Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 20:24

Static task: static1

Behavioral task: behavioral1
Sample: 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe
Resource: win10v2004-20240426-en

General
Target: 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe
Size: 163KB
MD5: a84ae699edf16a12fc3094445c982c32
SHA1: 61f40fd56ba09eb51862e6aaab63610679cdfc42
SHA256: 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751
SHA512: 082fc22318187e895afa6a6ebb171e7cedd5c5d457435d2188c6ef516236e47953825a68df3e924f1deb898aaae856de06aad8cfc03ba1abf155bba1452939d9
SSDEEP: 1536:PiByfeNWEfPSEpB3dUdhKVRlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:eC/UPSGVRltOrWKDBr+yJb

Malware Config
Extracted: gozi

Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Detects executables built or packed with MPress PE compressor 64 IoCs
UPX dump on OEP (original entry point) 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 12112, pid_target: 11816, process: WerFault.exe, target process: Dmllipeg.exe
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gleeed32.dll" Ogjmdigk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copfjgjf.dll" Qbimoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aegikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfcibe32.dll" Blfdia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll" Icljbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anpncp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anbkio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Becifhfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckpjfm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe, Fmmfmbhn.exe, Fcgoilpj.exe, Fbioei32.exe, Ficgacna.exe, Fqkocpod.exe, Fcikolnh.exe, Ffggkgmk.exe, Fmapha32.exe, Fqmlhpla.exe, Fckhdk32.exe, Fbnhphbp.exe, Fmclmabe.exe, Fqohnp32.exe, Fbqefhpm.exe, Fjhmgeao.exe, Fqaeco32.exe, Fodeolof.exe, Gcpapkgp.exe, Gjjjle32.exe, Gmhfhp32.exe, Gogbdl32.exe
description pid process target process
PID 3540 wrote to memory of 1472 3540 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Fmmfmbhn.exe
PID 3540 wrote to memory of 1472 3540 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Fmmfmbhn.exe
PID 3540 wrote to memory of 1472 3540 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Fmmfmbhn.exe
PID 1472 wrote to memory of 924 1472 Fmmfmbhn.exe Fcgoilpj.exe
PID 1472 wrote to memory of 924 1472 Fmmfmbhn.exe Fcgoilpj.exe
PID 1472 wrote to memory of 924 1472 Fmmfmbhn.exe Fcgoilpj.exe
PID 924 wrote to memory of 3928 924 Fcgoilpj.exe Fbioei32.exe
PID 924 wrote to memory of 3928 924 Fcgoilpj.exe Fbioei32.exe
PID 924 wrote to memory of 3928 924 Fcgoilpj.exe Fbioei32.exe
PID 3928 wrote to memory of 3916 3928 Fbioei32.exe Ficgacna.exe
PID 3928 wrote to memory of 3916 3928 Fbioei32.exe Ficgacna.exe
PID 3928 wrote to memory of 3916 3928 Fbioei32.exe Ficgacna.exe
PID 3916 wrote to memory of 2012 3916 Ficgacna.exe Fqkocpod.exe
PID 3916 wrote to memory of 2012 3916 Ficgacna.exe Fqkocpod.exe
PID 3916 wrote to memory of 2012 3916 Ficgacna.exe Fqkocpod.exe
PID 2012 wrote to memory of 3488 2012 Fqkocpod.exe Fcikolnh.exe
PID 2012 wrote to memory of 3488 2012 Fqkocpod.exe Fcikolnh.exe
PID 2012 wrote to memory of 3488 2012 Fqkocpod.exe Fcikolnh.exe
PID 3488 wrote to memory of 5076 3488 Fcikolnh.exe Ffggkgmk.exe
PID 3488 wrote to memory of 5076 3488 Fcikolnh.exe Ffggkgmk.exe
PID 3488 wrote to memory of 5076 3488 Fcikolnh.exe Ffggkgmk.exe
PID 5076 wrote to memory of 3800 5076 Ffggkgmk.exe Fmapha32.exe
PID 5076 wrote to memory of 3800 5076 Ffggkgmk.exe Fmapha32.exe
PID 5076 wrote to memory of 3800 5076 Ffggkgmk.exe Fmapha32.exe
PID 3800 wrote to memory of 1180 3800 Fmapha32.exe Fqmlhpla.exe
PID 3800 wrote to memory of 1180 3800 Fmapha32.exe Fqmlhpla.exe
PID 3800 wrote to memory of 1180 3800 Fmapha32.exe Fqmlhpla.exe
PID 1180 wrote to memory of 3752 1180 Fqmlhpla.exe Fckhdk32.exe
PID 1180 wrote to memory of 3752 1180 Fqmlhpla.exe Fckhdk32.exe
PID 1180 wrote to memory of 3752 1180 Fqmlhpla.exe Fckhdk32.exe
PID 3752 wrote to memory of 3448 3752 Fckhdk32.exe Fbnhphbp.exe
PID 3752 wrote to memory of 3448 3752 Fckhdk32.exe Fbnhphbp.exe
PID 3752 wrote to memory of 3448 3752 Fckhdk32.exe Fbnhphbp.exe
PID 3448 wrote to memory of 3208 3448 Fbnhphbp.exe Fmclmabe.exe
PID 3448 wrote to memory of 3208 3448 Fbnhphbp.exe Fmclmabe.exe
PID 3448 wrote to memory of 3208 3448 Fbnhphbp.exe Fmclmabe.exe
PID 3208 wrote to memory of 2652 3208 Fmclmabe.exe Fqohnp32.exe
PID 3208 wrote to memory of 2652 3208 Fmclmabe.exe Fqohnp32.exe
PID 3208 wrote to memory of 2652 3208 Fmclmabe.exe Fqohnp32.exe
PID 2652 wrote to memory of 3876 2652 Fqohnp32.exe Fbqefhpm.exe
PID 2652 wrote to memory of 3876 2652 Fqohnp32.exe Fbqefhpm.exe
PID 2652 wrote to memory of 3876 2652 Fqohnp32.exe Fbqefhpm.exe
PID 3876 wrote to memory of 784 3876 Fbqefhpm.exe Fjhmgeao.exe
PID 3876 wrote to memory of 784 3876 Fbqefhpm.exe Fjhmgeao.exe
PID 3876 wrote to memory of 784 3876 Fbqefhpm.exe Fjhmgeao.exe
PID 784 wrote to memory of 2020 784 Fjhmgeao.exe Fqaeco32.exe
PID 784 wrote to memory of 2020 784 Fjhmgeao.exe Fqaeco32.exe
PID 784 wrote to memory of 2020 784 Fjhmgeao.exe Fqaeco32.exe
PID 2020 wrote to memory of 2096 2020 Fqaeco32.exe Fodeolof.exe
PID 2020 wrote to memory of 2096 2020 Fqaeco32.exe Fodeolof.exe
PID 2020 wrote to memory of 2096 2020 Fqaeco32.exe Fodeolof.exe
PID 2096 wrote to memory of 4488 2096 Fodeolof.exe Gcpapkgp.exe
PID 2096 wrote to memory of 4488 2096 Fodeolof.exe Gcpapkgp.exe
PID 2096 wrote to memory of 4488 2096 Fodeolof.exe Gcpapkgp.exe
PID 4488 wrote to memory of 1996 4488 Gcpapkgp.exe Gjjjle32.exe
PID 4488 wrote to memory of 1996 4488 Gcpapkgp.exe Gjjjle32.exe
PID 4488 wrote to memory of 1996 4488 Gcpapkgp.exe Gjjjle32.exe
PID 1996 wrote to memory of 3004 1996 Gjjjle32.exe Gmhfhp32.exe
PID 1996 wrote to memory of 3004 1996 Gjjjle32.exe Gmhfhp32.exe
PID 1996 wrote to memory of 3004 1996 Gjjjle32.exe Gmhfhp32.exe
PID 3004 wrote to memory of 3476 3004 Gmhfhp32.exe Gogbdl32.exe
PID 3004 wrote to memory of 3476 3004 Gmhfhp32.exe Gogbdl32.exe
PID 3004 wrote to memory of 3476 3004 Gmhfhp32.exe Gogbdl32.exe
PID 3476 wrote to memory of 4192 3476 Gogbdl32.exe Gbenqg32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe", tree depth 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Fmmfmbhn.exe (command line: C:\Windows\system32\Fmmfmbhn.exe, tree depth 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Fcgoilpj.exe (command line: C:\Windows\system32\Fcgoilpj.exe, tree depth 3)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Fbioei32.exe (command line: C:\Windows\system32\Fbioei32.exe, tree depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Ficgacna.exe (command line: C:\Windows\system32\Ficgacna.exe, tree depth 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Fqkocpod.exe (command line: C:\Windows\system32\Fqkocpod.exe, tree depth 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Fcikolnh.exe (command line: C:\Windows\system32\Fcikolnh.exe, tree depth 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Ffggkgmk.exe (command line: C:\Windows\system32\Ffggkgmk.exe, tree depth 8)
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Fmapha32.exe (command line: C:\Windows\system32\Fmapha32.exe, tree depth 9)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Windows\SysWOW64\Fqmlhpla.exe (command line: C:\Windows\system32\Fqmlhpla.exe, tree depth 10)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\Fckhdk32.exe (command line: C:\Windows\system32\Fckhdk32.exe, tree depth 11)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Fbnhphbp.exe (command line: C:\Windows\system32\Fbnhphbp.exe, tree depth 12)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Fmclmabe.exe (command line: C:\Windows\system32\Fmclmabe.exe, tree depth 13)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Fqohnp32.exe (command line: C:\Windows\system32\Fqohnp32.exe, tree depth 14)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Fbqefhpm.exe (command line: C:\Windows\system32\Fbqefhpm.exe, tree depth 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Fjhmgeao.exe (command line: C:\Windows\system32\Fjhmgeao.exe, tree depth 16)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Fqaeco32.exe (command line: C:\Windows\system32\Fqaeco32.exe, tree depth 17)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Fodeolof.exe (command line: C:\Windows\system32\Fodeolof.exe, tree depth 18)
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Gcpapkgp.exe (command line: C:\Windows\system32\Gcpapkgp.exe, tree depth 19)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Gjjjle32.exe (command line: C:\Windows\system32\Gjjjle32.exe, tree depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Gmhfhp32.exe (command line: C:\Windows\system32\Gmhfhp32.exe, tree depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Gogbdl32.exe (command line: C:\Windows\system32\Gogbdl32.exe, tree depth 22)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\Gbenqg32.exe (command line: C:\Windows\system32\Gbenqg32.exe, tree depth 23)
- Executes dropped EXE
- Drops file in System32 directory
PID:4192 -
C:\Windows\SysWOW64\Giofnacd.exe (command line: C:\Windows\system32\Giofnacd.exe, tree depth 24)
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Gqfooodg.exe (command line: C:\Windows\system32\Gqfooodg.exe, tree depth 25)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Gcekkjcj.exe (command line: C:\Windows\system32\Gcekkjcj.exe, tree depth 26)
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Gbgkfg32.exe (command line: C:\Windows\system32\Gbgkfg32.exe, tree depth 27)
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Gjocgdkg.exe (command line: C:\Windows\system32\Gjocgdkg.exe, tree depth 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Gmmocpjk.exe (command line: C:\Windows\system32\Gmmocpjk.exe, tree depth 29)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Gqikdn32.exe (command line: C:\Windows\system32\Gqikdn32.exe, tree depth 30)
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Gfedle32.exe (command line: C:\Windows\system32\Gfedle32.exe, tree depth 31)
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Gjapmdid.exe (command line: C:\Windows\system32\Gjapmdid.exe, tree depth 32)
- Executes dropped EXE
- Drops file in System32 directory
PID:3860 -
C:\Windows\SysWOW64\Gqkhjn32.exe (command line: C:\Windows\system32\Gqkhjn32.exe, tree depth 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3920 -
C:\Windows\SysWOW64\Gpnhekgl.exe (command line: C:\Windows\system32\Gpnhekgl.exe, tree depth 34)
- Executes dropped EXE
- Drops file in System32 directory
PID:3740 -
C:\Windows\SysWOW64\Gcidfi32.exe (command line: C:\Windows\system32\Gcidfi32.exe, tree depth 35)
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Gfhqbe32.exe (command line: C:\Windows\system32\Gfhqbe32.exe, tree depth 36)
- Executes dropped EXE
- Drops file in System32 directory
PID:4876 -
C:\Windows\SysWOW64\Gifmnpnl.exe (command line: C:\Windows\system32\Gifmnpnl.exe, tree depth 37)
- Executes dropped EXE
- Drops file in System32 directory
PID:3736 -
C:\Windows\SysWOW64\Gmaioo32.exe (command line: C:\Windows\system32\Gmaioo32.exe, tree depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3644 -
C:\Windows\SysWOW64\Gppekj32.exe (command line: C:\Windows\system32\Gppekj32.exe, tree depth 39)
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Hboagf32.exe (command line: C:\Windows\system32\Hboagf32.exe, tree depth 40)
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\Hfjmgdlf.exe (command line: C:\Windows\system32\Hfjmgdlf.exe, tree depth 41)
- Executes dropped EXE
PID:5036 -
C:\Windows\SysWOW64\Hihicplj.exe (command line: C:\Windows\system32\Hihicplj.exe, tree depth 42)
- Executes dropped EXE
PID:3536 -
C:\Windows\SysWOW64\Hapaemll.exe (command line: C:\Windows\system32\Hapaemll.exe, tree depth 43)
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Hpbaqj32.exe (command line: C:\Windows\system32\Hpbaqj32.exe, tree depth 44)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Hbanme32.exe (command line: C:\Windows\system32\Hbanme32.exe, tree depth 45)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Hjhfnccl.exe (command line: C:\Windows\system32\Hjhfnccl.exe, tree depth 46)
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Hikfip32.exe (command line: C:\Windows\system32\Hikfip32.exe, tree depth 47)
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Hmfbjnbp.exe (command line: C:\Windows\system32\Hmfbjnbp.exe, tree depth 48)
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Hpenfjad.exe (command line: C:\Windows\system32\Hpenfjad.exe, tree depth 49)
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Hbckbepg.exe (command line: C:\Windows\system32\Hbckbepg.exe, tree depth 50)
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Hjjbcbqj.exe (command line: C:\Windows\system32\Hjjbcbqj.exe, tree depth 51)
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Himcoo32.exe (command line: C:\Windows\system32\Himcoo32.exe, tree depth 52)
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Hadkpm32.exe (command line: C:\Windows\system32\Hadkpm32.exe, tree depth 53)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Hccglh32.exe (command line: C:\Windows\system32\Hccglh32.exe, tree depth 54)
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Hfachc32.exe (command line: C:\Windows\system32\Hfachc32.exe, tree depth 55)
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Hjmoibog.exe (command line: C:\Windows\system32\Hjmoibog.exe, tree depth 56)
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Haggelfd.exe (command line: C:\Windows\system32\Haggelfd.exe, tree depth 57)
- Executes dropped EXE
PID:3904 -
C:\Windows\SysWOW64\Hpihai32.exe (command line: C:\Windows\system32\Hpihai32.exe, tree depth 58)
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Hbhdmd32.exe (command line: C:\Windows\system32\Hbhdmd32.exe, tree depth 59)
- Executes dropped EXE
- Modifies registry class
PID:4596 -
C:\Windows\SysWOW64\Hjolnb32.exe (command line: C:\Windows\system32\Hjolnb32.exe, tree depth 60)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3272 -
C:\Windows\SysWOW64\Haidklda.exe (command line: C:\Windows\system32\Haidklda.exe, tree depth 61)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Ibjqcd32.exe (command line: C:\Windows\system32\Ibjqcd32.exe, tree depth 62)
- Executes dropped EXE
PID:3464 -
C:\Windows\SysWOW64\Iffmccbi.exe (command line: C:\Windows\system32\Iffmccbi.exe, tree depth 63)
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Iidipnal.exe (command line: C:\Windows\system32\Iidipnal.exe, tree depth 64)
- Executes dropped EXE
- Modifies registry class
PID:4700 -
C:\Windows\SysWOW64\Ipnalhii.exe (command line: C:\Windows\system32\Ipnalhii.exe, tree depth 65)
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ibmmhdhm.exe (command line: C:\Windows\system32\Ibmmhdhm.exe, tree depth 66)
PID:2684
-
C:\Windows\SysWOW64\Iiffen32.exe (command line: C:\Windows\system32\Iiffen32.exe, tree depth 67)
PID:4720
-
C:\Windows\SysWOW64\Imbaemhc.exe (command line: C:\Windows\system32\Imbaemhc.exe, tree depth 68)
PID:844
-
C:\Windows\SysWOW64\Ipqnahgf.exe (command line: C:\Windows\system32\Ipqnahgf.exe, tree depth 69)
PID:2492
-
C:\Windows\SysWOW64\Icljbg32.exe (command line: C:\Windows\system32\Icljbg32.exe, tree depth 70)
- Drops file in System32 directory
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Ifjfnb32.exe (command line: C:\Windows\system32\Ifjfnb32.exe, tree depth 71)
PID:4872
-
C:\Windows\SysWOW64\Ijfboafl.exe (command line: C:\Windows\system32\Ijfboafl.exe, tree depth 72)
- Modifies registry class
PID:8 -
C:\Windows\SysWOW64\Iapjlk32.exe (command line: C:\Windows\system32\Iapjlk32.exe, tree depth 73)
- Modifies registry class
PID:4648 -
C:\Windows\SysWOW64\Iapjlk32.exe (command line: C:\Windows\system32\Iapjlk32.exe, tree depth 74)
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Ipckgh32.exe (command line: C:\Windows\system32\Ipckgh32.exe, tree depth 75)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4976 -
C:\Windows\SysWOW64\Ibagcc32.exe (command line: C:\Windows\system32\Ibagcc32.exe, tree depth 76)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5008 -
C:\Windows\SysWOW64\Ifmcdblq.exe (command line: C:\Windows\system32\Ifmcdblq.exe, tree depth 77)
PID:3356
-
C:\Windows\SysWOW64\Iikopmkd.exe (command line: C:\Windows\system32\Iikopmkd.exe, tree depth 78)
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Iabgaklg.exe (command line: C:\Windows\system32\Iabgaklg.exe, tree depth 79)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316 -
C:\Windows\SysWOW64\Idacmfkj.exe (command line: C:\Windows\system32\Idacmfkj.exe, tree depth 80)
PID:3268
-
C:\Windows\SysWOW64\Ifopiajn.exe (command line: C:\Windows\system32\Ifopiajn.exe, tree depth 81)
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Iinlemia.exe (command line: C:\Windows\system32\Iinlemia.exe, tree depth 82)
PID:664
-
C:\Windows\SysWOW64\Jpgdbg32.exe (command line: C:\Windows\system32\Jpgdbg32.exe, tree depth 83)
PID:4588
-
C:\Windows\SysWOW64\Jbfpobpb.exe (command line: C:\Windows\system32\Jbfpobpb.exe, tree depth 84)
PID:1456
-
C:\Windows\SysWOW64\Jjmhppqd.exe (command line: C:\Windows\system32\Jjmhppqd.exe, tree depth 85)
PID:4768
-
C:\Windows\SysWOW64\Jmkdlkph.exe (command line: C:\Windows\system32\Jmkdlkph.exe, tree depth 86)
PID:780
-
C:\Windows\SysWOW64\Jagqlj32.exe (command line: C:\Windows\system32\Jagqlj32.exe, tree depth 87)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Jdemhe32.exe (command line: C:\Windows\system32\Jdemhe32.exe, tree depth 88)
PID:556
-
C:\Windows\SysWOW64\Jbhmdbnp.exe (command line: C:\Windows\system32\Jbhmdbnp.exe, tree depth 89)
PID:5136
-
C:\Windows\SysWOW64\Jjpeepnb.exe (command line: C:\Windows\system32\Jjpeepnb.exe, tree depth 90)
PID:5172
-
C:\Windows\SysWOW64\Jmnaakne.exe (command line: C:\Windows\system32\Jmnaakne.exe, tree depth 91)
PID:5220
-
C:\Windows\SysWOW64\Jplmmfmi.exe (command line: C:\Windows\system32\Jplmmfmi.exe, tree depth 92)
PID:5276
-
C:\Windows\SysWOW64\Jbkjjblm.exe (command line: C:\Windows\system32\Jbkjjblm.exe, tree depth 93)
PID:5344
-
C:\Windows\SysWOW64\Jjbako32.exe (command line: C:\Windows\system32\Jjbako32.exe, tree depth 94)
PID:5404
-
C:\Windows\SysWOW64\Jmpngk32.exe (command line: C:\Windows\system32\Jmpngk32.exe, tree depth 95)
PID:5444
-
C:\Windows\SysWOW64\Jpojcf32.exe (command line: C:\Windows\system32\Jpojcf32.exe, tree depth 96)
PID:5484
-
C:\Windows\SysWOW64\Jbmfoa32.exe (command line: C:\Windows\system32\Jbmfoa32.exe, tree depth 97)
PID:5520
-
C:\Windows\SysWOW64\Jkdnpo32.exe (command line: C:\Windows\system32\Jkdnpo32.exe, tree depth 98)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5568 -
C:\Windows\SysWOW64\Jigollag.exe (command line: C:\Windows\system32\Jigollag.exe, tree depth 99)
PID:5608
-
C:\Windows\SysWOW64\Jmbklj32.exe (command line: C:\Windows\system32\Jmbklj32.exe, tree depth 100)
PID:5652
-
C:\Windows\SysWOW64\Jpaghf32.exe (command line: C:\Windows\system32\Jpaghf32.exe, tree depth 101)
PID:5696
-
C:\Windows\SysWOW64\Jfkoeppq.exe (command line: C:\Windows\system32\Jfkoeppq.exe, tree depth 102)
PID:5736
-
C:\Windows\SysWOW64\Jiikak32.exe (command line: C:\Windows\system32\Jiikak32.exe, tree depth 103)
PID:5776
-
C:\Windows\SysWOW64\Kaqcbi32.exe (command line: C:\Windows\system32\Kaqcbi32.exe, tree depth 104)
- Drops file in System32 directory
- Modifies registry class
PID:5820 -
C:\Windows\SysWOW64\Kmnjhioc.exe (command line: C:\Windows\system32\Kmnjhioc.exe, tree depth 105)
- Drops file in System32 directory
PID:5868 -
C:\Windows\SysWOW64\Kdhbec32.exe (command line: C:\Windows\system32\Kdhbec32.exe, tree depth 106)
PID:5908
-
C:\Windows\SysWOW64\Kdhbec32.exe (command line: C:\Windows\system32\Kdhbec32.exe, tree depth 107)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5932 -
C:\Windows\SysWOW64\Kgfoan32.exe (command line: C:\Windows\system32\Kgfoan32.exe, tree depth 108)
PID:5972
-
C:\Windows\SysWOW64\Kkbkamnl.exe (command line: C:\Windows\system32\Kkbkamnl.exe, tree depth 109)
PID:6012
-
C:\Windows\SysWOW64\Liekmj32.exe (command line: C:\Windows\system32\Liekmj32.exe, tree depth 110)
PID:6048
-
C:\Windows\SysWOW64\Lalcng32.exe (command line: C:\Windows\system32\Lalcng32.exe, tree depth 111)
PID:6100
-
C:\Windows\SysWOW64\Lpocjdld.exe (command line: C:\Windows\system32\Lpocjdld.exe, tree depth 112)
PID:6132
-
C:\Windows\SysWOW64\Ldkojb32.exe (command line: C:\Windows\system32\Ldkojb32.exe, tree depth 113)
PID:5260
-
C:\Windows\SysWOW64\Lgikfn32.exe (command line: C:\Windows\system32\Lgikfn32.exe, tree depth 114)
PID:5316
-
C:\Windows\SysWOW64\Lkdggmlj.exe (command line: C:\Windows\system32\Lkdggmlj.exe, tree depth 115)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Laopdgcg.exe (command line: C:\Windows\system32\Laopdgcg.exe, tree depth 116)
PID:5560
-
C:\Windows\SysWOW64\Lpappc32.exe (command line: C:\Windows\system32\Lpappc32.exe, tree depth 117)
PID:5284
-
C:\Windows\SysWOW64\Lcpllo32.exe (command line: C:\Windows\system32\Lcpllo32.exe, tree depth 118)
PID:5728
-
C:\Windows\SysWOW64\Lgkhlnbn.exe (command line: C:\Windows\system32\Lgkhlnbn.exe, tree depth 119)
- Modifies registry class
PID:5788 -
C:\Windows\SysWOW64\Lkgdml32.exe (command line: C:\Windows\system32\Lkgdml32.exe, tree depth 120)
PID:5836
-
C:\Windows\SysWOW64\Lnepih32.exe (command line: C:\Windows\system32\Lnepih32.exe, tree depth 121)
PID:5360
-
C:\Windows\SysWOW64\Lpcmec32.exe (command line: C:\Windows\system32\Lpcmec32.exe, tree depth 122)
PID:5956
-
C:\Windows\SysWOW64\Ldohebqh.exe (command line: C:\Windows\system32\Ldohebqh.exe, tree depth 123)
PID:6032
-
C:\Windows\SysWOW64\Lgneampk.exe (command line: C:\Windows\system32\Lgneampk.exe, tree depth 124)
PID:6108
-
C:\Windows\SysWOW64\Lkiqbl32.exe (command line: C:\Windows\system32\Lkiqbl32.exe, tree depth 125)
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Lilanioo.exe (command line: C:\Windows\system32\Lilanioo.exe, tree depth 126)
- Drops file in System32 directory
PID:5556 -
C:\Windows\SysWOW64\Laciofpa.exe (command line: C:\Windows\system32\Laciofpa.exe, tree depth 127)
PID:2348
-
C:\Windows\SysWOW64\Ldaeka32.exe (command line: C:\Windows\system32\Ldaeka32.exe, tree depth 128)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5588 -
C:\Windows\SysWOW64\Lgpagm32.exe (command line: C:\Windows\system32\Lgpagm32.exe, tree depth 129)
- Drops file in System32 directory
PID:5628 -
C:\Windows\SysWOW64\Lklnhlfb.exe (command line: C:\Windows\system32\Lklnhlfb.exe, tree depth 130)
PID:6020
-
C:\Windows\SysWOW64\Ljnnch32.exe (command line: C:\Windows\system32\Ljnnch32.exe, tree depth 131)
PID:904
-
C:\Windows\SysWOW64\Lnjjdgee.exe (command line: C:\Windows\system32\Lnjjdgee.exe, tree depth 132)
PID:5600
-
C:\Windows\SysWOW64\Lphfpbdi.exe (command line: C:\Windows\system32\Lphfpbdi.exe, tree depth 133)
PID:5508
-
C:\Windows\SysWOW64\Lddbqa32.exe (command line: C:\Windows\system32\Lddbqa32.exe, tree depth 134)
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Lcgblncm.exe (command line: C:\Windows\system32\Lcgblncm.exe, tree depth 135)
PID:6080
-
C:\Windows\SysWOW64\Lknjmkdo.exe (command line: C:\Windows\system32\Lknjmkdo.exe, tree depth 136)
PID:5424
-
C:\Windows\SysWOW64\Mjqjih32.exe (command line: C:\Windows\system32\Mjqjih32.exe, tree depth 137)
PID:5544
-
C:\Windows\SysWOW64\Mahbje32.exe (command line: C:\Windows\system32\Mahbje32.exe, tree depth 138)
PID:5428
-
C:\Windows\SysWOW64\Mpkbebbf.exe (command line: C:\Windows\system32\Mpkbebbf.exe, tree depth 139)
PID:6088
-
C:\Windows\SysWOW64\Mciobn32.exe (command line: C:\Windows\system32\Mciobn32.exe, tree depth 140)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5616 -
C:\Windows\SysWOW64\Mkpgck32.exe (command line: C:\Windows\system32\Mkpgck32.exe, tree depth 141)
PID:6184
-
C:\Windows\SysWOW64\Mnocof32.exe (command line: C:\Windows\system32\Mnocof32.exe, tree depth 142)
- Drops file in System32 directory
PID:6228 -
C:\Windows\SysWOW64\Majopeii.exe (command line: C:\Windows\system32\Majopeii.exe, tree depth 143)
PID:6264
-
C:\Windows\SysWOW64\Mgghhlhq.exe (command line: C:\Windows\system32\Mgghhlhq.exe, tree depth 144)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6320 -
C:\Windows\SysWOW64\Mjeddggd.exe (command line: C:\Windows\system32\Mjeddggd.exe, tree depth 145)
PID:6384
-
C:\Windows\SysWOW64\Mnapdf32.exe (command line: C:\Windows\system32\Mnapdf32.exe, tree depth 146)
PID:6440
-
C:\Windows\SysWOW64\Mpolqa32.exe (command line: C:\Windows\system32\Mpolqa32.exe, tree depth 147)
PID:6480
-
C:\Windows\SysWOW64\Mcnhmm32.exe (command line: C:\Windows\system32\Mcnhmm32.exe, tree depth 148)
- Modifies registry class
PID:6516 -
C:\Windows\SysWOW64\Mkepnjng.exe (command line: C:\Windows\system32\Mkepnjng.exe, tree depth 149)
PID:6568
-
C:\Windows\SysWOW64\Mncmjfmk.exe (command line: C:\Windows\system32\Mncmjfmk.exe, tree depth 150)
PID:6608
-
C:\Windows\SysWOW64\Maohkd32.exe (command line: C:\Windows\system32\Maohkd32.exe, tree depth 151)
PID:6640
-
C:\Windows\SysWOW64\Mdmegp32.exe (command line: C:\Windows\system32\Mdmegp32.exe, tree depth 152)
PID:6688
-
C:\Windows\SysWOW64\Mglack32.exe (command line: C:\Windows\system32\Mglack32.exe, tree depth 153)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6724 -
C:\Windows\SysWOW64\Mkgmcjld.exe (command line: C:\Windows\system32\Mkgmcjld.exe, tree depth 154)
PID:6768
-
C:\Windows\SysWOW64\Mjjmog32.exe (command line: C:\Windows\system32\Mjjmog32.exe, tree depth 155)
PID:6816
-
C:\Windows\SysWOW64\Maaepd32.exe (command line: C:\Windows\system32\Maaepd32.exe, tree depth 156)
- Drops file in System32 directory
PID:6856 -
C:\Windows\SysWOW64\Mdpalp32.exe (command line: C:\Windows\system32\Mdpalp32.exe, tree depth 157)
PID:6900
-
C:\Windows\SysWOW64\Mgnnhk32.exe (command line: C:\Windows\system32\Mgnnhk32.exe, tree depth 158)
- Drops file in System32 directory
PID:6944 -
C:\Windows\SysWOW64\Njljefql.exe (command line: C:\Windows\system32\Njljefql.exe, tree depth 159)
PID:6996
-
C:\Windows\SysWOW64\Nnhfee32.exe (command line: C:\Windows\system32\Nnhfee32.exe, tree depth 160)
PID:7032
-
C:\Windows\SysWOW64\Nqfbaq32.exe (command line: C:\Windows\system32\Nqfbaq32.exe, tree depth 161)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7068 -
C:\Windows\SysWOW64\Ndbnboqb.exe (command line: C:\Windows\system32\Ndbnboqb.exe, tree depth 162)
PID:7112
-
C:\Windows\SysWOW64\Nceonl32.exe (command line: C:\Windows\system32\Nceonl32.exe, tree depth 163)
PID:7148
-
C:\Windows\SysWOW64\Nklfoi32.exe (command line: C:\Windows\system32\Nklfoi32.exe, tree depth 164)
PID:6164
-
C:\Windows\SysWOW64\Nnjbke32.exe (command line: C:\Windows\system32\Nnjbke32.exe, tree depth 165)
PID:6208
-
C:\Windows\SysWOW64\Nddkgonp.exe (command line: C:\Windows\system32\Nddkgonp.exe, tree depth 166)
PID:6300
-
C:\Windows\SysWOW64\Ngcgcjnc.exe (command line: C:\Windows\system32\Ngcgcjnc.exe, tree depth 167)
PID:6400
-
C:\Windows\SysWOW64\Nkncdifl.exe (command line: C:\Windows\system32\Nkncdifl.exe, tree depth 168)
- Modifies registry class
PID:6476 -
C:\Windows\SysWOW64\Njacpf32.exe (command line: C:\Windows\system32\Njacpf32.exe, tree depth 169)
PID:6512
-
C:\Windows\SysWOW64\Nqklmpdd.exe (command line: C:\Windows\system32\Nqklmpdd.exe, tree depth 170)
PID:6596
-
C:\Windows\SysWOW64\Ngedij32.exe (command line: C:\Windows\system32\Ngedij32.exe, tree depth 171)
PID:6676
-
C:\Windows\SysWOW64\Nkqpjidj.exe (command line: C:\Windows\system32\Nkqpjidj.exe, tree depth 172)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6732 -
C:\Windows\SysWOW64\Njcpee32.exe (command line: C:\Windows\system32\Njcpee32.exe, tree depth 173)
PID:6796
-
C:\Windows\SysWOW64\Nbkhfc32.exe (command line: C:\Windows\system32\Nbkhfc32.exe, tree depth 174)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6840 -
C:\Windows\SysWOW64\Nqmhbpba.exe (command line: C:\Windows\system32\Nqmhbpba.exe, tree depth 175)
PID:6928
-
C:\Windows\SysWOW64\Ncldnkae.exe (command line: C:\Windows\system32\Ncldnkae.exe, tree depth 176)
PID:6984
-
C:\Windows\SysWOW64\Njfmke32.exe (command line: C:\Windows\system32\Njfmke32.exe, tree depth 177)
PID:7060
-
C:\Windows\SysWOW64\Nqpego32.exe (command line: C:\Windows\system32\Nqpego32.exe, tree depth 178)
PID:7140
-
C:\Windows\SysWOW64\Ncnadk32.exe (command line: C:\Windows\system32\Ncnadk32.exe, tree depth 179)
PID:5832
-
C:\Windows\SysWOW64\Ogjmdigk.exe (command line: C:\Windows\system32\Ogjmdigk.exe, tree depth 180)
- Modifies registry class
PID:6256 -
C:\Windows\SysWOW64\Ojhiqefo.exe (command line: C:\Windows\system32\Ojhiqefo.exe, tree depth 181)
PID:6376
-
C:\Windows\SysWOW64\Oboaabga.exe (command line: C:\Windows\system32\Oboaabga.exe, tree depth 182)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6524 -
C:\Windows\SysWOW64\Odnnnnfe.exe (command line: C:\Windows\system32\Odnnnnfe.exe, tree depth 183)
PID:6616
-
C:\Windows\SysWOW64\Ocqnij32.exe (command line: C:\Windows\system32\Ocqnij32.exe, tree depth 184)
PID:6716
-
C:\Windows\SysWOW64\Ojjffddl.exe (command line: C:\Windows\system32\Ojjffddl.exe, tree depth 185)
PID:6844
-
C:\Windows\SysWOW64\Obangb32.exe (command line: C:\Windows\system32\Obangb32.exe, tree depth 186)
- Drops file in System32 directory
PID:6980 -
C:\Windows\SysWOW64\Occkojkm.exe (command line: C:\Windows\system32\Occkojkm.exe, tree depth 187)
PID:7056
-
C:\Windows\SysWOW64\Okjbpglo.exe (command line: C:\Windows\system32\Okjbpglo.exe, tree depth 188)
PID:5288
-
C:\Windows\SysWOW64\Onholckc.exe (command line: C:\Windows\system32\Onholckc.exe, tree depth 189)
PID:6340
-
C:\Windows\SysWOW64\Obdkma32.exe (command line: C:\Windows\system32\Obdkma32.exe, tree depth 190)
PID:6556
-
C:\Windows\SysWOW64\Odbgim32.exe (command line: C:\Windows\system32\Odbgim32.exe, tree depth 191)
PID:6680
-
C:\Windows\SysWOW64\Ocegdjij.exe (command line: C:\Windows\system32\Ocegdjij.exe, tree depth 192)
PID:6892
-
C:\Windows\SysWOW64\Okloegjl.exe (command line: C:\Windows\system32\Okloegjl.exe, tree depth 193)
- Drops file in System32 directory
PID:7052 -
C:\Windows\SysWOW64\Obfhba32.exe (command line: C:\Windows\system32\Obfhba32.exe, tree depth 194)
PID:6276
-
C:\Windows\SysWOW64\Odednmpm.exe (command line: C:\Windows\system32\Odednmpm.exe, tree depth 195)
- Modifies registry class
PID:6636 -
C:\Windows\SysWOW64\Odgqdlnj.exe (command line: C:\Windows\system32\Odgqdlnj.exe, tree depth 196)
PID:6968
-
C:\Windows\SysWOW64\Pgemphmn.exe (command line: C:\Windows\system32\Pgemphmn.exe, tree depth 197)
PID:6212
-
C:\Windows\SysWOW64\Pjdilcla.exe (command line: C:\Windows\system32\Pjdilcla.exe, tree depth 198)
PID:6848
-
C:\Windows\SysWOW64\Pnpemb32.exe (command line: C:\Windows\system32\Pnpemb32.exe, tree depth 199)
PID:6148
-
C:\Windows\SysWOW64\Peimil32.exe (command line: C:\Windows\system32\Peimil32.exe, tree depth 200)
PID:6576
-
C:\Windows\SysWOW64\Pclneicb.exe (command line: C:\Windows\system32\Pclneicb.exe, tree depth 201)
PID:7180
-
C:\Windows\SysWOW64\Pjffbc32.exe (command line: C:\Windows\system32\Pjffbc32.exe, tree depth 202)
PID:7216
-
C:\Windows\SysWOW64\Pnbbbabh.exe (command line: C:\Windows\system32\Pnbbbabh.exe, tree depth 203)
PID:7260
-
C:\Windows\SysWOW64\Pqpnombl.exe (command line: C:\Windows\system32\Pqpnombl.exe, tree depth 204)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7296 -
C:\Windows\SysWOW64\Pcojkhap.exe (command line: C:\Windows\system32\Pcojkhap.exe, tree depth 205)
PID:7336
-
C:\Windows\SysWOW64\Pkfblfab.exe (command line: C:\Windows\system32\Pkfblfab.exe, tree depth 206)
- Modifies registry class
PID:7376 -
C:\Windows\SysWOW64\Pndohaqe.exe (command line: C:\Windows\system32\Pndohaqe.exe, tree depth 207)
PID:7416
-
C:\Windows\SysWOW64\Pbpjhp32.exe (command line: C:\Windows\system32\Pbpjhp32.exe, tree depth 208)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7452 -
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe209⤵PID:7488
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe210⤵PID:7536
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe211⤵PID:7572
-
C:\Windows\SysWOW64\Pbbgnpgl.exeC:\Windows\system32\Pbbgnpgl.exe212⤵PID:7608
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe213⤵
- Modifies registry class
PID:7644 -
C:\Windows\SysWOW64\Peqcjkfp.exeC:\Windows\system32\Peqcjkfp.exe214⤵PID:7688
-
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7728 -
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe216⤵
- Modifies registry class
PID:7764 -
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe217⤵PID:7816
-
C:\Windows\SysWOW64\Qecppkdm.exeC:\Windows\system32\Qecppkdm.exe218⤵PID:7876
-
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe219⤵
- Modifies registry class
PID:7916 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe220⤵
- Modifies registry class
PID:7952 -
C:\Windows\SysWOW64\Qnkdhpjn.exeC:\Windows\system32\Qnkdhpjn.exe221⤵
- Modifies registry class
PID:7992 -
C:\Windows\SysWOW64\Qajadlja.exeC:\Windows\system32\Qajadlja.exe222⤵PID:8028
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe223⤵PID:8064
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe224⤵PID:8104
-
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe225⤵PID:8144
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe226⤵
- Modifies registry class
PID:8180 -
C:\Windows\SysWOW64\Aegikj32.exeC:\Windows\system32\Aegikj32.exe227⤵
- Modifies registry class
PID:7236 -
C:\Windows\SysWOW64\Agffge32.exeC:\Windows\system32\Agffge32.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7288 -
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe229⤵PID:7392
-
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe230⤵
- Drops file in System32 directory
- Modifies registry class
PID:7444 -
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe231⤵PID:7532
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7600 -
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe233⤵PID:7656
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7736 -
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe235⤵
- Modifies registry class
PID:7800 -
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe236⤵PID:7856
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe237⤵PID:7960
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe238⤵
- Drops file in System32 directory
PID:8008 -
C:\Windows\SysWOW64\Aeopki32.exeC:\Windows\system32\Aeopki32.exe239⤵PID:8092
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:8140 -
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe241⤵PID:7204
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe242⤵PID:7384
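A parser for this kind of listing, added here as an example; it is not part of the sandbox report or the vendor's tooling. It takes the process tree in the form it comes out when copied from the rendered report (image path, command line and nesting depth run together on one line with the ⤵ glyph after the depth, then signature bullets and a "PID:NNNN -" line, or the PID inline) and turns it into records you can query: whether the entries form one unbroken parent-child chain, which PIDs set startup persistence, whether each image is a WOW64-redirected 32-bit process, and whether any image name breaks the eight-character naming seen throughout this chain. The embedded sample is four entries copied from the chain; the assumption that command lines carry no arguments and the naming regex are observations made for this example, not statements from the report.

```python
"""Parse a copy-pasted sandbox process-tree chain into structured records.

Added example for this report, not sandbox-vendor tooling. Assumed input: the
rendered tree copied as text, one process per line with the image path, the
command line and the nesting depth run together, the depth followed by the
'⤵' glyph, then either 'PID:NNNN' on the same line or '- <signature>' lines
and a 'PID:NNNN -' line below it. Command lines are assumed to carry no
arguments (true for every entry in this chain).
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four entries copied from the chain, in the raw pasted form.
SAMPLE = r"""
C:\Windows\SysWOW64\Obangb32.exeC:\Windows\system32\Obangb32.exe186⤵
- Drops file in System32 directory
PID:6980 -
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe187⤵PID:7056
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7296 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe230⤵
- Drops file in System32 directory
- Modifies registry class
PID:7444 -
"""

HEADER_RE = re.compile(
    r"^(?P<image>[A-Za-z]:\\.*?\.exe)"   # executing image: first path on the line
    r"(?P<cmdline>[A-Za-z]:\\.*?)"       # command line as invoked: second path
    r"(?P<depth>\d+)⤵"                   # nesting depth, then the tree glyph
    r"(?:PID:(?P<pid>\d+))?$"            # PID may be fused onto the same line
)
PID_RE = re.compile(r"^PID:(?P<pid>\d+)\s*-?$")
SIG_RE = re.compile(r"^-\s+(?P<sig>\S.*)$")


@dataclass
class ProcessNode:
    depth: int
    image: str
    cmdline: str
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return ntpath.basename(self.image)


def parse_tree(text: str) -> List[ProcessNode]:
    nodes: List[ProcessNode] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank line or empty bullet left by extraction
            continue
        m = HEADER_RE.match(line)
        if m:
            nodes.append(ProcessNode(int(m["depth"]), m["image"], m["cmdline"],
                                     int(m["pid"]) if m["pid"] else None))
            continue
        if not nodes:
            raise ValueError(f"attribute line before any process: {line!r}")
        if (pm := PID_RE.match(line)):
            nodes[-1].pid = int(pm["pid"])
        elif (sm := SIG_RE.match(line)):
            nodes[-1].signatures.append(sm["sig"].strip())
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return nodes


def is_contiguous_chain(nodes: List[ProcessNode]) -> bool:
    """True when every entry is a child of the one before it (depth rises by exactly 1)."""
    return all(b.depth == a.depth + 1 for a, b in zip(nodes, nodes[1:]))


def is_wow64_redirected(node: ProcessNode) -> bool:
    """Image runs from SysWOW64 although the command line names system32: the
    mark of a 32-bit process on x64 Windows, where WOW64 file-system
    redirection maps system32 to SysWOW64."""
    return (ntpath.dirname(node.image).lower() == r"c:\windows\syswow64"
            and ntpath.dirname(node.cmdline).lower() == r"c:\windows\system32")


def persistence_pids(nodes: List[ProcessNode]) -> List[int]:
    """PIDs whose signatures include an autorun (startup persistence) hit."""
    return [n.pid for n in nodes if any("autorun" in s.lower() for s in n.signatures)]


# Observed on this listing only (assumption, not a family rule): every image
# name is eight characters, capitalised, optionally ending in '32'.
NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")


def off_pattern_names(nodes: List[ProcessNode]) -> List[str]:
    """Image names that break the observed pattern; worth a second look if non-empty."""
    return [n.name for n in nodes if not NAME_RE.match(n.name)]


def render(node: ProcessNode) -> str:
    """One-entry-per-line form with the fused fields separated."""
    sigs = "".join(f"\n- {s}" for s in node.signatures)
    return f"[{node.depth}] {node.image} (command line: {node.cmdline}) PID:{node.pid}{sigs}"


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    print(f"{len(tree)} processes, contiguous chain: {is_contiguous_chain(tree)}")
    print("autorun persistence set by PIDs:", persistence_pids(tree))
    print("off-pattern names:", off_pattern_names(tree))
    for n in tree:
        print(render(n), "(WOW64 redirected)" if is_wow64_redirected(n) else "")
```

Paste the full chain into SAMPLE (or read it from a file) and is_contiguous_chain tells you whether you captured every stage; on the four sampled entries it is False because depths 188 to 203 and 205 to 229 are not in the sample. persistence_pids is the list to pivot on when pulling the registry events for the "Adds autorun key" hits, and off_pattern_names is a cheap way to spot a stage that was not produced by the same generator as the rest.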