Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 01:36
Behavioral task
behavioral1
Sample
b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe
Resource
win10v2004-20240426-en
General
-
Target
b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe
-
Size
337KB
-
MD5
a3a3c768555316c9c9c08055c617888f
-
SHA1
aa24835a85cd1a998529146e5dbcfa78b456b72b
-
SHA256
b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80
-
SHA512
e15be89f48c1d7f8e04fdbbdf62c087d0bf00fe48be9b8761acd1784a87e58186a14586ae709eae163882e0d88982eddaecd01412726c0de0bf9921ead3650a3
-
SSDEEP
3072:4TpcDjUJr+/zLgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:4TiDj6r+/n1+fIyG5jZkCwi8r
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ikpjbq32.exeBjdkjo32.exeGhopckpi.exeDahhio32.exeIomcgl32.exeLidmhmnp.exeGbabigfj.exeKkjeomld.exeCbeapmll.exeGkkojgao.exeFlnlhk32.exePjeoglgc.exeKfnkkb32.exeDpgnjo32.exeHfcicmqp.exeKdgljmcd.exeEjpfhnpe.exeKkpbin32.exeGfokoelp.exeBifmqo32.exeAjneip32.exeColffknh.exeMpjlklok.exeCdhhdlid.exeDanecp32.exeQkmdkgob.exeDkgqfl32.exeIhdafkdg.exeEofbch32.exeMiifeq32.exeCafigg32.exeAfinioip.exeGhlcnk32.exeIickkbje.exeAnadoi32.exeOcffempp.exeOlgncmim.exeKmdlffhj.exeInjcmc32.exeJhlgfj32.exeEmphocjj.exeLnjnqh32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghopckpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahhio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lidmhmnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkojgao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnlhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjeoglgc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnkkb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgnjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcicmqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgljmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejpfhnpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpbin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfokoelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajneip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colffknh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjlklok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdhhdlid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmdkgob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkgqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eofbch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miifeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cafigg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afinioip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlcnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iickkbje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocffempp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injcmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhlgfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emphocjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjnqh32.exe -
Executes dropped EXE 64 IoCs
Processes:
Lcmofolg.exeLiggbi32.exeLaopdgcg.exeLcbiao32.exeLgpagm32.exeLcgblncm.exeMahbje32.exeMciobn32.exeMajopeii.exeMgghhlhq.exeMpolqa32.exeMgidml32.exeMjhqjg32.exeMglack32.exeMnfipekh.exeMdpalp32.exeNnhfee32.exeNceonl32.exeNjogjfoj.exeNafokcol.exeNddkgonp.exeNcgkcl32.exeNqklmpdd.exeNgedij32.exeNqmhbpba.exeOgjmdigk.exeOjhiqefo.exeOndeac32.exeOcqnij32.exeOgljjiei.exeOjjffddl.exeObangb32.exeOjmcld32.exeOgaceh32.exeOqihnn32.exeOcgdji32.exeOjalgcnd.exeObidhaog.exeOdgqdlnj.exePgemphmn.exePjdilcla.exePeimil32.exePkceffcd.exePjffbc32.exePbmncp32.exePeljol32.exePgjfkg32.exePjhbgb32.exePbpjhp32.exePcagphom.exePkhoae32.exePnfkma32.exePaegjl32.exePcccfh32.exePkjlge32.exePnihcq32.exePagdol32.exeQcepkg32.exeQkmhlekj.exeQbgqio32.exeQeemej32.exeQgciaf32.exeQloebdig.exeQalnjkgo.exepid process 2740 Lcmofolg.exe 3328 Liggbi32.exe 4172 Laopdgcg.exe 1736 Lcbiao32.exe 4828 Lgpagm32.exe 4904 Lcgblncm.exe 4772 Mahbje32.exe 4356 Mciobn32.exe 4936 Majopeii.exe 4868 Mgghhlhq.exe 5052 Mpolqa32.exe 2292 Mgidml32.exe 400 Mjhqjg32.exe 396 Mglack32.exe 1420 Mnfipekh.exe 2468 Mdpalp32.exe 3236 Nnhfee32.exe 4528 Nceonl32.exe 932 Njogjfoj.exe 3948 Nafokcol.exe 4972 Nddkgonp.exe 224 Ncgkcl32.exe 3104 Nqklmpdd.exe 4036 Ngedij32.exe 2264 Nqmhbpba.exe 4684 Ogjmdigk.exe 4848 Ojhiqefo.exe 3080 Ondeac32.exe 4476 Ocqnij32.exe 4492 Ogljjiei.exe 3032 Ojjffddl.exe 2056 Obangb32.exe 2856 Ojmcld32.exe 4412 Ogaceh32.exe 912 Oqihnn32.exe 1704 Ocgdji32.exe 4500 Ojalgcnd.exe 3184 Obidhaog.exe 1640 Odgqdlnj.exe 2180 Pgemphmn.exe 2700 Pjdilcla.exe 1644 Peimil32.exe 2156 Pkceffcd.exe 4976 Pjffbc32.exe 2868 Pbmncp32.exe 1380 Peljol32.exe 3672 Pgjfkg32.exe 1128 Pjhbgb32.exe 2816 Pbpjhp32.exe 4560 Pcagphom.exe 1864 Pkhoae32.exe 1388 Pnfkma32.exe 988 Paegjl32.exe 2020 Pcccfh32.exe 4144 Pkjlge32.exe 3588 Pnihcq32.exe 2556 Pagdol32.exe 3500 Qcepkg32.exe 4496 Qkmhlekj.exe 3848 Qbgqio32.exe 4644 Qeemej32.exe 1132 Qgciaf32.exe 1884 Qloebdig.exe 2692 Qalnjkgo.exe -
Drops file in System32 directory 64 IoCs
Processes:
Hgabkoee.exeJecofa32.exePloknb32.exeOfqpqo32.exeEdfdej32.exeJedeph32.exeMdhdajea.exeKmfmmcbo.exeJbdbjf32.exePnfkma32.exeGcojed32.exeJlhljhbg.exeMgghhlhq.exeEcjhcg32.exeHbbmmi32.exeMhilfa32.exeFjjnifbl.exeGafmaj32.exeKfqgab32.exeIfllil32.exeEkbihd32.exeHnfamjqg.exeJkhngl32.exeJgonlm32.exeIcdheded.exeOjalgcnd.exePgemphmn.exeJcphab32.exeEchknh32.exeDlghoa32.exeGfpcgpae.exeKlimip32.exeKkpbin32.exeKfckahdj.exeIggjga32.exeJpgmha32.exeEdhakj32.exeFohoigfh.exeNdokbi32.exeAeiofcji.exeIfleoe32.exeNgmpcn32.exedescription ioc process File created C:\Windows\SysWOW64\Iohjlmeg.exe Hgabkoee.exe File opened for modification C:\Windows\SysWOW64\Jgakbm32.exe Jecofa32.exe File opened for modification C:\Windows\SysWOW64\Pomgjn32.exe Ploknb32.exe File created C:\Windows\SysWOW64\Bcflijmh.dll File created C:\Windows\SysWOW64\Fiqjke32.exe File opened for modification C:\Windows\SysWOW64\Odapnf32.exe Ofqpqo32.exe File opened for modification C:\Windows\SysWOW64\Eolhbc32.exe Edfdej32.exe File created C:\Windows\SysWOW64\Fllifblf.dll Jedeph32.exe File created C:\Windows\SysWOW64\Flfelggh.dll Mdhdajea.exe File created C:\Windows\SysWOW64\Djkahqga.dll Kmfmmcbo.exe File created C:\Windows\SysWOW64\Jfpojead.exe Jbdbjf32.exe File created C:\Windows\SysWOW64\Nmlddqem.exe File created C:\Windows\SysWOW64\Micgbemj.dll File created C:\Windows\SysWOW64\Mhegobpi.dll File opened for modification C:\Windows\SysWOW64\Paegjl32.exe Pnfkma32.exe File created C:\Windows\SysWOW64\Nghjpm32.dll Gcojed32.exe File created C:\Windows\SysWOW64\Lflpengd.dll Jlhljhbg.exe File created C:\Windows\SysWOW64\Npepkf32.exe File created C:\Windows\SysWOW64\Odegmceb.dll Mgghhlhq.exe File created C:\Windows\SysWOW64\Eeidoc32.exe Ecjhcg32.exe File created C:\Windows\SysWOW64\Mdkgabfn.dll File created C:\Windows\SysWOW64\Fbgbnkfm.exe File created C:\Windows\SysWOW64\Kdffjgpj.exe File created C:\Windows\SysWOW64\Mdghhb32.exe File opened for modification C:\Windows\SysWOW64\Hdpiid32.exe Hbbmmi32.exe File created C:\Windows\SysWOW64\Anmfbl32.exe File created C:\Windows\SysWOW64\Nihipdhl.exe Mhilfa32.exe File created C:\Windows\SysWOW64\Fmikeaap.exe Fjjnifbl.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe File created C:\Windows\SysWOW64\Nclikl32.exe File created C:\Windows\SysWOW64\Ogjembbd.dll File created C:\Windows\SysWOW64\Ialqkblh.dll Gafmaj32.exe File opened for modification C:\Windows\SysWOW64\Kiodmn32.exe Kfqgab32.exe File created C:\Windows\SysWOW64\Aaqfok32.dll Ifllil32.exe File created C:\Windows\SysWOW64\Emaedo32.exe Ekbihd32.exe File opened for modification C:\Windows\SysWOW64\Hbbmmi32.exe Hnfamjqg.exe File opened for modification C:\Windows\SysWOW64\Jbbfdfkn.exe Jkhngl32.exe File created C:\Windows\SysWOW64\Jkkjmlan.exe Jgonlm32.exe File created C:\Windows\SysWOW64\Ikkpgafg.exe Icdheded.exe File created C:\Windows\SysWOW64\Obidhaog.exe Ojalgcnd.exe File created C:\Windows\SysWOW64\Pjdilcla.exe Pgemphmn.exe File created C:\Windows\SysWOW64\Ecipcemb.dll File created C:\Windows\SysWOW64\Dnbbhnma.dll Jcphab32.exe File opened for modification C:\Windows\SysWOW64\Mjahlgpf.exe File created C:\Windows\SysWOW64\Gfpggnan.dll Echknh32.exe File created C:\Windows\SysWOW64\Djhimica.exe Dlghoa32.exe File opened for modification C:\Windows\SysWOW64\Olicnfco.exe File created C:\Windows\SysWOW64\Gceegdko.dll File created C:\Windows\SysWOW64\Gdcdbl32.exe Gfpcgpae.exe File created C:\Windows\SysWOW64\Nlplhfon.dll Klimip32.exe File created C:\Windows\SysWOW64\Eonklp32.dll Kkpbin32.exe File created C:\Windows\SysWOW64\Eegiklal.dll File opened for modification C:\Windows\SysWOW64\Abhqefpg.exe File created C:\Windows\SysWOW64\Kdgljmcd.exe Kfckahdj.exe File created C:\Windows\SysWOW64\Ijegcm32.exe Iggjga32.exe File created C:\Windows\SysWOW64\Eeanii32.dll Jpgmha32.exe File opened for modification C:\Windows\SysWOW64\Okceaikl.exe File created C:\Windows\SysWOW64\Eggmge32.exe Edhakj32.exe File opened for modification C:\Windows\SysWOW64\Dqbcbkab.exe File created C:\Windows\SysWOW64\Fafkecel.exe Fohoigfh.exe File created C:\Windows\SysWOW64\Ngmgne32.exe Ndokbi32.exe File created C:\Windows\SysWOW64\Anadoi32.exe Aeiofcji.exe File opened for modification C:\Windows\SysWOW64\Ienekbld.exe Ifleoe32.exe File created C:\Windows\SysWOW64\Ngpock32.dll Ngmpcn32.exe -
Modifies registry class 64 IoCs
Processes:
Lgpagm32.exeBjdkjo32.exeInjmcmej.exeHhihdcbp.exeEhailbaa.exeLgcjdd32.exeNajceeoo.exeBhdbhcck.exeDojcgi32.exeMhilfa32.exeJklinohd.exeGlebhjlg.exeOoagno32.exeEchknh32.exeEoekia32.exeCmipblaq.exeEdmclccp.exeOeaoab32.exeBalfaiil.exeOcnjidkf.exeChjaol32.exeDgbdlf32.exeDfgcakon.exeOgjmdigk.exeBaocghgi.exeFkciihgg.exeAlnmjjdb.exeLelchgne.exeQepkbpak.exeHildmn32.exeKfjhkjle.exeKnippe32.exeLnqeqd32.exeHkjjlhle.exePapfgbmg.exeOjhiqefo.exeColffknh.exeDceohhja.exeElppfmoo.exeCojjqlpk.exeEmaedo32.exeKcbnnpka.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpagm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjdkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Injmcmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhihdcbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehailbaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgcjdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgmickl.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pegopgia.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdbhcck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dojcgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhilfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jklinohd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glebhjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooagno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoekia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihoif32.dll" Edmclccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnpaa32.dll" Oeaoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbbmhgf.dll" Balfaiil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll" Ocnjidkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chjaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfghc32.dll" Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gleeed32.dll" Ogjmdigk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baocghgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkciihgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alnmjjdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lelchgne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keaebdpc.dll" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfjhkjle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knippe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnqeqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjppk32.dll" Hkjjlhle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqklch32.dll" Papfgbmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojhiqefo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Colffknh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dceohhja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnepdqjg.dll" Elppfmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkogl32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojjqlpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipfed32.dll" Emaedo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exeLcmofolg.exeLiggbi32.exeLaopdgcg.exeLcbiao32.exeLgpagm32.exeLcgblncm.exeMahbje32.exeMciobn32.exeMajopeii.exeMgghhlhq.exeMpolqa32.exeMgidml32.exeMjhqjg32.exeMglack32.exeMnfipekh.exeMdpalp32.exeNnhfee32.exeNceonl32.exeNjogjfoj.exeNafokcol.exeNddkgonp.exedescription pid process target process PID 704 wrote to memory of 2740 704 b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe Lcmofolg.exe PID 704 wrote to memory of 2740 704 b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe Lcmofolg.exe PID 704 wrote to memory of 2740 704 b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe Lcmofolg.exe PID 2740 wrote to memory of 3328 2740 Lcmofolg.exe Liggbi32.exe PID 2740 wrote to memory of 3328 2740 Lcmofolg.exe Liggbi32.exe PID 2740 wrote to memory of 3328 2740 Lcmofolg.exe Liggbi32.exe PID 3328 wrote to memory of 4172 3328 Liggbi32.exe Laopdgcg.exe PID 3328 wrote to memory of 4172 3328 Liggbi32.exe Laopdgcg.exe PID 3328 wrote to memory of 4172 3328 Liggbi32.exe Laopdgcg.exe PID 4172 wrote to memory of 1736 4172 Laopdgcg.exe Lcbiao32.exe PID 4172 wrote to memory of 1736 4172 Laopdgcg.exe Lcbiao32.exe PID 4172 wrote to memory of 1736 4172 Laopdgcg.exe Lcbiao32.exe PID 1736 wrote to memory of 4828 1736 Lcbiao32.exe Lgpagm32.exe PID 1736 wrote to memory of 4828 1736 Lcbiao32.exe Lgpagm32.exe PID 1736 wrote to memory of 4828 1736 Lcbiao32.exe Lgpagm32.exe PID 4828 wrote to memory of 4904 4828 Lgpagm32.exe Lcgblncm.exe PID 4828 wrote to memory of 4904 4828 Lgpagm32.exe Lcgblncm.exe PID 4828 wrote to memory of 4904 4828 Lgpagm32.exe Lcgblncm.exe PID 4904 wrote to memory of 4772 4904 Lcgblncm.exe Mahbje32.exe PID 4904 wrote to memory of 4772 4904 Lcgblncm.exe Mahbje32.exe PID 4904 wrote to memory of 4772 4904 Lcgblncm.exe Mahbje32.exe PID 4772 wrote to memory of 4356 4772 Mahbje32.exe Mciobn32.exe PID 4772 wrote to memory of 4356 4772 Mahbje32.exe Mciobn32.exe PID 4772 wrote to memory of 4356 4772 Mahbje32.exe Mciobn32.exe PID 4356 wrote to memory of 4936 4356 Mciobn32.exe Majopeii.exe PID 4356 wrote to memory of 4936 4356 Mciobn32.exe Majopeii.exe PID 4356 wrote to memory of 4936 4356 Mciobn32.exe Majopeii.exe PID 4936 wrote to memory of 4868 4936 Majopeii.exe Mgghhlhq.exe PID 4936 wrote to memory of 4868 4936 Majopeii.exe Mgghhlhq.exe PID 4936 wrote to memory of 4868 4936 Majopeii.exe Mgghhlhq.exe PID 4868 wrote to memory of 5052 4868 Mgghhlhq.exe Mpolqa32.exe PID 4868 wrote to memory of 5052 4868 Mgghhlhq.exe Mpolqa32.exe PID 4868 wrote to memory of 5052 4868 Mgghhlhq.exe Mpolqa32.exe PID 5052 wrote to memory of 2292 5052 Mpolqa32.exe Mgidml32.exe PID 5052 wrote to memory of 2292 5052 Mpolqa32.exe Mgidml32.exe PID 5052 wrote to memory of 2292 5052 Mpolqa32.exe Mgidml32.exe PID 2292 wrote to memory of 400 2292 Mgidml32.exe Mjhqjg32.exe PID 2292 wrote to memory of 400 2292 Mgidml32.exe Mjhqjg32.exe PID 2292 wrote to memory of 400 2292 Mgidml32.exe Mjhqjg32.exe PID 400 wrote to memory of 396 400 Mjhqjg32.exe Mglack32.exe PID 400 wrote to memory of 396 400 Mjhqjg32.exe Mglack32.exe PID 400 wrote to memory of 396 400 Mjhqjg32.exe Mglack32.exe PID 396 wrote to memory of 1420 396 Mglack32.exe Mnfipekh.exe PID 396 wrote to memory of 1420 396 Mglack32.exe Mnfipekh.exe PID 396 wrote to memory of 1420 396 Mglack32.exe Mnfipekh.exe PID 1420 wrote to memory of 2468 1420 Mnfipekh.exe Mdpalp32.exe PID 1420 wrote to memory of 2468 1420 Mnfipekh.exe Mdpalp32.exe PID 1420 wrote to memory of 2468 1420 Mnfipekh.exe Mdpalp32.exe PID 2468 wrote to memory of 3236 2468 Mdpalp32.exe Nnhfee32.exe PID 2468 wrote to memory of 3236 2468 Mdpalp32.exe Nnhfee32.exe PID 2468 wrote to memory of 3236 2468 Mdpalp32.exe Nnhfee32.exe PID 3236 wrote to memory of 4528 3236 Nnhfee32.exe Nceonl32.exe PID 3236 wrote to memory of 4528 3236 Nnhfee32.exe Nceonl32.exe PID 3236 wrote to memory of 4528 3236 Nnhfee32.exe Nceonl32.exe PID 4528 wrote to memory of 932 4528 Nceonl32.exe Njogjfoj.exe PID 4528 wrote to memory of 932 4528 Nceonl32.exe Njogjfoj.exe PID 4528 wrote to memory of 932 4528 Nceonl32.exe Njogjfoj.exe PID 932 wrote to memory of 3948 932 Njogjfoj.exe Nafokcol.exe PID 932 wrote to memory of 3948 932 Njogjfoj.exe Nafokcol.exe PID 932 wrote to memory of 3948 932 Njogjfoj.exe Nafokcol.exe PID 3948 wrote to memory of 4972 3948 Nafokcol.exe Nddkgonp.exe PID 3948 wrote to memory of 4972 3948 Nafokcol.exe Nddkgonp.exe PID 3948 wrote to memory of 4972 3948 Nafokcol.exe Nddkgonp.exe PID 4972 wrote to memory of 224 4972 Nddkgonp.exe Ncgkcl32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe"C:\Users\Admin\AppData\Local\Temp\b90ab56978aaff112cf6fc201885ec0049a57d3785e44116bc655e7ec9c34e80.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Ncgkcl32.exeC:\Windows\system32\Ncgkcl32.exe23⤵
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe24⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe25⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe26⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4684 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe29⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe30⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe31⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe32⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe33⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe34⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe35⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe36⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe37⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4500 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe39⤵
- Executes dropped EXE
PID:3184 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe40⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe42⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe43⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe44⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe45⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe46⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe47⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe48⤵
- Executes dropped EXE
PID:3672 -
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe49⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe50⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe51⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe52⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe54⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Pcccfh32.exeC:\Windows\system32\Pcccfh32.exe55⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe56⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe57⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe58⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe59⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe60⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe61⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe62⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe63⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe64⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe65⤵PID:3488
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe66⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe67⤵PID:5072
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe68⤵PID:3624
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe69⤵PID:2376
-
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe70⤵PID:4092
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe71⤵PID:764
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe72⤵PID:2392
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe73⤵PID:4808
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe74⤵PID:4908
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe75⤵PID:4960
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe76⤵PID:2560
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe77⤵PID:2752
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe78⤵PID:4912
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe79⤵PID:4208
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe80⤵PID:412
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe81⤵PID:1240
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:996 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe83⤵PID:4612
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe84⤵PID:3572
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe85⤵PID:2304
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe86⤵PID:3424
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe87⤵PID:2284
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe88⤵PID:896
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe89⤵PID:2516
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe90⤵
- Modifies registry class
PID:3856 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe91⤵PID:3816
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe92⤵
- Modifies registry class
PID:3396 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe93⤵PID:348
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4160 -
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe95⤵PID:116
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe96⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe97⤵PID:4060
-
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe98⤵PID:3592
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe99⤵PID:2552
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe100⤵PID:5164
-
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe101⤵PID:5208
-
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe102⤵PID:5252
-
C:\Windows\SysWOW64\Blfdia32.exeC:\Windows\system32\Blfdia32.exe103⤵PID:5300
-
C:\Windows\SysWOW64\Boepel32.exeC:\Windows\system32\Boepel32.exe104⤵PID:5340
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe105⤵PID:5384
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe106⤵PID:5456
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe107⤵PID:5516
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe108⤵PID:5560
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5604 -
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe110⤵PID:5644
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe111⤵PID:5688
-
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe112⤵PID:5732
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe113⤵
- Modifies registry class
PID:5768 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe114⤵PID:5816
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe115⤵PID:5856
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe116⤵PID:5896
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5940 -
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe118⤵PID:5980
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe119⤵PID:6028
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe120⤵PID:6068
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe121⤵PID:6108
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe122⤵PID:5124
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe123⤵PID:5188
-
C:\Windows\SysWOW64\Cdkldb32.exeC:\Windows\system32\Cdkldb32.exe124⤵PID:5264
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe125⤵PID:5348
-
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe126⤵PID:3272
-
C:\Windows\SysWOW64\Daolnf32.exeC:\Windows\system32\Daolnf32.exe127⤵PID:5380
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe128⤵PID:5480
-
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe129⤵PID:5556
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe130⤵PID:5612
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe132⤵PID:5740
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe133⤵PID:5808
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe134⤵PID:5880
-
C:\Windows\SysWOW64\Dlgmpogj.exeC:\Windows\system32\Dlgmpogj.exe135⤵PID:5948
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe136⤵PID:6016
-
C:\Windows\SysWOW64\Dbaemi32.exeC:\Windows\system32\Dbaemi32.exe137⤵PID:6096
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe138⤵PID:632
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe139⤵PID:5192
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe140⤵PID:5328
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe141⤵PID:3388
-
C:\Windows\SysWOW64\Dccbbhld.exeC:\Windows\system32\Dccbbhld.exe142⤵PID:1164
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe143⤵PID:5568
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe144⤵PID:5708
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe145⤵PID:5804
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe146⤵
- Modifies registry class
PID:5932 -
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe147⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Dedkdcie.exeC:\Windows\system32\Dedkdcie.exe148⤵PID:5316
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe149⤵PID:5324
-
C:\Windows\SysWOW64\Dlncan32.exeC:\Windows\system32\Dlncan32.exe150⤵PID:5540
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe151⤵PID:5796
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe152⤵
- Drops file in System32 directory
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe153⤵PID:2452
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe154⤵PID:6064
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe155⤵PID:6076
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe156⤵
- Modifies registry class
PID:5764 -
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe157⤵PID:6184
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe158⤵
- Drops file in System32 directory
PID:6232 -
C:\Windows\SysWOW64\Eeidoc32.exeC:\Windows\system32\Eeidoc32.exe159⤵PID:6280
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe160⤵PID:6328
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe161⤵PID:6384
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe162⤵PID:6428
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe163⤵PID:6472
-
C:\Windows\SysWOW64\Ednaqo32.exeC:\Windows\system32\Ednaqo32.exe164⤵PID:6512
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe165⤵PID:6552
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe166⤵PID:6600
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe167⤵PID:6644
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe168⤵PID:6680
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe169⤵PID:6728
-
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe170⤵PID:6768
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe171⤵PID:6808
-
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe172⤵PID:6856
-
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6900 -
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe174⤵PID:6944
-
C:\Windows\SysWOW64\Eepjpb32.exeC:\Windows\system32\Eepjpb32.exe175⤵PID:6984
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe176⤵PID:7020
-
C:\Windows\SysWOW64\Fljcmlfd.exeC:\Windows\system32\Fljcmlfd.exe177⤵PID:7064
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe178⤵
- Drops file in System32 directory
PID:7112 -
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe179⤵PID:7152
-
C:\Windows\SysWOW64\Febgea32.exeC:\Windows\system32\Febgea32.exe180⤵PID:6164
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe181⤵PID:6224
-
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe182⤵PID:6300
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe183⤵PID:6368
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe184⤵PID:6452
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe185⤵PID:6508
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe186⤵PID:6588
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6668 -
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe188⤵PID:6740
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe189⤵PID:6816
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe190⤵PID:6876
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe191⤵PID:6952
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe192⤵PID:7032
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe193⤵
- Modifies registry class
PID:7108 -
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe194⤵PID:5172
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe195⤵PID:5448
-
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe196⤵PID:6364
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe197⤵PID:6464
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe198⤵PID:6460
-
C:\Windows\SysWOW64\Flceckoj.exeC:\Windows\system32\Flceckoj.exe199⤵PID:6636
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe200⤵PID:6776
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe201⤵PID:6908
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe202⤵PID:7008
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe203⤵PID:7148
-
C:\Windows\SysWOW64\Glebhjlg.exeC:\Windows\system32\Glebhjlg.exe204⤵
- Modifies registry class
PID:6276 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe205⤵PID:6496
-
C:\Windows\SysWOW64\Gcojed32.exeC:\Windows\system32\Gcojed32.exe206⤵
- Drops file in System32 directory
PID:6620 -
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe207⤵PID:6800
-
C:\Windows\SysWOW64\Gfngap32.exeC:\Windows\system32\Gfngap32.exe208⤵PID:6940
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe210⤵PID:6380
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe211⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6716 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe212⤵PID:6928
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe213⤵
- Drops file in System32 directory
PID:6192 -
C:\Windows\SysWOW64\Gdcdbl32.exeC:\Windows\system32\Gdcdbl32.exe214⤵PID:6568
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6980 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe216⤵PID:6792
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe217⤵PID:7092
-
C:\Windows\SysWOW64\Gcddpdpo.exeC:\Windows\system32\Gcddpdpo.exe218⤵PID:7128
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe219⤵PID:7052
-
C:\Windows\SysWOW64\Gfbploob.exeC:\Windows\system32\Gfbploob.exe220⤵PID:7188
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe221⤵PID:7236
-
C:\Windows\SysWOW64\Gmlhii32.exeC:\Windows\system32\Gmlhii32.exe222⤵PID:7280
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe223⤵PID:7316
-
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe224⤵PID:7368
-
C:\Windows\SysWOW64\Gbiaapdf.exeC:\Windows\system32\Gbiaapdf.exe225⤵PID:7408
-
C:\Windows\SysWOW64\Gdhmnlcj.exeC:\Windows\system32\Gdhmnlcj.exe226⤵PID:7448
-
C:\Windows\SysWOW64\Gicinj32.exeC:\Windows\system32\Gicinj32.exe227⤵PID:7480
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe228⤵PID:7532
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe229⤵PID:7576
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe230⤵PID:7616
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe231⤵PID:7660
-
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe232⤵PID:7700
-
C:\Windows\SysWOW64\Hmabdibj.exeC:\Windows\system32\Hmabdibj.exe233⤵PID:7744
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe234⤵PID:7788
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe235⤵PID:7828
-
C:\Windows\SysWOW64\Hbnjmp32.exeC:\Windows\system32\Hbnjmp32.exe236⤵PID:7868
-
C:\Windows\SysWOW64\Hfifmnij.exeC:\Windows\system32\Hfifmnij.exe237⤵PID:7904
-
C:\Windows\SysWOW64\Hihbijhn.exeC:\Windows\system32\Hihbijhn.exe238⤵PID:7956
-
C:\Windows\SysWOW64\Hkfoeega.exeC:\Windows\system32\Hkfoeega.exe239⤵PID:8000
-
C:\Windows\SysWOW64\Hobkfd32.exeC:\Windows\system32\Hobkfd32.exe240⤵PID:8040
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe241⤵PID:8080
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe242⤵PID:8128