Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 01:27

Static task: static1

Behavioral task: behavioral1
  Sample: 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe
  Resource: win10v2004-20240426-en

General

Target: 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe
Size: 163KB
MD5: 1279c428f04724bef3db83bb55c8aade
SHA1: 01ad883b33cdf4e3756e0611fd39fef2ef026e17
SHA256: 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3
SHA512: cca92feec56f7d5e9570a5677a5ec2a09fc2194ad5bb4fd93d764f8566b0704723e3e40736db5629337076db52166ec22a835664ad63e4b1e4dcce48031d828f
SSDEEP: 3072:aCTKQvguDl8OW9BtVlaltOrWKDBr+yJb:aCuQvguDl8OWVaLOf

Malware Config

Extracted family: gozi
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Detects executables built or packed with MPress PE compressor 64 IoCs
UPX dump on OEP (original entry point) 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
  pid    pid_target  process       target process
  14148  14332       WerFault.exe  Dmllipeg.exe
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nilcjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afjlnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddhpjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll" Emjjgbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmldgi32.dll" Iicbehnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll" Ipbdmaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojgbfocc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe, Peonoaln.exe, Phmjkmka.exe, Pngbhg32.exe, Pbbnhfjh.exe, Phpfqmio.exe, Plkbak32.exe, Pbekne32.exe, Piockppb.exe, Plmogkoe.exe, Qbggce32.exe, Qiappono.exe, Qlpllkmc.exe, Qbjdiedp.exe, Qehqepcc.exe, Qiclfo32.exe, Albibj32.exe, Aaoaja32.exe, Aldegj32.exe, Aocace32.exe, Aaanpa32.exe, Aihfanhg.exe
description pid process target process
PID 2484 wrote to memory of 4972 2484 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe Peonoaln.exe
PID 2484 wrote to memory of 4972 2484 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe Peonoaln.exe
PID 2484 wrote to memory of 4972 2484 9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe Peonoaln.exe
PID 4972 wrote to memory of 2548 4972 Peonoaln.exe Phmjkmka.exe
PID 4972 wrote to memory of 2548 4972 Peonoaln.exe Phmjkmka.exe
PID 4972 wrote to memory of 2548 4972 Peonoaln.exe Phmjkmka.exe
PID 2548 wrote to memory of 2472 2548 Phmjkmka.exe Pngbhg32.exe
PID 2548 wrote to memory of 2472 2548 Phmjkmka.exe Pngbhg32.exe
PID 2548 wrote to memory of 2472 2548 Phmjkmka.exe Pngbhg32.exe
PID 2472 wrote to memory of 3260 2472 Pngbhg32.exe Pbbnhfjh.exe
PID 2472 wrote to memory of 3260 2472 Pngbhg32.exe Pbbnhfjh.exe
PID 2472 wrote to memory of 3260 2472 Pngbhg32.exe Pbbnhfjh.exe
PID 3260 wrote to memory of 3596 3260 Pbbnhfjh.exe Phpfqmio.exe
PID 3260 wrote to memory of 3596 3260 Pbbnhfjh.exe Phpfqmio.exe
PID 3260 wrote to memory of 3596 3260 Pbbnhfjh.exe Phpfqmio.exe
PID 3596 wrote to memory of 2456 3596 Phpfqmio.exe Plkbak32.exe
PID 3596 wrote to memory of 2456 3596 Phpfqmio.exe Plkbak32.exe
PID 3596 wrote to memory of 2456 3596 Phpfqmio.exe Plkbak32.exe
PID 2456 wrote to memory of 4676 2456 Plkbak32.exe Pbekne32.exe
PID 2456 wrote to memory of 4676 2456 Plkbak32.exe Pbekne32.exe
PID 2456 wrote to memory of 4676 2456 Plkbak32.exe Pbekne32.exe
PID 4676 wrote to memory of 2236 4676 Pbekne32.exe Piockppb.exe
PID 4676 wrote to memory of 2236 4676 Pbekne32.exe Piockppb.exe
PID 4676 wrote to memory of 2236 4676 Pbekne32.exe Piockppb.exe
PID 2236 wrote to memory of 1312 2236 Piockppb.exe Plmogkoe.exe
PID 2236 wrote to memory of 1312 2236 Piockppb.exe Plmogkoe.exe
PID 2236 wrote to memory of 1312 2236 Piockppb.exe Plmogkoe.exe
PID 1312 wrote to memory of 1820 1312 Plmogkoe.exe Qbggce32.exe
PID 1312 wrote to memory of 1820 1312 Plmogkoe.exe Qbggce32.exe
PID 1312 wrote to memory of 1820 1312 Plmogkoe.exe Qbggce32.exe
PID 1820 wrote to memory of 2860 1820 Qbggce32.exe Qiappono.exe
PID 1820 wrote to memory of 2860 1820 Qbggce32.exe Qiappono.exe
PID 1820 wrote to memory of 2860 1820 Qbggce32.exe Qiappono.exe
PID 2860 wrote to memory of 2460 2860 Qiappono.exe Qlpllkmc.exe
PID 2860 wrote to memory of 2460 2860 Qiappono.exe Qlpllkmc.exe
PID 2860 wrote to memory of 2460 2860 Qiappono.exe Qlpllkmc.exe
PID 2460 wrote to memory of 3200 2460 Qlpllkmc.exe Qbjdiedp.exe
PID 2460 wrote to memory of 3200 2460 Qlpllkmc.exe Qbjdiedp.exe
PID 2460 wrote to memory of 3200 2460 Qlpllkmc.exe Qbjdiedp.exe
PID 3200 wrote to memory of 4424 3200 Qbjdiedp.exe Qehqepcc.exe
PID 3200 wrote to memory of 4424 3200 Qbjdiedp.exe Qehqepcc.exe
PID 3200 wrote to memory of 4424 3200 Qbjdiedp.exe Qehqepcc.exe
PID 4424 wrote to memory of 1052 4424 Qehqepcc.exe Qiclfo32.exe
PID 4424 wrote to memory of 1052 4424 Qehqepcc.exe Qiclfo32.exe
PID 4424 wrote to memory of 1052 4424 Qehqepcc.exe Qiclfo32.exe
PID 1052 wrote to memory of 2152 1052 Qiclfo32.exe Albibj32.exe
PID 1052 wrote to memory of 2152 1052 Qiclfo32.exe Albibj32.exe
PID 1052 wrote to memory of 2152 1052 Qiclfo32.exe Albibj32.exe
PID 2152 wrote to memory of 2088 2152 Albibj32.exe Aaoaja32.exe
PID 2152 wrote to memory of 2088 2152 Albibj32.exe Aaoaja32.exe
PID 2152 wrote to memory of 2088 2152 Albibj32.exe Aaoaja32.exe
PID 2088 wrote to memory of 1248 2088 Aaoaja32.exe Aldegj32.exe
PID 2088 wrote to memory of 1248 2088 Aaoaja32.exe Aldegj32.exe
PID 2088 wrote to memory of 1248 2088 Aaoaja32.exe Aldegj32.exe
PID 1248 wrote to memory of 3196 1248 Aldegj32.exe Aocace32.exe
PID 1248 wrote to memory of 3196 1248 Aldegj32.exe Aocace32.exe
PID 1248 wrote to memory of 3196 1248 Aldegj32.exe Aocace32.exe
PID 3196 wrote to memory of 744 3196 Aocace32.exe Aaanpa32.exe
PID 3196 wrote to memory of 744 3196 Aocace32.exe Aaanpa32.exe
PID 3196 wrote to memory of 744 3196 Aocace32.exe Aaanpa32.exe
PID 744 wrote to memory of 1008 744 Aaanpa32.exe Aihfanhg.exe
PID 744 wrote to memory of 1008 744 Aaanpa32.exe Aihfanhg.exe
PID 744 wrote to memory of 1008 744 Aaanpa32.exe Aihfanhg.exe
PID 1008 wrote to memory of 916 1008 Aihfanhg.exe Algbmjgk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe"C:\Users\Admin\AppData\Local\Temp\9f2a59fe22f60bdba7db3642da77df8a5c6fecfdf9b5961e61d10217ac6af8a3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Peonoaln.exeC:\Windows\system32\Peonoaln.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Phmjkmka.exeC:\Windows\system32\Phmjkmka.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Pngbhg32.exeC:\Windows\system32\Pngbhg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Pbbnhfjh.exeC:\Windows\system32\Pbbnhfjh.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\SysWOW64\Phpfqmio.exeC:\Windows\system32\Phpfqmio.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Plkbak32.exeC:\Windows\system32\Plkbak32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Pbekne32.exeC:\Windows\system32\Pbekne32.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Piockppb.exeC:\Windows\system32\Piockppb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Plmogkoe.exeC:\Windows\system32\Plmogkoe.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Qbggce32.exeC:\Windows\system32\Qbggce32.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Qiappono.exeC:\Windows\system32\Qiappono.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Qlpllkmc.exeC:\Windows\system32\Qlpllkmc.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Qbjdiedp.exeC:\Windows\system32\Qbjdiedp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Qehqepcc.exeC:\Windows\system32\Qehqepcc.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\SysWOW64\Qiclfo32.exeC:\Windows\system32\Qiclfo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Albibj32.exeC:\Windows\system32\Albibj32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Aaoaja32.exeC:\Windows\system32\Aaoaja32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Aldegj32.exeC:\Windows\system32\Aldegj32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Aocace32.exeC:\Windows\system32\Aocace32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\Aaanpa32.exeC:\Windows\system32\Aaanpa32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\Aihfanhg.exeC:\Windows\system32\Aihfanhg.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\Algbmjgk.exeC:\Windows\system32\Algbmjgk.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:916 -
C:\Windows\SysWOW64\Aoeniefo.exeC:\Windows\system32\Aoeniefo.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Aackeqeb.exeC:\Windows\system32\Aackeqeb.exe25⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Aikbfnfd.exeC:\Windows\system32\Aikbfnfd.exe26⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Aliobieh.exeC:\Windows\system32\Aliobieh.exe27⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Abcgoc32.exeC:\Windows\system32\Abcgoc32.exe28⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\Aeacko32.exeC:\Windows\system32\Aeacko32.exe29⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Alkkhi32.exeC:\Windows\system32\Alkkhi32.exe30⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Aojhdd32.exeC:\Windows\system32\Aojhdd32.exe31⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Abedecjb.exeC:\Windows\system32\Abedecjb.exe32⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Aiolam32.exeC:\Windows\system32\Aiolam32.exe33⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Bpidngil.exeC:\Windows\system32\Bpidngil.exe34⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Boldjd32.exeC:\Windows\system32\Boldjd32.exe35⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Bakqfp32.exeC:\Windows\system32\Bakqfp32.exe36⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Befmfngc.exeC:\Windows\system32\Befmfngc.exe37⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\SysWOW64\Bhdibj32.exeC:\Windows\system32\Bhdibj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Bpladg32.exeC:\Windows\system32\Bpladg32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Booaodnd.exeC:\Windows\system32\Booaodnd.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Bammlomg.exeC:\Windows\system32\Bammlomg.exe41⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Behiln32.exeC:\Windows\system32\Behiln32.exe42⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Bhgehi32.exeC:\Windows\system32\Bhgehi32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3648 -
C:\Windows\SysWOW64\Blbaihmn.exeC:\Windows\system32\Blbaihmn.exe44⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Bpnnig32.exeC:\Windows\system32\Bpnnig32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Bbljeb32.exeC:\Windows\system32\Bbljeb32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Bekfan32.exeC:\Windows\system32\Bekfan32.exe47⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Bhibni32.exeC:\Windows\system32\Bhibni32.exe48⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Blennh32.exeC:\Windows\system32\Blennh32.exe49⤵
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Bockjc32.exeC:\Windows\system32\Bockjc32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Baaggo32.exeC:\Windows\system32\Baaggo32.exe51⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Bemcgmak.exeC:\Windows\system32\Bemcgmak.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Bhlocipo.exeC:\Windows\system32\Bhlocipo.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:424 -
C:\Windows\SysWOW64\Boegpc32.exeC:\Windows\system32\Boegpc32.exe54⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\Badcln32.exeC:\Windows\system32\Badcln32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bikkml32.exeC:\Windows\system32\Bikkml32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\Cpedjf32.exeC:\Windows\system32\Cpedjf32.exe57⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Ceblbm32.exeC:\Windows\system32\Ceblbm32.exe58⤵PID:1588
-
C:\Windows\SysWOW64\Chphoh32.exeC:\Windows\system32\Chphoh32.exe59⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Cpgqpe32.exeC:\Windows\system32\Cpgqpe32.exe60⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Ccfmla32.exeC:\Windows\system32\Ccfmla32.exe61⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Caimgncj.exeC:\Windows\system32\Caimgncj.exe62⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Cipehkcl.exeC:\Windows\system32\Cipehkcl.exe63⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Chbedh32.exeC:\Windows\system32\Chbedh32.exe64⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Commqb32.exeC:\Windows\system32\Commqb32.exe65⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Cakjmm32.exeC:\Windows\system32\Cakjmm32.exe66⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Chebighd.exeC:\Windows\system32\Chebighd.exe67⤵PID:2320
-
C:\Windows\SysWOW64\Cpljkdig.exeC:\Windows\system32\Cpljkdig.exe68⤵PID:32
-
C:\Windows\SysWOW64\Ccjfgphj.exeC:\Windows\system32\Ccjfgphj.exe69⤵PID:3056
-
C:\Windows\SysWOW64\Cidncj32.exeC:\Windows\system32\Cidncj32.exe70⤵
- Drops file in System32 directory
PID:860 -
C:\Windows\SysWOW64\Cpofpdgd.exeC:\Windows\system32\Cpofpdgd.exe71⤵PID:4520
-
C:\Windows\SysWOW64\Ccmclp32.exeC:\Windows\system32\Ccmclp32.exe72⤵PID:3792
-
C:\Windows\SysWOW64\Capchmmb.exeC:\Windows\system32\Capchmmb.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Digkijmd.exeC:\Windows\system32\Digkijmd.exe74⤵PID:3440
-
C:\Windows\SysWOW64\Dpacfd32.exeC:\Windows\system32\Dpacfd32.exe75⤵
- Drops file in System32 directory
PID:2140 -
C:\Windows\SysWOW64\Doccaall.exeC:\Windows\system32\Doccaall.exe76⤵PID:4256
-
C:\Windows\SysWOW64\Dabpnlkp.exeC:\Windows\system32\Dabpnlkp.exe77⤵PID:1372
-
C:\Windows\SysWOW64\Diihojkb.exeC:\Windows\system32\Diihojkb.exe78⤵PID:2720
-
C:\Windows\SysWOW64\Dlgdkeje.exeC:\Windows\system32\Dlgdkeje.exe79⤵PID:3296
-
C:\Windows\SysWOW64\Dpcpkc32.exeC:\Windows\system32\Dpcpkc32.exe80⤵
- Modifies registry class
PID:4472 -
C:\Windows\SysWOW64\Dadlclim.exeC:\Windows\system32\Dadlclim.exe81⤵PID:3604
-
C:\Windows\SysWOW64\Dhnepfpj.exeC:\Windows\system32\Dhnepfpj.exe82⤵PID:1032
-
C:\Windows\SysWOW64\Dpemacql.exeC:\Windows\system32\Dpemacql.exe83⤵
- Modifies registry class
PID:3232 -
C:\Windows\SysWOW64\Dcdimopp.exeC:\Windows\system32\Dcdimopp.exe84⤵PID:1028
-
C:\Windows\SysWOW64\Djnaji32.exeC:\Windows\system32\Djnaji32.exe85⤵PID:3956
-
C:\Windows\SysWOW64\Dllmfd32.exeC:\Windows\system32\Dllmfd32.exe86⤵PID:2848
-
C:\Windows\SysWOW64\Dphifcoi.exeC:\Windows\system32\Dphifcoi.exe87⤵
- Drops file in System32 directory
PID:448 -
C:\Windows\SysWOW64\Daifnk32.exeC:\Windows\system32\Daifnk32.exe88⤵PID:3920
-
C:\Windows\SysWOW64\Djpnohej.exeC:\Windows\system32\Djpnohej.exe89⤵PID:4912
-
C:\Windows\SysWOW64\Dhcnke32.exeC:\Windows\system32\Dhcnke32.exe90⤵PID:3080
-
C:\Windows\SysWOW64\Dpjflb32.exeC:\Windows\system32\Dpjflb32.exe91⤵PID:2512
-
C:\Windows\SysWOW64\Dchbhn32.exeC:\Windows\system32\Dchbhn32.exe92⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Dakbckbe.exeC:\Windows\system32\Dakbckbe.exe93⤵PID:4116
-
C:\Windows\SysWOW64\Ejbkehcg.exeC:\Windows\system32\Ejbkehcg.exe94⤵PID:912
-
C:\Windows\SysWOW64\Elagacbk.exeC:\Windows\system32\Elagacbk.exe95⤵PID:5144
-
C:\Windows\SysWOW64\Eoocmoao.exeC:\Windows\system32\Eoocmoao.exe96⤵PID:5204
-
C:\Windows\SysWOW64\Ehhgfdho.exeC:\Windows\system32\Ehhgfdho.exe97⤵PID:5264
-
C:\Windows\SysWOW64\Epopgbia.exeC:\Windows\system32\Epopgbia.exe98⤵PID:5320
-
C:\Windows\SysWOW64\Ehjdldfl.exeC:\Windows\system32\Ehjdldfl.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360 -
C:\Windows\SysWOW64\Eleplc32.exeC:\Windows\system32\Eleplc32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396 -
C:\Windows\SysWOW64\Eodlho32.exeC:\Windows\system32\Eodlho32.exe101⤵PID:5444
-
C:\Windows\SysWOW64\Ebbidj32.exeC:\Windows\system32\Ebbidj32.exe102⤵PID:5484
-
C:\Windows\SysWOW64\Efneehef.exeC:\Windows\system32\Efneehef.exe103⤵PID:5524
-
C:\Windows\SysWOW64\Ejjqeg32.exeC:\Windows\system32\Ejjqeg32.exe104⤵PID:5572
-
C:\Windows\SysWOW64\Ehlaaddj.exeC:\Windows\system32\Ehlaaddj.exe105⤵PID:5608
-
C:\Windows\SysWOW64\Elhmablc.exeC:\Windows\system32\Elhmablc.exe106⤵PID:5656
-
C:\Windows\SysWOW64\Eqciba32.exeC:\Windows\system32\Eqciba32.exe107⤵PID:5696
-
C:\Windows\SysWOW64\Ecbenm32.exeC:\Windows\system32\Ecbenm32.exe108⤵
- Modifies registry class
PID:5732 -
C:\Windows\SysWOW64\Ebeejijj.exeC:\Windows\system32\Ebeejijj.exe109⤵PID:5772
-
C:\Windows\SysWOW64\Efpajh32.exeC:\Windows\system32\Efpajh32.exe110⤵PID:5808
-
C:\Windows\SysWOW64\Ejlmkgkl.exeC:\Windows\system32\Ejlmkgkl.exe111⤵PID:5852
-
C:\Windows\SysWOW64\Emjjgbjp.exeC:\Windows\system32\Emjjgbjp.exe112⤵
- Modifies registry class
PID:5896 -
C:\Windows\SysWOW64\Eqfeha32.exeC:\Windows\system32\Eqfeha32.exe113⤵PID:5940
-
C:\Windows\SysWOW64\Eoifcnid.exeC:\Windows\system32\Eoifcnid.exe114⤵PID:5976
-
C:\Windows\SysWOW64\Ecdbdl32.exeC:\Windows\system32\Ecdbdl32.exe115⤵PID:6020
-
C:\Windows\SysWOW64\Ffbnph32.exeC:\Windows\system32\Ffbnph32.exe116⤵PID:6064
-
C:\Windows\SysWOW64\Fjnjqfij.exeC:\Windows\system32\Fjnjqfij.exe117⤵PID:6104
-
C:\Windows\SysWOW64\Fhajlc32.exeC:\Windows\system32\Fhajlc32.exe118⤵PID:5152
-
C:\Windows\SysWOW64\Fmmfmbhn.exeC:\Windows\system32\Fmmfmbhn.exe119⤵
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Fokbim32.exeC:\Windows\system32\Fokbim32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5244 -
C:\Windows\SysWOW64\Fcgoilpj.exeC:\Windows\system32\Fcgoilpj.exe121⤵PID:5340
-
C:\Windows\SysWOW64\Ffekegon.exeC:\Windows\system32\Ffekegon.exe122⤵PID:5408
-
C:\Windows\SysWOW64\Fjqgff32.exeC:\Windows\system32\Fjqgff32.exe123⤵PID:5464
-
C:\Windows\SysWOW64\Fmocba32.exeC:\Windows\system32\Fmocba32.exe124⤵PID:5516
-
C:\Windows\SysWOW64\Fomonm32.exeC:\Windows\system32\Fomonm32.exe125⤵PID:5564
-
C:\Windows\SysWOW64\Fcikolnh.exeC:\Windows\system32\Fcikolnh.exe126⤵PID:5636
-
C:\Windows\SysWOW64\Ffggkgmk.exeC:\Windows\system32\Ffggkgmk.exe127⤵
- Drops file in System32 directory
PID:5688 -
C:\Windows\SysWOW64\Fifdgblo.exeC:\Windows\system32\Fifdgblo.exe128⤵PID:5768
-
C:\Windows\SysWOW64\Fqmlhpla.exeC:\Windows\system32\Fqmlhpla.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5844 -
C:\Windows\SysWOW64\Fopldmcl.exeC:\Windows\system32\Fopldmcl.exe130⤵PID:5920
-
C:\Windows\SysWOW64\Fckhdk32.exeC:\Windows\system32\Fckhdk32.exe131⤵
- Modifies registry class
PID:5984 -
C:\Windows\SysWOW64\Ffjdqg32.exeC:\Windows\system32\Ffjdqg32.exe132⤵PID:6048
-
C:\Windows\SysWOW64\Fjepaecb.exeC:\Windows\system32\Fjepaecb.exe133⤵PID:6112
-
C:\Windows\SysWOW64\Fihqmb32.exeC:\Windows\system32\Fihqmb32.exe134⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184 -
C:\Windows\SysWOW64\Fmclmabe.exeC:\Windows\system32\Fmclmabe.exe135⤵PID:5312
-
C:\Windows\SysWOW64\Fobiilai.exeC:\Windows\system32\Fobiilai.exe136⤵PID:5392
-
C:\Windows\SysWOW64\Fcnejk32.exeC:\Windows\system32\Fcnejk32.exe137⤵PID:4828
-
C:\Windows\SysWOW64\Fbqefhpm.exeC:\Windows\system32\Fbqefhpm.exe138⤵PID:6088
-
C:\Windows\SysWOW64\Fflaff32.exeC:\Windows\system32\Fflaff32.exe139⤵PID:5676
-
C:\Windows\SysWOW64\Fijmbb32.exeC:\Windows\system32\Fijmbb32.exe140⤵PID:5848
-
C:\Windows\SysWOW64\Fmficqpc.exeC:\Windows\system32\Fmficqpc.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5968 -
C:\Windows\SysWOW64\Fodeolof.exeC:\Windows\system32\Fodeolof.exe142⤵PID:5792
-
C:\Windows\SysWOW64\Gcpapkgp.exeC:\Windows\system32\Gcpapkgp.exe143⤵PID:5276
-
C:\Windows\SysWOW64\Gjjjle32.exeC:\Windows\system32\Gjjjle32.exe144⤵PID:5132
-
C:\Windows\SysWOW64\Gmhfhp32.exeC:\Windows\system32\Gmhfhp32.exe145⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Gcbnejem.exeC:\Windows\system32\Gcbnejem.exe146⤵PID:5964
-
C:\Windows\SysWOW64\Gbenqg32.exeC:\Windows\system32\Gbenqg32.exe147⤵PID:4780
-
C:\Windows\SysWOW64\Gjlfbd32.exeC:\Windows\system32\Gjlfbd32.exe148⤵PID:5252
-
C:\Windows\SysWOW64\Gmkbnp32.exeC:\Windows\system32\Gmkbnp32.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5384 -
C:\Windows\SysWOW64\Gqfooodg.exeC:\Windows\system32\Gqfooodg.exe150⤵PID:6184
-
C:\Windows\SysWOW64\Goiojk32.exeC:\Windows\system32\Goiojk32.exe151⤵PID:6224
-
C:\Windows\SysWOW64\Gbgkfg32.exeC:\Windows\system32\Gbgkfg32.exe152⤵
- Drops file in System32 directory
PID:6272 -
C:\Windows\SysWOW64\Gjocgdkg.exeC:\Windows\system32\Gjocgdkg.exe153⤵PID:6312
-
C:\Windows\SysWOW64\Giacca32.exeC:\Windows\system32\Giacca32.exe154⤵PID:6352
-
C:\Windows\SysWOW64\Gmmocpjk.exeC:\Windows\system32\Gmmocpjk.exe155⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6388 -
C:\Windows\SysWOW64\Gqikdn32.exeC:\Windows\system32\Gqikdn32.exe156⤵PID:6428
-
C:\Windows\SysWOW64\Gcggpj32.exeC:\Windows\system32\Gcggpj32.exe157⤵
- Drops file in System32 directory
PID:6480 -
C:\Windows\SysWOW64\Gfedle32.exeC:\Windows\system32\Gfedle32.exe158⤵
- Drops file in System32 directory
PID:6520 -
C:\Windows\SysWOW64\Gjapmdid.exeC:\Windows\system32\Gjapmdid.exe159⤵PID:6560
-
C:\Windows\SysWOW64\Gqkhjn32.exeC:\Windows\system32\Gqkhjn32.exe160⤵PID:6620
-
C:\Windows\SysWOW64\Gbldaffp.exeC:\Windows\system32\Gbldaffp.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6668 -
C:\Windows\SysWOW64\Gjclbc32.exeC:\Windows\system32\Gjclbc32.exe162⤵PID:6708
-
C:\Windows\SysWOW64\Gmaioo32.exeC:\Windows\system32\Gmaioo32.exe163⤵PID:6748
-
C:\Windows\SysWOW64\Gppekj32.exeC:\Windows\system32\Gppekj32.exe164⤵PID:6792
-
C:\Windows\SysWOW64\Hboagf32.exeC:\Windows\system32\Hboagf32.exe165⤵PID:6836
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe166⤵PID:6872
-
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe167⤵PID:6912
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe168⤵PID:6952
-
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6992 -
C:\Windows\SysWOW64\Hpenfjad.exeC:\Windows\system32\Hpenfjad.exe170⤵
- Drops file in System32 directory
- Modifies registry class
PID:7028 -
C:\Windows\SysWOW64\Hbckbepg.exeC:\Windows\system32\Hbckbepg.exe171⤵PID:7072
-
C:\Windows\SysWOW64\Hfofbd32.exeC:\Windows\system32\Hfofbd32.exe172⤵PID:7108
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe173⤵PID:7148
-
C:\Windows\SysWOW64\Hmioonpn.exeC:\Windows\system32\Hmioonpn.exe174⤵
- Drops file in System32 directory
PID:6164 -
C:\Windows\SysWOW64\Hccglh32.exeC:\Windows\system32\Hccglh32.exe175⤵
- Drops file in System32 directory
PID:6216 -
C:\Windows\SysWOW64\Hfachc32.exeC:\Windows\system32\Hfachc32.exe176⤵PID:6296
-
C:\Windows\SysWOW64\Hmklen32.exeC:\Windows\system32\Hmklen32.exe177⤵PID:6348
-
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6440 -
C:\Windows\SysWOW64\Hfcpncdk.exeC:\Windows\system32\Hfcpncdk.exe179⤵PID:6508
-
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe180⤵PID:6572
-
C:\Windows\SysWOW64\Ipldfi32.exeC:\Windows\system32\Ipldfi32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6612 -
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe182⤵PID:1164
-
C:\Windows\SysWOW64\Impepm32.exeC:\Windows\system32\Impepm32.exe183⤵PID:6640
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6688 -
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe185⤵PID:6760
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe186⤵PID:6816
-
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe187⤵PID:6900
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe188⤵PID:6940
-
C:\Windows\SysWOW64\Iikopmkd.exeC:\Windows\system32\Iikopmkd.exe189⤵PID:7040
-
C:\Windows\SysWOW64\Idacmfkj.exeC:\Windows\system32\Idacmfkj.exe190⤵PID:7116
-
C:\Windows\SysWOW64\Imihfl32.exeC:\Windows\system32\Imihfl32.exe191⤵PID:5932
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe192⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6256 -
- 193: C:\Windows\SysWOW64\Jiphkm32.exe (C:\Windows\system32\Jiphkm32.exe), PID 6344
- 194: C:\Windows\SysWOW64\Jagqlj32.exe (C:\Windows\system32\Jagqlj32.exe), PID 6460; Drops file in System32 directory
- 195: C:\Windows\SysWOW64\Jdemhe32.exe (C:\Windows\system32\Jdemhe32.exe), PID 6576
- 196: C:\Windows\SysWOW64\Jbhmdbnp.exe (C:\Windows\system32\Jbhmdbnp.exe), PID 2204; Modifies registry class
- 197: C:\Windows\SysWOW64\Jibeql32.exe (C:\Windows\system32\Jibeql32.exe), PID 6676; Adds autorun key to be loaded by Explorer.exe on startup
- 198: C:\Windows\SysWOW64\Jbkjjblm.exe (C:\Windows\system32\Jbkjjblm.exe), PID 6732; Modifies registry class
- 199: C:\Windows\SysWOW64\Jmpngk32.exe (C:\Windows\system32\Jmpngk32.exe), PID 6884
- 200: C:\Windows\SysWOW64\Jpojcf32.exe (C:\Windows\system32\Jpojcf32.exe), PID 6988; Drops file in System32 directory
- 201: C:\Windows\SysWOW64\Jbmfoa32.exe (C:\Windows\system32\Jbmfoa32.exe), PID 7136
- 202: C:\Windows\SysWOW64\Jangmibi.exe (C:\Windows\system32\Jangmibi.exe), PID 2464
- 203: C:\Windows\SysWOW64\Jdmcidam.exe (C:\Windows\system32\Jdmcidam.exe), PID 6448; Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
- 204: C:\Windows\SysWOW64\Jiikak32.exe (C:\Windows\system32\Jiikak32.exe), PID 1412
- 205: C:\Windows\SysWOW64\Kaqcbi32.exe (C:\Windows\system32\Kaqcbi32.exe), PID 6744
- 206: C:\Windows\SysWOW64\Kdopod32.exe (C:\Windows\system32\Kdopod32.exe), PID 6864; Drops file in System32 directory
- 207: C:\Windows\SysWOW64\Kgmlkp32.exe (C:\Windows\system32\Kgmlkp32.exe), PID 7096
- 208: C:\Windows\SysWOW64\Kilhgk32.exe (C:\Windows\system32\Kilhgk32.exe), PID 6308
- 209: C:\Windows\SysWOW64\Kbdmpqcb.exe (C:\Windows\system32\Kbdmpqcb.exe), PID 6548; Drops file in System32 directory
- 210: C:\Windows\SysWOW64\Kkkdan32.exe (C:\Windows\system32\Kkkdan32.exe), PID 6828; Adds autorun key to be loaded by Explorer.exe on startup
- 211: C:\Windows\SysWOW64\Kmjqmi32.exe (C:\Windows\system32\Kmjqmi32.exe), PID 6232
- 212: C:\Windows\SysWOW64\Kphmie32.exe (C:\Windows\system32\Kphmie32.exe), PID 3240
- 213: C:\Windows\SysWOW64\Kbfiep32.exe (C:\Windows\system32\Kbfiep32.exe), PID 7060
- 214: C:\Windows\SysWOW64\Kagichjo.exe (C:\Windows\system32\Kagichjo.exe), PID 6700; Modifies registry class
- 215: C:\Windows\SysWOW64\Kdffocib.exe (C:\Windows\system32\Kdffocib.exe), PID 6552
- 216: C:\Windows\SysWOW64\Kgdbkohf.exe (C:\Windows\system32\Kgdbkohf.exe), PID 7184
- 217: C:\Windows\SysWOW64\Kmnjhioc.exe (C:\Windows\system32\Kmnjhioc.exe), PID 7224
- 218: C:\Windows\SysWOW64\Kdhbec32.exe (C:\Windows\system32\Kdhbec32.exe), PID 7264
- 219: C:\Windows\SysWOW64\Kgfoan32.exe (C:\Windows\system32\Kgfoan32.exe), PID 7320
- 220: C:\Windows\SysWOW64\Liekmj32.exe (C:\Windows\system32\Liekmj32.exe), PID 7364
- 221: C:\Windows\SysWOW64\Lalcng32.exe (C:\Windows\system32\Lalcng32.exe), PID 7420; Modifies registry class
- 222: C:\Windows\SysWOW64\Lcmofolg.exe (C:\Windows\system32\Lcmofolg.exe), PID 7460
- 223: C:\Windows\SysWOW64\Lmccchkn.exe (C:\Windows\system32\Lmccchkn.exe), PID 7500
- 224: C:\Windows\SysWOW64\Lpappc32.exe (C:\Windows\system32\Lpappc32.exe), PID 7536
- 225: C:\Windows\SysWOW64\Lgkhlnbn.exe (C:\Windows\system32\Lgkhlnbn.exe), PID 7576
- 226: C:\Windows\SysWOW64\Laalifad.exe (C:\Windows\system32\Laalifad.exe), PID 7616
- 227: C:\Windows\SysWOW64\Lcbiao32.exe (C:\Windows\system32\Lcbiao32.exe), PID 7656
- 228: C:\Windows\SysWOW64\Lgneampk.exe (C:\Windows\system32\Lgneampk.exe), PID 7696; Drops file in System32 directory
- 229: C:\Windows\SysWOW64\Lnhmng32.exe (C:\Windows\system32\Lnhmng32.exe), PID 7736; Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
- 230: C:\Windows\SysWOW64\Lgpagm32.exe (C:\Windows\system32\Lgpagm32.exe), PID 7776
- 231: C:\Windows\SysWOW64\Ljnnch32.exe (C:\Windows\system32\Ljnnch32.exe), PID 7816
- 232: C:\Windows\SysWOW64\Laefdf32.exe (C:\Windows\system32\Laefdf32.exe), PID 7856; Adds autorun key to be loaded by Explorer.exe on startup
- 233: C:\Windows\SysWOW64\Lddbqa32.exe (C:\Windows\system32\Lddbqa32.exe), PID 7896; Modifies registry class
- 234: C:\Windows\SysWOW64\Lgbnmm32.exe (C:\Windows\system32\Lgbnmm32.exe), PID 7932
- 235: C:\Windows\SysWOW64\Lknjmkdo.exe (C:\Windows\system32\Lknjmkdo.exe), PID 7972
- 236: C:\Windows\SysWOW64\Mnlfigcc.exe (C:\Windows\system32\Mnlfigcc.exe), PID 8016
- 237: C:\Windows\SysWOW64\Mpkbebbf.exe (C:\Windows\system32\Mpkbebbf.exe), PID 8056
- 238: C:\Windows\SysWOW64\Mgekbljc.exe (C:\Windows\system32\Mgekbljc.exe), PID 8096; Adds autorun key to be loaded by Explorer.exe on startup
- 239: C:\Windows\SysWOW64\Mnocof32.exe (C:\Windows\system32\Mnocof32.exe), PID 8136
- 240: C:\Windows\SysWOW64\Mpmokb32.exe (C:\Windows\system32\Mpmokb32.exe), PID 8176
- 241: C:\Windows\SysWOW64\Mkbchk32.exe (C:\Windows\system32\Mkbchk32.exe), PID 7192
- 242: C:\Windows\SysWOW64\Mamleegg.exe (C:\Windows\system32\Mamleegg.exe), PID 7248; Adds autorun key to be loaded by Explorer.exe on startup