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpqain32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpgconp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qndigd32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeeolig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojojl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekknjcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gngcgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbqoqbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgopf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpjkiogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojhejbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aapemc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcnonob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfemlpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfllkece.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefbga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bplhnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnddn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohidmoaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpjnnki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjqjjll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qinjgbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgegok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cakqgeoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhfoldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohkpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgalndh.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbqoqbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgbipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakllc32.exe -
Detects executables built or packed with the MPress PE compressor — 64 IoCs
resource yara_rule behavioral1/files/0x000d0000000122fa-5.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000f000000015c8a-24.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0033000000015c54-35.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0007000000015cc8-46.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000a000000015db3-59.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016c0e-71.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016c1e-84.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016ca7-97.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016cd0-110.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016ce9-125.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016cf4-139.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d20-158.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d4c-168.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d60-187.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d6d-201.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016fd0-211.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000600000001754d-229.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001867d-240.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000186b4-251.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018afc-261.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/1424-276-0x0000000000220000-0x00000000002AB000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018b25-273.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018b56-283.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018b78-295.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018bac-305.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2212-308-0x0000000000400000-0x000000000048B000-memory.dmp INDICATOR_EXE_Packed_MPress 
behavioral1/files/0x0006000000018f7d-317.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019316-327.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019383-337.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000193b1-348.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001946e-361.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019484-371.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001948a-382.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000194bf-393.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001950f-402.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019576-410.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195a3-418.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195a7-426.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195ab-434.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195af-443.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195b3-450.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195b9-458.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195bf-467.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195c3-474.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001963f-482.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019754-490.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019804-498.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019bf3-509.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019bf1-506.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019d5b-522.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019d66-530.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019fcf-538.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a031-546.dat INDICATOR_EXE_Packed_MPress 
behavioral1/files/0x000500000001a079-554.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a3a7-562.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a3f4-570.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a3fb-578.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a434-586.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a44b-594.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a455-602.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a465-610.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a469-618.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a46d-626.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a471-634.dat INDICATOR_EXE_Packed_MPress -
Executes dropped EXE — 64 IoCs
pid Process 812 Cpmhpbkc.exe 2532 Dahgni32.exe 1148 Egiiapci.exe 2540 Ekknjcfh.exe 2444 Ehoocgeb.exe 2948 Fblmglgm.exe 584 Fjgalndh.exe 2752 Gpkpedmh.exe 2824 Gejebk32.exe 804 Gngcgp32.exe 1120 Hjcmgp32.exe 1240 Hbqoqbho.exe 2728 Iecdhm32.exe 872 Ippbnjni.exe 1676 Jcbhee32.exe 3008 Jfemlpdf.exe 2308 Kkgopf32.exe 2292 Kgbipf32.exe 1632 Lbogfcjc.exe 1424 Lmfhil32.exe 1940 Lpgajgeg.exe 1444 Mmakmp32.exe 2212 Mfllkece.exe 2152 Mfaefd32.exe 1616 Nefbga32.exe 2192 Ndnlnm32.exe 1588 Ngneph32.exe 844 Npgihn32.exe 2652 Olpgconp.exe 2560 Ocllehcj.exe 2624 Ohidmoaa.exe 2412 Oaaifdhb.exe 2956 Poeipifl.exe 2340 Phnnho32.exe 680 Phpjnnki.exe 2800 Pkofjijm.exe 2788 Pqkobqhd.exe 2168 Pgegok32.exe 1636 Pakllc32.exe 1480 Pkcpei32.exe 1272 Pcnejk32.exe 1388 Qgjqjjll.exe 884 Qndigd32.exe 1648 Qoeeolig.exe 1672 Qinjgbpg.exe 2096 Qogbdl32.exe 2104 Ajmfad32.exe 2052 Aojojl32.exe 2056 Afdgfelo.exe 2280 Amnocpdk.exe 1808 Aidphq32.exe 1668 Akcldl32.exe 768 Aapemc32.exe 308 Aboaff32.exe 1460 Akhfoldn.exe 3000 Bmibgd32.exe 1752 Bgnfdm32.exe 1156 Bpjkiogm.exe 2116 Bfccei32.exe 1684 Bplhnoej.exe 2984 Bmphhc32.exe 1688 Bpnddn32.exe 2644 Bigimdjh.exe 1832 Bpqain32.exe -
Loads dropped DLL — 64 IoCs
pid Process 2028 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe 2028 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe 812 Cpmhpbkc.exe 812 Cpmhpbkc.exe 2532 Dahgni32.exe 2532 Dahgni32.exe 1148 Egiiapci.exe 1148 Egiiapci.exe 2540 Ekknjcfh.exe 2540 Ekknjcfh.exe 2444 Ehoocgeb.exe 2444 Ehoocgeb.exe 2948 Fblmglgm.exe 2948 Fblmglgm.exe 584 Fjgalndh.exe 584 Fjgalndh.exe 2752 Gpkpedmh.exe 2752 Gpkpedmh.exe 2824 Gejebk32.exe 2824 Gejebk32.exe 804 Gngcgp32.exe 804 Gngcgp32.exe 1120 Hjcmgp32.exe 1120 Hjcmgp32.exe 1240 Hbqoqbho.exe 1240 Hbqoqbho.exe 2728 Iecdhm32.exe 2728 Iecdhm32.exe 872 Ippbnjni.exe 872 Ippbnjni.exe 1676 Jcbhee32.exe 1676 Jcbhee32.exe 3008 Jfemlpdf.exe 3008 Jfemlpdf.exe 2308 Kkgopf32.exe 2308 Kkgopf32.exe 2292 Kgbipf32.exe 2292 Kgbipf32.exe 1632 Lbogfcjc.exe 1632 Lbogfcjc.exe 1424 Lmfhil32.exe 1424 Lmfhil32.exe 1940 Lpgajgeg.exe 1940 Lpgajgeg.exe 1444 Mmakmp32.exe 1444 Mmakmp32.exe 2212 Mfllkece.exe 2212 Mfllkece.exe 2152 Mfaefd32.exe 2152 Mfaefd32.exe 1616 Nefbga32.exe 1616 Nefbga32.exe 2192 Ndnlnm32.exe 2192 Ndnlnm32.exe 1588 Ngneph32.exe 1588 Ngneph32.exe 844 Npgihn32.exe 844 Npgihn32.exe 2652 Olpgconp.exe 2652 Olpgconp.exe 2560 Ocllehcj.exe 2560 Ocllehcj.exe 2624 Ohidmoaa.exe 2624 Ohidmoaa.exe -
Drops file in System32 directory — 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cohkpj32.exe Cikbhc32.exe File created C:\Windows\SysWOW64\Bmphhc32.exe Bplhnoej.exe File created C:\Windows\SysWOW64\Bdclgn32.dll Cikbhc32.exe File opened for modification C:\Windows\SysWOW64\Oaaifdhb.exe Ohidmoaa.exe File opened for modification C:\Windows\SysWOW64\Poeipifl.exe Oaaifdhb.exe File created C:\Windows\SysWOW64\Phpjnnki.exe Phnnho32.exe File created C:\Windows\SysWOW64\Pakllc32.exe Pgegok32.exe File created C:\Windows\SysWOW64\Aapemc32.exe Akcldl32.exe File created C:\Windows\SysWOW64\Opakbgif.dll Cemjae32.exe File created C:\Windows\SysWOW64\Gejebk32.exe Gpkpedmh.exe File created C:\Windows\SysWOW64\Cakqgeoi.exe Ckahkk32.exe File opened for modification C:\Windows\SysWOW64\Aapemc32.exe Akcldl32.exe File opened for modification C:\Windows\SysWOW64\Bmibgd32.exe Akhfoldn.exe File created C:\Windows\SysWOW64\Fjgalndh.exe Fblmglgm.exe File created C:\Windows\SysWOW64\Lmfhil32.exe Lbogfcjc.exe File created C:\Windows\SysWOW64\Clhfpifk.dll Npgihn32.exe File opened for modification C:\Windows\SysWOW64\Cakqgeoi.exe Ckahkk32.exe File created C:\Windows\SysWOW64\Egiiapci.exe Dahgni32.exe File created C:\Windows\SysWOW64\Oaaifdhb.exe Ohidmoaa.exe File created C:\Windows\SysWOW64\Pgegok32.exe Pqkobqhd.exe File created C:\Windows\SysWOW64\Aojojl32.exe Ajmfad32.exe File created C:\Windows\SysWOW64\Bmibgd32.exe Akhfoldn.exe File created C:\Windows\SysWOW64\Ohidmoaa.exe Ocllehcj.exe File opened for modification C:\Windows\SysWOW64\Bigimdjh.exe Bpnddn32.exe File created C:\Windows\SysWOW64\Bqlldigd.dll Mfaefd32.exe File opened for modification C:\Windows\SysWOW64\Olpgconp.exe Npgihn32.exe File created C:\Windows\SysWOW64\Igmkem32.dll Fjgalndh.exe File opened for modification C:\Windows\SysWOW64\Phpjnnki.exe Phnnho32.exe File created C:\Windows\SysWOW64\Kndfop32.dll Pkcpei32.exe File created C:\Windows\SysWOW64\Moijcf32.dll Cpmhpbkc.exe File opened for modification C:\Windows\SysWOW64\Pkcpei32.exe 
Pakllc32.exe File created C:\Windows\SysWOW64\Hgokokhf.dll Pcnejk32.exe File created C:\Windows\SysWOW64\Kkgopf32.exe Jfemlpdf.exe File created C:\Windows\SysWOW64\Afdgfelo.exe Aojojl32.exe File opened for modification C:\Windows\SysWOW64\Afdgfelo.exe Aojojl32.exe File opened for modification C:\Windows\SysWOW64\Qgjqjjll.exe Pcnejk32.exe File opened for modification C:\Windows\SysWOW64\Kgbipf32.exe Kkgopf32.exe File created C:\Windows\SysWOW64\Bnfeag32.dll Bplhnoej.exe File created C:\Windows\SysWOW64\Cemjae32.exe Bpqain32.exe File opened for modification C:\Windows\SysWOW64\Iecdhm32.exe Hbqoqbho.exe File opened for modification C:\Windows\SysWOW64\Jcbhee32.exe Ippbnjni.exe File created C:\Windows\SysWOW64\Jnghnbki.dll Ocllehcj.exe File opened for modification C:\Windows\SysWOW64\Cpcnonob.exe Cemjae32.exe File opened for modification C:\Windows\SysWOW64\Ippbnjni.exe Iecdhm32.exe File opened for modification C:\Windows\SysWOW64\Lbogfcjc.exe Kgbipf32.exe File opened for modification C:\Windows\SysWOW64\Pakllc32.exe Pgegok32.exe File opened for modification C:\Windows\SysWOW64\Qogbdl32.exe Qinjgbpg.exe File opened for modification C:\Windows\SysWOW64\Ekknjcfh.exe Egiiapci.exe File opened for modification C:\Windows\SysWOW64\Ajmfad32.exe Qogbdl32.exe File opened for modification C:\Windows\SysWOW64\Bmphhc32.exe Bplhnoej.exe File created C:\Windows\SysWOW64\Gadgjn32.dll Bmphhc32.exe File created C:\Windows\SysWOW64\Cijcglcj.dll Cdecha32.exe File created C:\Windows\SysWOW64\Fohodj32.dll Gpkpedmh.exe File created C:\Windows\SysWOW64\Pqkobqhd.exe Pkofjijm.exe File created C:\Windows\SysWOW64\Kkidapal.dll Ngneph32.exe File opened for modification C:\Windows\SysWOW64\Jfemlpdf.exe Jcbhee32.exe File created C:\Windows\SysWOW64\Lbogfcjc.exe Kgbipf32.exe File created C:\Windows\SysWOW64\Dahgni32.exe Cpmhpbkc.exe File created C:\Windows\SysWOW64\Gahcqf32.dll Poeipifl.exe File opened for modification C:\Windows\SysWOW64\Ngneph32.exe Ndnlnm32.exe File created 
C:\Windows\SysWOW64\Jfemlpdf.exe Jcbhee32.exe File created C:\Windows\SysWOW64\Npgihn32.exe Ngneph32.exe File opened for modification C:\Windows\SysWOW64\Aidphq32.exe Amnocpdk.exe File created C:\Windows\SysWOW64\Llnigibf.dll Fblmglgm.exe -
Modifies registry class (CLSID InProcServer32 entries) — 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmibgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkldcj32.dll" Pgegok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akhfoldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moijcf32.dll" Cpmhpbkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gngcgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfaefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkacflm.dll" Nefbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocllehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phnnho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkofjijm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgegok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajmfad32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmphhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cikbhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nefbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhfpifk.dll" Npgihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaaifdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceaeh32.dll" Bfccei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fblmglgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qoeeolig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aapemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cemjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binoil32.dll" Qinjgbpg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkhhnnhg.dll" Aidphq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjgop32.dll" Lmfhil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfllkece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpqain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehoocgeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfaefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmhpbkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejebk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgjqjjll.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bigimdjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflpljfn.dll" Ekknjcfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbqoqbho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phnnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmphhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakemm32.dll" Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndnlnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egiiapci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpgajgeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojhejbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nefbga32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfhib32.dll" Qoeeolig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgnma32.dll" Jcbhee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahcqf32.dll" Poeipifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpelefj.dll" Ajmfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qinjgbpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmhpbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkgopf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmfhil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqkobqhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qoeeolig.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfaeb32.dll" Afdgfelo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2028 wrote to memory of 812 2028 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe 28 PID 2028 wrote to memory of 812 2028 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe 28 PID 2028 wrote to memory of 812 2028 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe 28 PID 2028 wrote to memory of 812 2028 64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe 28 PID 812 wrote to memory of 2532 812 Cpmhpbkc.exe 29 PID 812 wrote to memory of 2532 812 Cpmhpbkc.exe 29 PID 812 wrote to memory of 2532 812 Cpmhpbkc.exe 29 PID 812 wrote to memory of 2532 812 Cpmhpbkc.exe 29 PID 2532 wrote to memory of 1148 2532 Dahgni32.exe 30 PID 2532 wrote to memory of 1148 2532 Dahgni32.exe 30 PID 2532 wrote to memory of 1148 2532 Dahgni32.exe 30 PID 2532 wrote to memory of 1148 2532 Dahgni32.exe 30 PID 1148 wrote to memory of 2540 1148 Egiiapci.exe 31 PID 1148 wrote to memory of 2540 1148 Egiiapci.exe 31 PID 1148 wrote to memory of 2540 1148 Egiiapci.exe 31 PID 1148 wrote to memory of 2540 1148 Egiiapci.exe 31 PID 2540 wrote to memory of 2444 2540 Ekknjcfh.exe 32 PID 2540 wrote to memory of 2444 2540 Ekknjcfh.exe 32 PID 2540 wrote to memory of 2444 2540 Ekknjcfh.exe 32 PID 2540 wrote to memory of 2444 2540 Ekknjcfh.exe 32 PID 2444 wrote to memory of 2948 2444 Ehoocgeb.exe 33 PID 2444 wrote to memory of 2948 2444 Ehoocgeb.exe 33 PID 2444 wrote to memory of 2948 2444 Ehoocgeb.exe 33 PID 2444 wrote to memory of 2948 2444 Ehoocgeb.exe 33 PID 2948 wrote to memory of 584 2948 Fblmglgm.exe 34 PID 2948 wrote to memory of 584 2948 Fblmglgm.exe 34 PID 2948 wrote to memory of 584 2948 Fblmglgm.exe 34 PID 2948 wrote to memory of 584 2948 Fblmglgm.exe 34 PID 584 wrote to memory of 2752 584 Fjgalndh.exe 35 PID 584 wrote to memory of 2752 584 Fjgalndh.exe 35 PID 584 wrote to memory of 2752 584 Fjgalndh.exe 35 PID 584 wrote to memory of 2752 584 Fjgalndh.exe 35 PID 2752 wrote to memory of 2824 
2752 Gpkpedmh.exe 36 PID 2752 wrote to memory of 2824 2752 Gpkpedmh.exe 36 PID 2752 wrote to memory of 2824 2752 Gpkpedmh.exe 36 PID 2752 wrote to memory of 2824 2752 Gpkpedmh.exe 36 PID 2824 wrote to memory of 804 2824 Gejebk32.exe 37 PID 2824 wrote to memory of 804 2824 Gejebk32.exe 37 PID 2824 wrote to memory of 804 2824 Gejebk32.exe 37 PID 2824 wrote to memory of 804 2824 Gejebk32.exe 37 PID 804 wrote to memory of 1120 804 Gngcgp32.exe 38 PID 804 wrote to memory of 1120 804 Gngcgp32.exe 38 PID 804 wrote to memory of 1120 804 Gngcgp32.exe 38 PID 804 wrote to memory of 1120 804 Gngcgp32.exe 38 PID 1120 wrote to memory of 1240 1120 Hjcmgp32.exe 39 PID 1120 wrote to memory of 1240 1120 Hjcmgp32.exe 39 PID 1120 wrote to memory of 1240 1120 Hjcmgp32.exe 39 PID 1120 wrote to memory of 1240 1120 Hjcmgp32.exe 39 PID 1240 wrote to memory of 2728 1240 Hbqoqbho.exe 40 PID 1240 wrote to memory of 2728 1240 Hbqoqbho.exe 40 PID 1240 wrote to memory of 2728 1240 Hbqoqbho.exe 40 PID 1240 wrote to memory of 2728 1240 Hbqoqbho.exe 40 PID 2728 wrote to memory of 872 2728 Iecdhm32.exe 41 PID 2728 wrote to memory of 872 2728 Iecdhm32.exe 41 PID 2728 wrote to memory of 872 2728 Iecdhm32.exe 41 PID 2728 wrote to memory of 872 2728 Iecdhm32.exe 41 PID 872 wrote to memory of 1676 872 Ippbnjni.exe 42 PID 872 wrote to memory of 1676 872 Ippbnjni.exe 42 PID 872 wrote to memory of 1676 872 Ippbnjni.exe 42 PID 872 wrote to memory of 1676 872 Ippbnjni.exe 42 PID 1676 wrote to memory of 3008 1676 Jcbhee32.exe 43 PID 1676 wrote to memory of 3008 1676 Jcbhee32.exe 43 PID 1676 wrote to memory of 3008 1676 Jcbhee32.exe 43 PID 1676 wrote to memory of 3008 1676 Jcbhee32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe"C:\Users\Admin\AppData\Local\Temp\64fe64fbbc359515020ffaf099bdcb111bc79a0a2bbb00c8fd94b82c885a02fe.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Gngcgp32.exeC:\Windows\system32\Gngcgp32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1272 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2052 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:820 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe70⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe72⤵PID:2452
-
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe75⤵PID:900
-
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe76⤵PID:1080
-
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe77⤵PID:1624
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe78⤵PID:2500
-
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe79⤵PID:2760
-
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe80⤵PID:2236
-
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe81⤵PID:2268
-
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe82⤵PID:1076
-
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe83⤵PID:1488
-
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe84⤵PID:2092
-
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe85⤵PID:3052
-
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe86⤵PID:2872
-
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe87⤵PID:2704
-
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe88⤵PID:1416
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe89⤵PID:1596
-
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe90⤵PID:3016
-
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe91⤵PID:2496
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe92⤵PID:2668
-
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe93⤵PID:2448
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe94⤵PID:2400
-
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe95⤵PID:2140
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe96⤵PID:268
-
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe97⤵PID:2148
-
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe98⤵PID:2504
-
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe99⤵PID:1804
-
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe100⤵PID:564
-
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe101⤵PID:2724
-
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe102⤵PID:1748
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe103⤵PID:1092
-
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe104⤵PID:2128
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe105⤵PID:3068
-
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe106⤵PID:1052
-
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe107⤵PID:1556
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe108⤵PID:1828
-
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe109⤵PID:2084
-
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe110⤵PID:2324
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe111⤵PID:2196
-
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe112⤵PID:2080
-
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe113⤵PID:2068
-
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe114⤵PID:1772
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe115⤵PID:2428
-
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe116⤵PID:2524
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe117⤵PID:1904
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe118⤵PID:2764
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe119⤵PID:2920
-
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe120⤵PID:1784
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe121⤵PID:1552
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe122⤵PID:2708