Analysis

max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/05/2024, 23:49

Static task: static1

Behavioral task: behavioral1
Sample: 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe
Resource: win10v2004-20240226-en

General

Target: 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe
Size: 464KB
MD5: 3048873bcff0c607089160768500de9c
SHA1: 777d7dbffbffdc2b01c1a1649a6b51cee6321acf
SHA256: 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c
SHA512: 8eef9249915bb38704388c387900a73fc5e4c3458fa1d1fcdd49451892afa6deffb41afcaef5c7596cb5c58120a3c2e07bcbd3cea7df6bf3daf27698c08d2f5f
SSDEEP: 6144:788PPNwEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPC:IdEVI2C4EVu2JEVcBEVI2C
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mabgcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jbnhng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Noqamn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pflomnkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpeekh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jabbhcfe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Filldb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pogclp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Pqkmjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fiihdlpc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnicmdli.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhhfdo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lkppbl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpgljfbl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckccgane.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Heihnoph.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kofopj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkiogn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohfeog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Bbokmqie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cclkfdnc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikhjki32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nigome32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glaoalkh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nhkbkc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okgnab32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppbfpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Nhkbkc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llohjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Hipkdnmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ileiplhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Jjdmmdnh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hahjpbad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqdipqbp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cddaphkn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjdfmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kcakaipc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Lkppbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mkclhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Npfgpe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pggbla32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgimmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cddaphkn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdehon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gepehphc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ichllgfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ipllekdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Kmgbdo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kifpdelo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Obafnlpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Ckccgane.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fmpkjkma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpjhkjde.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbmjah32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndmjedoi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Oqkqkdne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Migbnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mggpgmof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdbhke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Mooaljkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Niebhf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gelppaof.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gohjaf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghqnjk32.exe
Detects executables built or packed with MPress PE compressor (64 IoCs)

resource | yara_rule
behavioral1/files/0x000d000000012674-5.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000014358-18.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000700000001443b-32.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2484-39-0x0000000000300000-0x000000000039D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000014597-52.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001535e-59.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2568-62-0x00000000020E0000-0x000000000217D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015653-79.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015677-86.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015c87-105.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cae-114.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0030000000014228-129.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2024-143-0x0000000000400000-0x000000000049D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cd9-144.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cff-164.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d42-174.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d56-189.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/272-203-0x0000000000400000-0x000000000049D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d6b-211.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d87-223.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015e32-235.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015f65-244.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001610f-257.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1548-263-0x0000000000400000-0x000000000049D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2808-261-0x0000000000340000-0x00000000003DD000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001630a-266.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001658a-279.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016851-288.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c44-301.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c64-310.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cdc-321.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d18-329.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2468-334-0x0000000000400000-0x000000000049D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d34-343.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d3e-353.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d5f-365.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d8e-375.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2632-378-0x0000000000400000-0x000000000049D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016da5-388.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016db9-398.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2380-397-0x0000000000400000-0x000000000049D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001704a-409.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000171df-420.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000017437-431.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2180-441-0x0000000000400000-0x000000000049D000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0031000000018649-443.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000186f6-455.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001875a-464.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001876e-475.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018785-486.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018bb0-497.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018bd6-507.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000192e7-518.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019357-529.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019397-539.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001941e-548.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001944b-556.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019489-564.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194ba-573.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019568-581.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195de-592.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001960a-601.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019610-610.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019619-625.dat | INDICATOR_EXE_Packed_MPress
Executes dropped EXE (64 IoCs)

pid | Process
2972 | Emhlfmgj.exe
2484 | Eecqjpee.exe
2536 | Eiomkn32.exe
2568 | Ebinic32.exe
2644 | Fmcoja32.exe
2548 | Fmekoalh.exe
2304 | Filldb32.exe
2684 | Fdapak32.exe
1956 | Ffbicfoc.exe
2024 | Gegfdb32.exe
2164 | Glaoalkh.exe
1752 | Gelppaof.exe
2260 | Geolea32.exe
272 | Ghoegl32.exe
768 | Hiqbndpb.exe
2364 | Hahjpbad.exe
2964 | Hodpgjha.exe
2808 | Henidd32.exe
1548 | Ilknfn32.exe
808 | Ioijbj32.exe
928 | Inngcfid.exe
2152 | Iqmcpahh.exe
2664 | Igihbknb.exe
556 | Ijgdngmf.exe
2468 | Iqalka32.exe
1692 | Jmhmpb32.exe
2668 | Jqdipqbp.exe
2576 | Jfcnngnd.exe
2632 | Jokcgmee.exe
2672 | Jkbcln32.exe
2380 | Jbnhng32.exe
2428 | Kemejc32.exe
1776 | Kbqecg32.exe
2616 | Kjljhjkl.exe
2180 | Kgpjanje.exe
2124 | Kpkofpgq.exe
900 | Kfegbj32.exe
1688 | Kfgdhjmk.exe
1580 | Kifpdelo.exe
1740 | Lpphap32.exe
576 | Lfjqnjkh.exe
1864 | Llfifq32.exe
1600 | Lpbefoai.exe
3068 | Leonofpp.exe
2612 | Lhmjkaoc.exe
1648 | Logbhl32.exe
980 | Leajdfnm.exe
3012 | Llkbap32.exe
3048 | Lojomkdn.exe
2264 | Lecgje32.exe
1364 | Lhbcfa32.exe
1568 | Lkppbl32.exe
2056 | Lajhofao.exe
1556 | Mkclhl32.exe
2508 | Mmahdggc.exe
2628 | Mdkqqa32.exe
1284 | Mgimmm32.exe
2448 | Mmceigep.exe
2500 | Mdmmfa32.exe
2028 | Mijfnh32.exe
2624 | Mmfbogcn.exe
2736 | Mcbjgn32.exe
1968 | Mmhodf32.exe
2204 | Mlkopcge.exe
Loads dropped DLL (64 IoCs)

pid | Process
2992 | 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe
2992 | 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe
2972 | Emhlfmgj.exe
2972 | Emhlfmgj.exe
2484 | Eecqjpee.exe
2484 | Eecqjpee.exe
2536 | Eiomkn32.exe
2536 | Eiomkn32.exe
2568 | Ebinic32.exe
2568 | Ebinic32.exe
2644 | Fmcoja32.exe
2644 | Fmcoja32.exe
2548 | Fmekoalh.exe
2548 | Fmekoalh.exe
2304 | Filldb32.exe
2304 | Filldb32.exe
2684 | Fdapak32.exe
2684 | Fdapak32.exe
1956 | Ffbicfoc.exe
1956 | Ffbicfoc.exe
2024 | Gegfdb32.exe
2024 | Gegfdb32.exe
2164 | Glaoalkh.exe
2164 | Glaoalkh.exe
1752 | Gelppaof.exe
1752 | Gelppaof.exe
2260 | Geolea32.exe
2260 | Geolea32.exe
272 | Ghoegl32.exe
272 | Ghoegl32.exe
768 | Hiqbndpb.exe
768 | Hiqbndpb.exe
2364 | Hahjpbad.exe
2364 | Hahjpbad.exe
2964 | Hodpgjha.exe
2964 | Hodpgjha.exe
2808 | Henidd32.exe
2808 | Henidd32.exe
1548 | Ilknfn32.exe
1548 | Ilknfn32.exe
808 | Ioijbj32.exe
808 | Ioijbj32.exe
928 | Inngcfid.exe
928 | Inngcfid.exe
2152 | Iqmcpahh.exe
2152 | Iqmcpahh.exe
2664 | Igihbknb.exe
2664 | Igihbknb.exe
556 | Ijgdngmf.exe
556 | Ijgdngmf.exe
2468 | Iqalka32.exe
2468 | Iqalka32.exe
1692 | Jmhmpb32.exe
1692 | Jmhmpb32.exe
2668 | Jqdipqbp.exe
2668 | Jqdipqbp.exe
2576 | Jfcnngnd.exe
2576 | Jfcnngnd.exe
2632 | Jokcgmee.exe
2632 | Jokcgmee.exe
2672 | Jkbcln32.exe
2672 | Jkbcln32.exe
2380 | Jbnhng32.exe
2380 | Jbnhng32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Bmoado32.dll | Ijgdngmf.exe
File created | C:\Windows\SysWOW64\Pjadmnic.exe | Piphee32.exe
File opened for modification | C:\Windows\SysWOW64\Ilqpdm32.exe | Iefhhbef.exe
File opened for modification | C:\Windows\SysWOW64\Lnbbbffj.exe | Llcefjgf.exe
File opened for modification | C:\Windows\SysWOW64\Gfkdmglc.dll | Mpjqiq32.exe
File created | C:\Windows\SysWOW64\Pabakh32.dll | Glaoalkh.exe
File opened for modification | C:\Windows\SysWOW64\Iqalka32.exe | Ijgdngmf.exe
File created | C:\Windows\SysWOW64\Aefbii32.dll | Llkbap32.exe
File created | C:\Windows\SysWOW64\Oghmhi32.dll | Ndkmpe32.exe
File created | C:\Windows\SysWOW64\Iefhhbef.exe | Ichllgfb.exe
File created | C:\Windows\SysWOW64\Fbldmm32.dll | Ilqpdm32.exe
File opened for modification | C:\Windows\SysWOW64\Pmanoifd.exe | Pkpagq32.exe
File created | C:\Windows\SysWOW64\Ffklhqao.exe | Fncdgcqm.exe
File created | C:\Windows\SysWOW64\Fjmaaddo.exe | Fikejl32.exe
File created | C:\Windows\SysWOW64\Mncfoa32.dll | Glgaok32.exe
File opened for modification | C:\Windows\SysWOW64\Hkfagfop.exe | Hgjefg32.exe
File created | C:\Windows\SysWOW64\Mabgcd32.exe | Mbpgggol.exe
File opened for modification | C:\Windows\SysWOW64\Pdaoog32.exe | Pfoocjfd.exe
File created | C:\Windows\SysWOW64\Bkddcl32.dll | Pqhpdhcc.exe
File opened for modification | C:\Windows\SysWOW64\Cddaphkn.exe | Cafecmlj.exe
File created | C:\Windows\SysWOW64\Kohkfj32.exe | Kmjojo32.exe
File created | C:\Windows\SysWOW64\Nffjeaid.dll | Lnbbbffj.exe
File created | C:\Windows\SysWOW64\Fmekoalh.exe | Fmcoja32.exe
File created | C:\Windows\SysWOW64\Nopodm32.dll | Filldb32.exe
File opened for modification | C:\Windows\SysWOW64\Ilknfn32.exe | Henidd32.exe
File opened for modification | C:\Windows\SysWOW64\Kpkofpgq.exe | Kgpjanje.exe
File created | C:\Windows\SysWOW64\Ncfnmo32.dll | Blpjegfm.exe
File opened for modification | C:\Windows\SysWOW64\Glgaok32.exe | Giieco32.exe
File opened for modification | C:\Windows\SysWOW64\Pklhlael.exe | Pdaoog32.exe
File opened for modification | C:\Windows\SysWOW64\Fbmcbbki.exe | Fpngfgle.exe
File opened for modification | C:\Windows\SysWOW64\Nigome32.exe | Ngibaj32.exe
File created | C:\Windows\SysWOW64\Leimip32.exe | Kbkameaf.exe
File created | C:\Windows\SysWOW64\Bjdmohgl.dll | Lgjfkk32.exe
File created | C:\Windows\SysWOW64\Gljilnja.dll | Pciifc32.exe
File created | C:\Windows\SysWOW64\Ecfhengk.dll | Ppbfpd32.exe
File opened for modification | C:\Windows\SysWOW64\Hgjefg32.exe | Heihnoph.exe
File created | C:\Windows\SysWOW64\Dfdjhndl.exe | Dknekeef.exe
File opened for modification | C:\Windows\SysWOW64\Iefhhbef.exe | Ichllgfb.exe
File opened for modification | C:\Windows\SysWOW64\Jmhmpb32.exe | Iqalka32.exe
File created | C:\Windows\SysWOW64\Onmjak32.dll | Ofelmloo.exe
File opened for modification | C:\Windows\SysWOW64\Ofmbnkhg.exe | Obafnlpn.exe
File created | C:\Windows\SysWOW64\Peiepfgg.exe | Pmanoifd.exe
File opened for modification | C:\Windows\SysWOW64\Qlkdkd32.exe | Qimhoi32.exe
File created | C:\Windows\SysWOW64\Hokokc32.dll | Bjlqhoba.exe
File opened for modification | C:\Windows\SysWOW64\Jgojpjem.exe | Jfnnha32.exe
File created | C:\Windows\SysWOW64\Eqnolc32.dll | Nlcnda32.exe
File created | C:\Windows\SysWOW64\Mpjmjp32.dll | Igakgfpn.exe
File opened for modification | C:\Windows\SysWOW64\Mhhfdo32.exe | Meijhc32.exe
File created | C:\Windows\SysWOW64\Bhglodcb.dll | Qlkdkd32.exe
File created | C:\Windows\SysWOW64\Iakdqgfi.dll | Qbelgood.exe
File opened for modification | C:\Windows\SysWOW64\Qimhoi32.exe | Qbcpbo32.exe
File created | C:\Windows\SysWOW64\Hadfjo32.dll | Cpnojioo.exe
File opened for modification | C:\Windows\SysWOW64\Eqbddk32.exe | Ejhlgaeh.exe
File opened for modification | C:\Windows\SysWOW64\Fjaonpnn.exe | Effcma32.exe
File created | C:\Windows\SysWOW64\Kkmgjljo.dll | Iamimc32.exe
File opened for modification | C:\Windows\SysWOW64\Kpjhkjde.exe | Kiqpop32.exe
File created | C:\Windows\SysWOW64\Ilbgbe32.dll | Pmanoifd.exe
File created | C:\Windows\SysWOW64\Ckgkkllh.dll | Dhbfdjdp.exe
File opened for modification | C:\Windows\SysWOW64\Eplkpgnh.exe | Eqijej32.exe
File created | C:\Windows\SysWOW64\Oglegn32.dll | Anccmo32.exe
File created | C:\Windows\SysWOW64\Mmjhjhkh.dll | Gfhladfn.exe
File created | C:\Windows\SysWOW64\Ipnndn32.dll | Jofbag32.exe
File created | C:\Windows\SysWOW64\Kfegbj32.exe | Kpkofpgq.exe
File opened for modification | C:\Windows\SysWOW64\Ocgpappk.exe | Oddpfc32.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
4628 | 4596 | WerFault.exe | 406
Modifies registry class (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkddcl32.dll" | Pqhpdhcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Qabcjgkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cdgneh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Npojdpef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jnkpbcjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhgoi32.dll" | Jchhkjhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kbbngf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll" | Lgjfkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Pqkmjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bppoqeja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijigk32.dll" | Hpbiommg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Iefhhbef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nmnace32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Nceclqan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fnfamcoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmaqpohl.dll" | Gmbdnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmfmhhoj.dll" | Idnaoohk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cadhnmnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Efcfga32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lcagpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Djhphncm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gpejeihi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addnil32.dll" | Gegfdb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mcbjgn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Pogclp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Biamilfj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Glaoalkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kbqecg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mpigfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadddkfi.dll" | Oddpfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jqdipqbp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mhhfdo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Biamilfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Jdehon32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Niikceid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll" | Dhdcji32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ofelmloo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ofelmloo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Abhimnma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Bfcampgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Hapicp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mmldme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Jokcgmee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Egllae32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Effcma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gpejeihi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Ghqnjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmgjljo.dll" | Iamimc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kfbcbd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Ncpcfkbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlegpjp.dll" | Ncgdbmmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll" | Dbkknojp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Kmjojo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll" | Lpjdjmfp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lnbbbffj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll" | Ngibaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhglodcb.dll" | Qlkdkd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Bfenbpec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll" | Chnqkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Giieco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Mbmjah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll" | Dccagcgk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Kkjcplpa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Lclnemgd.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2992 wrote to memory of 2972 | 2992 | 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe | 28
PID 2992 wrote to memory of 2972 | 2992 | 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe | 28
PID 2992 wrote to memory of 2972 | 2992 | 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe | 28
PID 2992 wrote to memory of 2972 | 2992 | 5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe | 28
PID 2972 wrote to memory of 2484 | 2972 | Emhlfmgj.exe | 29
PID 2972 wrote to memory of 2484 | 2972 | Emhlfmgj.exe | 29
PID 2972 wrote to memory of 2484 | 2972 | Emhlfmgj.exe | 29
PID 2972 wrote to memory of 2484 | 2972 | Emhlfmgj.exe | 29
PID 2484 wrote to memory of 2536 | 2484 | Eecqjpee.exe | 30
PID 2484 wrote to memory of 2536 | 2484 | Eecqjpee.exe | 30
PID 2484 wrote to memory of 2536 | 2484 | Eecqjpee.exe | 30
PID 2484 wrote to memory of 2536 | 2484 | Eecqjpee.exe | 30
PID 2536 wrote to memory of 2568 | 2536 | Eiomkn32.exe | 31
PID 2536 wrote to memory of 2568 | 2536 | Eiomkn32.exe | 31
PID 2536 wrote to memory of 2568 | 2536 | Eiomkn32.exe | 31
PID 2536 wrote to memory of 2568 | 2536 | Eiomkn32.exe | 31
PID 2568 wrote to memory of 2644 | 2568 | Ebinic32.exe | 32
PID 2568 wrote to memory of 2644 | 2568 | Ebinic32.exe | 32
PID 2568 wrote to memory of 2644 | 2568 | Ebinic32.exe | 32
PID 2568 wrote to memory of 2644 | 2568 | Ebinic32.exe | 32
PID 2644 wrote to memory of 2548 | 2644 | Fmcoja32.exe | 33
PID 2644 wrote to memory of 2548 | 2644 | Fmcoja32.exe | 33
PID 2644 wrote to memory of 2548 | 2644 | Fmcoja32.exe | 33
PID 2644 wrote to memory of 2548 | 2644 | Fmcoja32.exe | 33
PID 2548 wrote to memory of 2304 | 2548 | Fmekoalh.exe | 34
PID 2548 wrote to memory of 2304 | 2548 | Fmekoalh.exe | 34
PID 2548 wrote to memory of 2304 | 2548 | Fmekoalh.exe | 34
PID 2548 wrote to memory of 2304 | 2548 | Fmekoalh.exe | 34
PID 2304 wrote to memory of 2684 | 2304 | Filldb32.exe | 35
PID 2304 wrote to memory of 2684 | 2304 | Filldb32.exe | 35
PID 2304 wrote to memory of 2684 | 2304 | Filldb32.exe | 35
PID 2304 wrote to memory of 2684 | 2304 | Filldb32.exe | 35
PID 2684 wrote to memory of 1956 | 2684 | Fdapak32.exe | 36
PID 2684 wrote to memory of 1956 | 2684 | Fdapak32.exe | 36
PID 2684 wrote to memory of 1956 | 2684 | Fdapak32.exe | 36
PID 2684 wrote to memory of 1956 | 2684 | Fdapak32.exe | 36
PID 1956 wrote to memory of 2024 | 1956 | Ffbicfoc.exe | 37
PID 1956 wrote to memory of 2024 | 1956 | Ffbicfoc.exe | 37
PID 1956 wrote to memory of 2024 | 1956 | Ffbicfoc.exe | 37
PID 1956 wrote to memory of 2024 | 1956 | Ffbicfoc.exe | 37
PID 2024 wrote to memory of 2164 | 2024 | Gegfdb32.exe | 38
PID 2024 wrote to memory of 2164 | 2024 | Gegfdb32.exe | 38
PID 2024 wrote to memory of 2164 | 2024 | Gegfdb32.exe | 38
PID 2024 wrote to memory of 2164 | 2024 | Gegfdb32.exe | 38
PID 2164 wrote to memory of 1752 | 2164 | Glaoalkh.exe | 39
PID 2164 wrote to memory of 1752 | 2164 | Glaoalkh.exe | 39
PID 2164 wrote to memory of 1752 | 2164 | Glaoalkh.exe | 39
PID 2164 wrote to memory of 1752 | 2164 | Glaoalkh.exe | 39
PID 1752 wrote to memory of 2260 | 1752 | Gelppaof.exe | 40
PID 1752 wrote to memory of 2260 | 1752 | Gelppaof.exe | 40
PID 1752 wrote to memory of 2260 | 1752 | Gelppaof.exe | 40
PID 1752 wrote to memory of 2260 | 1752 | Gelppaof.exe | 40
PID 2260 wrote to memory of 272 | 2260 | Geolea32.exe | 41
PID 2260 wrote to memory of 272 | 2260 | Geolea32.exe | 41
PID 2260 wrote to memory of 272 | 2260 | Geolea32.exe | 41
PID 2260 wrote to memory of 272 | 2260 | Geolea32.exe | 41
PID 272 wrote to memory of 768 | 272 | Ghoegl32.exe | 42
PID 272 wrote to memory of 768 | 272 | Ghoegl32.exe | 42
PID 272 wrote to memory of 768 | 272 | Ghoegl32.exe | 42
PID 272 wrote to memory of 768 | 272 | Ghoegl32.exe | 42
PID 768 wrote to memory of 2364 | 768 | Hiqbndpb.exe | 43
PID 768 wrote to memory of 2364 | 768 | Hiqbndpb.exe | 43
PID 768 wrote to memory of 2364 | 768 | Hiqbndpb.exe | 43
PID 768 wrote to memory of 2364 | 768 | Hiqbndpb.exe | 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\5f63dad0086c1dbac22d7d9b95532a086c1ef3975d9f7fad3232d1079c2eff9c.exe"; level 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Emhlfmgj.exe  (cmdline: C:\Windows\system32\Emhlfmgj.exe; level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Eecqjpee.exe  (cmdline: C:\Windows\system32\Eecqjpee.exe; level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Eiomkn32.exe  (cmdline: C:\Windows\system32\Eiomkn32.exe; level 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Ebinic32.exe  (cmdline: C:\Windows\system32\Ebinic32.exe; level 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Fmcoja32.exe  (cmdline: C:\Windows\system32\Fmcoja32.exe; level 6)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Fmekoalh.exe  (cmdline: C:\Windows\system32\Fmekoalh.exe; level 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Filldb32.exe  (cmdline: C:\Windows\system32\Filldb32.exe; level 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Fdapak32.exe  (cmdline: C:\Windows\system32\Fdapak32.exe; level 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Ffbicfoc.exe  (cmdline: C:\Windows\system32\Ffbicfoc.exe; level 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Gegfdb32.exe  (cmdline: C:\Windows\system32\Gegfdb32.exe; level 11)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Glaoalkh.exe  (cmdline: C:\Windows\system32\Glaoalkh.exe; level 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Gelppaof.exe  (cmdline: C:\Windows\system32\Gelppaof.exe; level 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Geolea32.exe  (cmdline: C:\Windows\system32\Geolea32.exe; level 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Ghoegl32.exe  (cmdline: C:\Windows\system32\Ghoegl32.exe; level 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Hiqbndpb.exe  (cmdline: C:\Windows\system32\Hiqbndpb.exe; level 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Hahjpbad.exe  (cmdline: C:\Windows\system32\Hahjpbad.exe; level 17)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Hodpgjha.exe  (cmdline: C:\Windows\system32\Hodpgjha.exe; level 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Henidd32.exe  (cmdline: C:\Windows\system32\Henidd32.exe; level 19)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Ilknfn32.exe  (cmdline: C:\Windows\system32\Ilknfn32.exe; level 20)
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Ioijbj32.exe  (cmdline: C:\Windows\system32\Ioijbj32.exe; level 21)
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Inngcfid.exe  (cmdline: C:\Windows\system32\Inngcfid.exe; level 22)
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Iqmcpahh.exe  (cmdline: C:\Windows\system32\Iqmcpahh.exe; level 23)
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Igihbknb.exe  (cmdline: C:\Windows\system32\Igihbknb.exe; level 24)
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Ijgdngmf.exe  (cmdline: C:\Windows\system32\Ijgdngmf.exe; level 25)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\Iqalka32.exe  (cmdline: C:\Windows\system32\Iqalka32.exe; level 26)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Jmhmpb32.exe  (cmdline: C:\Windows\system32\Jmhmpb32.exe; level 27)
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Jqdipqbp.exe  (cmdline: C:\Windows\system32\Jqdipqbp.exe; level 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Jfcnngnd.exe  (cmdline: C:\Windows\system32\Jfcnngnd.exe; level 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Jokcgmee.exe  (cmdline: C:\Windows\system32\Jokcgmee.exe; level 30)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Jkbcln32.exe  (cmdline: C:\Windows\system32\Jkbcln32.exe; level 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Jbnhng32.exe  (cmdline: C:\Windows\system32\Jbnhng32.exe; level 32)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Kemejc32.exe  (cmdline: C:\Windows\system32\Kemejc32.exe; level 33)
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Kbqecg32.exe  (cmdline: C:\Windows\system32\Kbqecg32.exe; level 34)
- Executes dropped EXE
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Kjljhjkl.exe  (cmdline: C:\Windows\system32\Kjljhjkl.exe; level 35)
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Kgpjanje.exe  (cmdline: C:\Windows\system32\Kgpjanje.exe; level 36)
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Kpkofpgq.exe  (cmdline: C:\Windows\system32\Kpkofpgq.exe; level 37)
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Kfegbj32.exe  (cmdline: C:\Windows\system32\Kfegbj32.exe; level 38)
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Kfgdhjmk.exe  (cmdline: C:\Windows\system32\Kfgdhjmk.exe; level 39)
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Kifpdelo.exe  (cmdline: C:\Windows\system32\Kifpdelo.exe; level 40)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Lpphap32.exe  (cmdline: C:\Windows\system32\Lpphap32.exe; level 41)
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Lfjqnjkh.exe  (cmdline: C:\Windows\system32\Lfjqnjkh.exe; level 42)
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Llfifq32.exe  (cmdline: C:\Windows\system32\Llfifq32.exe; level 43)
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Lpbefoai.exe  (cmdline: C:\Windows\system32\Lpbefoai.exe; level 44)
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Leonofpp.exe  (cmdline: C:\Windows\system32\Leonofpp.exe; level 45)
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Lhmjkaoc.exe  (cmdline: C:\Windows\system32\Lhmjkaoc.exe; level 46)
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Logbhl32.exe  (cmdline: C:\Windows\system32\Logbhl32.exe; level 47)
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Leajdfnm.exe  (cmdline: C:\Windows\system32\Leajdfnm.exe; level 48)
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Llkbap32.exe  (cmdline: C:\Windows\system32\Llkbap32.exe; level 49)
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Lojomkdn.exe  (cmdline: C:\Windows\system32\Lojomkdn.exe; level 50)
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Lecgje32.exe  (cmdline: C:\Windows\system32\Lecgje32.exe; level 51)
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Lhbcfa32.exe  (cmdline: C:\Windows\system32\Lhbcfa32.exe; level 52)
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Lkppbl32.exe  (cmdline: C:\Windows\system32\Lkppbl32.exe; level 53)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Lajhofao.exe  (cmdline: C:\Windows\system32\Lajhofao.exe; level 54)
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Mggpgmof.exe  (cmdline: C:\Windows\system32\Mggpgmof.exe; level 55)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Mkclhl32.exe  (cmdline: C:\Windows\system32\Mkclhl32.exe; level 56)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Mmahdggc.exe  (cmdline: C:\Windows\system32\Mmahdggc.exe; level 57)
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Mdkqqa32.exe  (cmdline: C:\Windows\system32\Mdkqqa32.exe; level 58)
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Mgimmm32.exe  (cmdline: C:\Windows\system32\Mgimmm32.exe; level 59)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Mmceigep.exe  (cmdline: C:\Windows\system32\Mmceigep.exe; level 60)
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Mdmmfa32.exe  (cmdline: C:\Windows\system32\Mdmmfa32.exe; level 61)
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Mijfnh32.exe  (cmdline: C:\Windows\system32\Mijfnh32.exe; level 62)
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Mmfbogcn.exe  (cmdline: C:\Windows\system32\Mmfbogcn.exe; level 63)
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Mcbjgn32.exe  (cmdline: C:\Windows\system32\Mcbjgn32.exe; level 64)
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Mmhodf32.exe  (cmdline: C:\Windows\system32\Mmhodf32.exe; level 65)
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Mlkopcge.exe  (cmdline: C:\Windows\system32\Mlkopcge.exe; level 66)
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Moiklogi.exe  (cmdline: C:\Windows\system32\Moiklogi.exe; level 67)
PID:1656
-
C:\Windows\SysWOW64\Meccii32.exe  (cmdline: C:\Windows\system32\Meccii32.exe; level 68)
PID:772
-
C:\Windows\SysWOW64\Miooigfo.exe  (cmdline: C:\Windows\system32\Miooigfo.exe; level 69)
PID:2084
-
C:\Windows\SysWOW64\Mpigfa32.exe  (cmdline: C:\Windows\system32\Mpigfa32.exe; level 70)
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Ncgdbmmp.exe  (cmdline: C:\Windows\system32\Ncgdbmmp.exe; level 71)
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Nefpnhlc.exe  (cmdline: C:\Windows\system32\Nefpnhlc.exe; level 72)
PID:1068
-
C:\Windows\SysWOW64\Nhdlkdkg.exe  (cmdline: C:\Windows\system32\Nhdlkdkg.exe; level 73)
PID:2820
-
C:\Windows\SysWOW64\Nondgn32.exe  (cmdline: C:\Windows\system32\Nondgn32.exe; level 74)
PID:1208
-
C:\Windows\SysWOW64\Ncjqhmkm.exe  (cmdline: C:\Windows\system32\Ncjqhmkm.exe; level 75)
PID:2096
-
C:\Windows\SysWOW64\Ndkmpe32.exe  (cmdline: C:\Windows\system32\Ndkmpe32.exe; level 76)
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Nhfipcid.exe  (cmdline: C:\Windows\system32\Nhfipcid.exe; level 77)
PID:288
-
C:\Windows\SysWOW64\Noqamn32.exe  (cmdline: C:\Windows\system32\Noqamn32.exe; level 78)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Naoniipe.exe  (cmdline: C:\Windows\system32\Naoniipe.exe; level 79)
PID:2928
-
C:\Windows\SysWOW64\Ndmjedoi.exe  (cmdline: C:\Windows\system32\Ndmjedoi.exe; level 80)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Nocnbmoo.exe  (cmdline: C:\Windows\system32\Nocnbmoo.exe; level 81)
PID:2240
-
C:\Windows\SysWOW64\Naajoinb.exe  (cmdline: C:\Windows\system32\Naajoinb.exe; level 82)
PID:1628
-
C:\Windows\SysWOW64\Nhkbkc32.exe  (cmdline: C:\Windows\system32\Nhkbkc32.exe; level 83)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268 -
C:\Windows\SysWOW64\Nkiogn32.exe  (cmdline: C:\Windows\system32\Nkiogn32.exe; level 84)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Nnhkcj32.exe  (cmdline: C:\Windows\system32\Nnhkcj32.exe; level 85)
PID:2596
-
C:\Windows\SysWOW64\Npfgpe32.exe  (cmdline: C:\Windows\system32\Npfgpe32.exe; level 86)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Nceclqan.exe  (cmdline: C:\Windows\system32\Nceclqan.exe; level 87)
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Oklkmnbp.exe  (cmdline: C:\Windows\system32\Oklkmnbp.exe; level 88)
PID:2880
-
C:\Windows\SysWOW64\Onjgiiad.exe  (cmdline: C:\Windows\system32\Onjgiiad.exe; level 89)
PID:2356
-
C:\Windows\SysWOW64\Oddpfc32.exe  (cmdline: C:\Windows\system32\Oddpfc32.exe; level 90)
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Ocgpappk.exe  (cmdline: C:\Windows\system32\Ocgpappk.exe; level 91)
PID:2276
-
C:\Windows\SysWOW64\Ofelmloo.exe  (cmdline: C:\Windows\system32\Ofelmloo.exe; level 92)
- Drops file in System32 directory
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Onmdoioa.exe  (cmdline: C:\Windows\system32\Onmdoioa.exe; level 93)
PID:2772
-
C:\Windows\SysWOW64\Oqkqkdne.exe  (cmdline: C:\Windows\system32\Oqkqkdne.exe; level 94)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Oonafa32.exe  (cmdline: C:\Windows\system32\Oonafa32.exe; level 95)
PID:2208
-
C:\Windows\SysWOW64\Ofhick32.exe  (cmdline: C:\Windows\system32\Ofhick32.exe; level 96)
PID:584
-
C:\Windows\SysWOW64\Ohfeog32.exe  (cmdline: C:\Windows\system32\Ohfeog32.exe; level 97)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Oclilp32.exe  (cmdline: C:\Windows\system32\Oclilp32.exe; level 98)
PID:592
-
C:\Windows\SysWOW64\Ofjfhk32.exe  (cmdline: C:\Windows\system32\Ofjfhk32.exe; level 99)
PID:1132
-
C:\Windows\SysWOW64\Omdneebf.exe  (cmdline: C:\Windows\system32\Omdneebf.exe; level 100)
PID:3060
-
C:\Windows\SysWOW64\Okgnab32.exe  (cmdline: C:\Windows\system32\Okgnab32.exe; level 101)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Obafnlpn.exe  (cmdline: C:\Windows\system32\Obafnlpn.exe; level 102)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Ofmbnkhg.exe  (cmdline: C:\Windows\system32\Ofmbnkhg.exe; level 103)
PID:1636
-
C:\Windows\SysWOW64\Okikfagn.exe  (cmdline: C:\Windows\system32\Okikfagn.exe; level 104)
PID:2144
-
C:\Windows\SysWOW64\Ooeggp32.exe  (cmdline: C:\Windows\system32\Ooeggp32.exe; level 105)
PID:1476
-
C:\Windows\SysWOW64\Pfoocjfd.exe  (cmdline: C:\Windows\system32\Pfoocjfd.exe; level 106)
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Pdaoog32.exe  (cmdline: C:\Windows\system32\Pdaoog32.exe; level 107)
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Pklhlael.exe  (cmdline: C:\Windows\system32\Pklhlael.exe; level 108)
PID:2512
-
C:\Windows\SysWOW64\Pogclp32.exe  (cmdline: C:\Windows\system32\Pogclp32.exe; level 109)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Pqhpdhcc.exe  (cmdline: C:\Windows\system32\Pqhpdhcc.exe; level 110)
- Drops file in System32 directory
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Piphee32.exe  (cmdline: C:\Windows\system32\Piphee32.exe; level 111)
- Drops file in System32 directory
PID:1792 -
C:\Windows\SysWOW64\Pjadmnic.exe  (cmdline: C:\Windows\system32\Pjadmnic.exe; level 112)
PID:2676
-
C:\Windows\SysWOW64\Pqkmjh32.exe  (cmdline: C:\Windows\system32\Pqkmjh32.exe; level 113)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Pciifc32.exe  (cmdline: C:\Windows\system32\Pciifc32.exe; level 114)
- Drops file in System32 directory
PID:276 -
C:\Windows\SysWOW64\Pkpagq32.exe  (cmdline: C:\Windows\system32\Pkpagq32.exe; level 115)
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Pmanoifd.exe  (cmdline: C:\Windows\system32\Pmanoifd.exe; level 116)
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Peiepfgg.exe  (cmdline: C:\Windows\system32\Peiepfgg.exe; level 117)
PID:1952
-
C:\Windows\SysWOW64\Pggbla32.exe  (cmdline: C:\Windows\system32\Pggbla32.exe; level 118)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:604 -
C:\Windows\SysWOW64\Pjenhm32.exe  (cmdline: C:\Windows\system32\Pjenhm32.exe; level 119)
PID:964
-
C:\Windows\SysWOW64\Papfegmk.exe  (cmdline: C:\Windows\system32\Papfegmk.exe; level 120)
PID:852
-
C:\Windows\SysWOW64\Ppbfpd32.exe  (cmdline: C:\Windows\system32\Ppbfpd32.exe; level 121)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Pflomnkb.exe  (cmdline: C:\Windows\system32\Pflomnkb.exe; level 122)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:748