Analysis
-
max time kernel
147s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 23:32
Static task
static1
Behavioral task
behavioral1
Sample
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe
Resource
win10v2004-20240508-en
General
-
Target
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe
-
Size
73KB
-
MD5
a3368229ddb00cc79ed5fb472956acd0
-
SHA1
647259fc6241f82743ace7895cc9359c5461fb39
-
SHA256
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf
-
SHA512
187cc5a7ee082a0ae98f5b4269c2cdb74e31551d691fba9fb869114c17ee3465e76fda98fd2477377f3b269ba44c7f682afbe0ecaacc3cfd901b3b4761209c0b
-
SSDEEP
1536:IYZ9hBPFXEh6xEn8lj29NvmZu0K92LQ0dryyA:Tn3x/lsmZuLO15C
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fgohna32.exeHklhae32.exeQndkpmkm.exeAkcomepg.exeDeakjjbk.exeDjgkii32.exeGcgnnlle.exeOhipla32.exeBgblmk32.exePkcbnanl.exeDifqji32.exeLiqoflfh.exeNmlgfnal.exePljcllqe.exeKkoncdcp.exeQqfkln32.exeBlkjkflb.exeEknmhk32.exeHmbndmkb.exeIjmipn32.exeIbhndp32.exeAqmamm32.exeGildahhp.exeCeebklai.exeOiljam32.exeHihlqeib.exeCebeem32.exePblcbn32.exeFihfnp32.exeGpggei32.exeBbeded32.exeDahifbpk.exeGjjmijme.exeLohjnf32.exeBbgqjdce.exeAlnalh32.exeCkcepj32.exeDmjqpdje.exeGmpcgace.exeOhfcfb32.exeOnqkclni.exeBdfooh32.exeIliebpfc.exeJdnmma32.exeMobfgdcl.exeBjkhdacm.exeLegaoehg.exeAlageg32.exeAcnlgajg.exeDemaoj32.exeQaqnkafa.exeElipgofb.exeGbohehoj.exeDaipqhdg.exeGaagcpdl.exeFbbofjnh.exeFfaaoh32.exeHinbppna.exeHmeolj32.exePincfpoo.exePopeif32.exeJlfnangf.exeBcbfbp32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgohna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qndkpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deakjjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohipla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcbnanl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liqoflfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlgfnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pljcllqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkoncdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfkln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkjkflb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhndp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gildahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceebklai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihlqeib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pblcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihfnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpggei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahifbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjjmijme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgqjdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckcepj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onqkclni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliebpfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnlgajg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaqnkafa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbohehoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daipqhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffaaoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbohehoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinbppna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmeolj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pincfpoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popeif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlfnangf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbfbp32.exe -
Executes dropped EXE 64 IoCs
Processes:
Cikbhc32.exeCdecha32.exeChcloo32.exeCkcepj32.exeDiibag32.exeDepbfhpe.exeDllhhaep.exeDaipqhdg.exeDegiggjm.exeEeielfhk.exeEndjaief.exeEdnbncmb.exeEniclh32.exeElnqmd32.exeFheabelm.exeFmcjhdbc.exeFbpbpkpj.exeFbbofjnh.exeFgohna32.exeFindhdcb.exeGjpqpl32.exeGcheib32.exeGjbmelgm.exeGnpflj32.exeGghkdp32.exeGildahhp.exeGbdhjm32.exeHllmcc32.exeHpjeialg.exeHlccdboi.exeHmeolj32.exeHjipenda.exeIpehmebh.exeIjmipn32.exeIbhndp32.exeIbkkjp32.exeIiecgjba.exeIelclkhe.exeJenpajfb.exeJofejpmc.exeJkmeoa32.exeKnbhlkkc.exeKfbfkmeh.exeKkoncdcp.exeKgfoie32.exeLqncaj32.exeLkdhoc32.exeLdllgiek.exeLjieppcb.exeLqcmmjko.exeLgmeid32.exeLjkaeo32.exeLohjnf32.exeLiqoflfh.exeMfdopp32.exeMpmcielb.exeMejlalji.exeMkddnf32.exeMfihkoal.exeMgjebg32.exeMacilmnk.exeMaefamlh.exeNmlgfnal.exeNcfoch32.exepid process 1944 Cikbhc32.exe 2668 Cdecha32.exe 2708 Chcloo32.exe 2816 Ckcepj32.exe 2340 Diibag32.exe 2648 Depbfhpe.exe 2540 Dllhhaep.exe 2904 Daipqhdg.exe 1664 Degiggjm.exe 2544 Eeielfhk.exe 932 Endjaief.exe 936 Ednbncmb.exe 1720 Eniclh32.exe 1188 Elnqmd32.exe 1624 Fheabelm.exe 1492 Fmcjhdbc.exe 2172 Fbpbpkpj.exe 3060 Fbbofjnh.exe 1512 Fgohna32.exe 768 Findhdcb.exe 1648 Gjpqpl32.exe 2224 Gcheib32.exe 752 Gjbmelgm.exe 2992 Gnpflj32.exe 2040 Gghkdp32.exe 2980 Gildahhp.exe 1696 Gbdhjm32.exe 1628 Hllmcc32.exe 1304 Hpjeialg.exe 2624 Hlccdboi.exe 2712 Hmeolj32.exe 2328 Hjipenda.exe 2652 Ipehmebh.exe 2528 Ijmipn32.exe 2484 Ibhndp32.exe 1148 Ibkkjp32.exe 2456 Iiecgjba.exe 1308 Ielclkhe.exe 2772 Jenpajfb.exe 2148 Jofejpmc.exe 2180 Jkmeoa32.exe 1256 Knbhlkkc.exe 1760 Kfbfkmeh.exe 860 Kkoncdcp.exe 2124 Kgfoie32.exe 1384 Lqncaj32.exe 1336 Lkdhoc32.exe 1636 Ldllgiek.exe 1804 Ljieppcb.exe 600 Lqcmmjko.exe 2132 Lgmeid32.exe 2096 Ljkaeo32.exe 2388 Lohjnf32.exe 1916 Liqoflfh.exe 1704 Mfdopp32.exe 2248 Mpmcielb.exe 3012 Mejlalji.exe 2828 Mkddnf32.exe 2612 Mfihkoal.exe 2896 Mgjebg32.exe 2524 Macilmnk.exe 316 Maefamlh.exe 2564 Nmlgfnal.exe 1252 Ncfoch32.exe -
Loads dropped DLL 64 IoCs
Processes:
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exeCikbhc32.exeCdecha32.exeChcloo32.exeCkcepj32.exeDiibag32.exeDepbfhpe.exeDllhhaep.exeDaipqhdg.exeDegiggjm.exeEeielfhk.exeEndjaief.exeEdnbncmb.exeEniclh32.exeElnqmd32.exeFheabelm.exeFmcjhdbc.exeFbpbpkpj.exeFbbofjnh.exeFgohna32.exeFindhdcb.exeGjpqpl32.exeGcheib32.exeGjbmelgm.exeGnpflj32.exeGghkdp32.exeGildahhp.exeGbdhjm32.exeHllmcc32.exeHpjeialg.exeHlccdboi.exeHmeolj32.exepid process 2916 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe 2916 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe 1944 Cikbhc32.exe 1944 Cikbhc32.exe 2668 Cdecha32.exe 2668 Cdecha32.exe 2708 Chcloo32.exe 2708 Chcloo32.exe 2816 Ckcepj32.exe 2816 Ckcepj32.exe 2340 Diibag32.exe 2340 Diibag32.exe 2648 Depbfhpe.exe 2648 Depbfhpe.exe 2540 Dllhhaep.exe 2540 Dllhhaep.exe 2904 Daipqhdg.exe 2904 Daipqhdg.exe 1664 Degiggjm.exe 1664 Degiggjm.exe 2544 Eeielfhk.exe 2544 Eeielfhk.exe 932 Endjaief.exe 932 Endjaief.exe 936 Ednbncmb.exe 936 Ednbncmb.exe 1720 Eniclh32.exe 1720 Eniclh32.exe 1188 Elnqmd32.exe 1188 Elnqmd32.exe 1624 Fheabelm.exe 1624 Fheabelm.exe 1492 Fmcjhdbc.exe 1492 Fmcjhdbc.exe 2172 Fbpbpkpj.exe 2172 Fbpbpkpj.exe 3060 Fbbofjnh.exe 3060 Fbbofjnh.exe 1512 Fgohna32.exe 1512 Fgohna32.exe 768 Findhdcb.exe 768 Findhdcb.exe 1648 Gjpqpl32.exe 1648 Gjpqpl32.exe 2224 Gcheib32.exe 2224 Gcheib32.exe 752 Gjbmelgm.exe 752 Gjbmelgm.exe 2992 Gnpflj32.exe 2992 Gnpflj32.exe 2040 Gghkdp32.exe 2040 Gghkdp32.exe 2980 Gildahhp.exe 2980 Gildahhp.exe 1696 Gbdhjm32.exe 1696 Gbdhjm32.exe 1628 Hllmcc32.exe 1628 Hllmcc32.exe 1304 Hpjeialg.exe 1304 Hpjeialg.exe 2624 Hlccdboi.exe 2624 Hlccdboi.exe 2712 Hmeolj32.exe 2712 Hmeolj32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Pafdjmkq.exeBjkhdacm.exeEniclh32.exeMacilmnk.exeLpabpcdf.exeAcnlgajg.exeAodkci32.exeDppigchi.exeFdiqpigl.exeLqncaj32.exeGbhbdi32.exeJgabdlfb.exeNlefhcnc.exePhlclgfc.exeHaqnea32.exeKdmban32.exeLopfhk32.exeApkgpf32.exeBqmpdioa.exeHqkmplen.exePopeif32.exeKddomchg.exeQnghel32.exeJhmofo32.exeOoabmbbe.exeCfkloq32.exeOnqkclni.exeDiibag32.exeDegiggjm.exeHlccdboi.exeIliebpfc.exeMdogedmh.exeQhilkege.exeCcbbachm.exeEdnbncmb.exeOijjka32.exeOlpilg32.exePkmlmbcd.exeGckdgjeb.exeFolhgbid.exeFdpgph32.exeBbeded32.exeBcbfbp32.exeCjhabndo.exeHllmcc32.exeMkddnf32.exeDdblgn32.exeEhkhaqpk.exeNipdkieg.exeKhadpa32.exeJenpajfb.exeOhhmcinf.exeDmjqpdje.exeEknpadcn.exeHfhfhbce.exePljcllqe.exePpkhhjei.exePjcmap32.exeIpjdameg.exeGaagcpdl.exeGjpqpl32.exeMfihkoal.exeGbohehoj.exedescription ioc process File created C:\Windows\SysWOW64\Dahapj32.dll Pafdjmkq.exe File opened for modification C:\Windows\SysWOW64\Bdqlajbb.exe Bjkhdacm.exe File created C:\Windows\SysWOW64\Elnqmd32.exe Eniclh32.exe File created C:\Windows\SysWOW64\Kielkojm.dll Macilmnk.exe File created C:\Windows\SysWOW64\Bpoenh32.dll Lpabpcdf.exe File opened for modification C:\Windows\SysWOW64\Bpbmqe32.exe Acnlgajg.exe File created C:\Windows\SysWOW64\Bmhkmm32.exe Aodkci32.exe File opened for modification C:\Windows\SysWOW64\Demaoj32.exe Dppigchi.exe File created C:\Windows\SysWOW64\Njfaognh.dll Fdiqpigl.exe File created C:\Windows\SysWOW64\Bihmcd32.dll Lqncaj32.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gbhbdi32.exe File created C:\Windows\SysWOW64\Majdmi32.dll Jgabdlfb.exe File opened for modification C:\Windows\SysWOW64\Omioekbo.exe Nlefhcnc.exe File opened for modification C:\Windows\SysWOW64\Padhdm32.exe Phlclgfc.exe File opened for modification C:\Windows\SysWOW64\Ijibng32.exe Haqnea32.exe File created C:\Windows\SysWOW64\Kmegjdad.exe Kdmban32.exe File opened for modification C:\Windows\SysWOW64\Lpabpcdf.exe Lopfhk32.exe File created C:\Windows\SysWOW64\Kjigmkld.dll Apkgpf32.exe File created C:\Windows\SysWOW64\Lclknm32.dll Bqmpdioa.exe File created C:\Windows\SysWOW64\Oqfopomn.dll Hqkmplen.exe File created C:\Windows\SysWOW64\Ljcmklhm.dll Popeif32.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Kddomchg.exe File created C:\Windows\SysWOW64\Khpjqgjc.dll Qnghel32.exe File created C:\Windows\SysWOW64\Lklfipaq.dll Jhmofo32.exe File created C:\Windows\SysWOW64\Nbklpemb.dll Ooabmbbe.exe File created C:\Windows\SysWOW64\Cocphf32.exe Cfkloq32.exe File opened for modification C:\Windows\SysWOW64\Ohipla32.exe Onqkclni.exe File created C:\Windows\SysWOW64\Depbfhpe.exe Diibag32.exe File opened for modification C:\Windows\SysWOW64\Eeielfhk.exe Degiggjm.exe File created C:\Windows\SysWOW64\Gedaglad.dll Hlccdboi.exe File created C:\Windows\SysWOW64\Pkfope32.dll Iliebpfc.exe File opened for modification C:\Windows\SysWOW64\Mimpkcdn.exe Mdogedmh.exe File created C:\Windows\SysWOW64\Hagojlib.dll Qhilkege.exe File created C:\Windows\SysWOW64\Cjljnn32.exe Ccbbachm.exe File opened for modification C:\Windows\SysWOW64\Eniclh32.exe Ednbncmb.exe File created C:\Windows\SysWOW64\Pphcfh32.dll Oijjka32.exe File opened for modification C:\Windows\SysWOW64\Oeindm32.exe Olpilg32.exe File created C:\Windows\SysWOW64\Pafdjmkq.exe Pkmlmbcd.exe File created C:\Windows\SysWOW64\Lanlcl32.dll Gckdgjeb.exe File created C:\Windows\SysWOW64\Jmfjecle.dll Folhgbid.exe File opened for modification C:\Windows\SysWOW64\Feachqgb.exe Fdpgph32.exe File created C:\Windows\SysWOW64\Ljqglfel.dll Bbeded32.exe File created C:\Windows\SysWOW64\Glgcpc32.dll Bcbfbp32.exe File created C:\Windows\SysWOW64\Ncmljjmf.dll Cjhabndo.exe File created C:\Windows\SysWOW64\Infaph32.dll Hllmcc32.exe File created C:\Windows\SysWOW64\Anjcbljh.dll Mkddnf32.exe File created C:\Windows\SysWOW64\Pqgono32.dll Ddblgn32.exe File created C:\Windows\SysWOW64\Elipgofb.exe Ehkhaqpk.exe File created C:\Windows\SysWOW64\Plcaioco.dll Nipdkieg.exe File created C:\Windows\SysWOW64\Kajiigba.exe Khadpa32.exe File opened for modification C:\Windows\SysWOW64\Jofejpmc.exe Jenpajfb.exe File opened for modification C:\Windows\SysWOW64\Oijjka32.exe Ohhmcinf.exe File created C:\Windows\SysWOW64\Dphmloih.exe Dmjqpdje.exe File created C:\Windows\SysWOW64\Ifemminl.dll Eknpadcn.exe File created C:\Windows\SysWOW64\Hmbndmkb.exe Hfhfhbce.exe File created C:\Windows\SysWOW64\Eeielfhk.exe Degiggjm.exe File created C:\Windows\SysWOW64\Onffhdlh.dll Pljcllqe.exe File opened for modification C:\Windows\SysWOW64\Pjcmap32.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Bljbql32.dll Pjcmap32.exe File created C:\Windows\SysWOW64\Nfjmnpei.dll Ipjdameg.exe File opened for modification C:\Windows\SysWOW64\Hgnokgcc.exe Gaagcpdl.exe File opened for modification C:\Windows\SysWOW64\Gcheib32.exe Gjpqpl32.exe File created C:\Windows\SysWOW64\Mgjebg32.exe Mfihkoal.exe File created C:\Windows\SysWOW64\Gmqbcm32.dll Gbohehoj.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4356 4144 WerFault.exe Lepaccmo.exe -
Modifies registry class 64 IoCs
Processes:
Cdecha32.exeAakjdo32.exeHqkmplen.exeFbpbpkpj.exeIimfld32.exeEhnfpifm.exeDcghkf32.exePgnjde32.exeGfhgpg32.exeMggabaea.exeCfkloq32.exeGbohehoj.exeIliebpfc.exeIahkpg32.exeGkoobhhg.exeFheabelm.exeFbbofjnh.exeAodkci32.exeElipgofb.exeKljdkpfl.exeOeindm32.exeAcfmcc32.exeJbclgf32.exeFgohna32.exeIpehmebh.exeBbjmpcab.exeGqdefddb.exeLopfhk32.exeMkdffoij.exeCcbbachm.exeGmpcgace.exeGjjmijme.exeGdegfn32.exeIfbphh32.exeDppigchi.exeNoffdd32.exePlmpblnb.exeDlofgj32.exeHbggif32.exeFofbhgde.exeHkdemk32.exePfbfhm32.exeEndjaief.exeMobfgdcl.exeAebmjo32.exeCebeem32.exeCbgobp32.exeDlifadkk.exeLmpcca32.exeEdnbncmb.exeHmeolj32.exeMacilmnk.exeClojhf32.exeKdkelolf.exeElnqmd32.exeGjbmelgm.exeKnmdeioh.exeBjkhdacm.exeHqnapb32.exeHaqnea32.exeOhcdhi32.exePljcllqe.exeIgqhpj32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" Aakjdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqkmplen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpbpkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iimfld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gocbagqd.dll" Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcohnaep.dll" Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mggabaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbohehoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iliebpfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fheabelm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonedp32.dll" Aodkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfhj32.dll" Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kljdkpfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll" Jbclgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgohna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipehmebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjmpcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdlojdbk.dll" Lopfhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Ccbbachm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gmpcgace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjjmijme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdegfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifbphh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dppigchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplkimih.dll" Noffdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmpblnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlofgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpiba32.dll" Fofbhgde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkdemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnpaigk.dll" Pfbfhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpdmoj32.dll" Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladpkl32.dll" Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cebeem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbgobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnokbe32.dll" Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmpcca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ednbncmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmeolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Macilmnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjkajop.dll" Kdkelolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elnqmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjbmelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmdeioh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benmkbnn.dll" Hqnapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkkpmda.dll" Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibejjo32.dll" Ohcdhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqbajfj.dll" Igqhpj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exeCikbhc32.exeCdecha32.exeChcloo32.exeCkcepj32.exeDiibag32.exeDepbfhpe.exeDllhhaep.exeDaipqhdg.exeDegiggjm.exeEeielfhk.exeEndjaief.exeEdnbncmb.exeEniclh32.exeElnqmd32.exeFheabelm.exedescription pid process target process PID 2916 wrote to memory of 1944 2916 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe Cikbhc32.exe PID 2916 wrote to memory of 1944 2916 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe Cikbhc32.exe PID 2916 wrote to memory of 1944 2916 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe Cikbhc32.exe PID 2916 wrote to memory of 1944 2916 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe Cikbhc32.exe PID 1944 wrote to memory of 2668 1944 Cikbhc32.exe Cdecha32.exe PID 1944 wrote to memory of 2668 1944 Cikbhc32.exe Cdecha32.exe PID 1944 wrote to memory of 2668 1944 Cikbhc32.exe Cdecha32.exe PID 1944 wrote to memory of 2668 1944 Cikbhc32.exe Cdecha32.exe PID 2668 wrote to memory of 2708 2668 Cdecha32.exe Chcloo32.exe PID 2668 wrote to memory of 2708 2668 Cdecha32.exe Chcloo32.exe PID 2668 wrote to memory of 2708 2668 Cdecha32.exe Chcloo32.exe PID 2668 wrote to memory of 2708 2668 Cdecha32.exe Chcloo32.exe PID 2708 wrote to memory of 2816 2708 Chcloo32.exe Ckcepj32.exe PID 2708 wrote to memory of 2816 2708 Chcloo32.exe Ckcepj32.exe PID 2708 wrote to memory of 2816 2708 Chcloo32.exe Ckcepj32.exe PID 2708 wrote to memory of 2816 2708 Chcloo32.exe Ckcepj32.exe PID 2816 wrote to memory of 2340 2816 Ckcepj32.exe Diibag32.exe PID 2816 wrote to memory of 2340 2816 Ckcepj32.exe Diibag32.exe PID 2816 wrote to memory of 2340 2816 Ckcepj32.exe Diibag32.exe PID 2816 wrote to memory of 2340 2816 Ckcepj32.exe Diibag32.exe PID 2340 wrote to memory of 2648 2340 Diibag32.exe Depbfhpe.exe PID 2340 wrote to memory of 2648 2340 Diibag32.exe Depbfhpe.exe PID 2340 wrote to memory of 2648 2340 Diibag32.exe Depbfhpe.exe PID 2340 wrote to memory of 2648 2340 Diibag32.exe Depbfhpe.exe PID 2648 wrote to memory of 2540 2648 Depbfhpe.exe Dllhhaep.exe PID 2648 wrote to memory of 2540 2648 Depbfhpe.exe Dllhhaep.exe PID 2648 wrote to memory of 2540 2648 Depbfhpe.exe Dllhhaep.exe PID 2648 wrote to memory of 2540 2648 Depbfhpe.exe Dllhhaep.exe PID 2540 wrote to memory of 2904 2540 Dllhhaep.exe Daipqhdg.exe PID 2540 wrote to memory of 2904 2540 Dllhhaep.exe Daipqhdg.exe PID 2540 wrote to memory of 2904 2540 Dllhhaep.exe Daipqhdg.exe PID 2540 wrote to memory of 2904 2540 Dllhhaep.exe Daipqhdg.exe PID 2904 wrote to memory of 1664 2904 Daipqhdg.exe Degiggjm.exe PID 2904 wrote to memory of 1664 2904 Daipqhdg.exe Degiggjm.exe PID 2904 wrote to memory of 1664 2904 Daipqhdg.exe Degiggjm.exe PID 2904 wrote to memory of 1664 2904 Daipqhdg.exe Degiggjm.exe PID 1664 wrote to memory of 2544 1664 Degiggjm.exe Eeielfhk.exe PID 1664 wrote to memory of 2544 1664 Degiggjm.exe Eeielfhk.exe PID 1664 wrote to memory of 2544 1664 Degiggjm.exe Eeielfhk.exe PID 1664 wrote to memory of 2544 1664 Degiggjm.exe Eeielfhk.exe PID 2544 wrote to memory of 932 2544 Eeielfhk.exe Endjaief.exe PID 2544 wrote to memory of 932 2544 Eeielfhk.exe Endjaief.exe PID 2544 wrote to memory of 932 2544 Eeielfhk.exe Endjaief.exe PID 2544 wrote to memory of 932 2544 Eeielfhk.exe Endjaief.exe PID 932 wrote to memory of 936 932 Endjaief.exe Ednbncmb.exe PID 932 wrote to memory of 936 932 Endjaief.exe Ednbncmb.exe PID 932 wrote to memory of 936 932 Endjaief.exe Ednbncmb.exe PID 932 wrote to memory of 936 932 Endjaief.exe Ednbncmb.exe PID 936 wrote to memory of 1720 936 Ednbncmb.exe Eniclh32.exe PID 936 wrote to memory of 1720 936 Ednbncmb.exe Eniclh32.exe PID 936 wrote to memory of 1720 936 Ednbncmb.exe Eniclh32.exe PID 936 wrote to memory of 1720 936 Ednbncmb.exe Eniclh32.exe PID 1720 wrote to memory of 1188 1720 Eniclh32.exe Elnqmd32.exe PID 1720 wrote to memory of 1188 1720 Eniclh32.exe Elnqmd32.exe PID 1720 wrote to memory of 1188 1720 Eniclh32.exe Elnqmd32.exe PID 1720 wrote to memory of 1188 1720 Eniclh32.exe Elnqmd32.exe PID 1188 wrote to memory of 1624 1188 Elnqmd32.exe Fheabelm.exe PID 1188 wrote to memory of 1624 1188 Elnqmd32.exe Fheabelm.exe PID 1188 wrote to memory of 1624 1188 Elnqmd32.exe Fheabelm.exe PID 1188 wrote to memory of 1624 1188 Elnqmd32.exe Fheabelm.exe PID 1624 wrote to memory of 1492 1624 Fheabelm.exe Fmcjhdbc.exe PID 1624 wrote to memory of 1492 1624 Fheabelm.exe Fmcjhdbc.exe PID 1624 wrote to memory of 1492 1624 Fheabelm.exe Fmcjhdbc.exe PID 1624 wrote to memory of 1492 1624 Fheabelm.exe Fmcjhdbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe"C:\Users\Admin\AppData\Local\Temp\632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe33⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe37⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe38⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe39⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe41⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe42⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe43⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe44⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe46⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe48⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe49⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe50⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe51⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe52⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe53⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe56⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe57⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe58⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe61⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe63⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe65⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe66⤵PID:2408
-
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe67⤵PID:2152
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe68⤵PID:2260
-
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe69⤵PID:320
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe70⤵PID:396
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe71⤵PID:384
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe72⤵PID:924
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe73⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe75⤵PID:2808
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe76⤵PID:2240
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe77⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe78⤵PID:2684
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe79⤵PID:2736
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe80⤵PID:2516
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe81⤵
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe82⤵
- Drops file in System32 directory
PID:1532 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe83⤵PID:1816
-
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe84⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:828 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe87⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe88⤵PID:1324
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe89⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe90⤵
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe92⤵PID:3028
-
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1228 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2068 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe95⤵PID:2928
-
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe96⤵PID:2760
-
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe97⤵PID:2704
-
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe98⤵PID:2448
-
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe100⤵PID:1484
-
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe101⤵PID:2576
-
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe102⤵PID:1968
-
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe104⤵PID:2084
-
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:660 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe108⤵PID:2020
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe109⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe110⤵PID:1212
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe111⤵PID:2556
-
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe112⤵PID:2676
-
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe113⤵PID:2812
-
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe114⤵PID:2596
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe115⤵PID:2536
-
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe116⤵PID:1616
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe117⤵PID:2032
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe118⤵PID:1140
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe120⤵PID:2352
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe121⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe123⤵PID:2616
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe124⤵PID:2520
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1288 -
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe126⤵PID:564
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe127⤵PID:1436
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe128⤵PID:2308
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe129⤵PID:324
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe130⤵
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe132⤵PID:2820
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe133⤵PID:2400
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe135⤵PID:2412
-
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe136⤵PID:2460
-
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe137⤵PID:1808
-
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe138⤵PID:1264
-
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe139⤵PID:1328
-
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe140⤵PID:1784
-
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe141⤵PID:892
-
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1764 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe143⤵PID:1744
-
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe144⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe145⤵PID:2900
-
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe148⤵
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe150⤵PID:1932
-
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe152⤵
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe153⤵PID:2212
-
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe154⤵PID:1852
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe155⤵PID:1564
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe156⤵PID:2228
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe157⤵PID:528
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe158⤵PID:864
-
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe159⤵PID:2204
-
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe161⤵PID:2764
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe163⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe164⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe165⤵PID:920
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe166⤵PID:1652
-
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe167⤵PID:2256
-
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe168⤵PID:1872
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe169⤵PID:3044
-
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe170⤵PID:972
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1560 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe172⤵PID:2252
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe173⤵PID:2320
-
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe174⤵
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe175⤵PID:2776
-
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe176⤵PID:2504
-
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe177⤵PID:1268
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe178⤵PID:584
-
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe179⤵PID:2580
-
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe180⤵PID:2636
-
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe181⤵PID:2360
-
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe182⤵PID:2832
-
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe183⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe184⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe185⤵PID:2788
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe186⤵PID:1544
-
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe187⤵PID:2156
-
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe188⤵
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe189⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe190⤵PID:2756
-
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe191⤵PID:2144
-
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe192⤵
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe193⤵PID:1876
-
C:\Windows\SysWOW64\Nbhhdnlh.exeC:\Windows\system32\Nbhhdnlh.exe194⤵PID:2428
-
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe195⤵PID:2972
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe196⤵PID:1556
-
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe197⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe198⤵PID:2732
-
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe199⤵PID:3104
-
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe200⤵PID:3144
-
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe201⤵
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe202⤵
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe203⤵
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe204⤵PID:3304
-
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe205⤵
- Drops file in System32 directory
PID:3344 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe206⤵PID:3388
-
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe207⤵
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe208⤵
- Drops file in System32 directory
PID:3468 -
C:\Windows\SysWOW64\Paiaplin.exeC:\Windows\system32\Paiaplin.exe209⤵PID:3508
-
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe210⤵PID:3548
-
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe211⤵PID:3588
-
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3628 -
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe213⤵PID:3668
-
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe214⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3708 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe215⤵PID:3748
-
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe216⤵
- Drops file in System32 directory
PID:3788 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe217⤵
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Acfmcc32.exeC:\Windows\system32\Acfmcc32.exe218⤵
- Modifies registry class
PID:3868 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe219⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3908 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe220⤵
- Modifies registry class
PID:3948 -
C:\Windows\SysWOW64\Akcomepg.exeC:\Windows\system32\Akcomepg.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3988 -
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe222⤵PID:4032
-
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe223⤵PID:4072
-
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe225⤵PID:3140
-
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe226⤵PID:3172
-
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe227⤵PID:3220
-
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe228⤵PID:3272
-
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe229⤵PID:3324
-
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe230⤵PID:3384
-
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe231⤵PID:3420
-
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe232⤵
- Drops file in System32 directory
- Modifies registry class
PID:3484 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe233⤵PID:3524
-
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe234⤵PID:3572
-
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe235⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3620 -
C:\Windows\SysWOW64\Ceebklai.exeC:\Windows\system32\Ceebklai.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3688 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe237⤵
- Modifies registry class
PID:3732 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe238⤵PID:3780
-
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe239⤵PID:3824
-
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe240⤵PID:3876
-
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe241⤵PID:3940
-
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe242⤵PID:4016