Analysis
-
max time kernel
96s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 23:30
Static task
static1
Behavioral task
behavioral1
Sample
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe
Resource
win10v2004-20240611-en
General
-
Target
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe
-
Size
582KB
-
MD5
efb58d7cb7f1cceb600a80f932704b99
-
SHA1
f32d564b9a8ca769b963f0a5937f942d1d2fba64
-
SHA256
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c
-
SHA512
c3ea7f21bc077a589c1568a4658fddd424a62e109fcf3cf591b5389ee6aa4c5bda06dfcc851658e44f5c91c37904f3654113f061843c6dec20fdf7ea87bb3477
-
SSDEEP
12288:+vJNCVYNrekcPYNrq6+gmCAYNrekcPYNrB:+hNCVakaF+gqakad
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hfachc32.exeQalnjkgo.exeBejogg32.exeIehfdi32.exeJmpgldhg.exeHikfip32.exeJiphkm32.exeGfpcgpae.exeNdaggimg.exeJjpeepnb.exeQeemej32.exeBcoenmao.exeBibigmpl.exeMnapdf32.exeOkeieh32.exeDddojq32.exeNggjdc32.exeQdbiedpa.exeBhdbhcck.exeCbqlfkmi.exeQcgffqei.exeCagobalc.exeDmgbnq32.exePqpnombl.exeEhgqln32.exeJimekgff.exeKdnidn32.exeOgnpebpj.exeIbmmhdhm.exeGimjhafg.exeIpldfi32.exeMegdccmb.exePfjcgn32.exeBcjlcn32.exeOgcpjhoq.exeEocenh32.exeLdjhpl32.exeAhblmjhj.exeJdjfcecp.exeBlmacb32.exeGiofnacd.exeIjkljp32.exeKbdmpqcb.exeDbaemi32.exeLdleel32.exeMpdelajl.exeKefkme32.exePqmjog32.exeAfoeiklb.exeJidbflcj.exeKgmlkp32.exeBlennh32.exeDlgmpogj.exeFoabofnn.exeNjnpppkn.exeDaekdooc.exeBlbaihmn.exeMncmjfmk.exeCdfbibnb.exeJmmjgejj.exeJaljgidl.exeGcfqfc32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qalnjkgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bejogg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iehfdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpgldhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hikfip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jiphkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfpcgpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndaggimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjpeepnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeemej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcoenmao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bibigmpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnapdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okeieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dddojq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdbiedpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdbhcck.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqlfkmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcgffqei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagobalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqpnombl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgqln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jimekgff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnidn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ognpebpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibmmhdhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimjhafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipldfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Megdccmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfjcgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcjlcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcpjhoq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eocenh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjhpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahblmjhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdjfcecp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blmacb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giofnacd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijkljp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmpqcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbaemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldleel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdbiedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbdmpqcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdelajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kefkme32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqmjog32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afoeiklb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jidbflcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmlkp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blennh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgmpogj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foabofnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njnpppkn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daekdooc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blbaihmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdfbibnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmjgejj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaljgidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcfqfc32.exe -
Executes dropped EXE 64 IoCs
Processes:
Ahblmjhj.exeBbhqjchp.exeBibigmpl.exeBpladg32.exeBlbaihmn.exeBifbbllg.exeBlennh32.exeBaaggo32.exeBoegpc32.exeClihig32.exeCccpfa32.exeCpgqpe32.exeCedihl32.exeCpjmee32.exeCommqb32.exeCcjfgphj.exeCidncj32.exeCoagla32.exeDpacfd32.exeDiihojkb.exeDcalgo32.exeDjlddi32.exeDohmlp32.exeDhqaefng.exeDaifnk32.exeDchbhn32.exeEjbkehcg.exeEjegjh32.exeEflhoigi.exeEqalmafo.exeEhlaaddj.exeEfpajh32.exeEcdbdl32.exeFmmfmbhn.exeFbioei32.exeFjqgff32.exeFomonm32.exeFfggkgmk.exeFmapha32.exeFopldmcl.exeFbnhphbp.exeFihqmb32.exeFqohnp32.exeFbqefhpm.exeFflaff32.exeFodeolof.exeGbcakg32.exeGimjhafg.exeGmhfhp32.exeGogbdl32.exeGbenqg32.exeGiofnacd.exeGqfooodg.exeGcekkjcj.exeGfcgge32.exeGmmocpjk.exeGcggpj32.exeGjapmdid.exeGqkhjn32.exeGbldaffp.exeGifmnpnl.exeGppekj32.exeHfjmgdlf.exeHapaemll.exepid process 2964 Ahblmjhj.exe 5004 Bbhqjchp.exe 4692 Bibigmpl.exe 3856 Bpladg32.exe 4800 Blbaihmn.exe 4848 Bifbbllg.exe 2924 Blennh32.exe 452 Baaggo32.exe 664 Boegpc32.exe 3848 Clihig32.exe 4380 Cccpfa32.exe 1012 Cpgqpe32.exe 3504 Cedihl32.exe 1620 Cpjmee32.exe 1736 Commqb32.exe 3584 Ccjfgphj.exe 3440 Cidncj32.exe 5008 Coagla32.exe 752 Dpacfd32.exe 4548 Diihojkb.exe 4840 Dcalgo32.exe 1800 Djlddi32.exe 3488 Dohmlp32.exe 3124 Dhqaefng.exe 4916 Daifnk32.exe 2272 Dchbhn32.exe 2832 Ejbkehcg.exe 4940 Ejegjh32.exe 2024 Eflhoigi.exe 4388 Eqalmafo.exe 4520 Ehlaaddj.exe 4936 Efpajh32.exe 4288 Ecdbdl32.exe 2108 Fmmfmbhn.exe 4356 Fbioei32.exe 916 Fjqgff32.exe 4064 Fomonm32.exe 3812 Ffggkgmk.exe 3428 Fmapha32.exe 2648 Fopldmcl.exe 4872 Fbnhphbp.exe 1212 Fihqmb32.exe 3960 Fqohnp32.exe 3092 Fbqefhpm.exe 3140 Fflaff32.exe 2692 Fodeolof.exe 1772 Gbcakg32.exe 5032 Gimjhafg.exe 1844 Gmhfhp32.exe 4860 Gogbdl32.exe 3596 Gbenqg32.exe 4568 Giofnacd.exe 2912 Gqfooodg.exe 4420 Gcekkjcj.exe 60 Gfcgge32.exe 1144 Gmmocpjk.exe 4732 Gcggpj32.exe 540 Gjapmdid.exe 4724 Gqkhjn32.exe 4460 Gbldaffp.exe 388 Gifmnpnl.exe 4432 Gppekj32.exe 4652 Hfjmgdlf.exe 2996 Hapaemll.exe -
Drops file in System32 directory 64 IoCs
Processes:
Qnnanphk.exeChpada32.exeMipcob32.exePcncpbmd.exeEfpajh32.exeKaqcbi32.exeBejogg32.exePqmjog32.exeMiifeq32.exeCpjmee32.exePgmcqggf.exeBbifelba.exeHbpgbo32.exeFdgdgnbm.exeGcojed32.exeHapaemll.exeAnogiicl.exeEkemhj32.exeCehkhecb.exeClbceo32.exeJdhine32.exeKphmie32.exeCbqlfkmi.exeLebkhc32.exeOgnpebpj.exeGbcakg32.exeEcandfpd.exeDdonekbl.exeJbfpobpb.exeAldomc32.exeOponmilc.exeGhopckpi.exeMcklgm32.exeBldgdago.exeClpgpp32.exeDemecd32.exeMpoefk32.exeNcianepl.exeHikfip32.exeOdpjcm32.exeJimekgff.exeCfbkeh32.exeKmegbjgn.exeFckajehi.exeOdmgcgbi.exeBapiabak.exeQeemej32.exeHmabdibj.exeJbhfjljd.exeAnmjcieo.exeHioiji32.exeIbjqcd32.exeNnhfee32.exeBkidenlg.exeOgkcpbam.exeAgeolo32.exeBnkgeg32.exeBfhhoi32.exeGbgdlq32.exeGbenqg32.exedescription ioc process File created C:\Windows\SysWOW64\Meknidfo.dll Qnnanphk.exe File created C:\Windows\SysWOW64\Keoakjca.dll Chpada32.exe File created C:\Windows\SysWOW64\Ecaobgnf.dll Mipcob32.exe File opened for modification C:\Windows\SysWOW64\Pflplnlg.exe Pcncpbmd.exe File created C:\Windows\SysWOW64\Ogedoeae.dll Efpajh32.exe File created C:\Windows\SysWOW64\Kdopod32.exe Kaqcbi32.exe File created C:\Windows\SysWOW64\Nconcm32.dll Bejogg32.exe File created C:\Windows\SysWOW64\Ekphijkm.dll Pqmjog32.exe File created C:\Windows\SysWOW64\Lafdhogo.dll Miifeq32.exe File opened for modification C:\Windows\SysWOW64\Commqb32.exe Cpjmee32.exe File created C:\Windows\SysWOW64\Pbbgnpgl.exe Pgmcqggf.exe File created C:\Windows\SysWOW64\Behbag32.exe Bbifelba.exe File created C:\Windows\SysWOW64\Mjegoo32.dll Hbpgbo32.exe File opened for modification C:\Windows\SysWOW64\Flnlhk32.exe Fdgdgnbm.exe File created C:\Windows\SysWOW64\Glhonj32.exe Gcojed32.exe File created C:\Windows\SysWOW64\Hfljmdjc.exe Hapaemll.exe File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe Anogiicl.exe File opened for modification C:\Windows\SysWOW64\Eapedd32.exe Ekemhj32.exe File opened for modification C:\Windows\SysWOW64\Pfjcgn32.exe Pqmjog32.exe File created C:\Windows\SysWOW64\Dgifdn32.dll Cehkhecb.exe File created C:\Windows\SysWOW64\Doqpak32.exe Clbceo32.exe File created C:\Windows\SysWOW64\Olmeac32.dll Jdhine32.exe File created C:\Windows\SysWOW64\Ppaaagol.dll Kphmie32.exe File opened for modification C:\Windows\SysWOW64\Ceoibflm.exe Cbqlfkmi.exe File opened for modification C:\Windows\SysWOW64\Lmiciaaj.exe Lebkhc32.exe File created C:\Windows\SysWOW64\Dfdjmlhn.dll Ognpebpj.exe File created C:\Windows\SysWOW64\Gimjhafg.exe Gbcakg32.exe File opened for modification C:\Windows\SysWOW64\Eepjpb32.exe Ecandfpd.exe File created C:\Windows\SysWOW64\Dkifae32.exe Ddonekbl.exe File opened for modification C:\Windows\SysWOW64\Jjmhppqd.exe Jbfpobpb.exe File opened for modification C:\Windows\SysWOW64\Abngjnmo.exe Aldomc32.exe File created C:\Windows\SysWOW64\Ogifjcdp.exe Oponmilc.exe File opened for modification C:\Windows\SysWOW64\Gohhpe32.exe Ghopckpi.exe File opened for modification C:\Windows\SysWOW64\Mkbchk32.exe Mcklgm32.exe File created C:\Windows\SysWOW64\Jdencjac.dll Bldgdago.exe File opened for modification C:\Windows\SysWOW64\Conclk32.exe Clpgpp32.exe File created C:\Windows\SysWOW64\Jjqehkaf.dll Demecd32.exe File opened for modification C:\Windows\SysWOW64\Mgimcebb.exe Mpoefk32.exe File created C:\Windows\SysWOW64\Njciko32.exe Ncianepl.exe File opened for modification C:\Windows\SysWOW64\Hcqjfh32.exe Hikfip32.exe File created C:\Windows\SysWOW64\Ogogoi32.exe Odpjcm32.exe File created C:\Windows\SysWOW64\Gcbifaej.dll Jimekgff.exe File created C:\Windows\SysWOW64\Ckmllpik.dll Cfbkeh32.exe File created C:\Windows\SysWOW64\Kaqcbi32.exe Kmegbjgn.exe File created C:\Windows\SysWOW64\Ffimfqgm.exe Fckajehi.exe File created C:\Windows\SysWOW64\Lcnhho32.dll Odmgcgbi.exe File created C:\Windows\SysWOW64\Aqncedbp.exe Anogiicl.exe File created C:\Windows\SysWOW64\Mmnbeadp.dll Bapiabak.exe File created C:\Windows\SysWOW64\Jccejahl.dll Qeemej32.exe File created C:\Windows\SysWOW64\Mgcdak32.dll Hmabdibj.exe File created C:\Windows\SysWOW64\Jefbfgig.exe Jbhfjljd.exe File created C:\Windows\SysWOW64\Baacma32.dll Anmjcieo.exe File opened for modification C:\Windows\SysWOW64\Hkmefd32.exe Hioiji32.exe File created C:\Windows\SysWOW64\Mmpfpdoi.dll Ibjqcd32.exe File opened for modification C:\Windows\SysWOW64\Nqfbaq32.exe Nnhfee32.exe File opened for modification C:\Windows\SysWOW64\Cbqlfkmi.exe Bkidenlg.exe File opened for modification C:\Windows\SysWOW64\Glhonj32.exe Gcojed32.exe File opened for modification C:\Windows\SysWOW64\Mpjlklok.exe Mipcob32.exe File created C:\Windows\SysWOW64\Ojjolnaq.exe Ogkcpbam.exe File created C:\Windows\SysWOW64\Qoqbfpfe.dll Ageolo32.exe File created C:\Windows\SysWOW64\Bneljh32.dll Bnkgeg32.exe File opened for modification C:\Windows\SysWOW64\Bmbplc32.exe Bfhhoi32.exe File opened for modification C:\Windows\SysWOW64\Gdeqhl32.exe Gbgdlq32.exe File created C:\Windows\SysWOW64\Hifqbnpb.dll Gbenqg32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 12192 12068 WerFault.exe Dmllipeg.exe -
Modifies registry class 64 IoCs
Processes:
Efpajh32.exeJangmibi.exeEamhodmf.exeIpbdmaah.exeImfdff32.exeDohmlp32.exeMcnhmm32.exeDeanodkh.exeNjciko32.exeBlbaihmn.exeCdcoim32.exeDhfajjoj.exeNqklmpdd.exeKikame32.exeLljfpnjg.exeBfhhoi32.exeBbhqjchp.exeCccpfa32.exeHapaemll.exeDeoaid32.exeHfifmnij.exeAbkjdnoa.exeAnmjcieo.exeAdgbpc32.exeFmapha32.exeHmklen32.exeImpepm32.exeQecppkdm.exeAccfbokl.exeIinlemia.exeAgeolo32.exeCmqmma32.exeCdabcm32.exeCfbkeh32.exeGmmocpjk.exeFckajehi.exeCaebma32.exeGimjhafg.exeGofkje32.exePjcbbmif.exeBcoenmao.exeHfjmgdlf.exeEcdbdl32.exeLdleel32.exeJjmhppqd.exeFdnjgmle.exeFodeolof.exeKdffocib.exeIeolehop.exeOjgbfocc.exeOdbgim32.exeGdjjckag.exeEdpnfo32.exeKefkme32.exeBifbbllg.exeFomonm32.exeHikfip32.exeJjpeepnb.exeOnholckc.exeGppekj32.exeKagichjo.exeLnepih32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll" Efpajh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jangmibi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eamhodmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afomjffg.dll" Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dohmlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcnhmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deanodkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njciko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blbaihmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdcoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhfajjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqklmpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kikame32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lljfpnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" Bfhhoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmpga32.dll" Bbhqjchp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cccpfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hapaemll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deoaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglcddpd.dll" Hfifmnij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abkjdnoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anmjcieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adgbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll" Fmapha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmklen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll" Impepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qecppkdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Accfbokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iinlemia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ageolo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cmqmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" Cfbkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmmocpjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fckajehi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Caebma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gimjhafg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gofkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcoenmao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfjmgdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecdbdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldleel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjmhppqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbnajo.dll" Fdnjgmle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fodeolof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdffocib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieolehop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojgbfocc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odbgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdjjckag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imfdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edpnfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakipgan.dll" Kefkme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bifbbllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll" Fomonm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll" Hikfip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjpeepnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onholckc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gppekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll" Kagichjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" Caebma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnepih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exeAhblmjhj.exeBbhqjchp.exeBibigmpl.exeBpladg32.exeBlbaihmn.exeBifbbllg.exeBlennh32.exeBaaggo32.exeBoegpc32.exeClihig32.exeCccpfa32.exeCpgqpe32.exeCedihl32.exeCpjmee32.exeCommqb32.exeCcjfgphj.exeCidncj32.exeCoagla32.exeDpacfd32.exeDiihojkb.exeDcalgo32.exedescription pid process target process PID 4764 wrote to memory of 2964 4764 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe Ahblmjhj.exe PID 4764 wrote to memory of 2964 4764 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe Ahblmjhj.exe PID 4764 wrote to memory of 2964 4764 62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe Ahblmjhj.exe PID 2964 wrote to memory of 5004 2964 Ahblmjhj.exe Bbhqjchp.exe PID 2964 wrote to memory of 5004 2964 Ahblmjhj.exe Bbhqjchp.exe PID 2964 wrote to memory of 5004 2964 Ahblmjhj.exe Bbhqjchp.exe PID 5004 wrote to memory of 4692 5004 Bbhqjchp.exe Bibigmpl.exe PID 5004 wrote to memory of 4692 5004 Bbhqjchp.exe Bibigmpl.exe PID 5004 wrote to memory of 4692 5004 Bbhqjchp.exe Bibigmpl.exe PID 4692 wrote to memory of 3856 4692 Bibigmpl.exe Bpladg32.exe PID 4692 wrote to memory of 3856 4692 Bibigmpl.exe Bpladg32.exe PID 4692 wrote to memory of 3856 4692 Bibigmpl.exe Bpladg32.exe PID 3856 wrote to memory of 4800 3856 Bpladg32.exe Blbaihmn.exe PID 3856 wrote to memory of 4800 3856 Bpladg32.exe Blbaihmn.exe PID 3856 wrote to memory of 4800 3856 Bpladg32.exe Blbaihmn.exe PID 4800 wrote to memory of 4848 4800 Blbaihmn.exe Bifbbllg.exe PID 4800 wrote to memory of 4848 4800 Blbaihmn.exe Bifbbllg.exe PID 4800 wrote to memory of 4848 4800 Blbaihmn.exe Bifbbllg.exe PID 4848 wrote to memory of 2924 4848 Bifbbllg.exe Blennh32.exe PID 4848 wrote to memory of 2924 4848 Bifbbllg.exe Blennh32.exe PID 4848 wrote to memory of 2924 4848 Bifbbllg.exe Blennh32.exe PID 2924 wrote to memory of 452 2924 Blennh32.exe Baaggo32.exe PID 2924 wrote to memory of 452 2924 Blennh32.exe Baaggo32.exe PID 2924 wrote to memory of 452 2924 Blennh32.exe Baaggo32.exe PID 452 wrote to memory of 664 452 Baaggo32.exe Boegpc32.exe PID 452 wrote to memory of 664 452 Baaggo32.exe Boegpc32.exe PID 452 wrote to memory of 664 452 Baaggo32.exe Boegpc32.exe PID 664 wrote to memory of 3848 664 Boegpc32.exe Clihig32.exe PID 664 wrote to memory of 3848 664 Boegpc32.exe Clihig32.exe PID 664 wrote to memory of 3848 664 Boegpc32.exe Clihig32.exe PID 3848 wrote to memory of 4380 3848 Clihig32.exe Cccpfa32.exe PID 3848 wrote to memory of 4380 3848 Clihig32.exe Cccpfa32.exe PID 3848 wrote to memory of 4380 3848 Clihig32.exe Cccpfa32.exe PID 4380 wrote to memory of 1012 4380 Cccpfa32.exe Cpgqpe32.exe PID 4380 wrote to memory of 1012 4380 Cccpfa32.exe Cpgqpe32.exe PID 4380 wrote to memory of 1012 4380 Cccpfa32.exe Cpgqpe32.exe PID 1012 wrote to memory of 3504 1012 Cpgqpe32.exe Cedihl32.exe PID 1012 wrote to memory of 3504 1012 Cpgqpe32.exe Cedihl32.exe PID 1012 wrote to memory of 3504 1012 Cpgqpe32.exe Cedihl32.exe PID 3504 wrote to memory of 1620 3504 Cedihl32.exe Cpjmee32.exe PID 3504 wrote to memory of 1620 3504 Cedihl32.exe Cpjmee32.exe PID 3504 wrote to memory of 1620 3504 Cedihl32.exe Cpjmee32.exe PID 1620 wrote to memory of 1736 1620 Cpjmee32.exe Commqb32.exe PID 1620 wrote to memory of 1736 1620 Cpjmee32.exe Commqb32.exe PID 1620 wrote to memory of 1736 1620 Cpjmee32.exe Commqb32.exe PID 1736 wrote to memory of 3584 1736 Commqb32.exe Ccjfgphj.exe PID 1736 wrote to memory of 3584 1736 Commqb32.exe Ccjfgphj.exe PID 1736 wrote to memory of 3584 1736 Commqb32.exe Ccjfgphj.exe PID 3584 wrote to memory of 3440 3584 Ccjfgphj.exe Cidncj32.exe PID 3584 wrote to memory of 3440 3584 Ccjfgphj.exe Cidncj32.exe PID 3584 wrote to memory of 3440 3584 Ccjfgphj.exe Cidncj32.exe PID 3440 wrote to memory of 5008 3440 Cidncj32.exe Coagla32.exe PID 3440 wrote to memory of 5008 3440 Cidncj32.exe Coagla32.exe PID 3440 wrote to memory of 5008 3440 Cidncj32.exe Coagla32.exe PID 5008 wrote to memory of 752 5008 Coagla32.exe Dpacfd32.exe PID 5008 wrote to memory of 752 5008 Coagla32.exe Dpacfd32.exe PID 5008 wrote to memory of 752 5008 Coagla32.exe Dpacfd32.exe PID 752 wrote to memory of 4548 752 Dpacfd32.exe Diihojkb.exe PID 752 wrote to memory of 4548 752 Dpacfd32.exe Diihojkb.exe PID 752 wrote to memory of 4548 752 Dpacfd32.exe Diihojkb.exe PID 4548 wrote to memory of 4840 4548 Diihojkb.exe Dcalgo32.exe PID 4548 wrote to memory of 4840 4548 Diihojkb.exe Dcalgo32.exe PID 4548 wrote to memory of 4840 4548 Diihojkb.exe Dcalgo32.exe PID 4840 wrote to memory of 1800 4840 Dcalgo32.exe Djlddi32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe"C:\Users\Admin\AppData\Local\Temp\62d1cc6824002d98e0b4f46b4dbe2b090daef8dce672732662d472015d94625c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Ahblmjhj.exeC:\Windows\system32\Ahblmjhj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Bbhqjchp.exeC:\Windows\system32\Bbhqjchp.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Bibigmpl.exeC:\Windows\system32\Bibigmpl.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Bifbbllg.exeC:\Windows\system32\Bifbbllg.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Clihig32.exeC:\Windows\system32\Clihig32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Cccpfa32.exeC:\Windows\system32\Cccpfa32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Cedihl32.exeC:\Windows\system32\Cedihl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Cpjmee32.exeC:\Windows\system32\Cpjmee32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Coagla32.exeC:\Windows\system32\Coagla32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Dcalgo32.exeC:\Windows\system32\Dcalgo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Djlddi32.exeC:\Windows\system32\Djlddi32.exe23⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Dohmlp32.exeC:\Windows\system32\Dohmlp32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\Dhqaefng.exeC:\Windows\system32\Dhqaefng.exe25⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe26⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe27⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe28⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ejegjh32.exeC:\Windows\system32\Ejegjh32.exe29⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Ebploj32.exeC:\Windows\system32\Ebploj32.exe30⤵PID:4312
-
C:\Windows\SysWOW64\Eflhoigi.exeC:\Windows\system32\Eflhoigi.exe31⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Eqalmafo.exeC:\Windows\system32\Eqalmafo.exe32⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe33⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:4288 -
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe36⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Fbioei32.exeC:\Windows\system32\Fbioei32.exe37⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe38⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe40⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Fmapha32.exeC:\Windows\system32\Fmapha32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe42⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Fbnhphbp.exeC:\Windows\system32\Fbnhphbp.exe43⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe44⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Fqohnp32.exeC:\Windows\system32\Fqohnp32.exe45⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe46⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe47⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Gbcakg32.exeC:\Windows\system32\Gbcakg32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Gimjhafg.exeC:\Windows\system32\Gimjhafg.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5032 -
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe51⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Gogbdl32.exeC:\Windows\system32\Gogbdl32.exe52⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3596 -
C:\Windows\SysWOW64\Giofnacd.exeC:\Windows\system32\Giofnacd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe55⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Gcekkjcj.exeC:\Windows\system32\Gcekkjcj.exe56⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Gfcgge32.exeC:\Windows\system32\Gfcgge32.exe57⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe59⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe60⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe61⤵
- Executes dropped EXE
PID:4724 -
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe62⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Gifmnpnl.exeC:\Windows\system32\Gifmnpnl.exe63⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4432 -
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4652 -
C:\Windows\SysWOW64\Hapaemll.exeC:\Windows\system32\Hapaemll.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe67⤵PID:2860
-
C:\Windows\SysWOW64\Hikfip32.exeC:\Windows\system32\Hikfip32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Hcqjfh32.exeC:\Windows\system32\Hcqjfh32.exe69⤵PID:4344
-
C:\Windows\SysWOW64\Hjjbcbqj.exeC:\Windows\system32\Hjjbcbqj.exe70⤵PID:4244
-
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe71⤵PID:1156
-
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4468 -
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe73⤵
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe74⤵PID:2760
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe75⤵PID:4416
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe77⤵
- Drops file in System32 directory
PID:3076 -
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe78⤵
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe79⤵PID:1940
-
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe81⤵PID:3656
-
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe82⤵PID:944
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe83⤵PID:2200
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe84⤵PID:3564
-
C:\Windows\SysWOW64\Imdnklfp.exeC:\Windows\system32\Imdnklfp.exe85⤵PID:2220
-
C:\Windows\SysWOW64\Ibagcc32.exeC:\Windows\system32\Ibagcc32.exe86⤵PID:368
-
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe87⤵PID:2160
-
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe88⤵PID:4072
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe89⤵PID:5064
-
C:\Windows\SysWOW64\Ijkljp32.exeC:\Windows\system32\Ijkljp32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5124 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe91⤵
- Modifies registry class
PID:5164 -
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe92⤵PID:5208
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe93⤵
- Drops file in System32 directory
PID:5256 -
C:\Windows\SysWOW64\Jjmhppqd.exeC:\Windows\system32\Jjmhppqd.exe94⤵
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Jagqlj32.exeC:\Windows\system32\Jagqlj32.exe96⤵PID:5388
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe97⤵PID:5428
-
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Jaimbj32.exeC:\Windows\system32\Jaimbj32.exe99⤵PID:5516
-
C:\Windows\SysWOW64\Jdhine32.exeC:\Windows\system32\Jdhine32.exe100⤵
- Drops file in System32 directory
PID:5560 -
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe101⤵PID:5604
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5684 -
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5732 -
C:\Windows\SysWOW64\Jfhbppbc.exeC:\Windows\system32\Jfhbppbc.exe105⤵PID:5780
-
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe106⤵PID:5816
-
C:\Windows\SysWOW64\Jangmibi.exeC:\Windows\system32\Jangmibi.exe107⤵
- Modifies registry class
PID:5868 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe108⤵PID:5912
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe109⤵PID:5956
-
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe110⤵PID:6000
-
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe111⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe112⤵
- Drops file in System32 directory
PID:6084 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe113⤵PID:6124
-
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3116 -
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe115⤵PID:5204
-
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe116⤵PID:5272
-
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe117⤵PID:5352
-
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5412 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe119⤵PID:5492
-
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe120⤵
- Drops file in System32 directory
PID:5544 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe121⤵PID:5632
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe122⤵
- Modifies registry class
PID:5696 -
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe123⤵
- Modifies registry class
PID:5756 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe124⤵PID:5836
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe125⤵PID:5896
-
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe126⤵PID:5976
-
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe127⤵PID:6052
-
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe128⤵
- Modifies registry class
PID:6132 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe129⤵PID:5188
-
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe130⤵PID:5292
-
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe131⤵PID:5384
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe132⤵PID:5496
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe133⤵PID:4476
-
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe134⤵PID:4884
-
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe135⤵PID:4852
-
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe136⤵PID:5692
-
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe137⤵PID:5804
-
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe138⤵PID:5900
-
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe139⤵
- Drops file in System32 directory
PID:6020 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe140⤵PID:1952
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5252 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe142⤵
- Modifies registry class
PID:5464 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe143⤵PID:4360
-
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3624 -
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe145⤵PID:5700
-
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe146⤵PID:5884
-
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe148⤵PID:5248
-
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe149⤵
- Drops file in System32 directory
PID:5468 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe150⤵PID:2428
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe151⤵PID:5648
-
C:\Windows\SysWOW64\Njogjfoj.exeC:\Windows\system32\Njogjfoj.exe152⤵PID:5964
-
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe153⤵PID:5400
-
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe154⤵
- Modifies registry class
PID:3164 -
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe155⤵PID:5992
-
C:\Windows\SysWOW64\Nqmhbpba.exeC:\Windows\system32\Nqmhbpba.exe156⤵PID:5568
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Ojhiqefo.exeC:\Windows\system32\Ojhiqefo.exe158⤵PID:5624
-
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe159⤵PID:5824
-
C:\Windows\SysWOW64\Onfbfc32.exeC:\Windows\system32\Onfbfc32.exe160⤵PID:5828
-
C:\Windows\SysWOW64\Odpjcm32.exeC:\Windows\system32\Odpjcm32.exe161⤵
- Drops file in System32 directory
PID:6172 -
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe162⤵PID:6220
-
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe163⤵
- Modifies registry class
PID:6264 -
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe164⤵
- Modifies registry class
PID:6308 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe165⤵PID:6356
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe166⤵PID:6400
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6444 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe168⤵PID:6488
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe169⤵PID:6532
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe170⤵PID:6572
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe171⤵PID:6612
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe172⤵PID:6652
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe173⤵PID:6696
-
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe174⤵PID:6740
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6784 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe176⤵PID:6828
-
C:\Windows\SysWOW64\Pjhbgb32.exeC:\Windows\system32\Pjhbgb32.exe177⤵PID:6872
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe178⤵PID:6920
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe179⤵PID:6964
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe180⤵
- Drops file in System32 directory
PID:7004 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe181⤵PID:7048
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe182⤵PID:7088
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe183⤵PID:7128
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe184⤵PID:6148
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe185⤵
- Modifies registry class
PID:6204 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe186⤵PID:6284
-
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe187⤵PID:6340
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe188⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6420 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe189⤵PID:6484
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe190⤵
- Drops file in System32 directory
PID:6560 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe191⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6636 -
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe192⤵PID:6704
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe193⤵PID:6772
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe194⤵
- Modifies registry class
PID:6820 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe195⤵PID:6916
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe196⤵
- Drops file in System32 directory
PID:6984 -
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe197⤵PID:6988
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe198⤵PID:7120
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe199⤵PID:6180
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe200⤵PID:6304
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe201⤵PID:6408
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe202⤵PID:6516
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe203⤵PID:6620
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe204⤵PID:6720
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe205⤵PID:6864
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe206⤵PID:6936
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe207⤵PID:7096
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe208⤵PID:6216
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe209⤵PID:6252
-
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6556 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe211⤵PID:6752
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe212⤵PID:6948
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7152 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe214⤵PID:6364
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe215⤵
- Drops file in System32 directory
PID:6600 -
C:\Windows\SysWOW64\Behbag32.exeC:\Windows\system32\Behbag32.exe216⤵PID:6900
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe217⤵PID:7080
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe218⤵PID:6528
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7040 -
C:\Windows\SysWOW64\Bldgdago.exeC:\Windows\system32\Bldgdago.exe220⤵
- Drops file in System32 directory
PID:6500 -
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe221⤵PID:6292
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe222⤵PID:6996
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe223⤵
- Drops file in System32 directory
PID:6896 -
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:7212 -
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe225⤵PID:7256
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe226⤵PID:7300
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe227⤵PID:7348
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe228⤵
- Drops file in System32 directory
PID:7396 -
C:\Windows\SysWOW64\Cknnpm32.exeC:\Windows\system32\Cknnpm32.exe229⤵PID:7440
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe230⤵PID:7484
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7528 -
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe232⤵PID:7572
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe233⤵PID:7612
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe234⤵PID:7664
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe235⤵
- Drops file in System32 directory
PID:7708 -
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe236⤵PID:7760
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe237⤵
- Drops file in System32 directory
PID:7804 -
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe238⤵
- Drops file in System32 directory
PID:7844 -
C:\Windows\SysWOW64\Doqpak32.exeC:\Windows\system32\Doqpak32.exe239⤵PID:7896
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe240⤵PID:7944
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe241⤵PID:7988
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe242⤵PID:8032