Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 23:32
Static task
static1
Behavioral task
behavioral1
Sample
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe
Resource
win10v2004-20240508-en
General
-
Target
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe
-
Size
73KB
-
MD5
a3368229ddb00cc79ed5fb472956acd0
-
SHA1
647259fc6241f82743ace7895cc9359c5461fb39
-
SHA256
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf
-
SHA512
187cc5a7ee082a0ae98f5b4269c2cdb74e31551d691fba9fb869114c17ee3465e76fda98fd2477377f3b269ba44c7f682afbe0ecaacc3cfd901b3b4761209c0b
-
SSDEEP
1536:IYZ9hBPFXEh6xEn8lj29NvmZu0K92LQ0dryyA:Tn3x/lsmZuLO15C
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Egijmegb.exeLnqeqd32.exeBqilgmdg.exeGkiaej32.exeAaiimadl.exeDekhneap.exeHnagak32.exeKdgljmcd.exeCajlhqjp.exeBopocbcq.exeBaocghgi.exePlejdkmm.exePjcbbmif.exeAfjeceml.exeNoehba32.exePhcomcng.exeQlggjk32.exeGigaka32.exeMplhql32.exePmoahijl.exeKldmckic.exeHpmpnp32.exeEfccmidp.exeAejfpjne.exeFdegandp.exeAgdhbi32.exeFdfmlhna.exeKihnmohm.exePgflqkdd.exeGnmnfkia.exeHkjafn32.exeEhjlaaig.exeNggjdc32.exeOdkjng32.exePggbkagp.exeDdakjkqi.exeKnbbep32.exeJfpojead.exeMcmabg32.exeLhijijbg.exeIkejgf32.exeGkoiefmj.exeHelfik32.exeAbponp32.exeCcbadp32.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egijmegb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqeqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqilgmdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkiaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaiimadl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dekhneap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagak32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgljmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egijmegb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajlhqjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopocbcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baocghgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcbbmif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noehba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcomcng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mplhql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmoahijl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kldmckic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efccmidp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejfpjne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdegandp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdhbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdfmlhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihnmohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgflqkdd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnmnfkia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjlaaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggjdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odkjng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggbkagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddakjkqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbbep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfpojead.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcmabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikejgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkoiefmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helfik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abponp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" -
Executes dropped EXE 64 IoCs
Processes:
Lcgblncm.exeMjqjih32.exeMahbje32.exeMdfofakp.exeMkpgck32.exeMjcgohig.exeMpmokb32.exeMcklgm32.exeMkbchk32.exeMpolqa32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMglack32.exeMnfipekh.exeMdpalp32.exeNkjjij32.exeNnhfee32.exeNdbnboqb.exeNklfoi32.exeNnjbke32.exeNqklmpdd.exeNnolfdcn.exeNjfmke32.exeNbmelbid.exeOgjmdigk.exeOndeac32.exeOdnnnnfe.exeOgljjiei.exeOkhfjh32.exeOcckojkm.exeOjmcld32.exeObdkma32.exeOgaceh32.exeOkloegjl.exeObfhba32.exeOcgdji32.exeOkolkg32.exeObidhaog.exePcjapi32.exePgemphmn.exePnpemb32.exePeimil32.exePghieg32.exePjffbc32.exePqpnombl.exePcojkhap.exePndohaqe.exePcagphom.exePkhoae32.exePnfkma32.exePaegjl32.exePkjlge32.exePnihcq32.exeQgallfcq.exeQjpiha32.exeQeemej32.exeQloebdig.exeQnnanphk.exeQalnjkgo.exeAgffge32.exeAjdbcano.exeAnpncp32.exeAejfpjne.exepid process 1332 Lcgblncm.exe 1536 Mjqjih32.exe 2804 Mahbje32.exe 4504 Mdfofakp.exe 3504 Mkpgck32.exe 3040 Mjcgohig.exe 3312 Mpmokb32.exe 3944 Mcklgm32.exe 4280 Mkbchk32.exe 2740 Mpolqa32.exe 2828 Mgidml32.exe 392 Mjhqjg32.exe 4180 Maohkd32.exe 1512 Mglack32.exe 1036 Mnfipekh.exe 1548 Mdpalp32.exe 2148 Nkjjij32.exe 3384 Nnhfee32.exe 1404 Ndbnboqb.exe 1776 Nklfoi32.exe 5096 Nnjbke32.exe 1008 Nqklmpdd.exe 4712 Nnolfdcn.exe 1416 Njfmke32.exe 760 Nbmelbid.exe 4608 Ogjmdigk.exe 1740 Ondeac32.exe 3656 Odnnnnfe.exe 2508 Ogljjiei.exe 5068 Okhfjh32.exe 396 Occkojkm.exe 3452 Ojmcld32.exe 3812 Obdkma32.exe 2216 Ogaceh32.exe 2660 Okloegjl.exe 924 Obfhba32.exe 2040 Ocgdji32.exe 4912 Okolkg32.exe 1836 Obidhaog.exe 1084 Pcjapi32.exe 3388 Pgemphmn.exe 3304 Pnpemb32.exe 2024 Peimil32.exe 1360 Pghieg32.exe 1868 Pjffbc32.exe 2276 Pqpnombl.exe 2512 Pcojkhap.exe 3224 Pndohaqe.exe 2668 Pcagphom.exe 1040 Pkhoae32.exe 3288 Pnfkma32.exe 2596 Paegjl32.exe 2228 Pkjlge32.exe 4692 Pnihcq32.exe 5108 Qgallfcq.exe 5092 Qjpiha32.exe 4320 Qeemej32.exe 4908 Qloebdig.exe 688 Qnnanphk.exe 1716 Qalnjkgo.exe 2080 Agffge32.exe 4204 Ajdbcano.exe 1612 Anpncp32.exe 3076 Aejfpjne.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ihphkl32.exeFfddka32.exeEgnchd32.exeOjjolnaq.exeGkkojgao.exeLmbmibhb.exeBiadeoce.exeFhjfhl32.exeIfdonfka.exeFdhcgaic.exeJkjcbe32.exePkenjh32.exeFddqghpd.exeMidfokpm.exeIcplcpgo.exeJbkbpoog.exeKdgljmcd.exeNcdgcf32.exeAlkdnboj.exeIpknlb32.exeFfclcgfn.exeElppfmoo.exeDelnin32.exeIgchfiof.exeLdleel32.exeGgeboaob.exeGlgjlm32.exeHckjacjg.exeQohpkf32.exeFacqkg32.exeJcefno32.exeCibmlmeb.exeKbekqdjh.exeEhailbaa.exeCjnffjkl.exeNdbnboqb.exeDahode32.exeBfngdn32.exeLiimncmf.exedescription ioc process File created C:\Windows\SysWOW64\Emmoafdl.dll Ihphkl32.exe File opened for modification C:\Windows\SysWOW64\Fhcpgmjf.exe Ffddka32.exe File created C:\Windows\SysWOW64\Qbkbgfif.dll Egnchd32.exe File created C:\Windows\SysWOW64\Bmfpfmmm.dll Ojjolnaq.exe File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe Gkkojgao.exe File opened for modification C:\Windows\SysWOW64\Ldleel32.exe Lmbmibhb.exe File opened for modification C:\Windows\SysWOW64\Pnplfj32.exe File opened for modification C:\Windows\SysWOW64\Ncofplba.exe File created C:\Windows\SysWOW64\Odjeljhd.exe File created C:\Windows\SysWOW64\Lnmeliho.dll Biadeoce.exe File created C:\Windows\SysWOW64\Nhmofj32.exe File created C:\Windows\SysWOW64\Gododflk.exe Fhjfhl32.exe File created C:\Windows\SysWOW64\Iickkbje.exe Ifdonfka.exe File opened for modification C:\Windows\SysWOW64\Fggocmhf.exe Fdhcgaic.exe File created C:\Windows\SysWOW64\Dphefd32.dll Jkjcbe32.exe File created C:\Windows\SysWOW64\Pcmeke32.exe Pkenjh32.exe File created C:\Windows\SysWOW64\Gedapeof.dll File opened for modification C:\Windows\SysWOW64\Nndjndbh.exe File created C:\Windows\SysWOW64\Aknifq32.exe File created C:\Windows\SysWOW64\Omnlgb32.dll Fddqghpd.exe File created C:\Windows\SysWOW64\Ohnefj32.dll Midfokpm.exe File created C:\Windows\SysWOW64\Phdnngdn.exe File created C:\Windows\SysWOW64\Jeaikh32.exe Icplcpgo.exe File opened for modification C:\Windows\SysWOW64\Kdinljnk.exe Jbkbpoog.exe File created C:\Windows\SysWOW64\Gfkfpo32.dll Kdgljmcd.exe File created C:\Windows\SysWOW64\Njnpppkn.exe Ncdgcf32.exe File created C:\Windows\SysWOW64\Jlkipgpe.exe File created C:\Windows\SysWOW64\Habmmpbg.dll Alkdnboj.exe File created C:\Windows\SysWOW64\Ifefimom.exe Ipknlb32.exe File created C:\Windows\SysWOW64\Ejhmqp32.dll Ffclcgfn.exe File opened for modification C:\Windows\SysWOW64\Olicnfco.exe File created C:\Windows\SysWOW64\Dbkqfe32.exe File created C:\Windows\SysWOW64\Cboeco32.dll File opened for modification C:\Windows\SysWOW64\Bknlbhhe.exe File created C:\Windows\SysWOW64\Ecjhcg32.exe Elppfmoo.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Delnin32.exe File opened for modification C:\Windows\SysWOW64\Inmpcc32.exe Igchfiof.exe File created C:\Windows\SysWOW64\Qfdngj32.dll File created C:\Windows\SysWOW64\Hlegnjbm.exe File opened for modification C:\Windows\SysWOW64\Lfkaag32.exe Ldleel32.exe File created C:\Windows\SysWOW64\Lciagi32.dll Ggeboaob.exe File opened for modification C:\Windows\SysWOW64\Gdobnj32.exe Glgjlm32.exe File created C:\Windows\SysWOW64\Imhkcaln.dll Hckjacjg.exe File created C:\Windows\SysWOW64\Qaflgago.exe Qohpkf32.exe File created C:\Windows\SysWOW64\Kednfemc.dll Facqkg32.exe File opened for modification C:\Windows\SysWOW64\Ilccoh32.exe File created C:\Windows\SysWOW64\Pecellgl.exe File opened for modification C:\Windows\SysWOW64\Nnafno32.exe File created C:\Windows\SysWOW64\Ckbemgcp.exe File created C:\Windows\SysWOW64\Jefbfgig.exe Jcefno32.exe File created C:\Windows\SysWOW64\Aojjhafd.dll Cibmlmeb.exe File created C:\Windows\SysWOW64\Kechmoil.exe Kbekqdjh.exe File created C:\Windows\SysWOW64\Qeekll32.dll Ehailbaa.exe File created C:\Windows\SysWOW64\Omlokmha.dll Fdhcgaic.exe File created C:\Windows\SysWOW64\Cmmbbejp.exe Cjnffjkl.exe File created C:\Windows\SysWOW64\Jcdala32.exe File created C:\Windows\SysWOW64\Mnhdgpii.exe File created C:\Windows\SysWOW64\Nklfoi32.exe Ndbnboqb.exe File opened for modification C:\Windows\SysWOW64\Ddgkpp32.exe Dahode32.exe File opened for modification C:\Windows\SysWOW64\Dojqjdbl.exe File created C:\Windows\SysWOW64\Bhldpj32.exe Bfngdn32.exe File opened for modification C:\Windows\SysWOW64\Jepjhg32.exe File created C:\Windows\SysWOW64\Pcmdgodo.dll File created C:\Windows\SysWOW64\Llgjjnlj.exe Liimncmf.exe -
Program crash 1 IoCs
Processes:
pid pid_target process target process 13500 11440 -
Modifies registry class 64 IoCs
Processes:
Fohoigfh.exeAqaffn32.exeDinmhkke.exeBjlpjm32.exeQnnanphk.exeCklaknjd.exeFacqkg32.exeIdkbkl32.exeJjamia32.exeMlnipg32.exePqcjepfo.exeBcoenmao.exeIkfabm32.exeAopmfk32.exeBiadeoce.exeNbnpcj32.exeFcniglmb.exeNchjdo32.exeEfccmidp.exeCceddf32.exeJibmgi32.exeKbbhqn32.exeEhljfnpn.exeLdleel32.exeDjfcaohp.exeGigheh32.exeNajceeoo.exeGblngpbd.exeDfgcakon.exeKfmepi32.exeDgbdlf32.exeGdfoio32.exeMhdckaeo.exePnfdcjkg.exeIbkpcg32.exeQqhcpo32.exeKiggbhda.exeOkchnk32.exeMdmnlj32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fohoigfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbiaci32.dll" Aqaffn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dinmhkke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogacbllg.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnnanphk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklaknjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Facqkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idkbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjamia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galdglpd.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlnipg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqcjepfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbnffffp.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpkgc32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" Bcoenmao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikfabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aopmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmeal32.dll" Nbnpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmheim32.dll" Fcniglmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enabbk32.dll" Efccmidp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimcmnpn.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffkcnbje.dll" Jibmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpjda32.dll" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehljfnpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll" Ldleel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djfcaohp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbilgi32.dll" Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbiffko.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmmkl32.dll" Mlnipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcpka32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gblngpbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnffda32.dll" Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginacp32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfmepi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjdgbbi.dll" Gdfoio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhdckaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcgdbco.dll" Ibkpcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqhcpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiggbhda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okchnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdmnlj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exeLcgblncm.exeMjqjih32.exeMahbje32.exeMdfofakp.exeMkpgck32.exeMjcgohig.exeMpmokb32.exeMcklgm32.exeMkbchk32.exeMpolqa32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMglack32.exeMnfipekh.exeMdpalp32.exeNkjjij32.exeNnhfee32.exeNdbnboqb.exeNklfoi32.exeNnjbke32.exedescription pid process target process PID 1768 wrote to memory of 1332 1768 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe Lcgblncm.exe PID 1768 wrote to memory of 1332 1768 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe Lcgblncm.exe PID 1768 wrote to memory of 1332 1768 632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe Lcgblncm.exe PID 1332 wrote to memory of 1536 1332 Lcgblncm.exe Mjqjih32.exe PID 1332 wrote to memory of 1536 1332 Lcgblncm.exe Mjqjih32.exe PID 1332 wrote to memory of 1536 1332 Lcgblncm.exe Mjqjih32.exe PID 1536 wrote to memory of 2804 1536 Mjqjih32.exe Mahbje32.exe PID 1536 wrote to memory of 2804 1536 Mjqjih32.exe Mahbje32.exe PID 1536 wrote to memory of 2804 1536 Mjqjih32.exe Mahbje32.exe PID 2804 wrote to memory of 4504 2804 Mahbje32.exe Mdfofakp.exe PID 2804 wrote to memory of 4504 2804 Mahbje32.exe Mdfofakp.exe PID 2804 wrote to memory of 4504 2804 Mahbje32.exe Mdfofakp.exe PID 4504 wrote to memory of 3504 4504 Mdfofakp.exe Mkpgck32.exe PID 4504 wrote to memory of 3504 4504 Mdfofakp.exe Mkpgck32.exe PID 4504 wrote to memory of 3504 4504 Mdfofakp.exe Mkpgck32.exe PID 3504 wrote to memory of 3040 3504 Mkpgck32.exe Mjcgohig.exe PID 3504 wrote to memory of 3040 3504 Mkpgck32.exe Mjcgohig.exe PID 3504 wrote to memory of 3040 3504 Mkpgck32.exe Mjcgohig.exe PID 3040 wrote to memory of 3312 3040 Mjcgohig.exe Mpmokb32.exe PID 3040 wrote to memory of 3312 3040 Mjcgohig.exe Mpmokb32.exe PID 3040 wrote to memory of 3312 3040 Mjcgohig.exe Mpmokb32.exe PID 3312 wrote to memory of 3944 3312 Mpmokb32.exe Mcklgm32.exe PID 3312 wrote to memory of 3944 3312 Mpmokb32.exe Mcklgm32.exe PID 3312 wrote to memory of 3944 3312 Mpmokb32.exe Mcklgm32.exe PID 3944 wrote to memory of 4280 3944 Mcklgm32.exe Mkbchk32.exe PID 3944 wrote to memory of 4280 3944 Mcklgm32.exe Mkbchk32.exe PID 3944 wrote to memory of 4280 3944 Mcklgm32.exe Mkbchk32.exe PID 4280 wrote to memory of 2740 4280 Mkbchk32.exe Mpolqa32.exe PID 4280 wrote to memory of 2740 4280 Mkbchk32.exe Mpolqa32.exe PID 4280 wrote to memory of 2740 4280 Mkbchk32.exe Mpolqa32.exe PID 2740 wrote to memory of 2828 2740 Mpolqa32.exe Mgidml32.exe PID 2740 wrote to memory of 2828 2740 Mpolqa32.exe Mgidml32.exe PID 2740 wrote to memory of 2828 2740 Mpolqa32.exe Mgidml32.exe PID 2828 wrote to memory of 392 2828 Mgidml32.exe Mjhqjg32.exe PID 2828 wrote to memory of 392 2828 Mgidml32.exe Mjhqjg32.exe PID 2828 wrote to memory of 392 2828 Mgidml32.exe Mjhqjg32.exe PID 392 wrote to memory of 4180 392 Mjhqjg32.exe Maohkd32.exe PID 392 wrote to memory of 4180 392 Mjhqjg32.exe Maohkd32.exe PID 392 wrote to memory of 4180 392 Mjhqjg32.exe Maohkd32.exe PID 4180 wrote to memory of 1512 4180 Maohkd32.exe Mglack32.exe PID 4180 wrote to memory of 1512 4180 Maohkd32.exe Mglack32.exe PID 4180 wrote to memory of 1512 4180 Maohkd32.exe Mglack32.exe PID 1512 wrote to memory of 1036 1512 Mglack32.exe Mnfipekh.exe PID 1512 wrote to memory of 1036 1512 Mglack32.exe Mnfipekh.exe PID 1512 wrote to memory of 1036 1512 Mglack32.exe Mnfipekh.exe PID 1036 wrote to memory of 1548 1036 Mnfipekh.exe Mdpalp32.exe PID 1036 wrote to memory of 1548 1036 Mnfipekh.exe Mdpalp32.exe PID 1036 wrote to memory of 1548 1036 Mnfipekh.exe Mdpalp32.exe PID 1548 wrote to memory of 2148 1548 Mdpalp32.exe Nkjjij32.exe PID 1548 wrote to memory of 2148 1548 Mdpalp32.exe Nkjjij32.exe PID 1548 wrote to memory of 2148 1548 Mdpalp32.exe Nkjjij32.exe PID 2148 wrote to memory of 3384 2148 Nkjjij32.exe Nnhfee32.exe PID 2148 wrote to memory of 3384 2148 Nkjjij32.exe Nnhfee32.exe PID 2148 wrote to memory of 3384 2148 Nkjjij32.exe Nnhfee32.exe PID 3384 wrote to memory of 1404 3384 Nnhfee32.exe Ndbnboqb.exe PID 3384 wrote to memory of 1404 3384 Nnhfee32.exe Ndbnboqb.exe PID 3384 wrote to memory of 1404 3384 Nnhfee32.exe Ndbnboqb.exe PID 1404 wrote to memory of 1776 1404 Ndbnboqb.exe Nklfoi32.exe PID 1404 wrote to memory of 1776 1404 Ndbnboqb.exe Nklfoi32.exe PID 1404 wrote to memory of 1776 1404 Ndbnboqb.exe Nklfoi32.exe PID 1776 wrote to memory of 5096 1776 Nklfoi32.exe Nnjbke32.exe PID 1776 wrote to memory of 5096 1776 Nklfoi32.exe Nnjbke32.exe PID 1776 wrote to memory of 5096 1776 Nklfoi32.exe Nnjbke32.exe PID 5096 wrote to memory of 1008 5096 Nnjbke32.exe Nqklmpdd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe"C:\Users\Admin\AppData\Local\Temp\632f0dcbf96e6ff877a4308060341d8e8e7b02d27c8754c12219ea2e3366becf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Lcgblncm.exeC:\Windows\system32\Lcgblncm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Mpmokb32.exeC:\Windows\system32\Mpmokb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Mgidml32.exeC:\Windows\system32\Mgidml32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Ndbnboqb.exeC:\Windows\system32\Ndbnboqb.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe23⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe24⤵
- Executes dropped EXE
PID:4712 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe25⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe26⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe27⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe28⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Odnnnnfe.exeC:\Windows\system32\Odnnnnfe.exe29⤵
- Executes dropped EXE
PID:3656 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe30⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe31⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe32⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe33⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe34⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe35⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe36⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe37⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe38⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe39⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe40⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe41⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Pgemphmn.exeC:\Windows\system32\Pgemphmn.exe42⤵
- Executes dropped EXE
PID:3388 -
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe43⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe44⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe45⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe46⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe47⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Pcojkhap.exeC:\Windows\system32\Pcojkhap.exe48⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe49⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Pcagphom.exeC:\Windows\system32\Pcagphom.exe50⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe51⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe52⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe53⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe54⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe55⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe56⤵
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe57⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe58⤵
- Executes dropped EXE
PID:4320 -
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe59⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe61⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe62⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe63⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe64⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe66⤵PID:2088
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe67⤵PID:2092
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe68⤵PID:884
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe69⤵PID:4276
-
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe70⤵PID:2392
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe71⤵PID:4916
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe72⤵PID:2136
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe73⤵PID:2204
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe74⤵PID:3840
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe75⤵
- Drops file in System32 directory
PID:4520 -
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe76⤵PID:228
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe77⤵PID:4144
-
C:\Windows\SysWOW64\Bdfibe32.exeC:\Windows\system32\Bdfibe32.exe78⤵PID:744
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe79⤵PID:5048
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe80⤵PID:2156
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe81⤵PID:2268
-
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe82⤵PID:4568
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe83⤵PID:3104
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe84⤵PID:4388
-
C:\Windows\SysWOW64\Baocghgi.exeC:\Windows\system32\Baocghgi.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3212 -
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe86⤵PID:3796
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe87⤵PID:2384
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe88⤵PID:3236
-
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe89⤵PID:1644
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe90⤵PID:3628
-
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe91⤵PID:2288
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe92⤵PID:3308
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe93⤵
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe94⤵PID:4492
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe95⤵PID:4240
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe96⤵PID:5028
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe97⤵PID:2408
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe98⤵PID:2920
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe99⤵PID:3976
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe100⤵PID:5076
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe101⤵PID:3980
-
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe102⤵PID:2056
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe103⤵PID:752
-
C:\Windows\SysWOW64\Conclk32.exeC:\Windows\system32\Conclk32.exe104⤵PID:3476
-
C:\Windows\SysWOW64\Camphf32.exeC:\Windows\system32\Camphf32.exe105⤵PID:2504
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe106⤵PID:3584
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe107⤵PID:1892
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe108⤵PID:4120
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4904 -
C:\Windows\SysWOW64\Dhidjpqc.exeC:\Windows\system32\Dhidjpqc.exe110⤵PID:2520
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe111⤵PID:4244
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe112⤵PID:2316
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe113⤵PID:2576
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe114⤵PID:4052
-
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe115⤵PID:888
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe116⤵PID:3440
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe117⤵PID:2964
-
C:\Windows\SysWOW64\Dlijfneg.exeC:\Windows\system32\Dlijfneg.exe118⤵PID:4100
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe119⤵PID:4460
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe120⤵PID:4700
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe121⤵PID:4696
-
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe122⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe123⤵PID:1344
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe124⤵PID:5136
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe125⤵PID:5180
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe126⤵PID:5224
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe127⤵PID:5268
-
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe128⤵
- Drops file in System32 directory
PID:5312 -
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe129⤵PID:5356
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe130⤵PID:5400
-
C:\Windows\SysWOW64\Elbmlmml.exeC:\Windows\system32\Elbmlmml.exe131⤵PID:5440
-
C:\Windows\SysWOW64\Eoaihhlp.exeC:\Windows\system32\Eoaihhlp.exe132⤵PID:5480
-
C:\Windows\SysWOW64\Eapedd32.exeC:\Windows\system32\Eapedd32.exe133⤵PID:5524
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe134⤵PID:5572
-
C:\Windows\SysWOW64\Eleiam32.exeC:\Windows\system32\Eleiam32.exe135⤵PID:5616
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe136⤵PID:5656
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe137⤵PID:5700
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe138⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Ekjfcipa.exeC:\Windows\system32\Ekjfcipa.exe139⤵PID:5784
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe140⤵PID:5832
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe141⤵PID:5872
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe142⤵
- Modifies registry class
PID:5916 -
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe143⤵PID:5960
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6004 -
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe145⤵PID:6052
-
C:\Windows\SysWOW64\Fcfhof32.exeC:\Windows\system32\Fcfhof32.exe146⤵PID:6096
-
C:\Windows\SysWOW64\Ffddka32.exeC:\Windows\system32\Ffddka32.exe147⤵
- Drops file in System32 directory
PID:6132 -
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe148⤵PID:5156
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe149⤵PID:5244
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe150⤵PID:5296
-
C:\Windows\SysWOW64\Fdialn32.exeC:\Windows\system32\Fdialn32.exe151⤵PID:5380
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe152⤵PID:5452
-
C:\Windows\SysWOW64\Fooeif32.exeC:\Windows\system32\Fooeif32.exe153⤵PID:5520
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe154⤵PID:5592
-
C:\Windows\SysWOW64\Fhgjblfq.exeC:\Windows\system32\Fhgjblfq.exe155⤵PID:5652
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe156⤵PID:5684
-
C:\Windows\SysWOW64\Fcmnpe32.exeC:\Windows\system32\Fcmnpe32.exe157⤵PID:5792
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe158⤵PID:5852
-
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe159⤵
- Drops file in System32 directory
PID:5928 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe160⤵PID:5992
-
C:\Windows\SysWOW64\Gbbkaako.exeC:\Windows\system32\Gbbkaako.exe161⤵PID:6064
-
C:\Windows\SysWOW64\Ghlcnk32.exeC:\Windows\system32\Ghlcnk32.exe162⤵PID:6124
-
C:\Windows\SysWOW64\Gkkojgao.exeC:\Windows\system32\Gkkojgao.exe163⤵
- Drops file in System32 directory
PID:5200 -
C:\Windows\SysWOW64\Gcagkdba.exeC:\Windows\system32\Gcagkdba.exe164⤵PID:5280
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe165⤵PID:5428
-
C:\Windows\SysWOW64\Ghopckpi.exeC:\Windows\system32\Ghopckpi.exe166⤵PID:5532
-
C:\Windows\SysWOW64\Gohhpe32.exeC:\Windows\system32\Gohhpe32.exe167⤵PID:5644
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe168⤵PID:5764
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe169⤵PID:5860
-
C:\Windows\SysWOW64\Gkoiefmj.exeC:\Windows\system32\Gkoiefmj.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6000 -
C:\Windows\SysWOW64\Gcfqfc32.exeC:\Windows\system32\Gcfqfc32.exe171⤵PID:6092
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe172⤵PID:5208
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe173⤵PID:5388
-
C:\Windows\SysWOW64\Gomakdcp.exeC:\Windows\system32\Gomakdcp.exe174⤵PID:5508
-
C:\Windows\SysWOW64\Gblngpbd.exeC:\Windows\system32\Gblngpbd.exe175⤵
- Modifies registry class
PID:5728 -
C:\Windows\SysWOW64\Gdjjckag.exeC:\Windows\system32\Gdjjckag.exe176⤵PID:5904
-
C:\Windows\SysWOW64\Hkdbpe32.exeC:\Windows\system32\Hkdbpe32.exe177⤵PID:6044
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe178⤵
- Drops file in System32 directory
PID:3296 -
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe179⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5476 -
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe180⤵PID:5868
-
C:\Windows\SysWOW64\Hcmgfbhd.exeC:\Windows\system32\Hcmgfbhd.exe181⤵PID:6024
-
C:\Windows\SysWOW64\Hflcbngh.exeC:\Windows\system32\Hflcbngh.exe182⤵PID:5392
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe183⤵PID:5840
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe184⤵PID:5216
-
C:\Windows\SysWOW64\Hbbdholl.exeC:\Windows\system32\Hbbdholl.exe185⤵PID:6048
-
C:\Windows\SysWOW64\Himldi32.exeC:\Windows\system32\Himldi32.exe186⤵PID:5956
-
C:\Windows\SysWOW64\Hmhhehlb.exeC:\Windows\system32\Hmhhehlb.exe187⤵PID:5752
-
C:\Windows\SysWOW64\Hofdacke.exeC:\Windows\system32\Hofdacke.exe188⤵PID:6196
-
C:\Windows\SysWOW64\Hfqlnm32.exeC:\Windows\system32\Hfqlnm32.exe189⤵PID:6236
-
C:\Windows\SysWOW64\Hmjdjgjo.exeC:\Windows\system32\Hmjdjgjo.exe190⤵PID:6276
-
C:\Windows\SysWOW64\Hkmefd32.exeC:\Windows\system32\Hkmefd32.exe191⤵PID:6320
-
C:\Windows\SysWOW64\Hcdmga32.exeC:\Windows\system32\Hcdmga32.exe192⤵PID:6360
-
C:\Windows\SysWOW64\Hbgmcnhf.exeC:\Windows\system32\Hbgmcnhf.exe193⤵PID:6396
-
C:\Windows\SysWOW64\Iefioj32.exeC:\Windows\system32\Iefioj32.exe194⤵PID:6444
-
C:\Windows\SysWOW64\Ipknlb32.exeC:\Windows\system32\Ipknlb32.exe195⤵
- Drops file in System32 directory
PID:6488 -
C:\Windows\SysWOW64\Ifefimom.exeC:\Windows\system32\Ifefimom.exe196⤵PID:6532
-
C:\Windows\SysWOW64\Iicbehnq.exeC:\Windows\system32\Iicbehnq.exe197⤵PID:6572
-
C:\Windows\SysWOW64\Ikbnacmd.exeC:\Windows\system32\Ikbnacmd.exe198⤵PID:6612
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe199⤵PID:6652
-
C:\Windows\SysWOW64\Ifgbnlmj.exeC:\Windows\system32\Ifgbnlmj.exe200⤵PID:6696
-
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe201⤵PID:6736
-
C:\Windows\SysWOW64\Ippggbck.exeC:\Windows\system32\Ippggbck.exe202⤵PID:6772
-
C:\Windows\SysWOW64\Ibnccmbo.exeC:\Windows\system32\Ibnccmbo.exe203⤵PID:6824
-
C:\Windows\SysWOW64\Iihkpg32.exeC:\Windows\system32\Iihkpg32.exe204⤵PID:6868
-
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe205⤵PID:6904
-
C:\Windows\SysWOW64\Ipbdmaah.exeC:\Windows\system32\Ipbdmaah.exe206⤵PID:6948
-
C:\Windows\SysWOW64\Ibqpimpl.exeC:\Windows\system32\Ibqpimpl.exe207⤵PID:7000
-
C:\Windows\SysWOW64\Ieolehop.exeC:\Windows\system32\Ieolehop.exe208⤵PID:7044
-
C:\Windows\SysWOW64\Ilidbbgl.exeC:\Windows\system32\Ilidbbgl.exe209⤵PID:7088
-
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe210⤵
- Drops file in System32 directory
PID:7132 -
C:\Windows\SysWOW64\Jeaikh32.exeC:\Windows\system32\Jeaikh32.exe211⤵PID:5240
-
C:\Windows\SysWOW64\Jmhale32.exeC:\Windows\system32\Jmhale32.exe212⤵PID:6184
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe213⤵PID:6264
-
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe214⤵PID:6348
-
C:\Windows\SysWOW64\Jioaqfcc.exeC:\Windows\system32\Jioaqfcc.exe215⤵PID:6412
-
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe216⤵PID:6476
-
C:\Windows\SysWOW64\Jcefno32.exeC:\Windows\system32\Jcefno32.exe217⤵
- Drops file in System32 directory
PID:6548 -
C:\Windows\SysWOW64\Jefbfgig.exeC:\Windows\system32\Jefbfgig.exe218⤵PID:6620
-
C:\Windows\SysWOW64\Jmmjgejj.exeC:\Windows\system32\Jmmjgejj.exe219⤵PID:6684
-
C:\Windows\SysWOW64\Jlpkba32.exeC:\Windows\system32\Jlpkba32.exe220⤵PID:6744
-
C:\Windows\SysWOW64\Jcgbco32.exeC:\Windows\system32\Jcgbco32.exe221⤵PID:6812
-
C:\Windows\SysWOW64\Jfeopj32.exeC:\Windows\system32\Jfeopj32.exe222⤵PID:6896
-
C:\Windows\SysWOW64\Jidklf32.exeC:\Windows\system32\Jidklf32.exe223⤵PID:6944
-
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe224⤵PID:7020
-
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe225⤵PID:7084
-
C:\Windows\SysWOW64\Jeklag32.exeC:\Windows\system32\Jeklag32.exe226⤵PID:7156
-
C:\Windows\SysWOW64\Jlednamo.exeC:\Windows\system32\Jlednamo.exe227⤵PID:6248
-
C:\Windows\SysWOW64\Jcllonma.exeC:\Windows\system32\Jcllonma.exe228⤵PID:6356
-
C:\Windows\SysWOW64\Kfjhkjle.exeC:\Windows\system32\Kfjhkjle.exe229⤵PID:6460
-
C:\Windows\SysWOW64\Kiidgeki.exeC:\Windows\system32\Kiidgeki.exe230⤵PID:6604
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe231⤵PID:6680
-
C:\Windows\SysWOW64\Kdnidn32.exeC:\Windows\system32\Kdnidn32.exe232⤵PID:6808
-
C:\Windows\SysWOW64\Kfmepi32.exeC:\Windows\system32\Kfmepi32.exe233⤵
- Modifies registry class
PID:6928 -
C:\Windows\SysWOW64\Kmfmmcbo.exeC:\Windows\system32\Kmfmmcbo.exe234⤵PID:7028
-
C:\Windows\SysWOW64\Kpeiioac.exeC:\Windows\system32\Kpeiioac.exe235⤵PID:7164
-
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe236⤵PID:6304
-
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe237⤵PID:6484
-
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe238⤵PID:6672
-
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe239⤵PID:6836
-
C:\Windows\SysWOW64\Kfankifm.exeC:\Windows\system32\Kfankifm.exe240⤵PID:7008
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe241⤵PID:7068
-
C:\Windows\SysWOW64\Klngdpdd.exeC:\Windows\system32\Klngdpdd.exe242⤵PID:6452