Analysis
max time kernel: 96s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 23:28
Static task: static1
Behavioral task: behavioral1
Sample: 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe
Resource: win10v2004-20240508-en
General
Target: 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe
Size: 163KB
MD5: 5d8dc291be1ed5ff76e667ebaf120f34
SHA1: b646513b0b918297043010a6187ed1c273f2e1f9
SHA256: 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a
SHA512: 558093f1b2882878b8b90968ae1d059a01bfe354793b8fee418b3eb9768a8aeb8382c6deb8301682c522d858d2db5b34ec6a0e7e1bf7a0ca3ed40c490eb2d7d0
SSDEEP: 1536:PrbbElqSmD+o++1E/H8C2piGCvKZ5lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:jnElqx+o9+cC7nKDltOrWKDBr+yJb
Malware Config
Extracted: gozi
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Processes:
Odednmpm.exeBhfonc32.exeOeicejia.exeGnjjfegi.exeAlcfei32.exeHgkkkcbc.exeEdkdkplj.exePdifoehl.exeFibojhim.exeIdbodn32.exeQcclld32.exeKnchpiom.exeKcbnnpka.exeFlqimk32.exeFkqeib32.exeGkiaej32.exeJgcamf32.exeLingibiq.exeJnhpoamf.exeBljlfh32.exeJcdala32.exeCbgbgj32.exeQgcbgo32.exeChagok32.exeHfningai.exeQepkbpak.exeGlengm32.exeJcgnbaeo.exeNelfeo32.exeBjbndobo.exeGempgj32.exeHhgloc32.exeGododflk.exeMiomdk32.exeGmeakf32.exeHjjnae32.exeAfinioip.exeBobcpmfc.exeFbpnkama.exeFfkjlp32.exeDpdaepai.exeGkkgpc32.exeKdbjhbbd.exeAnadoi32.exeNpjnhc32.exeCcnncgmc.exeJlhljhbg.exeLgikfn32.exeLjnnch32.exeNgdmod32.exeDhkapp32.exeJodjhkkj.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odednmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfonc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeicejia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnjjfegi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alcfei32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgkkkcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkdkplj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdifoehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibojhim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idbodn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knchpiom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flqimk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqeib32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkiaej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcamf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lingibiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnhpoamf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bljlfh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdala32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgbgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgcbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chagok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfningai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glengm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgnbaeo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nelfeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbndobo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gempgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhgloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gododflk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miomdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmeakf32.exe Key 
created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjjnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afinioip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bobcpmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbpnkama.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkjlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkgpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anadoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjnhc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnncgmc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnjjfegi.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhljhbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgikfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngdmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jodjhkkj.exe -
Detects executables built or packed with MPress PE compressor (64 IoCs)
Processes:
resource yara_rule C:\Windows\SysWOW64\Lalcng32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ldkojb32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lgikfn32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Liggbi32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lmccchkn.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lkgdml32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lnepih32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lcbiao32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lnhmng32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ldaeka32.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/1944-80-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ljnnch32.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/4612-87-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lphfpbdi.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/5036-95-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lknjmkdo.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/2616-104-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mpkbebbf.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/2492-115-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/3764-120-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mciobn32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mjcgohig.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/4608-128-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mdiklqhm.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/992-136-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mjeddggd.exe INDICATOR_EXE_Packed_MPress 
behavioral2/memory/4032-144-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mpolqa32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mcnhmm32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Maohkd32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mcpebmkb.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mjjmog32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mdpalp32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Njljefql.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Nceonl32.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/1780-206-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Nqiogp32.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/3940-214-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Nnmopdep.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/4092-223-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ngedij32.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/3568-231-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ndidbn32.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/2172-238-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Nbmelbid.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/1384-247-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ondeac32.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/4440-254-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2168-261-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ojjffddl.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/2456-267-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress 
behavioral2/memory/4660-273-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4516-279-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Okloegjl.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/1600-285-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4788-295-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/2992-299-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/1412-303-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Pjdilcla.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/652-333-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Pgjfkg32.exe INDICATOR_EXE_Packed_MPress behavioral2/memory/4472-343-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4512-373-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral2/memory/4148-379-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress -
UPX dump on OEP (original entry point) (64 IoCs)
Processes:
resource yara_rule C:\Windows\SysWOW64\Lalcng32.exe UPX C:\Windows\SysWOW64\Ldkojb32.exe UPX C:\Windows\SysWOW64\Lgikfn32.exe UPX C:\Windows\SysWOW64\Liggbi32.exe UPX C:\Windows\SysWOW64\Lmccchkn.exe UPX C:\Windows\SysWOW64\Lkgdml32.exe UPX C:\Windows\SysWOW64\Lnepih32.exe UPX C:\Windows\SysWOW64\Lcbiao32.exe UPX C:\Windows\SysWOW64\Lnhmng32.exe UPX C:\Windows\SysWOW64\Ldaeka32.exe UPX behavioral2/memory/1944-80-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Ljnnch32.exe UPX behavioral2/memory/4612-87-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Lphfpbdi.exe UPX behavioral2/memory/5036-95-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Lknjmkdo.exe UPX behavioral2/memory/2616-104-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Mpkbebbf.exe UPX behavioral2/memory/2492-115-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/3764-120-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Mciobn32.exe UPX C:\Windows\SysWOW64\Mjcgohig.exe UPX behavioral2/memory/4608-128-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Mdiklqhm.exe UPX behavioral2/memory/992-136-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Mjeddggd.exe UPX behavioral2/memory/4032-144-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Mpolqa32.exe UPX C:\Windows\SysWOW64\Mcnhmm32.exe UPX C:\Windows\SysWOW64\Maohkd32.exe UPX C:\Windows\SysWOW64\Mcpebmkb.exe UPX C:\Windows\SysWOW64\Mjjmog32.exe UPX C:\Windows\SysWOW64\Mdpalp32.exe UPX C:\Windows\SysWOW64\Njljefql.exe UPX C:\Windows\SysWOW64\Nceonl32.exe UPX behavioral2/memory/1780-206-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Nqiogp32.exe UPX behavioral2/memory/3940-214-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Nnmopdep.exe UPX 
behavioral2/memory/4092-223-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Ngedij32.exe UPX behavioral2/memory/3568-231-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Ndidbn32.exe UPX behavioral2/memory/2172-238-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Nbmelbid.exe UPX behavioral2/memory/1384-247-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Ondeac32.exe UPX behavioral2/memory/4440-254-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/2168-261-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Ojjffddl.exe UPX behavioral2/memory/2456-267-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/4660-273-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/4516-279-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Okloegjl.exe UPX behavioral2/memory/1600-285-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/4788-295-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/2992-299-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/1412-303-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Pjdilcla.exe UPX behavioral2/memory/652-333-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Pgjfkg32.exe UPX behavioral2/memory/4472-343-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/4512-373-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral2/memory/4148-379-0x0000000000400000-0x0000000000453000-memory.dmp UPX -
Executes dropped EXE (64 IoCs)
Processes:
Lalcng32.exeLdkojb32.exeLgikfn32.exeLiggbi32.exeLmccchkn.exeLkgdml32.exeLnepih32.exeLcbiao32.exeLnhmng32.exeLdaeka32.exeLjnnch32.exeLphfpbdi.exeLknjmkdo.exeMpkbebbf.exeMciobn32.exeMjcgohig.exeMdiklqhm.exeMjeddggd.exeMpolqa32.exeMcnhmm32.exeMaohkd32.exeMcpebmkb.exeMjjmog32.exeMdpalp32.exeNjljefql.exeNceonl32.exeNqiogp32.exeNnmopdep.exeNgedij32.exeNdidbn32.exeNbmelbid.exeOndeac32.exeOgljjiei.exeOjjffddl.exeOkjbpglo.exeOjmcld32.exeOkloegjl.exeOdednmpm.exeOkolkg32.exeOnmhgb32.exeOdgqdlnj.exePjdilcla.exePqnaim32.exePjffbc32.exePeljol32.exePgjfkg32.exePndohaqe.exePbpjhp32.exePengdk32.exePkhoae32.exePnfkma32.exePaegjl32.exePgopffec.exePkjlge32.exePnihcq32.exePagdol32.exeQcepkg32.exeQgallfcq.exeQkmhlekj.exeQajadlja.exeQeemej32.exeQgciaf32.exeQjbena32.exeQbimoo32.exepid process 4388 Lalcng32.exe 4316 Ldkojb32.exe 404 Lgikfn32.exe 2680 Liggbi32.exe 928 Lmccchkn.exe 2852 Lkgdml32.exe 4596 Lnepih32.exe 4828 Lcbiao32.exe 3704 Lnhmng32.exe 1944 Ldaeka32.exe 4612 Ljnnch32.exe 5036 Lphfpbdi.exe 2616 Lknjmkdo.exe 2492 Mpkbebbf.exe 3764 Mciobn32.exe 4608 Mjcgohig.exe 992 Mdiklqhm.exe 4032 Mjeddggd.exe 876 Mpolqa32.exe 3316 Mcnhmm32.exe 3580 Maohkd32.exe 3252 Mcpebmkb.exe 4568 Mjjmog32.exe 2608 Mdpalp32.exe 468 Njljefql.exe 1780 Nceonl32.exe 3940 Nqiogp32.exe 4092 Nnmopdep.exe 3568 Ngedij32.exe 2172 Ndidbn32.exe 1384 Nbmelbid.exe 4440 Ondeac32.exe 2168 Ogljjiei.exe 2456 Ojjffddl.exe 4660 Okjbpglo.exe 4516 Ojmcld32.exe 1600 Okloegjl.exe 4788 Odednmpm.exe 2992 Okolkg32.exe 1412 Onmhgb32.exe 2304 Odgqdlnj.exe 4540 Pjdilcla.exe 3800 Pqnaim32.exe 1100 Pjffbc32.exe 652 Peljol32.exe 4472 Pgjfkg32.exe 3588 Pndohaqe.exe 3436 Pbpjhp32.exe 4492 Pengdk32.exe 3608 Pkhoae32.exe 1152 Pnfkma32.exe 4512 Paegjl32.exe 4148 Pgopffec.exe 2020 Pkjlge32.exe 2372 Pnihcq32.exe 4800 Pagdol32.exe 2908 Qcepkg32.exe 4448 Qgallfcq.exe 2284 Qkmhlekj.exe 3384 Qajadlja.exe 3884 Qeemej32.exe 1872 Qgciaf32.exe 4544 Qjbena32.exe 4964 Qbimoo32.exe -
Drops file in System32 directory (64 IoCs)
Processes:
Fgjccb32.exeEidbij32.exeNlkgmh32.exeMdiklqhm.exeMelnob32.exeHdlpneli.exeAhchda32.exeDpphjp32.exeDbcmakpl.exeDhkapp32.exeEolhbc32.exeKdmqmc32.exeIlghlc32.exeNlkngo32.exeQgciaf32.exeMjellmbp.exeAleckinj.exeKkconn32.exeMdhdajea.exeDdmaok32.exeAoabad32.exeLjclki32.exeNnfgcd32.exeFdegandp.exeBmbplc32.exeJgeghp32.exeMaohkd32.exeIikhfg32.exeCdabcm32.exeDjdflp32.exeDannij32.exeFjhacf32.exeLpneegel.exeKenggi32.exeKdigadjo.exeMkohaj32.exeAbkjdnoa.exeEabbjc32.exeIpnjab32.exeImdgqfbd.exeFpggamqc.exeGfpcgpae.exeQgpogili.exeAckigjmh.exeFahaplon.exeEfafgifc.exeLknjmkdo.exeQgallfcq.exeGkhbdg32.exePqnaim32.exeNjpdnedf.exeIbpiogmp.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Fnckpmql.exe Fgjccb32.exe File created C:\Windows\SysWOW64\Gpcpak32.dll Eidbij32.exe File created C:\Windows\SysWOW64\Khoana32.dll Nlkgmh32.exe File created C:\Windows\SysWOW64\Jjblifaf.dll Mdiklqhm.exe File created C:\Windows\SysWOW64\Emanjldl.exe File opened for modification C:\Windows\SysWOW64\Mlefklpj.exe Melnob32.exe File created C:\Windows\SysWOW64\Pnhcelbo.dll Hdlpneli.exe File opened for modification C:\Windows\SysWOW64\Aompak32.exe Ahchda32.exe File created C:\Windows\SysWOW64\Bcpeei32.dll Dpphjp32.exe File created C:\Windows\SysWOW64\Knknhqjn.dll Dbcmakpl.exe File created C:\Windows\SysWOW64\Dkjmlk32.exe Dhkapp32.exe File opened for modification C:\Windows\SysWOW64\Eajeon32.exe Eolhbc32.exe File created C:\Windows\SysWOW64\Ncgjlnfh.dll Kdmqmc32.exe File created C:\Windows\SysWOW64\Mglpdp32.dll File created C:\Windows\SysWOW64\Ifllil32.exe Ilghlc32.exe File created C:\Windows\SysWOW64\Cmakeiil.dll Nlkngo32.exe File opened for modification C:\Windows\SysWOW64\Jghpbk32.exe File created C:\Windows\SysWOW64\Qjbena32.exe Qgciaf32.exe File opened for modification C:\Windows\SysWOW64\Maodigil.exe Mjellmbp.exe File opened for modification C:\Windows\SysWOW64\Aodogdmn.exe Aleckinj.exe File created C:\Windows\SysWOW64\Ekooihip.dll Kkconn32.exe File opened for modification 
C:\Windows\SysWOW64\Bdickcpo.exe File opened for modification C:\Windows\SysWOW64\Mgfqmfde.exe Mdhdajea.exe File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe Ddmaok32.exe File created C:\Windows\SysWOW64\Igliicdk.dll Aoabad32.exe File opened for modification C:\Windows\SysWOW64\Lmbhgd32.exe Ljclki32.exe File created C:\Windows\SysWOW64\Lhffmd32.dll Nnfgcd32.exe File opened for modification C:\Windows\SysWOW64\Fllpbldb.exe Fdegandp.exe File created C:\Windows\SysWOW64\Gblnkg32.dll Bmbplc32.exe File created C:\Windows\SysWOW64\Kkpbin32.exe Jgeghp32.exe File created C:\Windows\SysWOW64\Ibcaknbi.exe File created C:\Windows\SysWOW64\Mcpebmkb.exe Maohkd32.exe File created C:\Windows\SysWOW64\Npibja32.dll Iikhfg32.exe File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe Cdabcm32.exe File created C:\Windows\SysWOW64\Nhfjcpfb.dll File opened for modification C:\Windows\SysWOW64\Dannij32.exe Djdflp32.exe File opened for modification C:\Windows\SysWOW64\Dclkee32.exe Dannij32.exe File created C:\Windows\SysWOW64\Kolkod32.dll Fjhacf32.exe File created C:\Windows\SysWOW64\Gmnala32.dll File opened for modification C:\Windows\SysWOW64\Lblaabdp.exe Lpneegel.exe File opened for modification C:\Windows\SysWOW64\Qachgk32.exe File created C:\Windows\SysWOW64\Ckjknfnh.exe File created C:\Windows\SysWOW64\Kijchhbo.exe Kenggi32.exe File opened for modification C:\Windows\SysWOW64\Kkconn32.exe Kdigadjo.exe File created C:\Windows\SysWOW64\Dpglbfpm.dll Mkohaj32.exe File created C:\Windows\SysWOW64\Oiqbfn32.dll Abkjdnoa.exe File opened for modification C:\Windows\SysWOW64\Edpnfo32.exe Eabbjc32.exe File created C:\Windows\SysWOW64\Iblfnn32.exe Ipnjab32.exe File created C:\Windows\SysWOW64\Ihoofe32.dll Imdgqfbd.exe File created C:\Windows\SysWOW64\Gajaoo32.dll Fpggamqc.exe File opened for modification C:\Windows\SysWOW64\Gmjlcj32.exe Gfpcgpae.exe File opened for modification C:\Windows\SysWOW64\Qhakoa32.exe Qgpogili.exe File created C:\Windows\SysWOW64\Cdjnam32.dll 
Ackigjmh.exe File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe File created C:\Windows\SysWOW64\Cipqnf32.dll Fahaplon.exe File opened for modification C:\Windows\SysWOW64\Ejlbhh32.exe Efafgifc.exe File created C:\Windows\SysWOW64\Kmdigkkd.dll Lknjmkdo.exe File created C:\Windows\SysWOW64\Qkmhlekj.exe Qgallfcq.exe File opened for modification C:\Windows\SysWOW64\Gododflk.exe Gkhbdg32.exe File created C:\Windows\SysWOW64\Abdkep32.dll File created C:\Windows\SysWOW64\Pjffbc32.exe Pqnaim32.exe File created C:\Windows\SysWOW64\Qofmkc32.dll Njpdnedf.exe File opened for modification C:\Windows\SysWOW64\Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Igmagnkg.exe Ibpiogmp.exe -
Program crash (1 IoC)
Processes:
pid: 13096, pid_target: 13184 (process and target process names not recorded in the report)
Modifies registry class (64 IoCs)
Processes:
Fbpnkama.exeIcgjmapi.exeJbhfjljd.exeNdcdmikd.exeMjellmbp.exeBgehcmmm.exeHnoklk32.exeDaconoae.exeMbhamajc.exeCbgnemjj.exeGgeboaob.exeHdokdg32.exeLjhefhha.exeKlkcdj32.exeEhjlaaig.exeQohpkf32.exeIdfaefkd.exeEefhjc32.exePfnegggi.exeAfghneoo.exeJfaedkdp.exeJianff32.exeEecdjmfi.exeNefped32.exeCbgbgj32.exeOhghgodi.exeCehkhecb.exeOocddono.exeBheffh32.exeKkconn32.exeHbeqmoji.exeJplfcpin.exeQmmnjfnl.exeIljpij32.exeJlkagbej.exeNiipjj32.exeHjedffig.exeKinmcg32.exeAjanck32.exeLpneegel.exeHofmfmhj.exePgdokkfg.exeNjfagf32.exeBjmnoi32.exeIkfabm32.exeCbeapmll.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhindhb.dll" Fbpnkama.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icgjmapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddiqoc.dll" Jbhfjljd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll" Ndcdmikd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjellmbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll" Bgehcmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nholna32.dll" Hnoklk32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkbfh32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbblcj32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" Daconoae.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agdgdlac.dll" Mbhamajc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbgnemjj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggeboaob.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdokdg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljhefhha.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfikmcdh.dll" Klkcdj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdclcbj.dll" Ehjlaaig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qohpkf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfejnf32.dll" Idfaefkd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eefhjc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnegggi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afghneoo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbaokim.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaheeaan.dll" Jfaedkdp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jianff32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnaefb32.dll" Eecdjmfi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhmla32.dll" Nefped32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akalojih.dll" Cbgbgj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfaap32.dll" Ohghgodi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cehkhecb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oocddono.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bheffh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkconn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlqgg32.dll" Hbeqmoji.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jplfcpin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmmnjfnl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iljpij32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibingd32.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phaedfje.dll" Jlkagbej.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niipjj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjedffig.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijjli32.dll" Kinmcg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajanck32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciepangh.dll" Lpneegel.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hofmfmhj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgdokkfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njfagf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" Bjmnoi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikfabm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbeapmll.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe Lalcng32.exe Ldkojb32.exe Lgikfn32.exe Liggbi32.exe Lmccchkn.exe Lkgdml32.exe Lnepih32.exe Lcbiao32.exe Lnhmng32.exe Ldaeka32.exe Ljnnch32.exe Lphfpbdi.exe Lknjmkdo.exe Mpkbebbf.exe Mciobn32.exe Mjcgohig.exe Mdiklqhm.exe Mjeddggd.exe Mpolqa32.exe Mcnhmm32.exe Maohkd32.exe
description pid process target process
PID 1800 wrote to memory of 4388 1800 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe Lalcng32.exe
PID 1800 wrote to memory of 4388 1800 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe Lalcng32.exe
PID 1800 wrote to memory of 4388 1800 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe Lalcng32.exe
PID 4388 wrote to memory of 4316 4388 Lalcng32.exe Ldkojb32.exe
PID 4388 wrote to memory of 4316 4388 Lalcng32.exe Ldkojb32.exe
PID 4388 wrote to memory of 4316 4388 Lalcng32.exe Ldkojb32.exe
PID 4316 wrote to memory of 404 4316 Ldkojb32.exe Lgikfn32.exe
PID 4316 wrote to memory of 404 4316 Ldkojb32.exe Lgikfn32.exe
PID 4316 wrote to memory of 404 4316 Ldkojb32.exe Lgikfn32.exe
PID 404 wrote to memory of 2680 404 Lgikfn32.exe Liggbi32.exe
PID 404 wrote to memory of 2680 404 Lgikfn32.exe Liggbi32.exe
PID 404 wrote to memory of 2680 404 Lgikfn32.exe Liggbi32.exe
PID 2680 wrote to memory of 928 2680 Liggbi32.exe Lmccchkn.exe
PID 2680 wrote to memory of 928 2680 Liggbi32.exe Lmccchkn.exe
PID 2680 wrote to memory of 928 2680 Liggbi32.exe Lmccchkn.exe
PID 928 wrote to memory of 2852 928 Lmccchkn.exe Lkgdml32.exe
PID 928 wrote to memory of 2852 928 Lmccchkn.exe Lkgdml32.exe
PID 928 wrote to memory of 2852 928 Lmccchkn.exe Lkgdml32.exe
PID 2852 wrote to memory of 4596 2852 Lkgdml32.exe Lnepih32.exe
PID 2852 wrote to memory of 4596 2852 Lkgdml32.exe Lnepih32.exe
PID 2852 wrote to memory of 4596 2852 Lkgdml32.exe Lnepih32.exe
PID 4596 wrote to memory of 4828 4596 Lnepih32.exe Lcbiao32.exe
PID 4596 wrote to memory of 4828 4596 Lnepih32.exe Lcbiao32.exe
PID 4596 wrote to memory of 4828 4596 Lnepih32.exe Lcbiao32.exe
PID 4828 wrote to memory of 3704 4828 Lcbiao32.exe Lnhmng32.exe
PID 4828 wrote to memory of 3704 4828 Lcbiao32.exe Lnhmng32.exe
PID 4828 wrote to memory of 3704 4828 Lcbiao32.exe Lnhmng32.exe
PID 3704 wrote to memory of 1944 3704 Lnhmng32.exe Ldaeka32.exe
PID 3704 wrote to memory of 1944 3704 Lnhmng32.exe Ldaeka32.exe
PID 3704 wrote to memory of 1944 3704 Lnhmng32.exe Ldaeka32.exe
PID 1944 wrote to memory of 4612 1944 Ldaeka32.exe Ljnnch32.exe
PID 1944 wrote to memory of 4612 1944 Ldaeka32.exe Ljnnch32.exe
PID 1944 wrote to memory of 4612 1944 Ldaeka32.exe Ljnnch32.exe
PID 4612 wrote to memory of 5036 4612 Ljnnch32.exe Lphfpbdi.exe
PID 4612 wrote to memory of 5036 4612 Ljnnch32.exe Lphfpbdi.exe
PID 4612 wrote to memory of 5036 4612 Ljnnch32.exe Lphfpbdi.exe
PID 5036 wrote to memory of 2616 5036 Lphfpbdi.exe Lknjmkdo.exe
PID 5036 wrote to memory of 2616 5036 Lphfpbdi.exe Lknjmkdo.exe
PID 5036 wrote to memory of 2616 5036 Lphfpbdi.exe Lknjmkdo.exe
PID 2616 wrote to memory of 2492 2616 Lknjmkdo.exe Mpkbebbf.exe
PID 2616 wrote to memory of 2492 2616 Lknjmkdo.exe Mpkbebbf.exe
PID 2616 wrote to memory of 2492 2616 Lknjmkdo.exe Mpkbebbf.exe
PID 2492 wrote to memory of 3764 2492 Mpkbebbf.exe Mciobn32.exe
PID 2492 wrote to memory of 3764 2492 Mpkbebbf.exe Mciobn32.exe
PID 2492 wrote to memory of 3764 2492 Mpkbebbf.exe Mciobn32.exe
PID 3764 wrote to memory of 4608 3764 Mciobn32.exe Mjcgohig.exe
PID 3764 wrote to memory of 4608 3764 Mciobn32.exe Mjcgohig.exe
PID 3764 wrote to memory of 4608 3764 Mciobn32.exe Mjcgohig.exe
PID 4608 wrote to memory of 992 4608 Mjcgohig.exe Mdiklqhm.exe
PID 4608 wrote to memory of 992 4608 Mjcgohig.exe Mdiklqhm.exe
PID 4608 wrote to memory of 992 4608 Mjcgohig.exe Mdiklqhm.exe
PID 992 wrote to memory of 4032 992 Mdiklqhm.exe Mjeddggd.exe
PID 992 wrote to memory of 4032 992 Mdiklqhm.exe Mjeddggd.exe
PID 992 wrote to memory of 4032 992 Mdiklqhm.exe Mjeddggd.exe
PID 4032 wrote to memory of 876 4032 Mjeddggd.exe Mpolqa32.exe
PID 4032 wrote to memory of 876 4032 Mjeddggd.exe Mpolqa32.exe
PID 4032 wrote to memory of 876 4032 Mjeddggd.exe Mpolqa32.exe
PID 876 wrote to memory of 3316 876 Mpolqa32.exe Mcnhmm32.exe
PID 876 wrote to memory of 3316 876 Mpolqa32.exe Mcnhmm32.exe
PID 876 wrote to memory of 3316 876 Mpolqa32.exe Mcnhmm32.exe
PID 3316 wrote to memory of 3580 3316 Mcnhmm32.exe Maohkd32.exe
PID 3316 wrote to memory of 3580 3316 Mcnhmm32.exe Maohkd32.exe
PID 3316 wrote to memory of 3580 3316 Mcnhmm32.exe Maohkd32.exe
PID 3580 wrote to memory of 3252 3580 Maohkd32.exe Mcpebmkb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe"C:\Users\Admin\AppData\Local\Temp\7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\SysWOW64\Ldkojb32.exeC:\Windows\system32\Ldkojb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Lmccchkn.exeC:\Windows\system32\Lmccchkn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Lkgdml32.exeC:\Windows\system32\Lkgdml32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Lnepih32.exeC:\Windows\system32\Lnepih32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\SysWOW64\Lcbiao32.exeC:\Windows\system32\Lcbiao32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Lnhmng32.exeC:\Windows\system32\Lnhmng32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Ldaeka32.exeC:\Windows\system32\Ldaeka32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ljnnch32.exeC:\Windows\system32\Ljnnch32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Lphfpbdi.exeC:\Windows\system32\Lphfpbdi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Mpkbebbf.exeC:\Windows\system32\Mpkbebbf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Mciobn32.exeC:\Windows\system32\Mciobn32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Mjcgohig.exeC:\Windows\system32\Mjcgohig.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Mdiklqhm.exeC:\Windows\system32\Mdiklqhm.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Mcnhmm32.exeC:\Windows\system32\Mcnhmm32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Maohkd32.exeC:\Windows\system32\Maohkd32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe23⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe24⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe25⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe26⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe27⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Nqiogp32.exeC:\Windows\system32\Nqiogp32.exe28⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe29⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe30⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe31⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Nbmelbid.exeC:\Windows\system32\Nbmelbid.exe32⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Ondeac32.exeC:\Windows\system32\Ondeac32.exe33⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Ogljjiei.exeC:\Windows\system32\Ogljjiei.exe34⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe35⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe36⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe37⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe38⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Odednmpm.exeC:\Windows\system32\Odednmpm.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe40⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe41⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Odgqdlnj.exeC:\Windows\system32\Odgqdlnj.exe42⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Pjdilcla.exeC:\Windows\system32\Pjdilcla.exe43⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3800 -
C:\Windows\SysWOW64\Pjffbc32.exeC:\Windows\system32\Pjffbc32.exe45⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Peljol32.exeC:\Windows\system32\Peljol32.exe46⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe47⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Pndohaqe.exeC:\Windows\system32\Pndohaqe.exe48⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe49⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\Pengdk32.exeC:\Windows\system32\Pengdk32.exe50⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Pkhoae32.exeC:\Windows\system32\Pkhoae32.exe51⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Pnfkma32.exeC:\Windows\system32\Pnfkma32.exe52⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe53⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe54⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Pkjlge32.exeC:\Windows\system32\Pkjlge32.exe55⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe56⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe57⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe58⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4448 -
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe60⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe61⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe62⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe64⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe65⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe66⤵PID:4408
-
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe67⤵PID:4772
-
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe68⤵PID:3888
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe69⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe70⤵PID:2460
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe71⤵PID:1084
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe72⤵PID:3652
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe73⤵PID:1208
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe74⤵PID:2940
-
C:\Windows\SysWOW64\Ahkobekf.exeC:\Windows\system32\Ahkobekf.exe75⤵PID:412
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe76⤵PID:2196
-
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe77⤵PID:536
-
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe78⤵PID:3832
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe79⤵PID:4748
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe80⤵PID:1560
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe81⤵PID:4452
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe82⤵PID:2732
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe83⤵PID:4268
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe84⤵PID:5004
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe85⤵PID:2232
-
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe86⤵PID:1136
-
C:\Windows\SysWOW64\Bhdbhcck.exeC:\Windows\system32\Bhdbhcck.exe87⤵PID:3268
-
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4344 -
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe89⤵PID:1040
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4740 -
C:\Windows\SysWOW64\Blbknaib.exeC:\Windows\system32\Blbknaib.exe91⤵PID:1596
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe92⤵PID:3504
-
C:\Windows\SysWOW64\Bdmpcdfm.exeC:\Windows\system32\Bdmpcdfm.exe93⤵PID:4436
-
C:\Windows\SysWOW64\Bobcpmfc.exeC:\Windows\system32\Bobcpmfc.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3968 -
C:\Windows\SysWOW64\Baaplhef.exeC:\Windows\system32\Baaplhef.exe95⤵PID:1564
-
C:\Windows\SysWOW64\Bdolhc32.exeC:\Windows\system32\Bdolhc32.exe96⤵PID:5156
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe97⤵PID:5212
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe98⤵PID:5260
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe99⤵PID:5304
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe100⤵PID:5340
-
C:\Windows\SysWOW64\Cliaoq32.exeC:\Windows\system32\Cliaoq32.exe101⤵PID:5380
-
C:\Windows\SysWOW64\Cogmkl32.exeC:\Windows\system32\Cogmkl32.exe102⤵PID:5428
-
C:\Windows\SysWOW64\Cafigg32.exeC:\Windows\system32\Cafigg32.exe103⤵PID:5472
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe104⤵PID:5532
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe105⤵PID:5572
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe106⤵PID:5616
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe107⤵PID:5656
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe108⤵PID:5700
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe109⤵PID:5736
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe110⤵PID:5788
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe111⤵PID:5832
-
C:\Windows\SysWOW64\Colffknh.exeC:\Windows\system32\Colffknh.exe112⤵PID:5872
-
C:\Windows\SysWOW64\Cbgbgj32.exeC:\Windows\system32\Cbgbgj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5912 -
C:\Windows\SysWOW64\Cefoce32.exeC:\Windows\system32\Cefoce32.exe114⤵PID:5960
-
C:\Windows\SysWOW64\Cdiooblp.exeC:\Windows\system32\Cdiooblp.exe115⤵PID:6004
-
C:\Windows\SysWOW64\Clpgpp32.exeC:\Windows\system32\Clpgpp32.exe116⤵PID:6052
-
C:\Windows\SysWOW64\Cehkhecb.exeC:\Windows\system32\Cehkhecb.exe117⤵
- Modifies registry class
PID:6096 -
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe118⤵PID:6136
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe119⤵PID:5172
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe120⤵PID:5228
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe121⤵PID:5288
-
C:\Windows\SysWOW64\Dekhneap.exeC:\Windows\system32\Dekhneap.exe122⤵PID:5240
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe123⤵PID:5376
-
C:\Windows\SysWOW64\Dldpkoil.exeC:\Windows\system32\Dldpkoil.exe124⤵PID:5468
-
C:\Windows\SysWOW64\Dkgqfl32.exeC:\Windows\system32\Dkgqfl32.exe125⤵PID:5548
-
C:\Windows\SysWOW64\Dboigi32.exeC:\Windows\system32\Dboigi32.exe126⤵PID:5600
-
C:\Windows\SysWOW64\Daaicfgd.exeC:\Windows\system32\Daaicfgd.exe127⤵PID:5676
-
C:\Windows\SysWOW64\Demecd32.exeC:\Windows\system32\Demecd32.exe128⤵PID:5748
-
C:\Windows\SysWOW64\Dhkapp32.exeC:\Windows\system32\Dhkapp32.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5820 -
C:\Windows\SysWOW64\Dkjmlk32.exeC:\Windows\system32\Dkjmlk32.exe130⤵PID:5904
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe131⤵PID:5944
-
C:\Windows\SysWOW64\Dadeieea.exeC:\Windows\system32\Dadeieea.exe132⤵PID:6016
-
C:\Windows\SysWOW64\Deoaid32.exeC:\Windows\system32\Deoaid32.exe133⤵PID:6072
-
C:\Windows\SysWOW64\Dhnnep32.exeC:\Windows\system32\Dhnnep32.exe134⤵PID:1184
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe135⤵PID:5208
-
C:\Windows\SysWOW64\Dohfbj32.exeC:\Windows\system32\Dohfbj32.exe136⤵PID:1060
-
C:\Windows\SysWOW64\Dafbne32.exeC:\Windows\system32\Dafbne32.exe137⤵PID:5368
-
C:\Windows\SysWOW64\Deanodkh.exeC:\Windows\system32\Deanodkh.exe138⤵PID:5508
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe139⤵PID:5592
-
C:\Windows\SysWOW64\Dllfkn32.exeC:\Windows\system32\Dllfkn32.exe140⤵PID:5688
-
C:\Windows\SysWOW64\Dojcgi32.exeC:\Windows\system32\Dojcgi32.exe141⤵PID:5808
-
C:\Windows\SysWOW64\Dahode32.exeC:\Windows\system32\Dahode32.exe142⤵PID:5924
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe143⤵PID:5988
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe144⤵PID:6120
-
C:\Windows\SysWOW64\Ekacmjgl.exeC:\Windows\system32\Ekacmjgl.exe145⤵PID:5256
-
C:\Windows\SysWOW64\Echknh32.exeC:\Windows\system32\Echknh32.exe146⤵PID:5364
-
C:\Windows\SysWOW64\Eefhjc32.exeC:\Windows\system32\Eefhjc32.exe147⤵
- Modifies registry class
PID:5584 -
C:\Windows\SysWOW64\Elppfmoo.exeC:\Windows\system32\Elppfmoo.exe148⤵PID:5804
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe149⤵PID:5996
-
C:\Windows\SysWOW64\Ecjhcg32.exeC:\Windows\system32\Ecjhcg32.exe150⤵PID:6132
-
C:\Windows\SysWOW64\Edkdkplj.exeC:\Windows\system32\Edkdkplj.exe151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5372 -
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe152⤵PID:5648
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe153⤵PID:5936
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe154⤵PID:5292
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe155⤵PID:5672
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe156⤵PID:5168
-
C:\Windows\SysWOW64\Eabbjc32.exeC:\Windows\system32\Eabbjc32.exe157⤵
- Drops file in System32 directory
PID:5252 -
C:\Windows\SysWOW64\Edpnfo32.exeC:\Windows\system32\Edpnfo32.exe158⤵PID:5780
-
C:\Windows\SysWOW64\Elgfgl32.exeC:\Windows\system32\Elgfgl32.exe159⤵PID:5812
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe160⤵PID:6164
-
C:\Windows\SysWOW64\Ehnglm32.exeC:\Windows\system32\Ehnglm32.exe161⤵PID:6208
-
C:\Windows\SysWOW64\Fkmchi32.exeC:\Windows\system32\Fkmchi32.exe162⤵PID:6248
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe163⤵PID:6292
-
C:\Windows\SysWOW64\Fdegandp.exeC:\Windows\system32\Fdegandp.exe164⤵
- Drops file in System32 directory
PID:6344 -
C:\Windows\SysWOW64\Fllpbldb.exeC:\Windows\system32\Fllpbldb.exe165⤵PID:6384
-
C:\Windows\SysWOW64\Fojlngce.exeC:\Windows\system32\Fojlngce.exe166⤵PID:6424
-
C:\Windows\SysWOW64\Faihkbci.exeC:\Windows\system32\Faihkbci.exe167⤵PID:6464
-
C:\Windows\SysWOW64\Fdgdgnbm.exeC:\Windows\system32\Fdgdgnbm.exe168⤵PID:6504
-
C:\Windows\SysWOW64\Flnlhk32.exeC:\Windows\system32\Flnlhk32.exe169⤵PID:6544
-
C:\Windows\SysWOW64\Fkalchij.exeC:\Windows\system32\Fkalchij.exe170⤵PID:6584
-
C:\Windows\SysWOW64\Fakdpb32.exeC:\Windows\system32\Fakdpb32.exe171⤵PID:6624
-
C:\Windows\SysWOW64\Flqimk32.exeC:\Windows\system32\Flqimk32.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6664 -
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe173⤵PID:6700
-
C:\Windows\SysWOW64\Fckajehi.exeC:\Windows\system32\Fckajehi.exe174⤵PID:6736
-
C:\Windows\SysWOW64\Ffimfqgm.exeC:\Windows\system32\Ffimfqgm.exe175⤵PID:6780
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe176⤵PID:6820
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe177⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6860 -
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6896 -
C:\Windows\SysWOW64\Fhjfhl32.exeC:\Windows\system32\Fhjfhl32.exe179⤵PID:6932
-
C:\Windows\SysWOW64\Gkhbdg32.exeC:\Windows\system32\Gkhbdg32.exe180⤵
- Drops file in System32 directory
PID:6972 -
C:\Windows\SysWOW64\Gododflk.exeC:\Windows\system32\Gododflk.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7012 -
C:\Windows\SysWOW64\Gdqgmmjb.exeC:\Windows\system32\Gdqgmmjb.exe182⤵PID:7052
-
C:\Windows\SysWOW64\Glhonj32.exeC:\Windows\system32\Glhonj32.exe183⤵PID:7096
-
C:\Windows\SysWOW64\Gfpcgpae.exeC:\Windows\system32\Gfpcgpae.exe184⤵
- Drops file in System32 directory
PID:7136 -
C:\Windows\SysWOW64\Gmjlcj32.exeC:\Windows\system32\Gmjlcj32.exe185⤵PID:6152
-
C:\Windows\SysWOW64\Gbgdlq32.exeC:\Windows\system32\Gbgdlq32.exe186⤵PID:6216
-
C:\Windows\SysWOW64\Ghaliknf.exeC:\Windows\system32\Ghaliknf.exe187⤵PID:6276
-
C:\Windows\SysWOW64\Gokdeeec.exeC:\Windows\system32\Gokdeeec.exe188⤵PID:6352
-
C:\Windows\SysWOW64\Gfembo32.exeC:\Windows\system32\Gfembo32.exe189⤵PID:6412
-
C:\Windows\SysWOW64\Gmoeoidl.exeC:\Windows\system32\Gmoeoidl.exe190⤵PID:6500
-
C:\Windows\SysWOW64\Gcimkc32.exeC:\Windows\system32\Gcimkc32.exe191⤵PID:6552
-
C:\Windows\SysWOW64\Gfgjgo32.exeC:\Windows\system32\Gfgjgo32.exe192⤵PID:6616
-
C:\Windows\SysWOW64\Hiefcj32.exeC:\Windows\system32\Hiefcj32.exe193⤵PID:6684
-
C:\Windows\SysWOW64\Hckjacjg.exeC:\Windows\system32\Hckjacjg.exe194⤵PID:6756
-
C:\Windows\SysWOW64\Helfik32.exeC:\Windows\system32\Helfik32.exe195⤵PID:6804
-
C:\Windows\SysWOW64\Hmcojh32.exeC:\Windows\system32\Hmcojh32.exe196⤵PID:6884
-
C:\Windows\SysWOW64\Hbpgbo32.exeC:\Windows\system32\Hbpgbo32.exe197⤵PID:6940
-
C:\Windows\SysWOW64\Hijooifk.exeC:\Windows\system32\Hijooifk.exe198⤵PID:3292
-
C:\Windows\SysWOW64\Hodgkc32.exeC:\Windows\system32\Hodgkc32.exe199⤵PID:2592
-
C:\Windows\SysWOW64\Hfnphn32.exeC:\Windows\system32\Hfnphn32.exe200⤵PID:6996
-
C:\Windows\SysWOW64\Hbeqmoji.exeC:\Windows\system32\Hbeqmoji.exe201⤵
- Modifies registry class
PID:7060 -
C:\Windows\SysWOW64\Hoiafcic.exeC:\Windows\system32\Hoiafcic.exe202⤵PID:7132
-
C:\Windows\SysWOW64\Iiaephpc.exeC:\Windows\system32\Iiaephpc.exe203⤵PID:6204
-
C:\Windows\SysWOW64\Icgjmapi.exeC:\Windows\system32\Icgjmapi.exe204⤵
- Modifies registry class
PID:6316 -
C:\Windows\SysWOW64\Imoneg32.exeC:\Windows\system32\Imoneg32.exe205⤵PID:6432
-
C:\Windows\SysWOW64\Ipnjab32.exeC:\Windows\system32\Ipnjab32.exe206⤵
- Drops file in System32 directory
PID:6536 -
C:\Windows\SysWOW64\Iblfnn32.exeC:\Windows\system32\Iblfnn32.exe207⤵PID:6660
-
C:\Windows\SysWOW64\Imakkfdg.exeC:\Windows\system32\Imakkfdg.exe208⤵PID:6748
-
C:\Windows\SysWOW64\Ickchq32.exeC:\Windows\system32\Ickchq32.exe209⤵PID:6852
-
C:\Windows\SysWOW64\Imdgqfbd.exeC:\Windows\system32\Imdgqfbd.exe210⤵
- Drops file in System32 directory
PID:6920 -
C:\Windows\SysWOW64\Ilghlc32.exeC:\Windows\system32\Ilghlc32.exe211⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Ifllil32.exeC:\Windows\system32\Ifllil32.exe212⤵PID:7048
-
C:\Windows\SysWOW64\Iikhfg32.exeC:\Windows\system32\Iikhfg32.exe213⤵
- Drops file in System32 directory
PID:7144 -
C:\Windows\SysWOW64\Icplcpgo.exeC:\Windows\system32\Icplcpgo.exe214⤵PID:6288
-
C:\Windows\SysWOW64\Jfoiokfb.exeC:\Windows\system32\Jfoiokfb.exe215⤵PID:6532
-
C:\Windows\SysWOW64\Jlkagbej.exeC:\Windows\system32\Jlkagbej.exe216⤵
- Modifies registry class
PID:6680 -
C:\Windows\SysWOW64\Jcbihpel.exeC:\Windows\system32\Jcbihpel.exe217⤵PID:6844
-
C:\Windows\SysWOW64\Jfaedkdp.exeC:\Windows\system32\Jfaedkdp.exe218⤵
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Jlnnmb32.exeC:\Windows\system32\Jlnnmb32.exe219⤵PID:7044
-
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe220⤵
- Modifies registry class
PID:6256 -
C:\Windows\SysWOW64\Jianff32.exeC:\Windows\system32\Jianff32.exe221⤵
- Modifies registry class
PID:6632 -
C:\Windows\SysWOW64\Jplfcpin.exeC:\Windows\system32\Jplfcpin.exe222⤵
- Modifies registry class
PID:6924 -
C:\Windows\SysWOW64\Jmpgldhg.exeC:\Windows\system32\Jmpgldhg.exe223⤵PID:7008
-
C:\Windows\SysWOW64\Jifhaenk.exeC:\Windows\system32\Jifhaenk.exe224⤵PID:6728
-
C:\Windows\SysWOW64\Jpppnp32.exeC:\Windows\system32\Jpppnp32.exe225⤵PID:7004
-
C:\Windows\SysWOW64\Kboljk32.exeC:\Windows\system32\Kboljk32.exe226⤵PID:6964
-
C:\Windows\SysWOW64\Kemhff32.exeC:\Windows\system32\Kemhff32.exe227⤵PID:6796
-
C:\Windows\SysWOW64\Kpbmco32.exeC:\Windows\system32\Kpbmco32.exe228⤵PID:6828
-
C:\Windows\SysWOW64\Kikame32.exeC:\Windows\system32\Kikame32.exe229⤵PID:7204
-
C:\Windows\SysWOW64\Kbceejpf.exeC:\Windows\system32\Kbceejpf.exe230⤵PID:7248
-
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe231⤵PID:7288
-
C:\Windows\SysWOW64\Kipkhdeq.exeC:\Windows\system32\Kipkhdeq.exe232⤵PID:7328
-
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe233⤵PID:7368
-
C:\Windows\SysWOW64\Kibgmdcn.exeC:\Windows\system32\Kibgmdcn.exe234⤵PID:7408
-
C:\Windows\SysWOW64\Kmncnb32.exeC:\Windows\system32\Kmncnb32.exe235⤵PID:7448
-
C:\Windows\SysWOW64\Kdgljmcd.exeC:\Windows\system32\Kdgljmcd.exe236⤵PID:7492
-
C:\Windows\SysWOW64\Lffhfh32.exeC:\Windows\system32\Lffhfh32.exe237⤵PID:7536
-
C:\Windows\SysWOW64\Lpnlpnih.exeC:\Windows\system32\Lpnlpnih.exe238⤵PID:7584
-
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe239⤵PID:7624
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe240⤵PID:7680
-
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe241⤵PID:7720
-
C:\Windows\SysWOW64\Lpcfkm32.exeC:\Windows\system32\Lpcfkm32.exe242⤵PID:7760