Analysis
max time kernel: 148s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 01:27
Static task: static1
Behavioral task: behavioral1
Sample: 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe
Resource: win10v2004-20240426-en
General
Target: 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe
Size: 163KB
MD5: 1279c428f04724bef3db83bb55c8aade
SHA1: 01ad883b33cdf4e3756e0611fd39fef2ef026e17
SHA256: 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3
SHA512: cca92feec56f7d5e9570a5677a5ec2a09fc2194ad5bb4fd93d764f8566b0704723e3e40736db5629337076db52166ec22a835664ad63e4b1e4dcce48031d828f
SSDEEP: 3072:aCTKQvguDl8OW9BtVlaltOrWKDBr+yJb:aCuQvguDl8OWVaLOf
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Detects executables built or packed with MPress PE compressor 64 IoCs
UPX dump on OEP (original entry point) 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
pid: 4028, pid_target: 768
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhbed32.dll" Dcmpcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifjbd32.dll" Afcghbgp.exe -
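The rows above are the report's "description / ioc / process" table flattened into running text. Read together they describe one persistence mechanism: the dropped components create a single CLSID under the 32-bit (Wow6432Node) Classes view, point its InProcServer32 default value at whichever DLL was just dropped into SysWow64, and (per the "Adds autorun key to be loaded by Explorer.exe on startup" signature further down) reference that CLSID from ShellServiceObjectDelayLoad so the shell loads the DLL at logon. The Python below is an added example and is not part of the sandbox report or of the sample: it parses text in this flattened layout into records and resolves the SSODL value name to its CLSID and on to every DLL registered as that CLSID's in-process server. The five CLSID records in the sample input are copied from the rows above; the SSODL record's value name "Example Loader" is a placeholder chosen for the example.

```python
import re
from collections import defaultdict

GUID = '79FEACFF-FFCE-815E-A900-316290B5B738'
CLSID_PATH = (r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{' + GUID
              + r'}\InProcServer32')
SSODL_PATH = (r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows'
              r'\CurrentVersion\ShellServiceObjectDelayLoad')

# Constructed sample in the report's run-together layout. The five CLSID records are
# copied from the "Modifies registry class" rows; the SSODL record's value name
# "Example Loader" is a placeholder, not a name taken from the report.
SAMPLE = ' '.join([
    'Set value (str) ' + SSODL_PATH + r'\Example Loader = "{' + GUID + '}" Mlfacfpc.exe',
    'Set value (str) ' + CLSID_PATH + r'\ThreadingModel = "Apartment" Gnaooi32.exe',
    'Set value (str) ' + CLSID_PATH + r'\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll" Bnfddp32.exe',
    'Key created ' + CLSID_PATH,
    'Set value (str) ' + CLSID_PATH + r'\ = "C:\\Windows\\SysWow64\\Mofeco32.dll"',
    'Key created ' + CLSID_PATH + ' Edoefl32.exe',
])

# One record = operation, registry path, optional quoted data, optional writing process.
# The process column is optional because the report omits it on many rows.
RECORD = re.compile(
    r'(?:(?P<set>Set value \(str\)) (?P<spath>\\REGISTRY\\.+?) = "(?P<data>[^"]*)"'
    r'|(?P<key>Key created) (?P<kpath>\\REGISTRY\\\S+))'
    r'(?: (?P<proc>[A-Za-z0-9_]+\.exe))?'
)
# InProcServer32 default value: path ends in "...\CLSID\{guid}\InProcServer32\".
CLSID_RE = re.compile(r'\\CLSID\\\{(?P<clsid>[0-9A-Fa-f-]+)\}\\InProcServer32\\$')
# SSODL value: path ends in "...\ShellServiceObjectDelayLoad\<value name>".
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$')


def parse_records(text):
    """Split flattened report text into registry-operation records."""
    records = []
    for m in RECORD.finditer(text):
        if m.group('set'):
            # The report doubles backslashes inside quoted data; undo that.
            rec = {'op': 'set', 'path': m.group('spath'),
                   'data': m.group('data').replace('\\\\', '\\')}
        else:
            rec = {'op': 'create', 'path': m.group('kpath'), 'data': None}
        rec['proc'] = m.group('proc')
        records.append(rec)
    return records


def resolve_persistence(records):
    """Map SSODL value names to the DLLs their CLSID resolves to, plus who wrote them."""
    servers = defaultdict(set)   # clsid -> DLL paths registered as its in-proc server
    ssodl = {}                   # SSODL value name -> clsid it points at
    writers = set()
    for r in records:
        if r['proc']:
            writers.add(r['proc'])
        if r['op'] != 'set':
            continue
        m = CLSID_RE.search(r['path'])
        if m:
            servers[m.group('clsid').upper()].add(r['data'])
            continue
        m = SSODL_RE.search(r['path'])
        if m:
            ssodl[m.group('name')] = r['data'].strip('{}').upper()
    chain = {name: sorted(servers.get(clsid, ())) for name, clsid in ssodl.items()}
    return {'ssodl': ssodl,
            'servers': {k: sorted(v) for k, v in servers.items()},
            'writers': sorted(writers),
            'chain': chain}


if __name__ == '__main__':
    result = resolve_persistence(parse_records(SAMPLE))
    for name, dlls in result['chain'].items():
        print(f'SSODL "{name}" -> {result["ssodl"][name]}')
        for dll in dlls:
            print(f'    loads {dll}')
    print('written by:', ', '.join(result['writers']))
```

Every path in this section sits under Wow6432Node, which is the registry view a 32-bit process sees. On a 64-bit host a hunt that reads only the native ShellServiceObjectDelayLoad key path will not see this entry, so query both views and collect every DLL the chain resolves to rather than only the last one written.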
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe Abkhkgbb.exe Aekqmbod.exe Akeijlfq.exe Akhfoldn.exe Bccjdnbi.exe Bjmbqhif.exe Bpjkiogm.exe Bplhnoej.exe Bcjqdmla.exe Bleeioil.exe Cemjae32.exe Cikbhc32.exe Cjmopkla.exe Caidaeak.exe Comdkipe.exe
description pid process target process
- PID 2876 wrote to memory of 3028 2876 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe Abkhkgbb.exe
- PID 2876 wrote to memory of 3028 2876 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe Abkhkgbb.exe
- PID 2876 wrote to memory of 3028 2876 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe Abkhkgbb.exe
- PID 2876 wrote to memory of 3028 2876 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe Abkhkgbb.exe
- PID 3028 wrote to memory of 2484 3028 Abkhkgbb.exe Aekqmbod.exe
- PID 3028 wrote to memory of 2484 3028 Abkhkgbb.exe Aekqmbod.exe
- PID 3028 wrote to memory of 2484 3028 Abkhkgbb.exe Aekqmbod.exe
- PID 3028 wrote to memory of 2484 3028 Abkhkgbb.exe Aekqmbod.exe
- PID 2484 wrote to memory of 2528 2484 Aekqmbod.exe Akeijlfq.exe
- PID 2484 wrote to memory of 2528 2484 Aekqmbod.exe Akeijlfq.exe
- PID 2484 wrote to memory of 2528 2484 Aekqmbod.exe Akeijlfq.exe
- PID 2484 wrote to memory of 2528 2484 Aekqmbod.exe Akeijlfq.exe
- PID 2528 wrote to memory of 2592 2528 Akeijlfq.exe Akhfoldn.exe
- PID 2528 wrote to memory of 2592 2528 Akeijlfq.exe Akhfoldn.exe
- PID 2528 wrote to memory of 2592 2528 Akeijlfq.exe Akhfoldn.exe
- PID 2528 wrote to memory of 2592 2528 Akeijlfq.exe Akhfoldn.exe
- PID 2592 wrote to memory of 2556 2592 Akhfoldn.exe Bccjdnbi.exe
- PID 2592 wrote to memory of 2556 2592 Akhfoldn.exe Bccjdnbi.exe
- PID 2592 wrote to memory of 2556 2592 Akhfoldn.exe Bccjdnbi.exe
- PID 2592 wrote to memory of 2556 2592 Akhfoldn.exe Bccjdnbi.exe
- PID 2556 wrote to memory of 2496 2556 Bccjdnbi.exe Bjmbqhif.exe
- PID 2556 wrote to memory of 2496 2556 Bccjdnbi.exe Bjmbqhif.exe
- PID 2556 wrote to memory of 2496 2556 Bccjdnbi.exe Bjmbqhif.exe
- PID 2556 wrote to memory of 2496 2556 Bccjdnbi.exe Bjmbqhif.exe
- PID 2496 wrote to memory of 800 2496 Bjmbqhif.exe Bpjkiogm.exe
- PID 2496 wrote to memory of 800 2496 Bjmbqhif.exe Bpjkiogm.exe
- PID 2496 wrote to memory of 800 2496 Bjmbqhif.exe Bpjkiogm.exe
- PID 2496 wrote to memory of 800 2496 Bjmbqhif.exe Bpjkiogm.exe
- PID 800 wrote to memory of 2356 800 Bpjkiogm.exe Bplhnoej.exe
- PID 800 wrote to memory of 2356 800 Bpjkiogm.exe Bplhnoej.exe
- PID 800 wrote to memory of 2356 800 Bpjkiogm.exe Bplhnoej.exe
- PID 800 wrote to memory of 2356 800 Bpjkiogm.exe Bplhnoej.exe
- PID 2356 wrote to memory of 1200 2356 Bplhnoej.exe Bcjqdmla.exe
- PID 2356 wrote to memory of 1200 2356 Bplhnoej.exe Bcjqdmla.exe
- PID 2356 wrote to memory of 1200 2356 Bplhnoej.exe Bcjqdmla.exe
- PID 2356 wrote to memory of 1200 2356 Bplhnoej.exe Bcjqdmla.exe
- PID 1200 wrote to memory of 2696 1200 Bcjqdmla.exe Bleeioil.exe
- PID 1200 wrote to memory of 2696 1200 Bcjqdmla.exe Bleeioil.exe
- PID 1200 wrote to memory of 2696 1200 Bcjqdmla.exe Bleeioil.exe
- PID 1200 wrote to memory of 2696 1200 Bcjqdmla.exe Bleeioil.exe
- PID 2696 wrote to memory of 2284 2696 Bleeioil.exe Cemjae32.exe
- PID 2696 wrote to memory of 2284 2696 Bleeioil.exe Cemjae32.exe
- PID 2696 wrote to memory of 2284 2696 Bleeioil.exe Cemjae32.exe
- PID 2696 wrote to memory of 2284 2696 Bleeioil.exe Cemjae32.exe
- PID 2284 wrote to memory of 872 2284 Cemjae32.exe Cikbhc32.exe
- PID 2284 wrote to memory of 872 2284 Cemjae32.exe Cikbhc32.exe
- PID 2284 wrote to memory of 872 2284 Cemjae32.exe Cikbhc32.exe
- PID 2284 wrote to memory of 872 2284 Cemjae32.exe Cikbhc32.exe
- PID 872 wrote to memory of 2292 872 Cikbhc32.exe Cjmopkla.exe
- PID 872 wrote to memory of 2292 872 Cikbhc32.exe Cjmopkla.exe
- PID 872 wrote to memory of 2292 872 Cikbhc32.exe Cjmopkla.exe
- PID 872 wrote to memory of 2292 872 Cikbhc32.exe Cjmopkla.exe
- PID 2292 wrote to memory of 1688 2292 Cjmopkla.exe Caidaeak.exe
- PID 2292 wrote to memory of 1688 2292 Cjmopkla.exe Caidaeak.exe
- PID 2292 wrote to memory of 1688 2292 Cjmopkla.exe Caidaeak.exe
- PID 2292 wrote to memory of 1688 2292 Cjmopkla.exe Caidaeak.exe
- PID 1688 wrote to memory of 2236 1688 Caidaeak.exe Comdkipe.exe
- PID 1688 wrote to memory of 2236 1688 Caidaeak.exe Comdkipe.exe
- PID 1688 wrote to memory of 2236 1688 Caidaeak.exe Comdkipe.exe
- PID 1688 wrote to memory of 2236 1688 Caidaeak.exe Comdkipe.exe
- PID 2236 wrote to memory of 1144 2236 Comdkipe.exe Dgjfek32.exe
- PID 2236 wrote to memory of 1144 2236 Comdkipe.exe Dgjfek32.exe
- PID 2236 wrote to memory of 1144 2236 Comdkipe.exe Dgjfek32.exe
- PID 2236 wrote to memory of 1144 2236 Comdkipe.exe Dgjfek32.exe
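Each parent in the rows above appears four times per child, one row per WriteProcessMemory call, so the 64 IoCs collapse to a 16-link chain in which every dropped executable spawns exactly one successor. The Python below is an added example, not part of the report: it parses rows in this flattened layout, counts the calls per parent/child link, finds the root (the only writer that is never a target) and walks the chain from it, flagging any parent with more than one distinct child. The sample input is the first four links copied from the rows above, rebuilt in the report's row format.

```python
import re
from collections import Counter, defaultdict

ROOT = '9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe'

# Constructed sample: the first four links of the chain from the rows above, emitted
# in the report's own row format with the four WriteProcessMemory rows each link has.
LINKS = [(2876, ROOT, 3028, 'Abkhkgbb.exe'),
         (3028, 'Abkhkgbb.exe', 2484, 'Aekqmbod.exe'),
         (2484, 'Aekqmbod.exe', 2528, 'Akeijlfq.exe'),
         (2528, 'Akeijlfq.exe', 2592, 'Akhfoldn.exe')]
SAMPLE = ' '.join(f'PID {s} wrote to memory of {d} {s} {sn} {dn}'
                  for s, sn, d, dn in LINKS for _ in range(4))

# "PID <src> wrote to memory of <dst> <src> <src name> <dst name>"; the pid column
# repeats the writer's pid, which the back-reference enforces.
ROW = re.compile(r'PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) '
                 r'(?P<sname>\S+) (?P<dname>\S+)')


def parse_writes(text):
    """One (src_pid, src_name, dst_pid, dst_name) tuple per WriteProcessMemory row."""
    return [(int(m['src']), m['sname'], int(m['dst']), m['dname'])
            for m in ROW.finditer(text)]


def build_chain(events):
    """Collapse repeated rows into links, locate the root and walk the spawn chain."""
    names, children, calls = {}, defaultdict(set), Counter()
    for src, sname, dst, dname in events:
        names[src], names[dst] = sname, dname
        children[src].add(dst)
        calls[(src, dst)] += 1
    targets = {dst for _, _, dst, _ in events}
    roots = sorted(pid for pid in children if pid not in targets)
    branching = any(len(kids) > 1 for kids in children.values())
    chain, seen = [], set()
    pid = roots[0] if roots else None
    while pid is not None and pid not in seen:      # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append((pid, names[pid]))
        kids = children.get(pid)
        pid = min(kids) if kids else None            # deterministic pick if a parent branches
    return {'roots': roots, 'chain': chain, 'calls': dict(calls), 'branching': branching}


def odd_links(calls, expected=4):
    """Links whose call count deviates from the per-spawn pattern this report shows."""
    return {link: n for link, n in calls.items() if n != expected}


if __name__ == '__main__':
    result = build_chain(parse_writes(SAMPLE))
    print('root:', result['roots'])
    for depth, (pid, name) in enumerate(result['chain'], 1):
        print(f'{depth:>2} {pid:>5} {name}')
    print('branching:', result['branching'], ' odd links:', odd_links(result['calls']))
```

The depth numbers the walk prints line up with the depth markers in the process tree that follows, which is a quick way to confirm the tree and the WriteProcessMemory rows describe the same lineage.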
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe"C:\Users\Admin\AppData\Local\Temp\9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe33⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe34⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe35⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe37⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe39⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe41⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe42⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe43⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe44⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe45⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe46⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe47⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe48⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe49⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe50⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe51⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe52⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe53⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe54⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe55⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe56⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe57⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe58⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe59⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe60⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe61⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe62⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe63⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe64⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe65⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe66⤵PID:2972
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe67⤵PID:1968
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe68⤵PID:944
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe69⤵PID:276
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe70⤵PID:2196
-
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe71⤵PID:2708
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe72⤵PID:2208
-
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe73⤵PID:2824
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe74⤵PID:1572
-
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe75⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe76⤵PID:2568
-
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe77⤵PID:2920
-
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe78⤵PID:1016
-
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe79⤵PID:2812
-
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe80⤵PID:1848
-
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe81⤵PID:2096
-
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe82⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe83⤵PID:1664
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe84⤵PID:1364
-
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe85⤵PID:3068
-
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe86⤵PID:432
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe87⤵PID:1868
-
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe88⤵PID:2188
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe90⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe91⤵PID:1616
-
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe92⤵PID:868
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe93⤵PID:2944
-
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe94⤵PID:772
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe95⤵PID:2636
-
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe96⤵PID:2448
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe97⤵PID:1248
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe98⤵PID:1492
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe99⤵PID:924
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe100⤵PID:1992
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe101⤵PID:1088
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe102⤵PID:2760
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe103⤵PID:752
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe104⤵PID:672
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe105⤵PID:272
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe106⤵PID:1508
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe107⤵PID:1720
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe108⤵PID:2844
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe109⤵PID:2616
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe110⤵
- Drops file in System32 directory
PID:1168 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe111⤵PID:572
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe112⤵PID:2460
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe113⤵PID:1064
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe114⤵PID:1440
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe115⤵PID:2396
-
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe116⤵PID:2440
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe117⤵PID:2808
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe118⤵PID:268
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe119⤵PID:2828
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe120⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe121⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe122⤵PID:2016
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe123⤵PID:624
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe124⤵PID:2320
-
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe125⤵PID:1060
-
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe126⤵PID:1612
-
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe127⤵PID:2588
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe128⤵
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe129⤵PID:3020
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe130⤵PID:1864
-
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe131⤵PID:2560
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe132⤵PID:2520
-
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe133⤵PID:2908
-
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1964 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe135⤵PID:2984
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe136⤵PID:1740
-
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe137⤵PID:2896
-
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe138⤵PID:2060
-
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe139⤵PID:2664
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe140⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe141⤵PID:1336
-
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe142⤵PID:1500
-
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe143⤵PID:1932
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe144⤵PID:1796
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe145⤵PID:2748
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe146⤵PID:2120
-
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe147⤵PID:2680
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe148⤵PID:2264
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe149⤵PID:1528
-
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe150⤵PID:1304
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe151⤵PID:1080
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe152⤵PID:2624
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe153⤵PID:1156
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe154⤵PID:948
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe155⤵PID:2068
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe156⤵PID:740
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe157⤵PID:2632
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe158⤵PID:1808
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe159⤵
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe160⤵PID:1100
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe161⤵PID:3012
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe162⤵PID:1292
-
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe163⤵PID:2724
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe164⤵PID:3064
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe165⤵PID:936
-
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe166⤵PID:1620
-
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe167⤵PID:1940
-
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe168⤵PID:2376
-
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe169⤵PID:2180
-
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe170⤵PID:2700
-
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe171⤵
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe172⤵PID:2836
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe173⤵PID:1660
-
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe174⤵PID:876
-
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe175⤵PID:1784
-
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe176⤵PID:1936
-
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe177⤵PID:1724
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe178⤵PID:1768
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe179⤵PID:2572
-
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe180⤵PID:1592
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe181⤵PID:848
-
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe182⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe183⤵PID:1744
-
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe184⤵PID:2952
-
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe185⤵PID:2904
-
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe186⤵PID:1756
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe187⤵PID:2008
-
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe188⤵PID:2660
-
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe189⤵PID:1608
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe190⤵PID:932
-
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe191⤵PID:2280
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe192⤵PID:1196
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe193⤵PID:2796
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe194⤵PID:1520
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe195⤵PID:2648
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe196⤵PID:2684
-
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe197⤵PID:2464
-
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe198⤵PID:2488
-
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe199⤵PID:544
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe200⤵PID:3092
-
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe201⤵PID:3132
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe202⤵PID:3172
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe203⤵PID:3216
-
C:\Windows\SysWOW64\Jgabdlfb.exeC:\Windows\system32\Jgabdlfb.exe204⤵PID:3256
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe205⤵PID:3296
-
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe206⤵PID:3336
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe207⤵PID:3380
-
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe208⤵PID:3420
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe209⤵PID:3460
-
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe210⤵PID:3500
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe211⤵PID:3540
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe212⤵PID:3580
-
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe213⤵PID:3620
-
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe214⤵PID:3660
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe215⤵PID:3700
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe216⤵PID:3740
-
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe217⤵PID:3780
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe218⤵PID:3820
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe219⤵PID:3864
-
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe220⤵PID:3904
-
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe221⤵PID:3944
-
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe222⤵PID:3984
-
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe223⤵PID:4024
-
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4064 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe225⤵PID:3076
-
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe226⤵PID:3116
-
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe227⤵PID:3168
-
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3224 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe229⤵PID:3276
-
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe230⤵PID:3316
-
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe231⤵PID:3372
-
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe232⤵PID:3436
-
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe233⤵PID:3432
-
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3524 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe235⤵PID:3564
-
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3604 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe237⤵PID:3632
-
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe238⤵
- Drops file in System32 directory
PID:3728 -
C:\Windows\SysWOW64\Nbhhdnlh.exeC:\Windows\system32\Nbhhdnlh.exe239⤵PID:3788
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe240⤵PID:3756
-
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe241⤵PID:3888
-
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe242⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3936