Analysis

max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 22/04/2024, 21:41

Static task: static1

Behavioral task: behavioral1
Sample: 4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
Resource: win10v2004-20240226-en

General

Target: 4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
Size: 385KB
MD5: bd0458c5ff9d0623f52c9df805014aa2
SHA1: 7830f3b51797a34d3f2532919db172e84b299fab
SHA256: 4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6
SHA512: f9eb00fcdc522d1a61d94f14ed16a5f52e9b1710a67c035f07e588b590239a2ab056fb856aca4245c03519fa87eb6bb2f193e852a5a5ca97f3dc94922b1ed62b
SSDEEP: 12288:rsGpGRzNy59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SL:QbNy7oWypy7o3y7Ey7oAy7oZyUy7o

Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppjglfon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iokfhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlljjjnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hlqdei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeqabgoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmjejphb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iknnbklc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbllihbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhgmapfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjhdokbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppoqge32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dodonf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbllihbf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odhfob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckignd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glfhll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnaocmmi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Agfgqo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjnfniii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdoclk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmaled32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqkqkdne.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ekhhadmk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pigeqkai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gieojq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmfjha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkoplhip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omgaek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eiaiqn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcbjgn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckccgane.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqgnokip.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjpkjond.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qlhnbf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmpfojmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfmemc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jocflgga.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmihhelk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Beejng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlkopcge.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdooajdc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maedhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjdbnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpeekh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oalfhf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njgldmdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icfofg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mapjmehi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nofdklgl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldnhad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgmglh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qbelgood.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bifgdk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afkdakjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kafbec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pflomnkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjhknm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ealnephf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgmkmecg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mggpgmof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkhnle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnpmipql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofdcjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgkafo32.exe
Detects executables built or packed with MPress PE compressor (64 IoCs)
resource | yara_rule
behavioral1/files/0x000a000000012252-5.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0031000000014502-19.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000014b10-33.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000014ba7-49.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015c93-59.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cb0-71.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cce-84.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015ce3-103.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d0c-113.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d44-131.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015e09-143.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015f3c-153.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0031000000014588-174.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000161b3-191.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016476-200.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000165f0-221.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1408-228-0x0000000000400000-0x000000000048B000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016a6f-231.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c8c-253.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016ce4-264.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cfd-275.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d0e-286.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d36-307.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016fe8-340.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000173e5-350.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000175ac-362.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000175b8-373.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000186c1-393.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001874c-416.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000191eb-427.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019223-437.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019248-461.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019331-469.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000193e2-485.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001935b-477.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019413-493.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019437-509.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001948d-517.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019426-501.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019520-533.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195ef-557.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195f1-565.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001968d-589.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019961-597.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c3e-613.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019da2-629.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019fa5-637.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a2ec-653.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a40c-661.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a410-669.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a416-677.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a476-685.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a06b-645.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a481-693.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4a7-725.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4a3-717.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4ab-733.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4af-741.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a49f-709.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4b3-749.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4b7-757.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4bf-774.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4bb-766.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a4c8-790.dat | INDICATOR_EXE_Packed_MPress
Executes dropped EXE (64 IoCs)
pid | Process
2524 | Jebiaelb.exe
2660 | Jklanp32.exe
2684 | Jnmjok32.exe
2720 | Jfhocmnk.exe
2432 | Jclomamd.exe
2840 | Jjfgjk32.exe
1884 | Kappfeln.exe
1524 | Kjhdokbo.exe
1776 | Kmgpkfab.exe
1696 | Kmimafop.exe
1520 | Klnjbbdh.exe
2008 | Kbhbom32.exe
2736 | Khekgc32.exe
2000 | Ldnhad32.exe
1408 | Lodlom32.exe
992 | Labhkh32.exe
2940 | Limmokib.exe
2292 | Llqcfe32.exe
1492 | Lplogdmj.exe
552 | Mgfgdn32.exe
924 | Mhgclfje.exe
2272 | Moalhq32.exe
2924 | Maphdl32.exe
1612 | Mepnpj32.exe
2152 | Mhnjle32.exe
2920 | Mkmfhacp.exe
2560 | Magnek32.exe
2648 | Mdejaf32.exe
2452 | Mgcgmb32.exe
1664 | Ncjgbcoi.exe
2552 | Nkaocp32.exe
2504 | Npnhlg32.exe
1468 | Ndjdlffl.exe
1268 | Ncmdhb32.exe
1236 | Nfkpdn32.exe
2324 | Njgldmdc.exe
2380 | Nleiqhcg.exe
1580 | Ncoamb32.exe
1044 | Njiijlbp.exe
1428 | Nlgefh32.exe
1020 | Nofabc32.exe
1688 | Nbdnoo32.exe
1064 | Njkfpl32.exe
2936 | Nmjblg32.exe
2056 | Nkmbgdfl.exe
1740 | Nccjhafn.exe
960 | Ofbfdmeb.exe
772 | Ohqbqhde.exe
3016 | Omloag32.exe
1488 | Okoomd32.exe
2900 | Onmkio32.exe
2244 | Ofdcjm32.exe
2668 | Oicpfh32.exe
2704 | Ogfpbeim.exe
2588 | Okalbc32.exe
2268 | Odjpkihg.exe
2908 | Oiellh32.exe
2548 | Okchhc32.exe
2484 | Ojficpfn.exe
2488 | Obnqem32.exe
2164 | Oelmai32.exe
1900 | Ocomlemo.exe
2360 | Ojieip32.exe
2188 | Omgaek32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2744 | 4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
2744 | 4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
2524 | Jebiaelb.exe
2524 | Jebiaelb.exe
2660 | Jklanp32.exe
2660 | Jklanp32.exe
2684 | Jnmjok32.exe
2684 | Jnmjok32.exe
2720 | Jfhocmnk.exe
2720 | Jfhocmnk.exe
2432 | Jclomamd.exe
2432 | Jclomamd.exe
2840 | Jjfgjk32.exe
2840 | Jjfgjk32.exe
1884 | Kappfeln.exe
1884 | Kappfeln.exe
1524 | Kjhdokbo.exe
1524 | Kjhdokbo.exe
1776 | Kmgpkfab.exe
1776 | Kmgpkfab.exe
1696 | Kmimafop.exe
1696 | Kmimafop.exe
1520 | Klnjbbdh.exe
1520 | Klnjbbdh.exe
2008 | Kbhbom32.exe
2008 | Kbhbom32.exe
2736 | Khekgc32.exe
2736 | Khekgc32.exe
2000 | Ldnhad32.exe
2000 | Ldnhad32.exe
1408 | Lodlom32.exe
1408 | Lodlom32.exe
992 | Labhkh32.exe
992 | Labhkh32.exe
2940 | Limmokib.exe
2940 | Limmokib.exe
2292 | Llqcfe32.exe
2292 | Llqcfe32.exe
1492 | Lplogdmj.exe
1492 | Lplogdmj.exe
552 | Mgfgdn32.exe
552 | Mgfgdn32.exe
924 | Mhgclfje.exe
924 | Mhgclfje.exe
2272 | Moalhq32.exe
2272 | Moalhq32.exe
2924 | Maphdl32.exe
2924 | Maphdl32.exe
1612 | Mepnpj32.exe
1612 | Mepnpj32.exe
2152 | Mhnjle32.exe
2152 | Mhnjle32.exe
2920 | Mkmfhacp.exe
2920 | Mkmfhacp.exe
2560 | Magnek32.exe
2560 | Magnek32.exe
2648 | Mdejaf32.exe
2648 | Mdejaf32.exe
2452 | Mgcgmb32.exe
2452 | Mgcgmb32.exe
1664 | Ncjgbcoi.exe
1664 | Ncjgbcoi.exe
2552 | Nkaocp32.exe
2552 | Nkaocp32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Pmddhkao.dll | Bebkpn32.exe
File opened for modification | C:\Windows\SysWOW64\Jgcdki32.exe | Jqilooij.exe
File opened for modification | C:\Windows\SysWOW64\Ffnphf32.exe | Fdoclk32.exe
File created | C:\Windows\SysWOW64\Gpcmpijk.exe | Glgaok32.exe
File opened for modification | C:\Windows\SysWOW64\Modkfi32.exe | Mlfojn32.exe
File opened for modification | C:\Windows\SysWOW64\Oqkqkdne.exe | Ojahnj32.exe
File opened for modification | C:\Windows\SysWOW64\Qeaedd32.exe | Qqeicede.exe
File opened for modification | C:\Windows\SysWOW64\Amnfnfgg.exe | Anlfbi32.exe
File created | C:\Windows\SysWOW64\Lgjfkk32.exe | Leljop32.exe
File opened for modification | C:\Windows\SysWOW64\Baohhgnf.exe | Bmclhi32.exe
File created | C:\Windows\SysWOW64\Nmjblg32.exe | Njkfpl32.exe
File opened for modification | C:\Windows\SysWOW64\Eihfjo32.exe | Djefobmk.exe
File opened for modification | C:\Windows\SysWOW64\Eloemi32.exe | Eiaiqn32.exe
File created | C:\Windows\SysWOW64\Kgnnln32.exe | Kaceodek.exe
File opened for modification | C:\Windows\SysWOW64\Nkbalifo.exe | Ndhipoob.exe
File opened for modification | C:\Windows\SysWOW64\Afkdakjb.exe | Acmhepko.exe
File created | C:\Windows\SysWOW64\Jbodgd32.dll | Beejng32.exe
File created | C:\Windows\SysWOW64\Hdfflm32.exe | Hpkjko32.exe
File opened for modification | C:\Windows\SysWOW64\Nceclqan.exe | Npfgpe32.exe
File opened for modification | C:\Windows\SysWOW64\Dliijipn.exe | Dhnmij32.exe
File opened for modification | C:\Windows\SysWOW64\Enakbp32.exe | Dookgcij.exe
File opened for modification | C:\Windows\SysWOW64\Lanfmb32.dll | Eiomkn32.exe
File opened for modification | C:\Windows\SysWOW64\Gldkfl32.exe | Gieojq32.exe
File created | C:\Windows\SysWOW64\Ngdfge32.dll | Icjhagdp.exe
File opened for modification | C:\Windows\SysWOW64\Ljkomfjl.exe | Lgmcqkkh.exe
File created | C:\Windows\SysWOW64\Dgaqoq32.dll | Hanlnp32.exe
File opened for modification | C:\Windows\SysWOW64\Annbhi32.exe | Afgkfl32.exe
File opened for modification | C:\Windows\SysWOW64\Bobhal32.exe | Bfkpqn32.exe
File created | C:\Windows\SysWOW64\Khekgc32.exe | Kbhbom32.exe
File opened for modification | C:\Windows\SysWOW64\Qhmbagfa.exe | Penfelgm.exe
File created | C:\Windows\SysWOW64\Hkkalk32.exe | Hhmepp32.exe
File created | C:\Windows\SysWOW64\Eibbcm32.exe | Ejobhppq.exe
File opened for modification | C:\Windows\SysWOW64\Nocnbmoo.exe | Nejiih32.exe
File created | C:\Windows\SysWOW64\Egllae32.exe | Ednpej32.exe
File created | C:\Windows\SysWOW64\Maiooo32.dll | Febfomdd.exe
File opened for modification | C:\Windows\SysWOW64\Igchlf32.exe | Ipjoplgo.exe
File opened for modification | C:\Windows\SysWOW64\Njgldmdc.exe | Nfkpdn32.exe
File created | C:\Windows\SysWOW64\Omloag32.exe | Ohqbqhde.exe
File opened for modification | C:\Windows\SysWOW64\Oiellh32.exe | Odjpkihg.exe
File opened for modification | C:\Windows\SysWOW64\Affhncfc.exe | Ahchbf32.exe
File created | C:\Windows\SysWOW64\Aedeic32.dll | Icmegf32.exe
File opened for modification | C:\Windows\SysWOW64\Knpemf32.exe | Kicmdo32.exe
File created | C:\Windows\SysWOW64\Iigpciig.dll | Nnennj32.exe
File created | C:\Windows\SysWOW64\Cnmehnan.exe | Cgcmlcja.exe
File created | C:\Windows\SysWOW64\Gifhnpea.exe | Gfhladfn.exe
File created | C:\Windows\SysWOW64\Bbgdfdaf.dll | Gdniqh32.exe
File opened for modification | C:\Windows\SysWOW64\Hmfjha32.exe | Hkhnle32.exe
File created | C:\Windows\SysWOW64\Qijdocfj.exe | Qflhbhgg.exe
File created | C:\Windows\SysWOW64\Hnbjle32.dll | Nmjblg32.exe
File created | C:\Windows\SysWOW64\Qmlgonbe.exe | Qnigda32.exe
File created | C:\Windows\SysWOW64\Fdapak32.exe | Facdeo32.exe
File created | C:\Windows\SysWOW64\Ckmkcoqd.dll | Npdjje32.exe
File created | C:\Windows\SysWOW64\Onmkio32.exe | Okoomd32.exe
File created | C:\Windows\SysWOW64\Hlqdei32.exe | Heglio32.exe
File opened for modification | C:\Windows\SysWOW64\Maedhd32.exe | Mmihhelk.exe
File created | C:\Windows\SysWOW64\Gqpnhgek.dll | Oelmai32.exe
File created | C:\Windows\SysWOW64\Cklmgb32.exe | Chnqkg32.exe
File opened for modification | C:\Windows\SysWOW64\Fnkjhb32.exe | Fjongcbl.exe
File created | C:\Windows\SysWOW64\Eokjlf32.dll | Hkhnle32.exe
File created | C:\Windows\SysWOW64\Lpjdjmfp.exe | Lmlhnagm.exe
File created | C:\Windows\SysWOW64\Mdhbbiki.dll | Apajlhka.exe
File created | C:\Windows\SysWOW64\Icplghmh.dll | Bbdocc32.exe
File created | C:\Windows\SysWOW64\Epafjqck.dll | Emcbkn32.exe
File created | C:\Windows\SysWOW64\Maphhihi.dll | Emhlfmgj.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
8024 | 7260 | WerFault.exe | 841
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Keednado.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Okdkal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ckjpacfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll" | Dfamcogo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoogfn32.dll" | Ebjglbml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ecpgmhai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" | Gkihhhnm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Npojdpef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anccmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" | Bnielm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obdkcckg.dll" | Mijfnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncgdbmmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnkicn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjongcbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcqoe32.dll" | Pbkpna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" | Ddcdkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdfflm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iajcde32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gddifnbk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hgdbhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmndnn32.dll" | Miooigfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Edpmjj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkhnle32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mkmfhacp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Alenki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Apajlhka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfpgmdog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll" | Aaolidlk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bebkpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlanqkq.dll" | Cjndop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll" | Ekklaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll" | Mlfojn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jfqahgpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pclfkc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ednpej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhglodcb.dll" | Qpgpkcpp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddigjkid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dialipcb.dll" | Pjpkjond.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cgpgce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdhbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ojkboo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll" | Dfffnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" | Abeemhkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Alnqqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bpiipf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" | Egafleqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll" | Agfgqo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkmmhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ieqeidnl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkhohik.dll" | Ooeggp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cklmgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fljafg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbmjah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll" | Oalfhf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fonfbi32.dll" | Ncjgbcoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Maoajf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chnqkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqphdm32.dll" | Jnclnihj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoladf32.dll" | Fnfamcoj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gfhladfn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmihhelk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pcfcmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hknach32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpbep32.dll" | Jfqahgpg.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 2744 wrote to memory of 2524 | 2744 | 4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe | 28 | 4
PID 2524 wrote to memory of 2660 | 2524 | Jebiaelb.exe | 29 | 4
PID 2660 wrote to memory of 2684 | 2660 | Jklanp32.exe | 30 | 4
PID 2684 wrote to memory of 2720 | 2684 | Jnmjok32.exe | 31 | 4
PID 2720 wrote to memory of 2432 | 2720 | Jfhocmnk.exe | 32 | 4
PID 2432 wrote to memory of 2840 | 2432 | Jclomamd.exe | 33 | 4
PID 2840 wrote to memory of 1884 | 2840 | Jjfgjk32.exe | 34 | 4
PID 1884 wrote to memory of 1524 | 1884 | Kappfeln.exe | 35 | 4
PID 1524 wrote to memory of 1776 | 1524 | Kjhdokbo.exe | 36 | 4
PID 1776 wrote to memory of 1696 | 1776 | Kmgpkfab.exe | 37 | 4
PID 1696 wrote to memory of 1520 | 1696 | Kmimafop.exe | 38 | 4
PID 1520 wrote to memory of 2008 | 1520 | Klnjbbdh.exe | 39 | 4
PID 2008 wrote to memory of 2736 | 2008 | Kbhbom32.exe | 40 | 4
PID 2736 wrote to memory of 2000 | 2736 | Khekgc32.exe | 41 | 4
PID 2000 wrote to memory of 1408 | 2000 | Ldnhad32.exe | 42 | 4
PID 1408 wrote to memory of 992 | 1408 | Lodlom32.exe | 43 | 4
(The count column gives how many times the report lists each event; 16 events x 4 = 64 IoCs.)
Processes
-
Each process is a child of the one listed before it (the report shows a single nested chain; the depth column is the nesting level given in the report).
Depth | Image path | Command line | PID | Signatures
1 | C:\Users\Admin\AppData\Local\Temp\4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe | "C:\Users\Admin\AppData\Local\Temp\4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe" | 2744 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\Jebiaelb.exe | C:\Windows\system32\Jebiaelb.exe | 2524 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\Jklanp32.exe | C:\Windows\system32\Jklanp32.exe | 2660 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4 | C:\Windows\SysWOW64\Jnmjok32.exe | C:\Windows\system32\Jnmjok32.exe | 2684 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\Jfhocmnk.exe | C:\Windows\system32\Jfhocmnk.exe | 2720 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6 | C:\Windows\SysWOW64\Jclomamd.exe | C:\Windows\system32\Jclomamd.exe | 2432 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\Jjfgjk32.exe | C:\Windows\system32\Jjfgjk32.exe | 2840 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8 | C:\Windows\SysWOW64\Kappfeln.exe | C:\Windows\system32\Kappfeln.exe | 1884 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\Kjhdokbo.exe | C:\Windows\system32\Kjhdokbo.exe | 1524 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10 | C:\Windows\SysWOW64\Kmgpkfab.exe | C:\Windows\system32\Kmgpkfab.exe | 1776 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\Kmimafop.exe | C:\Windows\system32\Kmimafop.exe | 1696 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12 | C:\Windows\SysWOW64\Klnjbbdh.exe | C:\Windows\system32\Klnjbbdh.exe | 1520 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\Kbhbom32.exe | C:\Windows\system32\Kbhbom32.exe | 2008 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14 | C:\Windows\SysWOW64\Khekgc32.exe | C:\Windows\system32\Khekgc32.exe | 2736 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\Ldnhad32.exe | C:\Windows\system32\Ldnhad32.exe | 2000 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16 | C:\Windows\SysWOW64\Lodlom32.exe | C:\Windows\system32\Lodlom32.exe | 1408 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\Labhkh32.exe | C:\Windows\system32\Labhkh32.exe | 992 | Executes dropped EXE; Loads dropped DLL
18 | C:\Windows\SysWOW64\Limmokib.exe | C:\Windows\system32\Limmokib.exe | 2940 | Executes dropped EXE; Loads dropped DLL
19 | C:\Windows\SysWOW64\Llqcfe32.exe | C:\Windows\system32\Llqcfe32.exe | 2292 | Executes dropped EXE; Loads dropped DLL
20 | C:\Windows\SysWOW64\Lplogdmj.exe | C:\Windows\system32\Lplogdmj.exe | 1492 | Executes dropped EXE; Loads dropped DLL
21 | C:\Windows\SysWOW64\Mgfgdn32.exe | C:\Windows\system32\Mgfgdn32.exe | 552 | Executes dropped EXE; Loads dropped DLL
22 | C:\Windows\SysWOW64\Mhgclfje.exe | C:\Windows\system32\Mhgclfje.exe | 924 | Executes dropped EXE; Loads dropped DLL
23 | C:\Windows\SysWOW64\Moalhq32.exe | C:\Windows\system32\Moalhq32.exe | 2272 | Executes dropped EXE; Loads dropped DLL
24 | C:\Windows\SysWOW64\Maphdl32.exe | C:\Windows\system32\Maphdl32.exe | 2924 | Executes dropped EXE; Loads dropped DLL
25 | C:\Windows\SysWOW64\Mepnpj32.exe | C:\Windows\system32\Mepnpj32.exe | 1612 | Executes dropped EXE; Loads dropped DLL
26 | C:\Windows\SysWOW64\Mhnjle32.exe | C:\Windows\system32\Mhnjle32.exe | 2152 | Executes dropped EXE; Loads dropped DLL
27 | C:\Windows\SysWOW64\Mkmfhacp.exe | C:\Windows\system32\Mkmfhacp.exe | 2920 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
28 | C:\Windows\SysWOW64\Magnek32.exe | C:\Windows\system32\Magnek32.exe | 2560 | Executes dropped EXE; Loads dropped DLL
29 | C:\Windows\SysWOW64\Mdejaf32.exe | C:\Windows\system32\Mdejaf32.exe | 2648 | Executes dropped EXE; Loads dropped DLL
30 | C:\Windows\SysWOW64\Mgcgmb32.exe | C:\Windows\system32\Mgcgmb32.exe | 2452 | Executes dropped EXE; Loads dropped DLL
31 | C:\Windows\SysWOW64\Ncjgbcoi.exe | C:\Windows\system32\Ncjgbcoi.exe | 1664 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
32 | C:\Windows\SysWOW64\Nkaocp32.exe | C:\Windows\system32\Nkaocp32.exe | 2552 | Executes dropped EXE; Loads dropped DLL
33 | C:\Windows\SysWOW64\Npnhlg32.exe | C:\Windows\system32\Npnhlg32.exe | 2504 | Executes dropped EXE
34 | C:\Windows\SysWOW64\Ndjdlffl.exe | C:\Windows\system32\Ndjdlffl.exe | 1468 | Executes dropped EXE
35 | C:\Windows\SysWOW64\Ncmdhb32.exe | C:\Windows\system32\Ncmdhb32.exe | 1268 | Executes dropped EXE
36 | C:\Windows\SysWOW64\Nfkpdn32.exe | C:\Windows\system32\Nfkpdn32.exe | 1236 | Executes dropped EXE; Drops file in System32 directory
37 | C:\Windows\SysWOW64\Njgldmdc.exe | C:\Windows\system32\Njgldmdc.exe | 2324 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38 | C:\Windows\SysWOW64\Nleiqhcg.exe | C:\Windows\system32\Nleiqhcg.exe | 2380 | Executes dropped EXE
39 | C:\Windows\SysWOW64\Ncoamb32.exe | C:\Windows\system32\Ncoamb32.exe | 1580 | Executes dropped EXE
40 | C:\Windows\SysWOW64\Njiijlbp.exe | C:\Windows\system32\Njiijlbp.exe | 1044 | Executes dropped EXE
41 | C:\Windows\SysWOW64\Nlgefh32.exe | C:\Windows\system32\Nlgefh32.exe | 1428 | Executes dropped EXE
42 | C:\Windows\SysWOW64\Nofabc32.exe | C:\Windows\system32\Nofabc32.exe | 1020 | Executes dropped EXE
43 | C:\Windows\SysWOW64\Nbdnoo32.exe | C:\Windows\system32\Nbdnoo32.exe | 1688 | Executes dropped EXE
44 | C:\Windows\SysWOW64\Njkfpl32.exe | C:\Windows\system32\Njkfpl32.exe | 1064 | Executes dropped EXE; Drops file in System32 directory
45 | C:\Windows\SysWOW64\Nmjblg32.exe | C:\Windows\system32\Nmjblg32.exe | 2936 | Executes dropped EXE; Drops file in System32 directory
46 | C:\Windows\SysWOW64\Nkmbgdfl.exe | C:\Windows\system32\Nkmbgdfl.exe | 2056 | Executes dropped EXE
47 | C:\Windows\SysWOW64\Nccjhafn.exe | C:\Windows\system32\Nccjhafn.exe | 1740 | Executes dropped EXE
48 | C:\Windows\SysWOW64\Ofbfdmeb.exe | C:\Windows\system32\Ofbfdmeb.exe | 960 | Executes dropped EXE
49 | C:\Windows\SysWOW64\Ohqbqhde.exe | C:\Windows\system32\Ohqbqhde.exe | 772 | Executes dropped EXE; Drops file in System32 directory
50 | C:\Windows\SysWOW64\Omloag32.exe | C:\Windows\system32\Omloag32.exe | 3016 | Executes dropped EXE
51 | C:\Windows\SysWOW64\Okoomd32.exe | C:\Windows\system32\Okoomd32.exe | 1488 | Executes dropped EXE; Drops file in System32 directory
52 | C:\Windows\SysWOW64\Onmkio32.exe | C:\Windows\system32\Onmkio32.exe | 2900 | Executes dropped EXE
53 | C:\Windows\SysWOW64\Ofdcjm32.exe | C:\Windows\system32\Ofdcjm32.exe | 2244 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
54 | C:\Windows\SysWOW64\Oicpfh32.exe | C:\Windows\system32\Oicpfh32.exe | 2668 | Executes dropped EXE
55 | C:\Windows\SysWOW64\Ogfpbeim.exe | C:\Windows\system32\Ogfpbeim.exe | 2704 | Executes dropped EXE
56 | C:\Windows\SysWOW64\Okalbc32.exe | C:\Windows\system32\Okalbc32.exe | 2588 | Executes dropped EXE
57 | C:\Windows\SysWOW64\Odjpkihg.exe | C:\Windows\system32\Odjpkihg.exe | 2268 | Executes dropped EXE; Drops file in System32 directory
58 | C:\Windows\SysWOW64\Oiellh32.exe | C:\Windows\system32\Oiellh32.exe | 2908 | Executes dropped EXE
59 | C:\Windows\SysWOW64\Okchhc32.exe | C:\Windows\system32\Okchhc32.exe | 2548 | Executes dropped EXE
60 | C:\Windows\SysWOW64\Ojficpfn.exe | C:\Windows\system32\Ojficpfn.exe | 2484 | Executes dropped EXE
61 | C:\Windows\SysWOW64\Obnqem32.exe | C:\Windows\system32\Obnqem32.exe | 2488 | Executes dropped EXE
62 | C:\Windows\SysWOW64\Oelmai32.exe | C:\Windows\system32\Oelmai32.exe | 2164 | Executes dropped EXE; Drops file in System32 directory
63 | C:\Windows\SysWOW64\Ocomlemo.exe | C:\Windows\system32\Ocomlemo.exe | 1900 | Executes dropped EXE
64 | C:\Windows\SysWOW64\Ojieip32.exe | C:\Windows\system32\Ojieip32.exe | 2360 | Executes dropped EXE
65 | C:\Windows\SysWOW64\Omgaek32.exe | C:\Windows\system32\Omgaek32.exe | 2188 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
66 | C:\Windows\SysWOW64\Oenifh32.exe | C:\Windows\system32\Oenifh32.exe | 1568 | (none listed)
67 | C:\Windows\SysWOW64\Ogmfbd32.exe | C:\Windows\system32\Ogmfbd32.exe | 1576 | (none listed)
68 | C:\Windows\SysWOW64\Ofpfnqjp.exe | C:\Windows\system32\Ofpfnqjp.exe | 1128 | (none listed)
69 | C:\Windows\SysWOW64\Ojkboo32.exe | C:\Windows\system32\Ojkboo32.exe | 864 | Modifies registry class
70 | C:\Windows\SysWOW64\Pminkk32.exe | C:\Windows\system32\Pminkk32.exe | 1256 | (none listed)
71 | C:\Windows\SysWOW64\Paejki32.exe | C:\Windows\system32\Paejki32.exe | 336 | (none listed)
72 | C:\Windows\SysWOW64\Pphjgfqq.exe | C:\Windows\system32\Pphjgfqq.exe | 1820 | (none listed)
73 | C:\Windows\SysWOW64\Pfbccp32.exe | C:\Windows\system32\Pfbccp32.exe | 580 | (none listed)
74 | C:\Windows\SysWOW64\Pipopl32.exe | C:\Windows\system32\Pipopl32.exe | 540 | (none listed)
75 | C:\Windows\SysWOW64\Paggai32.exe | C:\Windows\system32\Paggai32.exe | 832 | (none listed)
76 | C:\Windows\SysWOW64\Ppjglfon.exe | C:\Windows\system32\Ppjglfon.exe | 1292 | (none listed)
77 | C:\Windows\SysWOW64\Ppjglfon.exe | C:\Windows\system32\Ppjglfon.exe | 2316 | Adds autorun key to be loaded by Explorer.exe on startup
78 | C:\Windows\SysWOW64\Pcfcmd32.exe | C:\Windows\system32\Pcfcmd32.exe | 1136 | Modifies registry class
79 | C:\Windows\SysWOW64\Pfdpip32.exe | C:\Windows\system32\Pfdpip32.exe | 1956 | (none listed)
80 | C:\Windows\SysWOW64\Pjpkjond.exe | C:\Windows\system32\Pjpkjond.exe | 3032 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
81 | C:\Windows\SysWOW64\Pmnhfjmg.exe | C:\Windows\system32\Pmnhfjmg.exe | 1680 | (none listed)
82 | C:\Windows\SysWOW64\Ppmdbe32.exe | C:\Windows\system32\Ppmdbe32.exe | 912 | (none listed)
83 | C:\Windows\SysWOW64\Pbkpna32.exe | C:\Windows\system32\Pbkpna32.exe | 2628 | Modifies registry class
84 | C:\Windows\SysWOW64\Pfflopdh.exe | C:\Windows\system32\Pfflopdh.exe | 2076 | (none listed)
85 | C:\Windows\SysWOW64\Peiljl32.exe | C:\Windows\system32\Peiljl32.exe | 2692 | (none listed)
86 | C:\Windows\SysWOW64\Pmqdkj32.exe | C:\Windows\system32\Pmqdkj32.exe | 2568 | (none listed)
87 | C:\Windows\SysWOW64\Pmqdkj32.exe | C:\Windows\system32\Pmqdkj32.exe | 2284 | (none listed)
88 | C:\Windows\SysWOW64\Plcdgfbo.exe | C:\Windows\system32\Plcdgfbo.exe | 2044 | (none listed)
89 | C:\Windows\SysWOW64\Ppoqge32.exe | C:\Windows\system32\Ppoqge32.exe | 2304 | Adds autorun key to be loaded by Explorer.exe on startup
90 | C:\Windows\SysWOW64\Pfiidobe.exe | C:\Windows\system32\Pfiidobe.exe | 2376 | (none listed)
91 | C:\Windows\SysWOW64\Pigeqkai.exe | C:\Windows\system32\Pigeqkai.exe | 2148 | Adds autorun key to be loaded by Explorer.exe on startup
92 | C:\Windows\SysWOW64\Plfamfpm.exe | C:\Windows\system32\Plfamfpm.exe | 2756 | (none listed)
93 | C:\Windows\SysWOW64\Pbpjiphi.exe | C:\Windows\system32\Pbpjiphi.exe | 1788 | (none listed)
94 | C:\Windows\SysWOW64\Pabjem32.exe | C:\Windows\system32\Pabjem32.exe | 1620 | (none listed)
95 | C:\Windows\SysWOW64\Penfelgm.exe | C:\Windows\system32\Penfelgm.exe | 1708 | Drops file in System32 directory
96 | C:\Windows\SysWOW64\Qhmbagfa.exe | C:\Windows\system32\Qhmbagfa.exe | 324 | (none listed)
97 | C:\Windows\SysWOW64\Qlhnbf32.exe | C:\Windows\system32\Qlhnbf32.exe | 1204 | Adds autorun key to be loaded by Explorer.exe on startup
98 | C:\Windows\SysWOW64\Qjknnbed.exe | C:\Windows\system32\Qjknnbed.exe | 872 | (none listed)
99 | C:\Windows\SysWOW64\Qbbfopeg.exe | C:\Windows\system32\Qbbfopeg.exe | 1772 | (none listed)
100 | C:\Windows\SysWOW64\Qhooggdn.exe | C:\Windows\system32\Qhooggdn.exe | 2144 | (none listed)
101 | C:\Windows\SysWOW64\Qljkhe32.exe | C:\Windows\system32\Qljkhe32.exe | 2776 | (none listed)
102 | C:\Windows\SysWOW64\Qnigda32.exe | C:\Windows\system32\Qnigda32.exe | 596 | Drops file in System32 directory
103 | C:\Windows\SysWOW64\Qmlgonbe.exe | C:\Windows\system32\Qmlgonbe.exe | 1436 | (none listed)
104 | C:\Windows\SysWOW64\Qecoqk32.exe | C:\Windows\system32\Qecoqk32.exe | 2016 | (none listed)
105 | C:\Windows\SysWOW64\Qecoqk32.exe | C:\Windows\system32\Qecoqk32.exe | 1584 | (none listed)
106 | C:\Windows\SysWOW64\Adeplhib.exe | C:\Windows\system32\Adeplhib.exe | 956 | (none listed)
107 | C:\Windows\SysWOW64\Afdlhchf.exe | C:\Windows\system32\Afdlhchf.exe | 2732 | (none listed)
108 | C:\Windows\SysWOW64\Ajphib32.exe | C:\Windows\system32\Ajphib32.exe | 2604 | (none listed)
109 | C:\Windows\SysWOW64\Ankdiqih.exe | C:\Windows\system32\Ankdiqih.exe | 3060 | (none listed)
110 | C:\Windows\SysWOW64\Adhlaggp.exe | C:\Windows\system32\Adhlaggp.exe | 1572 | (none listed)
111 | C:\Windows\SysWOW64\Ahchbf32.exe | C:\Windows\system32\Ahchbf32.exe | 280 | Drops file in System32 directory
112 | C:\Windows\SysWOW64\Affhncfc.exe | C:\Windows\system32\Affhncfc.exe | 2176 | (none listed)
113 | C:\Windows\SysWOW64\Ajbdna32.exe | C:\Windows\system32\Ajbdna32.exe | 1592 | (none listed)
114 | C:\Windows\SysWOW64\Ampqjm32.exe | C:\Windows\system32\Ampqjm32.exe | 1676 | (none listed)
115 | C:\Windows\SysWOW64\Aalmklfi.exe | C:\Windows\system32\Aalmklfi.exe | 1244 | (none listed)
116 | C:\Windows\SysWOW64\Apomfh32.exe | C:\Windows\system32\Apomfh32.exe | 472 | (none listed)
117 | C:\Windows\SysWOW64\Afiecb32.exe | C:\Windows\system32\Afiecb32.exe | 1600 | (none listed)
118 | C:\Windows\SysWOW64\Ajdadamj.exe | C:\Windows\system32\Ajdadamj.exe | 1248 | (none listed)
119 | C:\Windows\SysWOW64\Ambmpmln.exe | C:\Windows\system32\Ambmpmln.exe | 1216 | (none listed)
120 | C:\Windows\SysWOW64\Alenki32.exe | C:\Windows\system32\Alenki32.exe | 1636 | Modifies registry class
121 | C:\Windows\SysWOW64\Apajlhka.exe | C:\Windows\system32\Apajlhka.exe | 2388 | Drops file in System32 directory; Modifies registry class
122 | C:\Windows\SysWOW64\Afkbib32.exe | C:\Windows\system32\Afkbib32.exe | 692 | (none listed)