Analysis
-
max time kernel: 143s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 29-05-2024 01:36
-
Behavioral task: behavioral1
Sample: b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe
Resource: win7-20240419-en
-
Behavioral task: behavioral2
Sample: b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe
Resource: win10v2004-20240426-en
-
General
-
Target: b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe
Size: 337KB
MD5: a3a3c768555316c9c9c08055c617888f
SHA1: aa24835a85cd1a998529146e5dbcfa78b456b72b
SHA256: b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80
SHA512: e15be89f48c1d7f8e04fdbbdf62c087d0bf00fe48be9b8761acd1784a87e58186a14586ae709eae163882e0d88982eddaecd01412726c0de0bf9921ead3650a3
SSDEEP: 3072:4TpcDjUJr+/zLgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:4TiDj6r+/n1+fIyG5jZkCwi8r
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
Processes: pid 1680, target pid 1996
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe
Igainn32.exe
Iolmbpfe.exe
Ioojhpdb.exe
Ikekmq32.exe
Iiikfehq.exe
Ifmlpigj.exe
Jbdlejmn.exe
Jjoailji.exe
Jcgfbb32.exe
Jakfkfpc.exe
Jclomamd.exe
Jiigehkl.exe
Kbalnnam.exe
Kikdkh32.exe
Kbfeimng.exe
description pid process target process
PID 1860 wrote to memory of 2860 1860 b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe Igainn32.exe
PID 1860 wrote to memory of 2860 1860 b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe Igainn32.exe
PID 1860 wrote to memory of 2860 1860 b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe Igainn32.exe
PID 1860 wrote to memory of 2860 1860 b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe Igainn32.exe
PID 2860 wrote to memory of 2648 2860 Igainn32.exe Iolmbpfe.exe
PID 2860 wrote to memory of 2648 2860 Igainn32.exe Iolmbpfe.exe
PID 2860 wrote to memory of 2648 2860 Igainn32.exe Iolmbpfe.exe
PID 2860 wrote to memory of 2648 2860 Igainn32.exe Iolmbpfe.exe
PID 2648 wrote to memory of 2876 2648 Iolmbpfe.exe Ioojhpdb.exe
PID 2648 wrote to memory of 2876 2648 Iolmbpfe.exe Ioojhpdb.exe
PID 2648 wrote to memory of 2876 2648 Iolmbpfe.exe Ioojhpdb.exe
PID 2648 wrote to memory of 2876 2648 Iolmbpfe.exe Ioojhpdb.exe
PID 2876 wrote to memory of 2728 2876 Ioojhpdb.exe Ikekmq32.exe
PID 2876 wrote to memory of 2728 2876 Ioojhpdb.exe Ikekmq32.exe
PID 2876 wrote to memory of 2728 2876 Ioojhpdb.exe Ikekmq32.exe
PID 2876 wrote to memory of 2728 2876 Ioojhpdb.exe Ikekmq32.exe
PID 2728 wrote to memory of 2376 2728 Ikekmq32.exe Iiikfehq.exe
PID 2728 wrote to memory of 2376 2728 Ikekmq32.exe Iiikfehq.exe
PID 2728 wrote to memory of 2376 2728 Ikekmq32.exe Iiikfehq.exe
PID 2728 wrote to memory of 2376 2728 Ikekmq32.exe Iiikfehq.exe
PID 2376 wrote to memory of 2132 2376 Iiikfehq.exe Ifmlpigj.exe
PID 2376 wrote to memory of 2132 2376 Iiikfehq.exe Ifmlpigj.exe
PID 2376 wrote to memory of 2132 2376 Iiikfehq.exe Ifmlpigj.exe
PID 2376 wrote to memory of 2132 2376 Iiikfehq.exe Ifmlpigj.exe
PID 2132 wrote to memory of 1596 2132 Ifmlpigj.exe Jbdlejmn.exe
PID 2132 wrote to memory of 1596 2132 Ifmlpigj.exe Jbdlejmn.exe
PID 2132 wrote to memory of 1596 2132 Ifmlpigj.exe Jbdlejmn.exe
PID 2132 wrote to memory of 1596 2132 Ifmlpigj.exe Jbdlejmn.exe
PID 1596 wrote to memory of 2680 1596 Jbdlejmn.exe Jjoailji.exe
PID 1596 wrote to memory of 2680 1596 Jbdlejmn.exe Jjoailji.exe
PID 1596 wrote to memory of 2680 1596 Jbdlejmn.exe Jjoailji.exe
PID 1596 wrote to memory of 2680 1596 Jbdlejmn.exe Jjoailji.exe
PID 2680 wrote to memory of 2148 2680 Jjoailji.exe Jcgfbb32.exe
PID 2680 wrote to memory of 2148 2680 Jjoailji.exe Jcgfbb32.exe
PID 2680 wrote to memory of 2148 2680 Jjoailji.exe Jcgfbb32.exe
PID 2680 wrote to memory of 2148 2680 Jjoailji.exe Jcgfbb32.exe
PID 2148 wrote to memory of 1504 2148 Jcgfbb32.exe Jakfkfpc.exe
PID 2148 wrote to memory of 1504 2148 Jcgfbb32.exe Jakfkfpc.exe
PID 2148 wrote to memory of 1504 2148 Jcgfbb32.exe Jakfkfpc.exe
PID 2148 wrote to memory of 1504 2148 Jcgfbb32.exe Jakfkfpc.exe
PID 1504 wrote to memory of 1556 1504 Jakfkfpc.exe Jclomamd.exe
PID 1504 wrote to memory of 1556 1504 Jakfkfpc.exe Jclomamd.exe
PID 1504 wrote to memory of 1556 1504 Jakfkfpc.exe Jclomamd.exe
PID 1504 wrote to memory of 1556 1504 Jakfkfpc.exe Jclomamd.exe
PID 1556 wrote to memory of 2840 1556 Jclomamd.exe Jiigehkl.exe
PID 1556 wrote to memory of 2840 1556 Jclomamd.exe Jiigehkl.exe
PID 1556 wrote to memory of 2840 1556 Jclomamd.exe Jiigehkl.exe
PID 1556 wrote to memory of 2840 1556 Jclomamd.exe Jiigehkl.exe
PID 2840 wrote to memory of 2204 2840 Jiigehkl.exe Kbalnnam.exe
PID 2840 wrote to memory of 2204 2840 Jiigehkl.exe Kbalnnam.exe
PID 2840 wrote to memory of 2204 2840 Jiigehkl.exe Kbalnnam.exe
PID 2840 wrote to memory of 2204 2840 Jiigehkl.exe Kbalnnam.exe
PID 2204 wrote to memory of 2212 2204 Kbalnnam.exe Kikdkh32.exe
PID 2204 wrote to memory of 2212 2204 Kbalnnam.exe Kikdkh32.exe
PID 2204 wrote to memory of 2212 2204 Kbalnnam.exe Kikdkh32.exe
PID 2204 wrote to memory of 2212 2204 Kbalnnam.exe Kikdkh32.exe
PID 2212 wrote to memory of 488 2212 Kikdkh32.exe Kbfeimng.exe
PID 2212 wrote to memory of 488 2212 Kikdkh32.exe Kbfeimng.exe
PID 2212 wrote to memory of 488 2212 Kikdkh32.exe Kbfeimng.exe
PID 2212 wrote to memory of 488 2212 Kikdkh32.exe Kbfeimng.exe
PID 488 wrote to memory of 828 488 Kbfeimng.exe Kedaeh32.exe
PID 488 wrote to memory of 828 488 Kbfeimng.exe Kedaeh32.exe
PID 488 wrote to memory of 828 488 Kbfeimng.exe Kedaeh32.exe
PID 488 wrote to memory of 828 488 Kbfeimng.exe Kedaeh32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe"C:\Users\Admin\AppData\Local\Temp\b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Iolmbpfe.exeC:\Windows\system32\Iolmbpfe.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Ikekmq32.exeC:\Windows\system32\Ikekmq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Iiikfehq.exeC:\Windows\system32\Iiikfehq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Jjoailji.exeC:\Windows\system32\Jjoailji.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Jcgfbb32.exeC:\Windows\system32\Jcgfbb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Kikdkh32.exeC:\Windows\system32\Kikdkh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:488 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:396 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2320 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe33⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe34⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe35⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe37⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe38⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe39⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe40⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe41⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe42⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe43⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe44⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Nghphaeo.exeC:\Windows\system32\Nghphaeo.exe45⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe46⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Nleiqhcg.exeC:\Windows\system32\Nleiqhcg.exe47⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe48⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe49⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe50⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Njkfpl32.exeC:\Windows\system32\Njkfpl32.exe52⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe53⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Nccjhafn.exeC:\Windows\system32\Nccjhafn.exe54⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe55⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe56⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe57⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe58⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe59⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe60⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe61⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe62⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe63⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Obnqem32.exeC:\Windows\system32\Obnqem32.exe64⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Oelmai32.exeC:\Windows\system32\Oelmai32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe66⤵PID:664
-
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe67⤵PID:2420
-
C:\Windows\SysWOW64\Ondajnme.exeC:\Windows\system32\Ondajnme.exe68⤵PID:1568
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe69⤵PID:832
-
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe70⤵PID:2124
-
C:\Windows\SysWOW64\Pminkk32.exeC:\Windows\system32\Pminkk32.exe71⤵PID:2000
-
C:\Windows\SysWOW64\Pphjgfqq.exeC:\Windows\system32\Pphjgfqq.exe72⤵PID:3020
-
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe73⤵PID:1740
-
C:\Windows\SysWOW64\Pfbccp32.exeC:\Windows\system32\Pfbccp32.exe74⤵
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe75⤵PID:1632
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe76⤵PID:2460
-
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe77⤵PID:2484
-
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe78⤵PID:2968
-
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe79⤵PID:2672
-
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe80⤵PID:1116
-
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe81⤵PID:1204
-
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe82⤵PID:1880
-
C:\Windows\SysWOW64\Pnbacbac.exeC:\Windows\system32\Pnbacbac.exe83⤵PID:1716
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe84⤵PID:1652
-
C:\Windows\SysWOW64\Phjelg32.exeC:\Windows\system32\Phjelg32.exe85⤵PID:272
-
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe86⤵PID:1692
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe87⤵PID:1464
-
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe88⤵PID:1976
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe89⤵PID:2136
-
C:\Windows\SysWOW64\Qbbfopeg.exeC:\Windows\system32\Qbbfopeg.exe90⤵PID:2140
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe91⤵PID:2736
-
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe92⤵PID:2496
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe93⤵PID:2508
-
C:\Windows\SysWOW64\Qecoqk32.exeC:\Windows\system32\Qecoqk32.exe94⤵PID:2812
-
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe95⤵PID:1176
-
C:\Windows\SysWOW64\Ajphib32.exeC:\Windows\system32\Ajphib32.exe96⤵PID:1196
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe97⤵PID:2208
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe98⤵PID:1612
-
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe99⤵PID:572
-
C:\Windows\SysWOW64\Apomfh32.exeC:\Windows\system32\Apomfh32.exe100⤵PID:292
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe101⤵PID:2888
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe102⤵PID:1280
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe103⤵PID:1904
-
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe104⤵PID:1608
-
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe105⤵PID:1656
-
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe106⤵PID:3008
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe107⤵PID:300
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe108⤵PID:2492
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe109⤵PID:2472
-
C:\Windows\SysWOW64\Aljgfioc.exeC:\Windows\system32\Aljgfioc.exe110⤵PID:2272
-
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe111⤵PID:2684
-
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe112⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe113⤵PID:1668
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe114⤵PID:2964
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe115⤵PID:2092
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe116⤵PID:308
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe117⤵PID:792
-
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe118⤵PID:1944
-
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe119⤵PID:1532
-
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe120⤵PID:2312
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe121⤵PID:2572
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe122⤵PID:2016
-
C:\Windows\SysWOW64\Baqbenep.exeC:\Windows\system32\Baqbenep.exe123⤵PID:2512
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe124⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe125⤵PID:2644
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe126⤵PID:2448
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe127⤵PID:3036
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe128⤵PID:2904
-
C:\Windows\SysWOW64\Cphlljge.exeC:\Windows\system32\Cphlljge.exe129⤵PID:2088
-
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe130⤵PID:2880
-
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe131⤵PID:2436
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe132⤵PID:1764
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe133⤵PID:2344
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe134⤵PID:2856
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe135⤵PID:320
-
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe136⤵PID:1916
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe137⤵PID:376
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe138⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe139⤵PID:2912
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe140⤵PID:1560
-
C:\Windows\SysWOW64\Dhjgal32.exeC:\Windows\system32\Dhjgal32.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe142⤵PID:2960
-
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe143⤵PID:1416
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe145⤵PID:532
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe146⤵PID:984
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe147⤵PID:1040
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe148⤵PID:1932
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe149⤵PID:2664
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe150⤵PID:2568
-
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe151⤵PID:2300
-
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe152⤵PID:1452
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe153⤵PID:2224
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe154⤵PID:1664
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe155⤵PID:2084
-
C:\Windows\SysWOW64\Dgfjbgmh.exeC:\Windows\system32\Dgfjbgmh.exe156⤵PID:1220
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe157⤵PID:1644
-
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe158⤵
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe159⤵PID:1912
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe160⤵PID:408
-
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe161⤵PID:1424
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe162⤵PID:2804
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe163⤵PID:1508
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe164⤵PID:1244
-
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe165⤵PID:1820
-
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe166⤵PID:1528
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe167⤵PID:2716
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe168⤵PID:1708
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe169⤵PID:892
-
C:\Windows\SysWOW64\Ebedndfa.exeC:\Windows\system32\Ebedndfa.exe170⤵PID:2908
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe171⤵PID:2228
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe172⤵PID:2120
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe173⤵PID:2768
-
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe174⤵PID:1540
-
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe175⤵PID:2100
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe176⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe177⤵PID:2116
-
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe178⤵PID:2444
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe179⤵PID:752
-
C:\Windows\SysWOW64\Fejgko32.exeC:\Windows\system32\Fejgko32.exe180⤵PID:2836
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe181⤵PID:1988
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe182⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe183⤵PID:1544
-
C:\Windows\SysWOW64\Fmhheqje.exeC:\Windows\system32\Fmhheqje.exe184⤵PID:1520
-
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe185⤵PID:2032
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe186⤵PID:1676
-
C:\Windows\SysWOW64\Flmefm32.exeC:\Windows\system32\Flmefm32.exe187⤵PID:1172
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe188⤵PID:2544
-
C:\Windows\SysWOW64\Fddmgjpo.exeC:\Windows\system32\Fddmgjpo.exe189⤵PID:1396
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe190⤵PID:2816
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe191⤵PID:2884
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe192⤵PID:1096
-
C:\Windows\SysWOW64\Gbkgnfbd.exeC:\Windows\system32\Gbkgnfbd.exe193⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Gejcjbah.exeC:\Windows\system32\Gejcjbah.exe194⤵PID:2772
-
C:\Windows\SysWOW64\Gieojq32.exeC:\Windows\system32\Gieojq32.exe195⤵PID:3004
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe196⤵PID:3100
-
C:\Windows\SysWOW64\Gelppaof.exeC:\Windows\system32\Gelppaof.exe197⤵PID:3140
-
C:\Windows\SysWOW64\Glfhll32.exeC:\Windows\system32\Glfhll32.exe198⤵PID:3180
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe199⤵PID:3220
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe200⤵PID:3260
-
C:\Windows\SysWOW64\Gogangdc.exeC:\Windows\system32\Gogangdc.exe201⤵PID:3300
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe202⤵PID:3340
-
C:\Windows\SysWOW64\Gddifnbk.exeC:\Windows\system32\Gddifnbk.exe203⤵PID:3380
-
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe204⤵PID:3420
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe205⤵PID:3460
-
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe206⤵PID:3500
-
C:\Windows\SysWOW64\Hpmgqnfl.exeC:\Windows\system32\Hpmgqnfl.exe207⤵PID:3540
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe208⤵PID:3580
-
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe209⤵PID:3624
-
C:\Windows\SysWOW64\Hpocfncj.exeC:\Windows\system32\Hpocfncj.exe210⤵
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Hcnpbi32.exeC:\Windows\system32\Hcnpbi32.exe211⤵PID:3704
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe212⤵
- Modifies registry class
PID:3744 -
C:\Windows\SysWOW64\Hhjhkq32.exeC:\Windows\system32\Hhjhkq32.exe213⤵PID:3784
-
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe214⤵PID:3824
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe215⤵PID:3864
-
C:\Windows\SysWOW64\Hhmepp32.exeC:\Windows\system32\Hhmepp32.exe216⤵PID:3904
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3944 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe218⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Ihoafpmp.exeC:\Windows\system32\Ihoafpmp.exe219⤵PID:4024
-
C:\Windows\SysWOW64\Ioijbj32.exeC:\Windows\system32\Ioijbj32.exe220⤵PID:4064
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe221⤵PID:3080
-
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe222⤵PID:3128
-
C:\Windows\SysWOW64\Igdogl32.exeC:\Windows\system32\Igdogl32.exe223⤵
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Inngcfid.exeC:\Windows\system32\Inngcfid.exe224⤵
- Drops file in System32 directory
PID:3228 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe225⤵PID:3280
-
C:\Windows\SysWOW64\Ihdkao32.exeC:\Windows\system32\Ihdkao32.exe226⤵PID:3348
-
C:\Windows\SysWOW64\Inqcif32.exeC:\Windows\system32\Inqcif32.exe227⤵PID:3396
-
C:\Windows\SysWOW64\Idklfpon.exeC:\Windows\system32\Idklfpon.exe228⤵PID:3448
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe229⤵PID:3492
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe230⤵PID:3548
-
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe231⤵PID:3600
-
C:\Windows\SysWOW64\Idmhkpml.exeC:\Windows\system32\Idmhkpml.exe232⤵PID:3652
-
C:\Windows\SysWOW64\Igkdgk32.exeC:\Windows\system32\Igkdgk32.exe233⤵PID:3696
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe234⤵PID:3752
-
C:\Windows\SysWOW64\Jqdipqbp.exeC:\Windows\system32\Jqdipqbp.exe235⤵PID:3804
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe236⤵
- Modifies registry class
PID:3852 -
C:\Windows\SysWOW64\Jfqahgpg.exeC:\Windows\system32\Jfqahgpg.exe237⤵PID:3896
-
C:\Windows\SysWOW64\Jiondcpk.exeC:\Windows\system32\Jiondcpk.exe238⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3924 -
C:\Windows\SysWOW64\Jqfffqpm.exeC:\Windows\system32\Jqfffqpm.exe239⤵PID:4004
-
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe240⤵PID:4048
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe241⤵PID:3076
-
C:\Windows\SysWOW64\Jkpgfn32.exeC:\Windows\system32\Jkpgfn32.exe242⤵PID:3160