Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05-03-2024 18:34
Static task
static1
Behavioral task
behavioral1
Sample
22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe
Resource
win10v2004-20240226-en
General
-
Target
22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe
-
Size
163KB
-
MD5
bc165a02361411203a67b93723f1854f
-
SHA1
bea74d163740c55ed9838985f5210630b7c0d94a
-
SHA256
22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e
-
SHA512
3e877568b844a31665e77698d0f9ad3321b84b18750fe2f745bf02f4569500fce5080fcf74bb14b6778cc718288ffd12a68cfb6e9ddbb05472e4b5a0fe61ff85
-
SSDEEP
1536:Pllp8hWR8XZFT06Rnm+sEWoB6ovcCNLTum6ZlProNVU4qNVUrk/9QbfBr+7GwKrj:db8lmVEWg6Wcub6ZltOrWKDBr+yJb
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenamdem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcbbmif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbmefbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acocaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmfhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnjmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojalgcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkceffcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eekaebcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecoangbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqfmde32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anogiicl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkgmcjld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnakhkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipabjil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceonl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojalgcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhpjkojk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfngap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblngpbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqnaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkepnjng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdkoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjokdipf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajcbgml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbmka32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbnmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpaldog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbjcolha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mipcob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mplhql32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgefeajb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okhfjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoiefmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjjckag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcfkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lllcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okhfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peljol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agffge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfkgjdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdqjceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alfkbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpgbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lboeaifi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmkjkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncmjfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbcilkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcioiood.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpppnp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chokikeb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdbcano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Becifhfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdolhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chbnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddbbeade.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbddcoei.exe -
Detects executables built or packed with MPress PE compressor 57 IoCs
resource yara_rule behavioral2/files/0x000300000001e9a0-7.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000d0000000231b0-15.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/396-16-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023220-23.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/1548-24-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023222-31.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/864-33-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023224-39.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023226-47.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023228-56.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002322b-65.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002322d-71.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002322f-80.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023231-88.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023233-96.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023235-104.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023237-112.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002323b-127.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002323d-135.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002323f-141.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4336-142-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023239-120.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023241-150.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023243-159.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023245-166.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023247-174.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/456-176-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023249-182.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4332-184-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002324b-190.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/4372-196-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x000a0000000231ce-198.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002324e-206.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/3776-208-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023250-214.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/1344-216-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023252-222.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023254-230.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023256-239.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023258-246.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002325a-254.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002326c-305.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002327a-347.dat INDICATOR_EXE_Packed_MPress behavioral2/memory/5048-400-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023290-413.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023298-437.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000232b4-520.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000233c9-1350.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000233d5-1381.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234c0-2065.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000234d4-2127.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000235ee-2933.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x00070000000235f6-2956.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023600-2984.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023614-3041.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x000700000002361c-3065.dat INDICATOR_EXE_Packed_MPress behavioral2/files/0x0007000000023622-3081.dat INDICATOR_EXE_Packed_MPress -
UPX dump on OEP (original entry point) 61 IoCs
resource yara_rule behavioral2/files/0x000300000001e9a0-7.dat UPX behavioral2/files/0x000d0000000231b0-15.dat UPX behavioral2/files/0x0007000000023220-23.dat UPX behavioral2/files/0x0007000000023222-31.dat UPX behavioral2/files/0x0007000000023224-39.dat UPX behavioral2/files/0x0007000000023226-47.dat UPX behavioral2/files/0x0007000000023228-56.dat UPX behavioral2/files/0x000700000002322b-65.dat UPX behavioral2/files/0x000700000002322d-71.dat UPX behavioral2/files/0x000700000002322f-80.dat UPX behavioral2/files/0x0007000000023231-88.dat UPX behavioral2/files/0x0007000000023233-96.dat UPX behavioral2/files/0x0007000000023235-104.dat UPX behavioral2/files/0x0007000000023237-112.dat UPX behavioral2/files/0x000700000002323b-127.dat UPX behavioral2/memory/5036-133-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x000700000002323d-135.dat UPX behavioral2/files/0x000700000002323f-141.dat UPX behavioral2/memory/4336-142-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023239-120.dat UPX behavioral2/memory/1596-144-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023241-150.dat UPX behavioral2/memory/4768-152-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023243-159.dat UPX behavioral2/memory/2996-160-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023245-166.dat UPX behavioral2/memory/4144-168-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023247-174.dat UPX behavioral2/memory/456-176-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023249-182.dat UPX behavioral2/memory/4332-184-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x000700000002324b-190.dat UPX behavioral2/memory/4372-196-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x000a0000000231ce-198.dat UPX behavioral2/files/0x000700000002324e-206.dat UPX behavioral2/memory/3776-208-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023250-214.dat UPX behavioral2/memory/1344-216-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023252-222.dat UPX behavioral2/files/0x0007000000023254-230.dat UPX behavioral2/files/0x0007000000023256-239.dat UPX behavioral2/files/0x0007000000023258-246.dat UPX behavioral2/files/0x000700000002325a-254.dat UPX behavioral2/files/0x000700000002326c-305.dat UPX behavioral2/files/0x000700000002327a-347.dat UPX behavioral2/memory/5048-400-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023290-413.dat UPX behavioral2/memory/4052-436-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x0007000000023298-437.dat UPX behavioral2/memory/2452-442-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/files/0x00070000000232b4-520.dat UPX behavioral2/files/0x00070000000233c9-1350.dat UPX behavioral2/files/0x00070000000233d5-1381.dat UPX behavioral2/files/0x00070000000234c0-2065.dat UPX behavioral2/files/0x00070000000234d4-2127.dat UPX behavioral2/files/0x00070000000235ee-2933.dat UPX behavioral2/files/0x00070000000235f6-2956.dat UPX behavioral2/files/0x0007000000023600-2984.dat UPX behavioral2/files/0x0007000000023614-3041.dat UPX behavioral2/files/0x000700000002361c-3065.dat UPX behavioral2/files/0x0007000000023622-3081.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 384 Kaqcbi32.exe 396 Kkihknfg.exe 1548 Kdaldd32.exe 864 Kbdmpqcb.exe 3640 Kinemkko.exe 2864 Kdcijcke.exe 2644 Kipabjil.exe 4968 Kmlnbi32.exe 4820 Kpjjod32.exe 1600 Kcifkp32.exe 4424 Kkpnlm32.exe 872 Kmnjhioc.exe 4616 Kpmfddnf.exe 4912 Kckbqpnj.exe 5036 Kkbkamnl.exe 3452 Lmqgnhmp.exe 4336 Lalcng32.exe 1596 Lpocjdld.exe 4768 Liggbi32.exe 2996 Lpappc32.exe 4144 Lcpllo32.exe 456 Lijdhiaa.exe 4332 Lnepih32.exe 4372 Ldohebqh.exe 3088 Lgneampk.exe 3776 Lnhmng32.exe 1344 Lpfijcfl.exe 1276 Lgpagm32.exe 4376 Lnjjdgee.exe 4984 Lphfpbdi.exe 3216 Lgbnmm32.exe 1804 Mahbje32.exe 3076 Mpkbebbf.exe 3596 Mgekbljc.exe 5068 Mjcgohig.exe 4676 Majopeii.exe 1592 Mdiklqhm.exe 3876 Mgghhlhq.exe 752 Mcnhmm32.exe 5100 Mkepnjng.exe 532 Mncmjfmk.exe 4012 Mcpebmkb.exe 4500 Mkgmcjld.exe 3536 Mpdelajl.exe 1320 Mcbahlip.exe 1872 Nnhfee32.exe 1084 Nqfbaq32.exe 3244 Nceonl32.exe 2572 Nddkgonp.exe 3168 Ngcgcjnc.exe 1376 Njacpf32.exe 1464 Nbhkac32.exe 3000 Ncihikcg.exe 5072 Njcpee32.exe 2424 Nbkhfc32.exe 5048 Ndidbn32.exe 3116 Nnaikd32.exe 412 Ndkahnhh.exe 1940 Ondeac32.exe 3448 Ocqnij32.exe 4956 Okhfjh32.exe 4052 Obangb32.exe 2452 Occkojkm.exe 1988 Okjbpglo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jnmkhg32.dll Ojalgcnd.exe File opened for modification C:\Windows\SysWOW64\Dlijfneg.exe Ddbbeade.exe File created C:\Windows\SysWOW64\Ohjgdmkj.dll Flceckoj.exe File created C:\Windows\SysWOW64\Ikkokgea.dll Lllcen32.exe File created C:\Windows\SysWOW64\Fbpnkama.exe Fcmnpe32.exe File opened for modification C:\Windows\SysWOW64\Bgcknmop.exe Bchomn32.exe File opened for modification C:\Windows\SysWOW64\Cmnpgb32.exe Cnkplejl.exe File created C:\Windows\SysWOW64\Gjihje32.dll Ddgkpp32.exe File created C:\Windows\SysWOW64\Ehedfo32.exe Eefhjc32.exe File created C:\Windows\SysWOW64\Ipenkiei.dll Ddbbeade.exe File created C:\Windows\SysWOW64\Enlqgg32.dll Hmjdjgjo.exe File created C:\Windows\SysWOW64\Imakkfdg.exe Iejcji32.exe File created C:\Windows\SysWOW64\Mipcob32.exe Medgncoe.exe File created C:\Windows\SysWOW64\Maghgl32.dll Aqppkd32.exe File created C:\Windows\SysWOW64\Nngcpm32.dll Lijdhiaa.exe File created C:\Windows\SysWOW64\Immapg32.exe Iefioj32.exe File created C:\Windows\SysWOW64\Npckna32.dll Nnhfee32.exe File opened for modification C:\Windows\SysWOW64\Bldgdago.exe Bdmpcdfm.exe File created C:\Windows\SysWOW64\Jpppnp32.exe Jlednamo.exe File opened for modification C:\Windows\SysWOW64\Kmfmmcbo.exe Kepelfam.exe File opened for modification C:\Windows\SysWOW64\Pdmpje32.exe Pmfhig32.exe File created C:\Windows\SysWOW64\Gkhbdg32.exe Fhjfhl32.exe File created C:\Windows\SysWOW64\Kpeiioac.exe Klimip32.exe File opened for modification C:\Windows\SysWOW64\Npmagine.exe Nnneknob.exe File created C:\Windows\SysWOW64\Llmglb32.dll Opdghh32.exe File opened for modification C:\Windows\SysWOW64\Nddkgonp.exe Nceonl32.exe File opened for modification C:\Windows\SysWOW64\Ogkcpbam.exe Opakbi32.exe File created C:\Windows\SysWOW64\Hpoddikd.dll Acnlgp32.exe File opened for modification C:\Windows\SysWOW64\Mdiklqhm.exe Majopeii.exe File created C:\Windows\SysWOW64\Ekipni32.dll Mcpebmkb.exe File created C:\Windows\SysWOW64\Pcnakq32.dll Ogcpjhoq.exe File created C:\Windows\SysWOW64\Dhbbhk32.dll Kpeiioac.exe File created C:\Windows\SysWOW64\Ofcmfodb.exe Ocdqjceo.exe File created C:\Windows\SysWOW64\Cmnpgb32.exe Cnkplejl.exe File opened for modification C:\Windows\SysWOW64\Edbklofb.exe Eepjpb32.exe File opened for modification C:\Windows\SysWOW64\Mplhql32.exe Mibpda32.exe File created C:\Windows\SysWOW64\Dqfhilhd.dll Aepefb32.exe File created C:\Windows\SysWOW64\Hfbcpl32.dll Chbnia32.exe File created C:\Windows\SysWOW64\Gofkje32.exe Gkkojgao.exe File opened for modification C:\Windows\SysWOW64\Jlpkba32.exe Jianff32.exe File created C:\Windows\SysWOW64\Olhlhjpd.exe Ojjolnaq.exe File opened for modification C:\Windows\SysWOW64\Pqknig32.exe Ojaelm32.exe File opened for modification C:\Windows\SysWOW64\Pdifoehl.exe Pqmjog32.exe File created C:\Windows\SysWOW64\Ndidbn32.exe Nbkhfc32.exe File opened for modification C:\Windows\SysWOW64\Ecoangbg.exe Eocenh32.exe File created C:\Windows\SysWOW64\Mpdelajl.exe Mkgmcjld.exe File created C:\Windows\SysWOW64\Kplpjn32.exe Kmncnb32.exe File opened for modification C:\Windows\SysWOW64\Ofeilobp.exe Ocgmpccl.exe File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe Cfpnph32.exe File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe Nbkhfc32.exe File created C:\Windows\SysWOW64\Ifjigbdo.dll Hcbpab32.exe File opened for modification C:\Windows\SysWOW64\Aglemn32.exe Aeniabfd.exe File opened for modification C:\Windows\SysWOW64\Cdabcm32.exe Cabfga32.exe File created C:\Windows\SysWOW64\Ogijli32.dll Lcpllo32.exe File opened for modification C:\Windows\SysWOW64\Ajdbcano.exe Agffge32.exe File created C:\Windows\SysWOW64\Ochpdn32.dll Pnfdcjkg.exe File opened for modification C:\Windows\SysWOW64\Afjlnk32.exe Agglboim.exe File created C:\Windows\SysWOW64\Keajjc32.dll Hoiafcic.exe File created C:\Windows\SysWOW64\Leedqpci.dll Ldjhpl32.exe File created C:\Windows\SysWOW64\Bclhhnca.exe Beihma32.exe File created C:\Windows\SysWOW64\Lcnhho32.dll Opakbi32.exe File created C:\Windows\SysWOW64\Pjdilcla.exe Pcjapi32.exe File created C:\Windows\SysWOW64\Acmflf32.exe Aanjpk32.exe File created C:\Windows\SysWOW64\Elhcgeja.dll Gblngpbd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12388 12308 WerFault.exe 609 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdaldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dekhneap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfoiokfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceqnmpfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmhja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhemmlhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikpaldog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqlehck.dll" Hihbijhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhoilahe.dll" Jmbdbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmqkjel.dll" Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllifblf.dll" Jfaedkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Higchddh.dll" Dceohhja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgapeea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peljol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogkcpbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdabcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pggbkagp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bclhhnca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahmlgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll" Imdgqfbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll" Mdckfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll" Kfjhkjle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcpnhfhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odapnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklaknjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll" Ilghlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll" Kkpnlm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjkombfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadbk32.dll" Fhemmlhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adecfl32.dll" Ipnjab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll" Ocbddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjpdi32.dll" Pkhoae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjegled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiejmbkl.dll" Obfhba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlbaq32.dll" Gcojed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" Pnonbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deanodkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llemdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcijeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ippggbck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmlbbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidjfdep.dll" Chghdqbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eocenh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcppfaka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dadeieea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbgkimpf.dll" Dkgqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hijooifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpnlpnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmbfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agkbbg32.dll" Ddmhja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll" Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll" Bganhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll" Ncianepl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aglemn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Becifhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmbmibhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpjcdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlopkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippggbck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fakdpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdjjckag.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2172 wrote to memory of 384 2172 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 88 PID 2172 wrote to memory of 384 2172 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 88 PID 2172 wrote to memory of 384 2172 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 88 PID 384 wrote to memory of 396 384 Kaqcbi32.exe 89 PID 384 wrote to memory of 396 384 Kaqcbi32.exe 89 PID 384 wrote to memory of 396 384 Kaqcbi32.exe 89 PID 396 wrote to memory of 1548 396 Kkihknfg.exe 90 PID 396 wrote to memory of 1548 396 Kkihknfg.exe 90 PID 396 wrote to memory of 1548 396 Kkihknfg.exe 90 PID 1548 wrote to memory of 864 1548 Kdaldd32.exe 91 PID 1548 wrote to memory of 864 1548 Kdaldd32.exe 91 PID 1548 wrote to memory of 864 1548 Kdaldd32.exe 91 PID 864 wrote to memory of 3640 864 Kbdmpqcb.exe 92 PID 864 wrote to memory of 3640 864 Kbdmpqcb.exe 92 PID 864 wrote to memory of 3640 864 Kbdmpqcb.exe 92 PID 3640 wrote to memory of 2864 3640 Kinemkko.exe 93 PID 3640 wrote to memory of 2864 3640 Kinemkko.exe 93 PID 3640 wrote to memory of 2864 3640 Kinemkko.exe 93 PID 2864 wrote to memory of 2644 2864 Kdcijcke.exe 94 PID 2864 wrote to memory of 2644 2864 Kdcijcke.exe 94 PID 2864 wrote to memory of 2644 2864 Kdcijcke.exe 94 PID 2644 wrote to memory of 4968 2644 Kipabjil.exe 95 PID 2644 wrote to memory of 4968 2644 Kipabjil.exe 95 PID 2644 wrote to memory of 4968 2644 Kipabjil.exe 95 PID 4968 wrote to memory of 4820 4968 Kmlnbi32.exe 96 PID 4968 wrote to memory of 4820 4968 Kmlnbi32.exe 96 PID 4968 wrote to memory of 4820 4968 Kmlnbi32.exe 96 PID 4820 wrote to memory of 1600 4820 Kpjjod32.exe 97 PID 4820 wrote to memory of 1600 4820 Kpjjod32.exe 97 PID 4820 wrote to memory of 1600 4820 Kpjjod32.exe 97 PID 1600 wrote to memory of 4424 1600 Kcifkp32.exe 98 PID 1600 wrote to memory of 4424 1600 Kcifkp32.exe 98 PID 1600 wrote to memory of 4424 1600 Kcifkp32.exe 98 PID 4424 wrote to memory of 872 4424 Kkpnlm32.exe 99 PID 4424 wrote to memory of 872 4424 Kkpnlm32.exe 99 PID 4424 wrote to memory of 872 4424 Kkpnlm32.exe 99 PID 872 wrote to memory of 4616 872 Kmnjhioc.exe 100 PID 872 wrote to memory of 4616 872 Kmnjhioc.exe 100 PID 872 wrote to memory of 4616 872 Kmnjhioc.exe 100 PID 4616 wrote to memory of 4912 4616 Kpmfddnf.exe 101 PID 4616 wrote to memory of 4912 4616 Kpmfddnf.exe 101 PID 4616 wrote to memory of 4912 4616 Kpmfddnf.exe 101 PID 4912 wrote to memory of 5036 4912 Kckbqpnj.exe 102 PID 4912 wrote to memory of 5036 4912 Kckbqpnj.exe 102 PID 4912 wrote to memory of 5036 4912 Kckbqpnj.exe 102 PID 5036 wrote to memory of 3452 5036 Kkbkamnl.exe 103 PID 5036 wrote to memory of 3452 5036 Kkbkamnl.exe 103 PID 5036 wrote to memory of 3452 5036 Kkbkamnl.exe 103 PID 3452 wrote to memory of 4336 3452 Lmqgnhmp.exe 105 PID 3452 wrote to memory of 4336 3452 Lmqgnhmp.exe 105 PID 3452 wrote to memory of 4336 3452 Lmqgnhmp.exe 105 PID 4336 wrote to memory of 1596 4336 Lalcng32.exe 106 PID 4336 wrote to memory of 1596 4336 Lalcng32.exe 106 PID 4336 wrote to memory of 1596 4336 Lalcng32.exe 106 PID 1596 wrote to memory of 4768 1596 Lpocjdld.exe 107 PID 1596 wrote to memory of 4768 1596 Lpocjdld.exe 107 PID 1596 wrote to memory of 4768 1596 Lpocjdld.exe 107 PID 4768 wrote to memory of 2996 4768 Liggbi32.exe 109 PID 4768 wrote to memory of 2996 4768 Liggbi32.exe 109 PID 4768 wrote to memory of 2996 4768 Liggbi32.exe 109 PID 2996 wrote to memory of 4144 2996 Lpappc32.exe 110 PID 2996 wrote to memory of 4144 2996 Lpappc32.exe 110 PID 2996 wrote to memory of 4144 2996 Lpappc32.exe 110 PID 4144 wrote to memory of 456 4144 Lcpllo32.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe"C:\Users\Admin\AppData\Local\Temp\22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Kdaldd32.exeC:\Windows\system32\Kdaldd32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Kinemkko.exeC:\Windows\system32\Kinemkko.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Kipabjil.exeC:\Windows\system32\Kipabjil.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kmlnbi32.exeC:\Windows\system32\Kmlnbi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Kcifkp32.exeC:\Windows\system32\Kcifkp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Kpmfddnf.exeC:\Windows\system32\Kpmfddnf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\Kckbqpnj.exeC:\Windows\system32\Kckbqpnj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Lpappc32.exeC:\Windows\system32\Lpappc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Lcpllo32.exeC:\Windows\system32\Lcpllo32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe24⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe25⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe26⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe28⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe29⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe30⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe31⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Lgbnmm32.exeC:\Windows\system32\Lgbnmm32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe33⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe34⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Mgekbljc.exeC:\Windows\system32\Mgekbljc.exe35⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe36⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4676 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe38⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe39⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe40⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4012 -
C:\Windows\SysWOW64\Mkgmcjld.exeC:\Windows\system32\Mkgmcjld.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4500 -
C:\Windows\SysWOW64\Mpdelajl.exeC:\Windows\system32\Mpdelajl.exe45⤵
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe46⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Nnhfee32.exeC:\Windows\system32\Nnhfee32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe48⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3244 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe50⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe51⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe52⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Nbhkac32.exeC:\Windows\system32\Nbhkac32.exe53⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe54⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Njcpee32.exeC:\Windows\system32\Njcpee32.exe55⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe57⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Nnaikd32.exeC:\Windows\system32\Nnaikd32.exe58⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe59⤵
- Executes dropped EXE
PID:412 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe60⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe61⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe63⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe64⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe65⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Onholckc.exeC:\Windows\system32\Onholckc.exe66⤵PID:3392
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe67⤵PID:3984
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe68⤵PID:2704
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe69⤵PID:3612
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe70⤵
- Modifies registry class
PID:4456 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe71⤵PID:2952
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe72⤵
- Drops file in System32 directory
PID:5040 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe74⤵PID:3332
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe75⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe76⤵PID:5052
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Pkceffcd.exeC:\Windows\system32\Pkceffcd.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4104 -
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe79⤵PID:2688
-
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe81⤵PID:2728
-
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe82⤵PID:1772
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe83⤵PID:868
-
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe84⤵PID:2528
-
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe85⤵
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe86⤵
- Modifies registry class
PID:5088 -
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe87⤵PID:3456
-
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe88⤵PID:5156
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe89⤵PID:5192
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe90⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5272 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe92⤵PID:5324
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe93⤵PID:5364
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe94⤵PID:5404
-
C:\Windows\SysWOW64\Qloebdig.exeC:\Windows\system32\Qloebdig.exe95⤵PID:5440
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe96⤵PID:5480
-
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe97⤵PID:5520
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5572 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5608 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe100⤵
- Drops file in System32 directory
PID:5652 -
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe101⤵PID:5692
-
C:\Windows\SysWOW64\Aldomc32.exeC:\Windows\system32\Aldomc32.exe102⤵PID:5736
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe103⤵PID:5776
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe104⤵PID:5820
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5856 -
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5892 -
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe107⤵PID:5936
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe108⤵PID:5976
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe109⤵
- Modifies registry class
PID:6020 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe110⤵PID:6056
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe111⤵PID:6092
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe112⤵PID:6136
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe113⤵PID:5128
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe114⤵PID:5208
-
C:\Windows\SysWOW64\Ajneip32.exeC:\Windows\system32\Ajneip32.exe115⤵PID:5288
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe116⤵PID:5340
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe118⤵PID:5476
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe119⤵PID:5544
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe120⤵PID:5600
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe121⤵PID:5644
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe122⤵PID:5720
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-