Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe
Resource
win10v2004-20240508-en
General
-
Target
47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe
-
Size
72KB
-
MD5
272d04fa02e042019e31b34d936dbbc0
-
SHA1
2d9072cc66b6990078cf37d94acd0e19cce8df7d
-
SHA256
47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f
-
SHA512
718ea4d07e305abd44bc3627f5196d683d34696bcd07bfcc87b961dc29615b79278a12c6974d432d7ac6738f5c2660fd6356ab132619733bc4aed5337c8073a9
-
SSDEEP
1536:t5D5r4nDkH3HPDNFjp0pnR3prqoa3Ov+9PgUN3QivEtA:tVlKkXrrjp0pnR3prba3g+9PgU5QJA
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Nnhfee32.exeNqfbaq32.exeAegikj32.exeBkidenlg.exeCehkhecb.exeGicinj32.exeMahbje32.exeNklfoi32.exeIkpaldog.exeNeeqea32.exeFcfhof32.exeCndikf32.exeDkifae32.exePnfdcjkg.exeKdhbec32.exeAbbpem32.exeOdapnf32.exeCeqnmpfo.exeBgehcmmm.exeDoqpak32.exeIpbdmaah.exeIbqpimpl.exeMgimcebb.exeLdmlpbbj.exeBhaebcen.exeFkalchij.exeNdhmhh32.exeAlhhhcal.exeAjneip32.exeMciobn32.exeFfimfqgm.exeMlhbal32.exeGmjlcj32.exeLekehdgp.exeDdjejl32.exeKibnhjgj.exeFkmchi32.exeGcimkc32.exeAclpap32.exeCeehho32.exeElgfgl32.exeIeolehop.exeLpqiemge.exeKmjqmi32.exeNjcpee32.exeOdgqdlnj.exePnihcq32.exeBobcpmfc.exeDojcgi32.exePcccfh32.exeNbkhfc32.exeNbmelbid.exePaegjl32.exeFohoigfh.exeOjjolnaq.exeDmjocp32.exeOpakbi32.exeLalcng32.exeMjjmog32.exeNgedij32.exeOgljjiei.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnhfee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqfbaq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkidenlg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehkhecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gicinj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mahbje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nklfoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpaldog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neeqea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfhof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cndikf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkifae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnfdcjkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhbec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbpem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neeqea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odapnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceqnmpfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doqpak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbdmaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibqpimpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgimcebb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldmlpbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhaebcen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkalchij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhhhcal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajneip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mciobn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffimfqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlhbal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjlcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekehdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjejl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kibnhjgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmchi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcimkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceehho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgfgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieolehop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpqiemge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjqmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njcpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgqdlnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnihcq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bobcpmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojcgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcccfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbkhfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmelbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paegjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbpem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fohoigfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opakbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalcng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjmog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngedij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogljjiei.exe -
Executes dropped EXE 64 IoCs
Processes:
Kmjqmi32.exeKphmie32.exeKdcijcke.exeKgbefoji.exeKagichjo.exeKdffocib.exeKgdbkohf.exeKibnhjgj.exeKdhbec32.exeLiekmj32.exeLalcng32.exeLcmofolg.exeLmccchkn.exeLdmlpbbj.exeLijdhiaa.exeLpcmec32.exeLkiqbl32.exeLilanioo.exeLgpagm32.exeLaefdf32.exeLddbqa32.exeMjqjih32.exeMahbje32.exeMciobn32.exeMjcgohig.exeMajopeii.exeMcklgm32.exeMjeddggd.exeMpolqa32.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMjjmog32.exeMpdelajl.exeMcbahlip.exeNnhfee32.exeNqfbaq32.exeNklfoi32.exeNnjbke32.exeNddkgonp.exeNnmopdep.exeNqklmpdd.exeNgedij32.exeNjcpee32.exeNbkhfc32.exeNggqoj32.exeNbmelbid.exeOgjmdigk.exeOjhiqefo.exeOboaabga.exeOgljjiei.exeOjjffddl.exeOqdoboli.exeOjmcld32.exeObdkma32.exeOgaceh32.exeOjopad32.exeOdednmpm.exeOkolkg32.exeOnmhgb32.exeOqkdcn32.exeOdgqdlnj.exePcjapi32.exePjdilcla.exepid process 544 Kmjqmi32.exe 1508 Kphmie32.exe 3876 Kdcijcke.exe 1628 Kgbefoji.exe 3300 Kagichjo.exe 4116 Kdffocib.exe 3848 Kgdbkohf.exe 3220 Kibnhjgj.exe 772 Kdhbec32.exe 2592 Liekmj32.exe 2076 Lalcng32.exe 4388 Lcmofolg.exe 4976 Lmccchkn.exe 4024 Ldmlpbbj.exe 4944 Lijdhiaa.exe 3144 Lpcmec32.exe 1816 Lkiqbl32.exe 116 Lilanioo.exe 2396 Lgpagm32.exe 1272 Laefdf32.exe 5072 Lddbqa32.exe 4904 Mjqjih32.exe 1048 Mahbje32.exe 4732 Mciobn32.exe 2476 Mjcgohig.exe 3048 Majopeii.exe 1696 Mcklgm32.exe 2412 Mjeddggd.exe 628 Mpolqa32.exe 2832 Mkepnjng.exe 4308 Mncmjfmk.exe 1896 Mpaifalo.exe 3624 Mjjmog32.exe 4172 Mpdelajl.exe 2996 Mcbahlip.exe 3580 Nnhfee32.exe 3224 Nqfbaq32.exe 2120 Nklfoi32.exe 4848 Nnjbke32.exe 3436 Nddkgonp.exe 2848 Nnmopdep.exe 1780 Nqklmpdd.exe 2844 Ngedij32.exe 1172 Njcpee32.exe 1692 Nbkhfc32.exe 3268 Nggqoj32.exe 724 Nbmelbid.exe 2684 Ogjmdigk.exe 668 Ojhiqefo.exe 1092 Oboaabga.exe 3204 Ogljjiei.exe 4264 Ojjffddl.exe 4924 Oqdoboli.exe 3036 Ojmcld32.exe 4968 Obdkma32.exe 3896 Ogaceh32.exe 4292 Ojopad32.exe 4280 Odednmpm.exe 2552 Okolkg32.exe 4852 Onmhgb32.exe 4860 Oqkdcn32.exe 4204 Odgqdlnj.exe 1892 Pcjapi32.exe 4008 Pjdilcla.exe -
Drops file in System32 directory 64 IoCs
Processes:
Bkidenlg.exeDhbgqohi.exeHeocnk32.exeLbabgh32.exeAcnlgp32.exeLpcmec32.exeBbgipldd.exeEoaihhlp.exeNqfbaq32.exeAealah32.exeKipkhdeq.exeNdhmhh32.exeBlmacb32.exeCklaknjd.exeNdfqbhia.exeOgbipa32.exeEhnglm32.exeFbpnkama.exeIejcji32.exePjjhbl32.exe47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exeLcmofolg.exeCddecc32.exeImoneg32.exeIbqpimpl.exeLpqiemge.exeKgdbkohf.exeCeoibflm.exeGcojed32.exeKefkme32.exeKdgljmcd.exePcijeb32.exeCmnpgb32.exeGkaejf32.exeIfjodl32.exeJbeidl32.exeMcpnhfhf.exeNcfdie32.exePmoahijl.exePgjfkg32.exeDhhnpjmh.exeNbmelbid.exeOjmcld32.exeAbpcon32.exeNebdoa32.exeKibnhjgj.exeQnhahj32.exeIpbdmaah.exeLboeaifi.exeLgpagm32.exeMpolqa32.exeNjcpee32.exeEcandfpd.exeIkpaldog.exeDccbbhld.exeGkhbdg32.exePjmehkqk.exeKdffocib.exeMmnldp32.exePgnilpah.exeDejacond.exePqbdjfln.exeLijdhiaa.exedescription ioc process File created C:\Windows\SysWOW64\Ceoibflm.exe Bkidenlg.exe File created C:\Windows\SysWOW64\Gfpggnan.dll Dhbgqohi.exe File created C:\Windows\SysWOW64\Lpcqcc32.dll Heocnk32.exe File created C:\Windows\SysWOW64\Kmmfbg32.dll Lbabgh32.exe File created C:\Windows\SysWOW64\Ajhddjfn.exe Acnlgp32.exe File opened for modification C:\Windows\SysWOW64\Lkiqbl32.exe Lpcmec32.exe File created C:\Windows\SysWOW64\Mjdgcbkb.dll Bbgipldd.exe File opened for modification C:\Windows\SysWOW64\Ecmeig32.exe Eoaihhlp.exe File created C:\Windows\SysWOW64\Fibjjh32.dll Nqfbaq32.exe File opened for modification C:\Windows\SysWOW64\Alkdnboj.exe Aealah32.exe File created C:\Windows\SysWOW64\Klngdpdd.exe Kipkhdeq.exe File created C:\Windows\SysWOW64\Nggjdc32.exe Ndhmhh32.exe File opened for modification C:\Windows\SysWOW64\Bnlnon32.exe Blmacb32.exe File created C:\Windows\SysWOW64\Ojdamdma.dll Cklaknjd.exe File created C:\Windows\SysWOW64\Fpkknm32.dll Ndfqbhia.exe File created C:\Windows\SysWOW64\Ldamee32.dll Ogbipa32.exe File opened for modification C:\Windows\SysWOW64\Fkmchi32.exe Ehnglm32.exe File created C:\Windows\SysWOW64\Hhhbcf32.dll Fbpnkama.exe File opened for modification C:\Windows\SysWOW64\Imakkfdg.exe Iejcji32.exe File created C:\Windows\SysWOW64\Pnfdcjkg.exe Pjjhbl32.exe File created C:\Windows\SysWOW64\Ajgblndm.dll 47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe File created C:\Windows\SysWOW64\Lmccchkn.exe Lcmofolg.exe File created C:\Windows\SysWOW64\Keoakjca.dll Cddecc32.exe File created C:\Windows\SysWOW64\Bgpmhl32.dll Imoneg32.exe File created C:\Windows\SysWOW64\Ieolehop.exe Ibqpimpl.exe File created C:\Windows\SysWOW64\Oaeokj32.dll Lpqiemge.exe File created C:\Windows\SysWOW64\Bpcbnd32.dll Kgdbkohf.exe File created C:\Windows\SysWOW64\Cklaknjd.exe Ceoibflm.exe File created C:\Windows\SysWOW64\Dqlbaq32.dll Gcojed32.exe File opened for modification C:\Windows\SysWOW64\Kmncnb32.exe Kefkme32.exe File opened for modification C:\Windows\SysWOW64\Lffhfh32.exe Kdgljmcd.exe File opened for modification C:\Windows\SysWOW64\Pfhfan32.exe Pcijeb32.exe File created C:\Windows\SysWOW64\Ceehho32.exe Cmnpgb32.exe File created C:\Windows\SysWOW64\Gcimkc32.exe Gkaejf32.exe File opened for modification C:\Windows\SysWOW64\Iihkpg32.exe Ifjodl32.exe File created C:\Windows\SysWOW64\Elogmm32.dll Jbeidl32.exe File created C:\Windows\SysWOW64\Miifeq32.exe Mcpnhfhf.exe File created C:\Windows\SysWOW64\Hlfofiig.dll Ncfdie32.exe File opened for modification C:\Windows\SysWOW64\Pdfjifjo.exe Pmoahijl.exe File created C:\Windows\SysWOW64\Pndohaqe.exe Pgjfkg32.exe File opened for modification C:\Windows\SysWOW64\Dobfld32.exe Dhhnpjmh.exe File created C:\Windows\SysWOW64\Honhef32.dll Nbmelbid.exe File created C:\Windows\SysWOW64\Obdkma32.exe Ojmcld32.exe File created C:\Windows\SysWOW64\Cleqadmh.dll Abpcon32.exe File opened for modification C:\Windows\SysWOW64\Nnjlpo32.exe Nebdoa32.exe File created C:\Windows\SysWOW64\Ogdimilg.dll Kibnhjgj.exe File created C:\Windows\SysWOW64\Qqfmde32.exe Qnhahj32.exe File opened for modification C:\Windows\SysWOW64\Ibqpimpl.exe Ipbdmaah.exe File created C:\Windows\SysWOW64\Lfkaag32.exe Lboeaifi.exe File created C:\Windows\SysWOW64\Ebaqkk32.dll Lgpagm32.exe File created C:\Windows\SysWOW64\Qcldhk32.dll Mpolqa32.exe File created C:\Windows\SysWOW64\Nbkhfc32.exe Njcpee32.exe File created C:\Windows\SysWOW64\Cilkoi32.dll Bkidenlg.exe File created C:\Windows\SysWOW64\Fhpili32.dll Ecandfpd.exe File created C:\Windows\SysWOW64\Docjlc32.dll Ikpaldog.exe File opened for modification C:\Windows\SysWOW64\Dddojq32.exe Dccbbhld.exe File opened for modification C:\Windows\SysWOW64\Gcojed32.exe Gkhbdg32.exe File created C:\Windows\SysWOW64\Hmphmhjc.dll Pjmehkqk.exe File created C:\Windows\SysWOW64\Fogjfmfe.dll Kdffocib.exe File opened for modification C:\Windows\SysWOW64\Mdhdajea.exe Mmnldp32.exe File opened for modification C:\Windows\SysWOW64\Pjmehkqk.exe Pgnilpah.exe File created C:\Windows\SysWOW64\Dhhnpjmh.exe Dejacond.exe File opened for modification C:\Windows\SysWOW64\Pcppfaka.exe Pqbdjfln.exe File opened for modification C:\Windows\SysWOW64\Lpcmec32.exe Lijdhiaa.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 10596 10504 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Ojopad32.exeBlpnib32.exeEcmeig32.exeHfqlnm32.exeMiifeq32.exeMpdelajl.exeOnmhgb32.exeFebgea32.exeGhlcnk32.exeHofdacke.exeHecmijim.exeIefioj32.exeJfaedkdp.exeOdednmpm.exeBahmfj32.exeDopigd32.exeMedgncoe.exeOlkhmi32.exePnakhkol.exeAfjlnk32.exeAcnlgp32.exeCehkhecb.exeOgpmjb32.exeOjjffddl.exeLgokmgjm.exeOgifjcdp.exeOneklm32.exeAnfmjhmd.exeLiekmj32.exeOjhiqefo.exeMpolqa32.exePnbbbabh.exeEhnglm32.exeGkoiefmj.exeOjjolnaq.exeOdocigqg.exeLcmofolg.exeMcklgm32.exeDdmhja32.exeIkpaldog.exeIeolehop.exeChjaol32.exePclneicb.exeQchmagie.exePgjfkg32.exeOqdoboli.exePcjapi32.exeIpbdmaah.exeIcplcpgo.exeLbabgh32.exeBagflcje.exeBdfibe32.exeKmfmmcbo.exeAbkjdnoa.exeJifhaenk.exePmoahijl.exeJmknaell.exeOgjmdigk.exeFhqcam32.exeEcandfpd.exeFkalchij.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojopad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blpnib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecmeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfqlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll" Miifeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhibca32.dll" Onmhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Febgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghlcnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbbae32.dll" Hofdacke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hecmijim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfaedkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jglkll32.dll" Odednmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bahmfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Medgncoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkhmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnakhkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll" Afjlnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cehkhecb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll" Ogpmjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoppd32.dll" Ojjffddl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgokmgjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll" Ogifjcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogifjcdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oneklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anfmjhmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liekmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojhiqefo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpolqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmjhgem.dll" Pnbbbabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdalf32.dll" Ehnglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkoiefmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll" Ojjolnaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll" Odocigqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcmofolg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" Mcklgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmhja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikpaldog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieolehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" Chjaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pclneicb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qchmagie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgjfkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjcpkfo.dll" Oqdoboli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcjapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakmgga.dll" Icplcpgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbabgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll" Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepgml32.dll" Bdfibe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnglm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmfmmcbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miifeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abkjdnoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jifhaenk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmknaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gleeed32.dll" Ogjmdigk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhqcam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecandfpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkalchij.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exeKmjqmi32.exeKphmie32.exeKdcijcke.exeKgbefoji.exeKagichjo.exeKdffocib.exeKgdbkohf.exeKibnhjgj.exeKdhbec32.exeLiekmj32.exeLalcng32.exeLcmofolg.exeLmccchkn.exeLdmlpbbj.exeLijdhiaa.exeLpcmec32.exeLkiqbl32.exeLilanioo.exeLgpagm32.exeLaefdf32.exeLddbqa32.exedescription pid process target process PID 4880 wrote to memory of 544 4880 47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe Kmjqmi32.exe PID 4880 wrote to memory of 544 4880 47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe Kmjqmi32.exe PID 4880 wrote to memory of 544 4880 47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe Kmjqmi32.exe PID 544 wrote to memory of 1508 544 Kmjqmi32.exe Kphmie32.exe PID 544 wrote to memory of 1508 544 Kmjqmi32.exe Kphmie32.exe PID 544 wrote to memory of 1508 544 Kmjqmi32.exe Kphmie32.exe PID 1508 wrote to memory of 3876 1508 Kphmie32.exe Kdcijcke.exe PID 1508 wrote to memory of 3876 1508 Kphmie32.exe Kdcijcke.exe PID 1508 wrote to memory of 3876 1508 Kphmie32.exe Kdcijcke.exe PID 3876 wrote to memory of 1628 3876 Kdcijcke.exe Kgbefoji.exe PID 3876 wrote to memory of 1628 3876 Kdcijcke.exe Kgbefoji.exe PID 3876 wrote to memory of 1628 3876 Kdcijcke.exe Kgbefoji.exe PID 1628 wrote to memory of 3300 1628 Kgbefoji.exe Kagichjo.exe PID 1628 wrote to memory of 3300 1628 Kgbefoji.exe Kagichjo.exe PID 1628 wrote to memory of 3300 1628 Kgbefoji.exe Kagichjo.exe PID 3300 wrote to memory of 4116 3300 Kagichjo.exe Kdffocib.exe PID 3300 wrote to memory of 4116 3300 Kagichjo.exe Kdffocib.exe PID 3300 wrote to memory of 4116 3300 Kagichjo.exe Kdffocib.exe PID 4116 wrote to memory of 3848 4116 Kdffocib.exe Kgdbkohf.exe PID 4116 wrote to memory of 3848 4116 Kdffocib.exe Kgdbkohf.exe PID 4116 wrote to memory of 3848 4116 Kdffocib.exe Kgdbkohf.exe PID 3848 wrote to memory of 3220 3848 Kgdbkohf.exe Kibnhjgj.exe PID 3848 wrote to memory of 3220 3848 Kgdbkohf.exe Kibnhjgj.exe PID 3848 wrote to memory of 3220 3848 Kgdbkohf.exe Kibnhjgj.exe PID 3220 wrote to memory of 772 3220 Kibnhjgj.exe Kdhbec32.exe PID 3220 wrote to memory of 772 3220 Kibnhjgj.exe Kdhbec32.exe PID 3220 wrote to memory of 772 3220 Kibnhjgj.exe Kdhbec32.exe PID 772 wrote to memory of 2592 772 Kdhbec32.exe Liekmj32.exe PID 772 wrote to memory of 2592 772 Kdhbec32.exe Liekmj32.exe PID 772 wrote to memory of 2592 772 Kdhbec32.exe Liekmj32.exe PID 2592 wrote to memory of 2076 2592 Liekmj32.exe Lalcng32.exe PID 2592 wrote to memory of 2076 2592 Liekmj32.exe Lalcng32.exe PID 2592 wrote to memory of 2076 2592 Liekmj32.exe Lalcng32.exe PID 2076 wrote to memory of 4388 2076 Lalcng32.exe Lcmofolg.exe PID 2076 wrote to memory of 4388 2076 Lalcng32.exe Lcmofolg.exe PID 2076 wrote to memory of 4388 2076 Lalcng32.exe Lcmofolg.exe PID 4388 wrote to memory of 4976 4388 Lcmofolg.exe Lmccchkn.exe PID 4388 wrote to memory of 4976 4388 Lcmofolg.exe Lmccchkn.exe PID 4388 wrote to memory of 4976 4388 Lcmofolg.exe Lmccchkn.exe PID 4976 wrote to memory of 4024 4976 Lmccchkn.exe Ldmlpbbj.exe PID 4976 wrote to memory of 4024 4976 Lmccchkn.exe Ldmlpbbj.exe PID 4976 wrote to memory of 4024 4976 Lmccchkn.exe Ldmlpbbj.exe PID 4024 wrote to memory of 4944 4024 Ldmlpbbj.exe Lijdhiaa.exe PID 4024 wrote to memory of 4944 4024 Ldmlpbbj.exe Lijdhiaa.exe PID 4024 wrote to memory of 4944 4024 Ldmlpbbj.exe Lijdhiaa.exe PID 4944 wrote to memory of 3144 4944 Lijdhiaa.exe Lpcmec32.exe PID 4944 wrote to memory of 3144 4944 Lijdhiaa.exe Lpcmec32.exe PID 4944 wrote to memory of 3144 4944 Lijdhiaa.exe Lpcmec32.exe PID 3144 wrote to memory of 1816 3144 Lpcmec32.exe Lkiqbl32.exe PID 3144 wrote to memory of 1816 3144 Lpcmec32.exe Lkiqbl32.exe PID 3144 wrote to memory of 1816 3144 Lpcmec32.exe Lkiqbl32.exe PID 1816 wrote to memory of 116 1816 Lkiqbl32.exe Lilanioo.exe PID 1816 wrote to memory of 116 1816 Lkiqbl32.exe Lilanioo.exe PID 1816 wrote to memory of 116 1816 Lkiqbl32.exe Lilanioo.exe PID 116 wrote to memory of 2396 116 Lilanioo.exe Lgpagm32.exe PID 116 wrote to memory of 2396 116 Lilanioo.exe Lgpagm32.exe PID 116 wrote to memory of 2396 116 Lilanioo.exe Lgpagm32.exe PID 2396 wrote to memory of 1272 2396 Lgpagm32.exe Laefdf32.exe PID 2396 wrote to memory of 1272 2396 Lgpagm32.exe Laefdf32.exe PID 2396 wrote to memory of 1272 2396 Lgpagm32.exe Laefdf32.exe PID 1272 wrote to memory of 5072 1272 Laefdf32.exe Lddbqa32.exe PID 1272 wrote to memory of 5072 1272 Laefdf32.exe Lddbqa32.exe PID 1272 wrote to memory of 5072 1272 Laefdf32.exe Lddbqa32.exe PID 5072 wrote to memory of 4904 5072 Lddbqa32.exe Mjqjih32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe"C:\Users\Admin\AppData\Local\Temp\47e722a0fff50107a0ac06f739997244d9cffc82711bebf05fd4c30e49622c9f.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Kgbefoji.exeC:\Windows\system32\Kgbefoji.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Liekmj32.exeC:\Windows\system32\Liekmj32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Lkiqbl32.exeC:\Windows\system32\Lkiqbl32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe23⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe26⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe27⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe29⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:628 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe31⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe32⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe33⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4172 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe36⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe40⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe41⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe42⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe43⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1172 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe47⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:724 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe51⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe56⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe57⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:4292 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:4280 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe60⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:4852 -
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe62⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe65⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe66⤵PID:2440
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe67⤵PID:3140
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe68⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe69⤵PID:2516
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe70⤵
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe71⤵PID:2604
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe73⤵PID:388
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe74⤵PID:1332
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4828 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe78⤵PID:4164
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe79⤵PID:3376
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe80⤵
- Modifies registry class
PID:3408 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe81⤵PID:4892
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1432 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe83⤵PID:4980
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe84⤵
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe85⤵PID:3504
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe86⤵PID:4576
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe87⤵PID:2696
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe88⤵PID:4448
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe89⤵
- Drops file in System32 directory
PID:4496 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe90⤵PID:2112
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe91⤵PID:2380
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3148 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe93⤵PID:4524
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3796 -
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe95⤵PID:4408
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe96⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe97⤵PID:3528
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3424 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe99⤵PID:5132
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe100⤵
- Modifies registry class
PID:5200 -
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe101⤵PID:5248
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe102⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5320 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe104⤵
- Drops file in System32 directory
PID:5376 -
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe105⤵PID:5416
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe106⤵
- Drops file in System32 directory
PID:5468 -
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe107⤵PID:5720
-
C:\Windows\SysWOW64\Blpnib32.exeC:\Windows\system32\Blpnib32.exe108⤵
- Modifies registry class
PID:5760 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe109⤵PID:5804
-
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe110⤵PID:5848
-
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe111⤵PID:5892
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe112⤵PID:5936
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe113⤵PID:5976
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6012 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe115⤵PID:6060
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe116⤵PID:6104
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5124 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe118⤵
- Drops file in System32 directory
PID:5208 -
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe119⤵
- Drops file in System32 directory
PID:5264 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe120⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe121⤵PID:5428
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe122⤵PID:5512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-