Analysis
-
max time kernel
145s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 23:30
Static task
static1
Behavioral task
behavioral1
Sample
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe
Resource
win10v2004-20240611-en
General
-
Target
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe
-
Size
582KB
-
MD5
efb58d7cb7f1cceb600a80f932704b99
-
SHA1
f32d564b9a8ca769b963f0a5937f942d1d2fba64
-
SHA256
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c
-
SHA512
c3ea7f21bc077a589c1568a4658fddd424a62e109fcf3cf591b5389ee6aa4c5bda06dfcc851658e44f5c91c37904f3654113f061843c6dec20fdf7ea87bb3477
-
SSDEEP
12288:+vJNCVYNrekcPYNrq6+gmCAYNrekcPYNrB:+hNCVakaF+gqakad
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Ajjcbpdd.exeEdkcojga.exeHdildlie.exeIdcokkak.exeJqlhdo32.exeKofopj32.exeOjolhk32.exeAjhgmpfg.exeLjmlbfhi.exeOjigbhlp.exeBfpnmj32.exeKpjhkjde.exeKnpemf32.exeLpekon32.exeNdhipoob.exeCdanpb32.exeDggcffhg.exeEbmgcohn.exeMieeibkn.exeOcdmaj32.exeOqcpob32.exeBmclhi32.exePflomnkb.exeIcjhagdp.exeKocbkk32.exePicnndmb.exeAcfaeq32.exeEojnkg32.exeIefhhbef.exeLlcefjgf.exeLcojjmea.exeAgfgqo32.exeAhlgfdeq.exeDoehqead.exeLmgocb32.exeMponel32.exeHhjapjmi.exeOnpjghhn.exeQgmdjp32.exeNcjqhmkm.exeGljnej32.exeLeimip32.exeLmikibio.exeMaedhd32.exeMdcpdp32.exeNlekia32.exePfgngh32.exeBpiipf32.exeGmdadnkh.exeJgfqaiod.exeKkolkk32.exeEndhhp32.exeFglipi32.exeBjdplm32.exeDlgldibq.exeOmbapedi.exeCgejac32.exeDhnmij32.exeFbamma32.exeGdniqh32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edkcojga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdildlie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idcokkak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojolhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhgmpfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljmlbfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigbhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpekon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhipoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdanpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dggcffhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebmgcohn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mieeibkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocdmaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmclhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pflomnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icjhagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Picnndmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acfaeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojnkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefhhbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcefjgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcojjmea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agfgqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlgfdeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doehqead.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmgocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mponel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhjapjmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjghhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncjqhmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gljnej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leimip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmikibio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maedhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdcpdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlekia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfgngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpiipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgfqaiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkolkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endhhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlekia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdplm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgldibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ombapedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgejac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbamma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdniqh32.exe -
Executes dropped EXE 64 IoCs
Processes:
Kafbec32.exeKpkofpgq.exeKjcpii32.exeLfjqnjkh.exeLijjoe32.exeLlkbap32.exeLlnofpcg.exeMkclhl32.exeMihiih32.exeMijfnh32.exeMlkopcge.exeMcegmm32.exeNcjqhmkm.exeNhfipcid.exeNpdjje32.exeNjlockkm.exeNgpolo32.exeOjolhk32.exeOgeigofa.exeOmbapedi.exeOclilp32.exeOjfaijcc.exeOobjaqaj.exeOcnfbo32.exeOoeggp32.exeObcccl32.exePogclp32.exePqhpdhcc.exePnlqnl32.exePefijfii.exePamiog32.exePeiepfgg.exePapfegmk.exePpbfpd32.exePflomnkb.exeQcpofbjl.exeQlkdkd32.exeQcbllb32.exeAmkpegnj.exeApimacnn.exeAhdaee32.exeAplifb32.exeAidnohbk.exeAlbjlcao.exeAekodi32.exeAdnopfoj.exeAjhgmpfg.exeAemkjiem.exeAhlgfdeq.exeAjjcbpdd.exeAmhpnkch.exeBdbhke32.exeBjlqhoba.exeBpiipf32.exeBfcampgf.exeBmmiij32.exeBlpjegfm.exeBfenbpec.exeBidjnkdg.exeBlbfjg32.exeBoqbfb32.exeBekkcljk.exeBppoqeja.exeBbokmqie.exepid process 2028 Kafbec32.exe 2172 Kpkofpgq.exe 2744 Kjcpii32.exe 2640 Lfjqnjkh.exe 2660 Lijjoe32.exe 2536 Llkbap32.exe 2964 Llnofpcg.exe 1608 Mkclhl32.exe 2764 Mihiih32.exe 1672 Mijfnh32.exe 1624 Mlkopcge.exe 2200 Mcegmm32.exe 1336 Ncjqhmkm.exe 2480 Nhfipcid.exe 2892 Npdjje32.exe 1320 Njlockkm.exe 1780 Ngpolo32.exe 2024 Ojolhk32.exe 340 Ogeigofa.exe 1368 Ombapedi.exe 1856 Oclilp32.exe 888 Ojfaijcc.exe 2392 Oobjaqaj.exe 2372 Ocnfbo32.exe 900 Ooeggp32.exe 2604 Obcccl32.exe 2912 Pogclp32.exe 2336 Pqhpdhcc.exe 2664 Pnlqnl32.exe 2792 Pefijfii.exe 2840 Pamiog32.exe 2692 Peiepfgg.exe 2596 Papfegmk.exe 820 Ppbfpd32.exe 1920 Pflomnkb.exe 2592 Qcpofbjl.exe 2816 Qlkdkd32.exe 1028 Qcbllb32.exe 1168 Amkpegnj.exe 2932 Apimacnn.exe 2312 Ahdaee32.exe 2300 Aplifb32.exe 1120 Aidnohbk.exe 1636 Albjlcao.exe 1544 Aekodi32.exe 856 Adnopfoj.exe 772 Ajhgmpfg.exe 968 Aemkjiem.exe 2016 Ahlgfdeq.exe 2112 Ajjcbpdd.exe 2984 Amhpnkch.exe 1704 Bdbhke32.exe 2628 Bjlqhoba.exe 2736 Bpiipf32.exe 2768 Bfcampgf.exe 2756 Bmmiij32.exe 2600 Blpjegfm.exe 2420 Bfenbpec.exe 1668 Bidjnkdg.exe 2700 Blbfjg32.exe 1936 Boqbfb32.exe 1640 Bekkcljk.exe 1340 Bppoqeja.exe 2356 Bbokmqie.exe -
Loads dropped DLL 64 IoCs
Processes:
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exeKafbec32.exeKpkofpgq.exeKjcpii32.exeLfjqnjkh.exeLijjoe32.exeLlkbap32.exeLlnofpcg.exeMkclhl32.exeMihiih32.exeMijfnh32.exeMlkopcge.exeMcegmm32.exeNcjqhmkm.exeNhfipcid.exeNpdjje32.exeNjlockkm.exeNgpolo32.exeOjolhk32.exeOgeigofa.exeOmbapedi.exeOclilp32.exeOjfaijcc.exeOobjaqaj.exeOcnfbo32.exeOoeggp32.exeObcccl32.exePogclp32.exePqhpdhcc.exePnlqnl32.exePefijfii.exePamiog32.exepid process 1700 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe 1700 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe 2028 Kafbec32.exe 2028 Kafbec32.exe 2172 Kpkofpgq.exe 2172 Kpkofpgq.exe 2744 Kjcpii32.exe 2744 Kjcpii32.exe 2640 Lfjqnjkh.exe 2640 Lfjqnjkh.exe 2660 Lijjoe32.exe 2660 Lijjoe32.exe 2536 Llkbap32.exe 2536 Llkbap32.exe 2964 Llnofpcg.exe 2964 Llnofpcg.exe 1608 Mkclhl32.exe 1608 Mkclhl32.exe 2764 Mihiih32.exe 2764 Mihiih32.exe 1672 Mijfnh32.exe 1672 Mijfnh32.exe 1624 Mlkopcge.exe 1624 Mlkopcge.exe 2200 Mcegmm32.exe 2200 Mcegmm32.exe 1336 Ncjqhmkm.exe 1336 Ncjqhmkm.exe 2480 Nhfipcid.exe 2480 Nhfipcid.exe 2892 Npdjje32.exe 2892 Npdjje32.exe 1320 Njlockkm.exe 1320 Njlockkm.exe 1780 Ngpolo32.exe 1780 Ngpolo32.exe 2024 Ojolhk32.exe 2024 Ojolhk32.exe 340 Ogeigofa.exe 340 Ogeigofa.exe 1368 Ombapedi.exe 1368 Ombapedi.exe 1856 Oclilp32.exe 1856 Oclilp32.exe 888 Ojfaijcc.exe 888 Ojfaijcc.exe 2392 Oobjaqaj.exe 2392 Oobjaqaj.exe 2372 Ocnfbo32.exe 2372 Ocnfbo32.exe 900 Ooeggp32.exe 900 Ooeggp32.exe 2604 Obcccl32.exe 2604 Obcccl32.exe 2912 Pogclp32.exe 2912 Pogclp32.exe 2336 Pqhpdhcc.exe 2336 Pqhpdhcc.exe 2664 Pnlqnl32.exe 2664 Pnlqnl32.exe 2792 Pefijfii.exe 2792 Pefijfii.exe 2840 Pamiog32.exe 2840 Pamiog32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Nhaikn32.exeBjdplm32.exeFaigdn32.exeJgfqaiod.exeNlcnda32.exeOlonpp32.exeQjnmlk32.exeBfpnmj32.exeMlkopcge.exeEgafleqm.exeIlncom32.exeGdllkhdg.exeHiknhbcg.exeOjfaijcc.exeGdjpeifj.exeGifhnpea.exeOqacic32.exeAdnopfoj.exeCjfccn32.exeIedkbc32.exeLibicbma.exeLlcefjgf.exeAmkpegnj.exeAjhgmpfg.exeHpgfki32.exeEcqqpgli.exeFglipi32.exeNgfflj32.exeAmhpnkch.exeKqqboncb.exeGdgcpi32.exeKkolkk32.exeBehgcf32.exeClmbddgp.exeOdjbdb32.exeBalkchpi.exeMkclhl32.exeFhqbkhch.exeCafecmlj.exeEchfaf32.exeJnicmdli.exePfbelipa.exePqjfoa32.exeAlbjlcao.exeBdbhke32.exeKofopj32.exeLcojjmea.exeNljddpfe.exeOjigbhlp.exeAajbne32.exeLlnofpcg.exePeiepfgg.exeNplmop32.exePoapfn32.exeCmgechbh.exeCklmgb32.exeHoopae32.exeIefhhbef.exePcfefmnk.exeCfnmfn32.exeOobjaqaj.exeHdildlie.exeEdkcojga.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Nkpegi32.exe Nhaikn32.exe File created C:\Windows\SysWOW64\Opacnnhp.dll Bjdplm32.exe File created C:\Windows\SysWOW64\Gdgcpi32.exe Faigdn32.exe File opened for modification C:\Windows\SysWOW64\Jnpinc32.exe Jgfqaiod.exe File created C:\Windows\SysWOW64\Kgdjgo32.dll Nlcnda32.exe File created C:\Windows\SysWOW64\Lgenio32.dll Olonpp32.exe File created C:\Windows\SysWOW64\Emfmdo32.dll Qjnmlk32.exe File opened for modification C:\Windows\SysWOW64\Biojif32.exe Bfpnmj32.exe File created C:\Windows\SysWOW64\Mcegmm32.exe Mlkopcge.exe File opened for modification C:\Windows\SysWOW64\Eibbcm32.exe Egafleqm.exe File opened for modification C:\Windows\SysWOW64\Iefhhbef.exe Ilncom32.exe File created C:\Windows\SysWOW64\Gbomfe32.exe Gdllkhdg.exe File created C:\Windows\SysWOW64\Eokjlf32.dll Hiknhbcg.exe File created C:\Windows\SysWOW64\Oobjaqaj.exe Ojfaijcc.exe File created C:\Windows\SysWOW64\Ghelfg32.exe Gdjpeifj.exe File created C:\Windows\SysWOW64\Gdllkhdg.exe Gifhnpea.exe File opened for modification C:\Windows\SysWOW64\Ohhkjp32.exe Oqacic32.exe File created C:\Windows\SysWOW64\Ajhgmpfg.exe Adnopfoj.exe File created C:\Windows\SysWOW64\Loinmo32.dll Cjfccn32.exe File created C:\Windows\SysWOW64\Mpjmjp32.dll Iedkbc32.exe File created C:\Windows\SysWOW64\Pecomlgc.dll Libicbma.exe File created C:\Windows\SysWOW64\Alfadj32.dll Llcefjgf.exe File created C:\Windows\SysWOW64\Abjlmo32.dll Amkpegnj.exe File opened for modification C:\Windows\SysWOW64\Aemkjiem.exe Ajhgmpfg.exe File opened for modification C:\Windows\SysWOW64\Hedocp32.exe Hpgfki32.exe File opened for modification C:\Windows\SysWOW64\Enfenplo.exe Ecqqpgli.exe File created C:\Windows\SysWOW64\Cpinomjo.dll Fglipi32.exe File created C:\Windows\SysWOW64\Lmnppf32.dll Ngfflj32.exe File opened for modification C:\Windows\SysWOW64\Bdbhke32.exe Amhpnkch.exe File created C:\Windows\SysWOW64\Kocbkk32.exe Kqqboncb.exe File created C:\Windows\SysWOW64\Onpjghhn.exe Olonpp32.exe File created C:\Windows\SysWOW64\Obknqjig.dll Gdgcpi32.exe File opened for modification C:\Windows\SysWOW64\Kpjhkjde.exe Kkolkk32.exe File created C:\Windows\SysWOW64\Fpcopobi.dll Behgcf32.exe File created C:\Windows\SysWOW64\Bhdmagqq.dll Clmbddgp.exe File created C:\Windows\SysWOW64\Aaapnkij.dll Odjbdb32.exe File created C:\Windows\SysWOW64\Dhnook32.dll Balkchpi.exe File opened for modification C:\Windows\SysWOW64\Mihiih32.exe Mkclhl32.exe File opened for modification C:\Windows\SysWOW64\Fjongcbl.exe Fhqbkhch.exe File created C:\Windows\SysWOW64\Cgcmlcja.exe Cafecmlj.exe File opened for modification C:\Windows\SysWOW64\Effcma32.exe Echfaf32.exe File created C:\Windows\SysWOW64\Jhngjmlo.exe Jnicmdli.exe File created C:\Windows\SysWOW64\Pjnamh32.exe Pfbelipa.exe File opened for modification C:\Windows\SysWOW64\Pfgngh32.exe Pqjfoa32.exe File created C:\Windows\SysWOW64\Aekodi32.exe Albjlcao.exe File created C:\Windows\SysWOW64\Oegjkb32.dll Bdbhke32.exe File created C:\Windows\SysWOW64\Kebgia32.exe Kofopj32.exe File created C:\Windows\SysWOW64\Opdnhdpo.dll Lcojjmea.exe File opened for modification C:\Windows\SysWOW64\Ocdmaj32.exe Nljddpfe.exe File created C:\Windows\SysWOW64\Jbbpnl32.dll Ojigbhlp.exe File opened for modification C:\Windows\SysWOW64\Aeenochi.exe Aajbne32.exe File created C:\Windows\SysWOW64\Hgeegb32.dll Llnofpcg.exe File opened for modification C:\Windows\SysWOW64\Papfegmk.exe Peiepfgg.exe File created C:\Windows\SysWOW64\Ndhipoob.exe Nplmop32.exe File created C:\Windows\SysWOW64\Qeohnd32.exe Poapfn32.exe File opened for modification C:\Windows\SysWOW64\Cdanpb32.exe Cmgechbh.exe File opened for modification C:\Windows\SysWOW64\Cafecmlj.exe Cklmgb32.exe File opened for modification C:\Windows\SysWOW64\Heihnoph.exe Hoopae32.exe File created C:\Windows\SysWOW64\Iheddndj.exe Iefhhbef.exe File created C:\Windows\SysWOW64\Jjmoilnn.dll Pcfefmnk.exe File opened for modification C:\Windows\SysWOW64\Cmgechbh.exe Cfnmfn32.exe File created C:\Windows\SysWOW64\Ocnfbo32.exe Oobjaqaj.exe File created C:\Windows\SysWOW64\Agkfljge.dll Hdildlie.exe File created C:\Windows\SysWOW64\Aabagnfc.dll Edkcojga.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3360 4040 WerFault.exe Ceegmj32.exe -
Modifies registry class 64 IoCs
Processes:
Pqjfoa32.exePjbjhgde.exeBjdplm32.exeDdgjdk32.exeHkfagfop.exeKaldcb32.exeNadpgggp.exeOgeigofa.exeJgcdki32.exeMieeibkn.exeQcbllb32.exeIedkbc32.exeAjjcbpdd.exeCahail32.exeDlkepi32.exeNplmop32.exeBbgnak32.exeCafecmlj.exeKnpemf32.exeMelfncqb.exeNlcnda32.exeOebimf32.exeBlobjaba.exePoapfn32.exeBiafnecn.exePogclp32.exeCgejac32.exeDhnmij32.exeOnpjghhn.exeNjlockkm.exeGdllkhdg.exeJkmcfhkc.exeGdniqh32.exeIheddndj.exeJhngjmlo.exeClmbddgp.exeGnmgmbhb.exeNgfflj32.exeLijjoe32.exeOjolhk32.exeOjfaijcc.exeBidjnkdg.exeMeijhc32.exeOcfigjlp.exeQcpofbjl.exeFmbhok32.exeHmfjha32.exeNcmfqkdj.exePbnoliap.exeKpkofpgq.exePeiepfgg.exeQlkdkd32.exeFlgeqgog.exeAjhgmpfg.exeEndhhp32.exePngphgbf.exePfgngh32.exeBalkchpi.exeKjcpii32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll" Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjbjhgde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjdplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkfagfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papnde32.dll" Kaldcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elaieh32.dll" Nadpgggp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogeigofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpoifde.dll" Jgcdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mieeibkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcbllb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjmcaea.dll" Ajjcbpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cahail32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlkepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nplmop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbgnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cafecmlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knpemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll" Melfncqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlcnda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oebimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blobjaba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poapfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biafnecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhnmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onpjghhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njlockkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqapllgh.dll" Gdllkhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkmcfhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehdqecfo.dll" Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iheddndj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll" Clmbddgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Algdlcdm.dll" Gnmgmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjmjp32.dll" Iedkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngfflj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll" Oebimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfcml32.dll" Lijjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojolhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knlafm32.dll" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojfaijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll" Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meijhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocfigjlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcpofbjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmbhok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlpajg32.dll" Hmfjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncmfqkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" Pbnoliap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpkofpgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanjadqp.dll" Qlkdkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flgeqgog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkdaf32.dll" Pogclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjnkb32.dll" Ajhgmpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Endhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbemfmf.dll" Pngphgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll" Pfgngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdjfphi.dll" Kjcpii32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exeKafbec32.exeKpkofpgq.exeKjcpii32.exeLfjqnjkh.exeLijjoe32.exeLlkbap32.exeLlnofpcg.exeMkclhl32.exeMihiih32.exeMijfnh32.exeMlkopcge.exeMcegmm32.exeNcjqhmkm.exeNhfipcid.exeNpdjje32.exedescription pid process target process PID 1700 wrote to memory of 2028 1700 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe Kafbec32.exe PID 1700 wrote to memory of 2028 1700 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe Kafbec32.exe PID 1700 wrote to memory of 2028 1700 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe Kafbec32.exe PID 1700 wrote to memory of 2028 1700 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe Kafbec32.exe PID 2028 wrote to memory of 2172 2028 Kafbec32.exe Kpkofpgq.exe PID 2028 wrote to memory of 2172 2028 Kafbec32.exe Kpkofpgq.exe PID 2028 wrote to memory of 2172 2028 Kafbec32.exe Kpkofpgq.exe PID 2028 wrote to memory of 2172 2028 Kafbec32.exe Kpkofpgq.exe PID 2172 wrote to memory of 2744 2172 Kpkofpgq.exe Kjcpii32.exe PID 2172 wrote to memory of 2744 2172 Kpkofpgq.exe Kjcpii32.exe PID 2172 wrote to memory of 2744 2172 Kpkofpgq.exe Kjcpii32.exe PID 2172 wrote to memory of 2744 2172 Kpkofpgq.exe Kjcpii32.exe PID 2744 wrote to memory of 2640 2744 Kjcpii32.exe Lfjqnjkh.exe PID 2744 wrote to memory of 2640 2744 Kjcpii32.exe Lfjqnjkh.exe PID 2744 wrote to memory of 2640 2744 Kjcpii32.exe Lfjqnjkh.exe PID 2744 wrote to memory of 2640 2744 Kjcpii32.exe Lfjqnjkh.exe PID 2640 wrote to memory of 2660 2640 Lfjqnjkh.exe Lijjoe32.exe PID 2640 wrote to memory of 2660 2640 Lfjqnjkh.exe Lijjoe32.exe PID 2640 wrote to memory of 2660 2640 Lfjqnjkh.exe Lijjoe32.exe PID 2640 wrote to memory of 2660 2640 Lfjqnjkh.exe Lijjoe32.exe PID 2660 wrote to memory of 2536 2660 Lijjoe32.exe Llkbap32.exe PID 2660 wrote to memory of 2536 2660 Lijjoe32.exe Llkbap32.exe PID 2660 wrote to memory of 2536 2660 Lijjoe32.exe Llkbap32.exe PID 2660 wrote to memory of 2536 2660 Lijjoe32.exe Llkbap32.exe PID 2536 wrote to memory of 2964 2536 Llkbap32.exe Llnofpcg.exe PID 2536 wrote to memory of 2964 2536 Llkbap32.exe Llnofpcg.exe PID 2536 wrote to memory of 2964 2536 Llkbap32.exe Llnofpcg.exe PID 2536 wrote to memory of 2964 2536 Llkbap32.exe Llnofpcg.exe PID 2964 wrote to memory of 1608 2964 Llnofpcg.exe Mkclhl32.exe PID 2964 wrote to memory of 1608 2964 Llnofpcg.exe Mkclhl32.exe PID 2964 wrote to memory of 1608 2964 Llnofpcg.exe Mkclhl32.exe PID 2964 wrote to memory of 1608 2964 Llnofpcg.exe Mkclhl32.exe PID 1608 wrote to memory of 2764 1608 Mkclhl32.exe Mihiih32.exe PID 1608 wrote to memory of 2764 1608 Mkclhl32.exe Mihiih32.exe PID 1608 wrote to memory of 2764 1608 Mkclhl32.exe Mihiih32.exe PID 1608 wrote to memory of 2764 1608 Mkclhl32.exe Mihiih32.exe PID 2764 wrote to memory of 1672 2764 Mihiih32.exe Mijfnh32.exe PID 2764 wrote to memory of 1672 2764 Mihiih32.exe Mijfnh32.exe PID 2764 wrote to memory of 1672 2764 Mihiih32.exe Mijfnh32.exe PID 2764 wrote to memory of 1672 2764 Mihiih32.exe Mijfnh32.exe PID 1672 wrote to memory of 1624 1672 Mijfnh32.exe Mlkopcge.exe PID 1672 wrote to memory of 1624 1672 Mijfnh32.exe Mlkopcge.exe PID 1672 wrote to memory of 1624 1672 Mijfnh32.exe Mlkopcge.exe PID 1672 wrote to memory of 1624 1672 Mijfnh32.exe Mlkopcge.exe PID 1624 wrote to memory of 2200 1624 Mlkopcge.exe Mcegmm32.exe PID 1624 wrote to memory of 2200 1624 Mlkopcge.exe Mcegmm32.exe PID 1624 wrote to memory of 2200 1624 Mlkopcge.exe Mcegmm32.exe PID 1624 wrote to memory of 2200 1624 Mlkopcge.exe Mcegmm32.exe PID 2200 wrote to memory of 1336 2200 Mcegmm32.exe Ncjqhmkm.exe PID 2200 wrote to memory of 1336 2200 Mcegmm32.exe Ncjqhmkm.exe PID 2200 wrote to memory of 1336 2200 Mcegmm32.exe Ncjqhmkm.exe PID 2200 wrote to memory of 1336 2200 Mcegmm32.exe Ncjqhmkm.exe PID 1336 wrote to memory of 2480 1336 Ncjqhmkm.exe Nhfipcid.exe PID 1336 wrote to memory of 2480 1336 Ncjqhmkm.exe Nhfipcid.exe PID 1336 wrote to memory of 2480 1336 Ncjqhmkm.exe Nhfipcid.exe PID 1336 wrote to memory of 2480 1336 Ncjqhmkm.exe Nhfipcid.exe PID 2480 wrote to memory of 2892 2480 Nhfipcid.exe Npdjje32.exe PID 2480 wrote to memory of 2892 2480 Nhfipcid.exe Npdjje32.exe PID 2480 wrote to memory of 2892 2480 Nhfipcid.exe Npdjje32.exe PID 2480 wrote to memory of 2892 2480 Nhfipcid.exe Npdjje32.exe PID 2892 wrote to memory of 1320 2892 Npdjje32.exe Njlockkm.exe PID 2892 wrote to memory of 1320 2892 Npdjje32.exe Njlockkm.exe PID 2892 wrote to memory of 1320 2892 Npdjje32.exe Njlockkm.exe PID 2892 wrote to memory of 1320 2892 Npdjje32.exe Njlockkm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe"C:\Users\Admin\AppData\Local\Temp\62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Kafbec32.exeC:\Windows\system32\Kafbec32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Kjcpii32.exeC:\Windows\system32\Kjcpii32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Lfjqnjkh.exeC:\Windows\system32\Lfjqnjkh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Lijjoe32.exeC:\Windows\system32\Lijjoe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Llnofpcg.exeC:\Windows\system32\Llnofpcg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Mkclhl32.exeC:\Windows\system32\Mkclhl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Mihiih32.exeC:\Windows\system32\Mihiih32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Mijfnh32.exeC:\Windows\system32\Mijfnh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Mlkopcge.exeC:\Windows\system32\Mlkopcge.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Mcegmm32.exeC:\Windows\system32\Mcegmm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Npdjje32.exeC:\Windows\system32\Npdjje32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Njlockkm.exeC:\Windows\system32\Njlockkm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Ojolhk32.exeC:\Windows\system32\Ojolhk32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Ogeigofa.exeC:\Windows\system32\Ogeigofa.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Ocnfbo32.exeC:\Windows\system32\Ocnfbo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Ooeggp32.exeC:\Windows\system32\Ooeggp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Obcccl32.exeC:\Windows\system32\Obcccl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Pogclp32.exeC:\Windows\system32\Pogclp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Pqhpdhcc.exeC:\Windows\system32\Pqhpdhcc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Pnlqnl32.exeC:\Windows\system32\Pnlqnl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Pefijfii.exeC:\Windows\system32\Pefijfii.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Pamiog32.exeC:\Windows\system32\Pamiog32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Peiepfgg.exeC:\Windows\system32\Peiepfgg.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Papfegmk.exeC:\Windows\system32\Papfegmk.exe34⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Ppbfpd32.exeC:\Windows\system32\Ppbfpd32.exe35⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Pflomnkb.exeC:\Windows\system32\Pflomnkb.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Qcpofbjl.exeC:\Windows\system32\Qcpofbjl.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Apimacnn.exeC:\Windows\system32\Apimacnn.exe41⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe42⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Aplifb32.exeC:\Windows\system32\Aplifb32.exe43⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe44⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Aekodi32.exeC:\Windows\system32\Aekodi32.exe46⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe49⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Ahlgfdeq.exeC:\Windows\system32\Ahlgfdeq.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Ajjcbpdd.exeC:\Windows\system32\Ajjcbpdd.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Bfcampgf.exeC:\Windows\system32\Bfcampgf.exe56⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Bmmiij32.exeC:\Windows\system32\Bmmiij32.exe57⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Blpjegfm.exeC:\Windows\system32\Blpjegfm.exe58⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bfenbpec.exeC:\Windows\system32\Bfenbpec.exe59⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Blbfjg32.exeC:\Windows\system32\Blbfjg32.exe61⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe62⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Bekkcljk.exeC:\Windows\system32\Bekkcljk.exe63⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bppoqeja.exeC:\Windows\system32\Bppoqeja.exe64⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Bbokmqie.exeC:\Windows\system32\Bbokmqie.exe65⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe66⤵PID:2484
-
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe67⤵PID:2152
-
C:\Windows\SysWOW64\Chnqkg32.exeC:\Windows\system32\Chnqkg32.exe68⤵PID:1820
-
C:\Windows\SysWOW64\Cklmgb32.exeC:\Windows\system32\Cklmgb32.exe69⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Cgcmlcja.exeC:\Windows\system32\Cgcmlcja.exe71⤵PID:3040
-
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe72⤵PID:2012
-
C:\Windows\SysWOW64\Cahail32.exeC:\Windows\system32\Cahail32.exe73⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Cdgneh32.exeC:\Windows\system32\Cdgneh32.exe74⤵PID:1720
-
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Cnobnmpl.exeC:\Windows\system32\Cnobnmpl.exe76⤵PID:2680
-
C:\Windows\SysWOW64\Cghggc32.exeC:\Windows\system32\Cghggc32.exe77⤵PID:2532
-
C:\Windows\SysWOW64\Cjfccn32.exeC:\Windows\system32\Cjfccn32.exe78⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe79⤵PID:2808
-
C:\Windows\SysWOW64\Dfmdho32.exeC:\Windows\system32\Dfmdho32.exe80⤵PID:2164
-
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1404 -
C:\Windows\SysWOW64\Doehqead.exeC:\Windows\system32\Doehqead.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1772 -
C:\Windows\SysWOW64\Dfoqmo32.exeC:\Windows\system32\Dfoqmo32.exe83⤵PID:2476
-
C:\Windows\SysWOW64\Dhnmij32.exeC:\Windows\system32\Dhnmij32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Dccagcgk.exeC:\Windows\system32\Dccagcgk.exe85⤵PID:2428
-
C:\Windows\SysWOW64\Dhpiojfb.exeC:\Windows\system32\Dhpiojfb.exe86⤵PID:1116
-
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe87⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe88⤵PID:1752
-
C:\Windows\SysWOW64\Ddgjdk32.exeC:\Windows\system32\Ddgjdk32.exe89⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe90⤵PID:2396
-
C:\Windows\SysWOW64\Dbkknojp.exeC:\Windows\system32\Dbkknojp.exe91⤵PID:2656
-
C:\Windows\SysWOW64\Dggcffhg.exeC:\Windows\system32\Dggcffhg.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe93⤵PID:2588
-
C:\Windows\SysWOW64\Ebmgcohn.exeC:\Windows\system32\Ebmgcohn.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:468 -
C:\Windows\SysWOW64\Edkcojga.exeC:\Windows\system32\Edkcojga.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Endhhp32.exeC:\Windows\system32\Endhhp32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe97⤵PID:2364
-
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe98⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Enfenplo.exeC:\Windows\system32\Enfenplo.exe99⤵PID:2176
-
C:\Windows\SysWOW64\Eqdajkkb.exeC:\Windows\system32\Eqdajkkb.exe100⤵PID:1832
-
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe101⤵PID:2116
-
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe102⤵PID:2076
-
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Egafleqm.exeC:\Windows\system32\Egafleqm.exe104⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Eibbcm32.exeC:\Windows\system32\Eibbcm32.exe105⤵PID:2652
-
C:\Windows\SysWOW64\Echfaf32.exeC:\Windows\system32\Echfaf32.exe106⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Effcma32.exeC:\Windows\system32\Effcma32.exe107⤵PID:2552
-
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe108⤵PID:2496
-
C:\Windows\SysWOW64\Ffhpbacb.exeC:\Windows\system32\Ffhpbacb.exe109⤵PID:780
-
C:\Windows\SysWOW64\Fmbhok32.exeC:\Windows\system32\Fmbhok32.exe110⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe111⤵PID:2292
-
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe112⤵PID:2368
-
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe114⤵
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Fbamma32.exeC:\Windows\system32\Fbamma32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe116⤵PID:568
-
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe117⤵PID:2456
-
C:\Windows\SysWOW64\Fcefji32.exeC:\Windows\system32\Fcefji32.exe118⤵PID:2668
-
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe119⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe120⤵PID:2352
-
C:\Windows\SysWOW64\Faigdn32.exeC:\Windows\system32\Faigdn32.exe121⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe122⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe123⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe124⤵PID:592
-
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe125⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe126⤵PID:1160
-
C:\Windows\SysWOW64\Gifhnpea.exeC:\Windows\system32\Gifhnpea.exe127⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe128⤵
- Drops file in System32 directory
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Gbomfe32.exeC:\Windows\system32\Gbomfe32.exe129⤵PID:2788
-
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe130⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe131⤵PID:320
-
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe132⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe133⤵PID:1284
-
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1664 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe135⤵PID:620
-
C:\Windows\SysWOW64\Gebbnpfp.exeC:\Windows\system32\Gebbnpfp.exe136⤵PID:1296
-
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe137⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe138⤵PID:2944
-
C:\Windows\SysWOW64\Hhckpk32.exeC:\Windows\system32\Hhckpk32.exe139⤵PID:2344
-
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe140⤵PID:2936
-
C:\Windows\SysWOW64\Hdildlie.exeC:\Windows\system32\Hdildlie.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe142⤵
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Heihnoph.exeC:\Windows\system32\Heihnoph.exe143⤵PID:916
-
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe144⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe145⤵PID:3064
-
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe147⤵
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Hmfjha32.exeC:\Windows\system32\Hmfjha32.exe148⤵
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe149⤵PID:584
-
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe150⤵PID:1744
-
C:\Windows\SysWOW64\Idcokkak.exeC:\Windows\system32\Idcokkak.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe152⤵
- Drops file in System32 directory
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe153⤵PID:2796
-
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe154⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe155⤵PID:684
-
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe156⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Iheddndj.exeC:\Windows\system32\Iheddndj.exe157⤵
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Ipllekdl.exeC:\Windows\system32\Ipllekdl.exe158⤵PID:2264
-
C:\Windows\SysWOW64\Icjhagdp.exeC:\Windows\system32\Icjhagdp.exe159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe160⤵PID:2580
-
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe161⤵PID:1948
-
C:\Windows\SysWOW64\Ikfmfi32.exeC:\Windows\system32\Ikfmfi32.exe162⤵PID:2620
-
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe163⤵PID:2360
-
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe164⤵PID:1828
-
C:\Windows\SysWOW64\Ikhjki32.exeC:\Windows\system32\Ikhjki32.exe165⤵PID:2760
-
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe166⤵PID:1508
-
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe167⤵PID:3008
-
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe168⤵PID:1060
-
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe169⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe170⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe171⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe172⤵PID:1520
-
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe173⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Jnpinc32.exeC:\Windows\system32\Jnpinc32.exe176⤵PID:1696
-
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe177⤵PID:2220
-
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe178⤵
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1684 -
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe180⤵PID:1360
-
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Kebgia32.exeC:\Windows\system32\Kebgia32.exe182⤵PID:1924
-
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe183⤵PID:2348
-
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe184⤵PID:2232
-
C:\Windows\SysWOW64\Kfbcbd32.exeC:\Windows\system32\Kfbcbd32.exe185⤵PID:1840
-
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe187⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:964 -
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe188⤵
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe189⤵PID:1824
-
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe190⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:396 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:788 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3104 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe193⤵PID:3144
-
C:\Windows\SysWOW64\Lapnnafn.exeC:\Windows\system32\Lapnnafn.exe194⤵PID:3184
-
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe195⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe196⤵PID:3264
-
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe197⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3304 -
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe198⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3344 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe199⤵PID:3384
-
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe200⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3424 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe201⤵PID:3464
-
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3508 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe203⤵PID:3548
-
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe204⤵PID:3588
-
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe205⤵PID:3628
-
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe206⤵
- Drops file in System32 directory
PID:3668 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe207⤵PID:3708
-
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe208⤵PID:3748
-
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe209⤵
- Modifies registry class
PID:3788 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe211⤵PID:3868
-
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3908 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe213⤵
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe214⤵PID:3988
-
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe215⤵PID:4028
-
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe216⤵PID:4068
-
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe217⤵PID:2752
-
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe218⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3120 -
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3180 -
C:\Windows\SysWOW64\Mkmhaj32.exeC:\Windows\system32\Mkmhaj32.exe220⤵PID:3216
-
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe221⤵PID:3260
-
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe222⤵
- Drops file in System32 directory
PID:3372 -
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe223⤵PID:3432
-
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe224⤵
- Drops file in System32 directory
- Modifies registry class
PID:3444 -
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe225⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3536 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe226⤵
- Drops file in System32 directory
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe227⤵PID:3644
-
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe228⤵
- Drops file in System32 directory
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Ncmfqkdj.exeC:\Windows\system32\Ncmfqkdj.exe229⤵
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe230⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3784 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe231⤵PID:3840
-
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe232⤵PID:3896
-
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe233⤵PID:3944
-
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe234⤵PID:3984
-
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe235⤵
- Modifies registry class
PID:4048 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe236⤵
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe237⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3112 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe238⤵
- Modifies registry class
PID:3192 -
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe239⤵PID:3244
-
C:\Windows\SysWOW64\Ocfigjlp.exeC:\Windows\system32\Ocfigjlp.exe240⤵
- Modifies registry class
PID:3312 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe241⤵PID:3328
-
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe242⤵
- Drops file in System32 directory
PID:3404