Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 01:54
Static task: static1
Behavioral task: behavioral1
Sample: ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe
Resource: win10v2004-20240508-en
General
Target: ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe
Size: 163KB
MD5: 39ff46b7ffb69c44e3d56dd2a1984e3d
SHA1: f27c7274e095507ebc7e7fa8f5514c4e3102dbb9
SHA256: ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5
SHA512: 5516bc2af3adcbc9718835b7dccb555d3eb4e72a05047cb91bba610d4cb936760bf14c4221c7b3b6fe03bd35106a937d278c19df5b9c6a00d034407b55d15328
SSDEEP: 3072:Pz+2/349CT69/cnUEPsltOrWKDBr+yJb:Pq2/u9/cvsLOf
Malware Config
Extracted: gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Detects executables built or packed with MPress PE compressor (64 IoCs)
UPX dump on OEP (original entry point) (64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Processes:
pid: 12312
pid_target: 12024
(process and target process columns were empty in the report)
Modifies registry class (64 IoCs)
Dgejpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbgipldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhimici.dll" Fkmchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gepmlimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe, Lcbiao32.exe, Lnhmng32.exe, Lgpagm32.exe, Lddbqa32.exe, Lgbnmm32.exe, Mnlfigcc.exe, Mpkbebbf.exe, Mciobn32.exe, Mkpgck32.exe, Mjeddggd.exe, Mamleegg.exe, Mkepnjng.exe, Mdmegp32.exe, Mglack32.exe, Maaepd32.exe, Mcbahlip.exe, Nacbfdao.exe, Ndbnboqb.exe, Nklfoi32.exe, Ncgkcl32.exe, Nnmopdep.exe
description | pid | process | target process
PID 4776 wrote to memory of 2416 | 4776 | ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe | Lcbiao32.exe
PID 4776 wrote to memory of 2416 | 4776 | ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe | Lcbiao32.exe
PID 4776 wrote to memory of 2416 | 4776 | ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe | Lcbiao32.exe
PID 2416 wrote to memory of 1380 | 2416 | Lcbiao32.exe | Lnhmng32.exe
PID 2416 wrote to memory of 1380 | 2416 | Lcbiao32.exe | Lnhmng32.exe
PID 2416 wrote to memory of 1380 | 2416 | Lcbiao32.exe | Lnhmng32.exe
PID 1380 wrote to memory of 3024 | 1380 | Lnhmng32.exe | Lgpagm32.exe
PID 1380 wrote to memory of 3024 | 1380 | Lnhmng32.exe | Lgpagm32.exe
PID 1380 wrote to memory of 3024 | 1380 | Lnhmng32.exe | Lgpagm32.exe
PID 3024 wrote to memory of 3572 | 3024 | Lgpagm32.exe | Lddbqa32.exe
PID 3024 wrote to memory of 3572 | 3024 | Lgpagm32.exe | Lddbqa32.exe
PID 3024 wrote to memory of 3572 | 3024 | Lgpagm32.exe | Lddbqa32.exe
PID 3572 wrote to memory of 4648 | 3572 | Lddbqa32.exe | Lgbnmm32.exe
PID 3572 wrote to memory of 4648 | 3572 | Lddbqa32.exe | Lgbnmm32.exe
PID 3572 wrote to memory of 4648 | 3572 | Lddbqa32.exe | Lgbnmm32.exe
PID 4648 wrote to memory of 4580 | 4648 | Lgbnmm32.exe | Mnlfigcc.exe
PID 4648 wrote to memory of 4580 | 4648 | Lgbnmm32.exe | Mnlfigcc.exe
PID 4648 wrote to memory of 4580 | 4648 | Lgbnmm32.exe | Mnlfigcc.exe
PID 4580 wrote to memory of 3376 | 4580 | Mnlfigcc.exe | Mpkbebbf.exe
PID 4580 wrote to memory of 3376 | 4580 | Mnlfigcc.exe | Mpkbebbf.exe
PID 4580 wrote to memory of 3376 | 4580 | Mnlfigcc.exe | Mpkbebbf.exe
PID 3376 wrote to memory of 4752 | 3376 | Mpkbebbf.exe | Mciobn32.exe
PID 3376 wrote to memory of 4752 | 3376 | Mpkbebbf.exe | Mciobn32.exe
PID 3376 wrote to memory of 4752 | 3376 | Mpkbebbf.exe | Mciobn32.exe
PID 4752 wrote to memory of 4896 | 4752 | Mciobn32.exe | Mkpgck32.exe
PID 4752 wrote to memory of 4896 | 4752 | Mciobn32.exe | Mkpgck32.exe
PID 4752 wrote to memory of 4896 | 4752 | Mciobn32.exe | Mkpgck32.exe
PID 4896 wrote to memory of 3692 | 4896 | Mkpgck32.exe | Mjeddggd.exe
PID 4896 wrote to memory of 3692 | 4896 | Mkpgck32.exe | Mjeddggd.exe
PID 4896 wrote to memory of 3692 | 4896 | Mkpgck32.exe | Mjeddggd.exe
PID 3692 wrote to memory of 1956 | 3692 | Mjeddggd.exe | Mamleegg.exe
PID 3692 wrote to memory of 1956 | 3692 | Mjeddggd.exe | Mamleegg.exe
PID 3692 wrote to memory of 1956 | 3692 | Mjeddggd.exe | Mamleegg.exe
PID 1956 wrote to memory of 4964 | 1956 | Mamleegg.exe | Mkepnjng.exe
PID 1956 wrote to memory of 4964 | 1956 | Mamleegg.exe | Mkepnjng.exe
PID 1956 wrote to memory of 4964 | 1956 | Mamleegg.exe | Mkepnjng.exe
PID 4964 wrote to memory of 4828 | 4964 | Mkepnjng.exe | Mdmegp32.exe
PID 4964 wrote to memory of 4828 | 4964 | Mkepnjng.exe | Mdmegp32.exe
PID 4964 wrote to memory of 4828 | 4964 | Mkepnjng.exe | Mdmegp32.exe
PID 4828 wrote to memory of 852 | 4828 | Mdmegp32.exe | Mglack32.exe
PID 4828 wrote to memory of 852 | 4828 | Mdmegp32.exe | Mglack32.exe
PID 4828 wrote to memory of 852 | 4828 | Mdmegp32.exe | Mglack32.exe
PID 852 wrote to memory of 5100 | 852 | Mglack32.exe | Maaepd32.exe
PID 852 wrote to memory of 5100 | 852 | Mglack32.exe | Maaepd32.exe
PID 852 wrote to memory of 5100 | 852 | Mglack32.exe | Maaepd32.exe
PID 5100 wrote to memory of 4212 | 5100 | Maaepd32.exe | Mcbahlip.exe
PID 5100 wrote to memory of 4212 | 5100 | Maaepd32.exe | Mcbahlip.exe
PID 5100 wrote to memory of 4212 | 5100 | Maaepd32.exe | Mcbahlip.exe
PID 4212 wrote to memory of 2716 | 4212 | Mcbahlip.exe | Nacbfdao.exe
PID 4212 wrote to memory of 2716 | 4212 | Mcbahlip.exe | Nacbfdao.exe
PID 4212 wrote to memory of 2716 | 4212 | Mcbahlip.exe | Nacbfdao.exe
PID 2716 wrote to memory of 1496 | 2716 | Nacbfdao.exe | Ndbnboqb.exe
PID 2716 wrote to memory of 1496 | 2716 | Nacbfdao.exe | Ndbnboqb.exe
PID 2716 wrote to memory of 1496 | 2716 | Nacbfdao.exe | Ndbnboqb.exe
PID 1496 wrote to memory of 1464 | 1496 | Ndbnboqb.exe | Nklfoi32.exe
PID 1496 wrote to memory of 1464 | 1496 | Ndbnboqb.exe | Nklfoi32.exe
PID 1496 wrote to memory of 1464 | 1496 | Ndbnboqb.exe | Nklfoi32.exe
PID 1464 wrote to memory of 1400 | 1464 | Nklfoi32.exe | Ncgkcl32.exe
PID 1464 wrote to memory of 1400 | 1464 | Nklfoi32.exe | Ncgkcl32.exe
PID 1464 wrote to memory of 1400 | 1464 | Nklfoi32.exe | Ncgkcl32.exe
PID 1400 wrote to memory of 1532 | 1400 | Ncgkcl32.exe | Nnmopdep.exe
PID 1400 wrote to memory of 1532 | 1400 | Ncgkcl32.exe | Nnmopdep.exe
PID 1400 wrote to memory of 1532 | 1400 | Ncgkcl32.exe | Nnmopdep.exe
PID 1532 wrote to memory of 4308 | 1532 | Nnmopdep.exe | Nqklmpdd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ae3b640649579d4549db5b81aeb5a174d2f2dee8d3198492ed9a224e195cbec5.exe", PID:4776) - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lcbiao32.exe (command line: C:\Windows\system32\Lcbiao32.exe, PID:2416) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lnhmng32.exe (command line: C:\Windows\system32\Lnhmng32.exe, PID:1380) - Executes dropped EXE; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Lgpagm32.exe (command line: C:\Windows\system32\Lgpagm32.exe, PID:3024) - Executes dropped EXE; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Lddbqa32.exe (command line: C:\Windows\system32\Lddbqa32.exe, PID:3572) - Executes dropped EXE; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lgbnmm32.exe (command line: C:\Windows\system32\Lgbnmm32.exe, PID:4648) - Executes dropped EXE; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mnlfigcc.exe (command line: C:\Windows\system32\Mnlfigcc.exe, PID:4580) - Executes dropped EXE; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mpkbebbf.exe (command line: C:\Windows\system32\Mpkbebbf.exe, PID:3376) - Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mciobn32.exe (command line: C:\Windows\system32\Mciobn32.exe, PID:4752) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mkpgck32.exe (command line: C:\Windows\system32\Mkpgck32.exe, PID:4896) - Executes dropped EXE; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mjeddggd.exe (command line: C:\Windows\system32\Mjeddggd.exe, PID:3692) - Executes dropped EXE; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Mamleegg.exe (command line: C:\Windows\system32\Mamleegg.exe, PID:1956) - Executes dropped EXE; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mkepnjng.exe (command line: C:\Windows\system32\Mkepnjng.exe, PID:4964) - Executes dropped EXE; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mdmegp32.exe (command line: C:\Windows\system32\Mdmegp32.exe, PID:4828) - Executes dropped EXE; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Mglack32.exe (command line: C:\Windows\system32\Mglack32.exe, PID:852) - Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Maaepd32.exe (command line: C:\Windows\system32\Maaepd32.exe, PID:5100) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mcbahlip.exe (command line: C:\Windows\system32\Mcbahlip.exe, PID:4212) - Executes dropped EXE; Suspicious use of WriteProcessMemory
18. C:\Windows\SysWOW64\Nacbfdao.exe (command line: C:\Windows\system32\Nacbfdao.exe, PID:2716) - Executes dropped EXE; Suspicious use of WriteProcessMemory
19. C:\Windows\SysWOW64\Ndbnboqb.exe (command line: C:\Windows\system32\Ndbnboqb.exe, PID:1496) - Executes dropped EXE; Suspicious use of WriteProcessMemory
20. C:\Windows\SysWOW64\Nklfoi32.exe (command line: C:\Windows\system32\Nklfoi32.exe, PID:1464) - Executes dropped EXE; Suspicious use of WriteProcessMemory
21. C:\Windows\SysWOW64\Ncgkcl32.exe (command line: C:\Windows\system32\Ncgkcl32.exe, PID:1400) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
22. C:\Windows\SysWOW64\Nnmopdep.exe (command line: C:\Windows\system32\Nnmopdep.exe, PID:1532) - Executes dropped EXE; Suspicious use of WriteProcessMemory
23. C:\Windows\SysWOW64\Nqklmpdd.exe (command line: C:\Windows\system32\Nqklmpdd.exe, PID:4308) - Executes dropped EXE
24. C:\Windows\SysWOW64\Ncihikcg.exe (command line: C:\Windows\system32\Ncihikcg.exe, PID:3408) - Executes dropped EXE
25. C:\Windows\SysWOW64\Nnolfdcn.exe (command line: C:\Windows\system32\Nnolfdcn.exe, PID:2368) - Executes dropped EXE; Drops file in System32 directory
26. C:\Windows\SysWOW64\Ncldnkae.exe (command line: C:\Windows\system32\Ncldnkae.exe, PID:2912) - Executes dropped EXE
27. C:\Windows\SysWOW64\Njfmke32.exe (command line: C:\Windows\system32\Njfmke32.exe, PID:4312) - Executes dropped EXE
28. C:\Windows\SysWOW64\Nqpego32.exe (command line: C:\Windows\system32\Nqpego32.exe, PID:3556) - Executes dropped EXE
29. C:\Windows\SysWOW64\Oqbamo32.exe (command line: C:\Windows\system32\Oqbamo32.exe, PID:4736) - Executes dropped EXE
30. C:\Windows\SysWOW64\Okhfjh32.exe (command line: C:\Windows\system32\Okhfjh32.exe, PID:1692) - Executes dropped EXE
31. C:\Windows\SysWOW64\Obangb32.exe (command line: C:\Windows\system32\Obangb32.exe, PID:3596) - Executes dropped EXE; Drops file in System32 directory
32. C:\Windows\SysWOW64\Okjbpglo.exe (command line: C:\Windows\system32\Okjbpglo.exe, PID:3304) - Executes dropped EXE
33. C:\Windows\SysWOW64\Oqgkhnjf.exe (command line: C:\Windows\system32\Oqgkhnjf.exe, PID:3020) - Executes dropped EXE
34. C:\Windows\SysWOW64\Ogaceh32.exe (command line: C:\Windows\system32\Ogaceh32.exe, PID:4604) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
35. C:\Windows\SysWOW64\Ojopad32.exe (command line: C:\Windows\system32\Ojopad32.exe, PID:4992) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
36. C:\Windows\SysWOW64\Oqihnn32.exe (command line: C:\Windows\system32\Oqihnn32.exe, PID:3740) - Executes dropped EXE
37. C:\Windows\SysWOW64\Ogcpjhoq.exe (command line: C:\Windows\system32\Ogcpjhoq.exe, PID:3452) - Executes dropped EXE
38. C:\Windows\SysWOW64\Ojalgcnd.exe (command line: C:\Windows\system32\Ojalgcnd.exe, PID:3472) - Executes dropped EXE
39. C:\Windows\SysWOW64\Oqkdcn32.exe (command line: C:\Windows\system32\Oqkdcn32.exe, PID:2076) - Executes dropped EXE
40. C:\Windows\SysWOW64\Pgemphmn.exe (command line: C:\Windows\system32\Pgemphmn.exe, PID:3184) - Executes dropped EXE
41. C:\Windows\SysWOW64\Pjdilcla.exe (command line: C:\Windows\system32\Pjdilcla.exe, PID:3716) - Executes dropped EXE
42. C:\Windows\SysWOW64\Pqnaim32.exe (command line: C:\Windows\system32\Pqnaim32.exe, PID:4156) - Executes dropped EXE; Drops file in System32 directory
43. C:\Windows\SysWOW64\Pclneicb.exe (command line: C:\Windows\system32\Pclneicb.exe, PID:1364) - Executes dropped EXE; Modifies registry class
44. C:\Windows\SysWOW64\Pbmncp32.exe (command line: C:\Windows\system32\Pbmncp32.exe, PID:1820) - Executes dropped EXE
45. C:\Windows\SysWOW64\Pcojkhap.exe (command line: C:\Windows\system32\Pcojkhap.exe, PID:1612) - Executes dropped EXE
46. C:\Windows\SysWOW64\Pkfblfab.exe (command line: C:\Windows\system32\Pkfblfab.exe, PID:2972) - Executes dropped EXE
47. C:\Windows\SysWOW64\Pndohaqe.exe (command line: C:\Windows\system32\Pndohaqe.exe, PID:4996) - Executes dropped EXE
48. C:\Windows\SysWOW64\Pengdk32.exe (command line: C:\Windows\system32\Pengdk32.exe, PID:4040) - Executes dropped EXE; Modifies registry class
49. C:\Windows\SysWOW64\Pkhoae32.exe (command line: C:\Windows\system32\Pkhoae32.exe, PID:3548) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
50. C:\Windows\SysWOW64\Pnfkma32.exe (command line: C:\Windows\system32\Pnfkma32.exe, PID:4628) - Executes dropped EXE
51. C:\Windows\SysWOW64\Pcccfh32.exe (command line: C:\Windows\system32\Pcccfh32.exe, PID:1228) - Executes dropped EXE
52. C:\Windows\SysWOW64\Pkjlge32.exe (command line: C:\Windows\system32\Pkjlge32.exe, PID:4020) - Executes dropped EXE; Modifies registry class
53. C:\Windows\SysWOW64\Pbddcoei.exe (command line: C:\Windows\system32\Pbddcoei.exe, PID:3704) - Executes dropped EXE; Drops file in System32 directory
54. C:\Windows\SysWOW64\Qgallfcq.exe (command line: C:\Windows\system32\Qgallfcq.exe, PID:1248) - Executes dropped EXE
55. C:\Windows\SysWOW64\Qjpiha32.exe (command line: C:\Windows\system32\Qjpiha32.exe, PID:2188) - Executes dropped EXE
56. C:\Windows\SysWOW64\Qajadlja.exe (command line: C:\Windows\system32\Qajadlja.exe, PID:4596) - Executes dropped EXE
57. C:\Windows\SysWOW64\Qchmagie.exe (command line: C:\Windows\system32\Qchmagie.exe, PID:2616) - Executes dropped EXE
58. C:\Windows\SysWOW64\Qloebdig.exe (command line: C:\Windows\system32\Qloebdig.exe, PID:1724) - Executes dropped EXE
59. C:\Windows\SysWOW64\Qnnanphk.exe (command line: C:\Windows\system32\Qnnanphk.exe, PID:2448) - Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
60. C:\Windows\SysWOW64\Qalnjkgo.exe (command line: C:\Windows\system32\Qalnjkgo.exe, PID:3780) - Executes dropped EXE
61. C:\Windows\SysWOW64\Agffge32.exe (command line: C:\Windows\system32\Agffge32.exe, PID:3944) - Executes dropped EXE
62. C:\Windows\SysWOW64\Anpncp32.exe (command line: C:\Windows\system32\Anpncp32.exe, PID:2848) - Executes dropped EXE
63. C:\Windows\SysWOW64\Aejfpjne.exe (command line: C:\Windows\system32\Aejfpjne.exe, PID:392) - Executes dropped EXE
64. C:\Windows\SysWOW64\Aldomc32.exe (command line: C:\Windows\system32\Aldomc32.exe, PID:2256) - Executes dropped EXE
65. C:\Windows\SysWOW64\Anbkio32.exe (command line: C:\Windows\system32\Anbkio32.exe, PID:4484) - Executes dropped EXE
66. C:\Windows\SysWOW64\Aelcfilb.exe (command line: C:\Windows\system32\Aelcfilb.exe, PID:780)
67. C:\Windows\SysWOW64\Ajiknpjj.exe (command line: C:\Windows\system32\Ajiknpjj.exe, PID:5028)
68. C:\Windows\SysWOW64\Aacckjaf.exe (command line: C:\Windows\system32\Aacckjaf.exe, PID:2488)
69. C:\Windows\SysWOW64\Ahmlgd32.exe (command line: C:\Windows\system32\Ahmlgd32.exe, PID:3284)
70. C:\Windows\SysWOW64\Angddopp.exe (command line: C:\Windows\system32\Angddopp.exe, PID:1052) - Adds autorun key to be loaded by Explorer.exe on startup
71. C:\Windows\SysWOW64\Aaepqjpd.exe (command line: C:\Windows\system32\Aaepqjpd.exe, PID:3676) - Drops file in System32 directory
72. C:\Windows\SysWOW64\Adcmmeog.exe (command line: C:\Windows\system32\Adcmmeog.exe, PID:2132)
73. C:\Windows\SysWOW64\Ajneip32.exe (command line: C:\Windows\system32\Ajneip32.exe, PID:4468)
74. C:\Windows\SysWOW64\Abemjmgg.exe (command line: C:\Windows\system32\Abemjmgg.exe, PID:4672)
75. C:\Windows\SysWOW64\Bdfibe32.exe (command line: C:\Windows\system32\Bdfibe32.exe, PID:4840)
76. C:\Windows\SysWOW64\Bbgipldd.exe (command line: C:\Windows\system32\Bbgipldd.exe, PID:3320) - Modifies registry class
77. C:\Windows\SysWOW64\Bdhfhe32.exe (command line: C:\Windows\system32\Bdhfhe32.exe, PID:1680)
78. C:\Windows\SysWOW64\Bnnjen32.exe (command line: C:\Windows\system32\Bnnjen32.exe, PID:916)
79. C:\Windows\SysWOW64\Balfaiil.exe (command line: C:\Windows\system32\Balfaiil.exe, PID:2080)
80. C:\Windows\SysWOW64\Bdkcmdhp.exe (command line: C:\Windows\system32\Bdkcmdhp.exe, PID:5076) - Drops file in System32 directory
81. C:\Windows\SysWOW64\Blbknaib.exe (command line: C:\Windows\system32\Blbknaib.exe, PID:4000)
82. C:\Windows\SysWOW64\Bblckl32.exe (command line: C:\Windows\system32\Bblckl32.exe, PID:4348)
83. C:\Windows\SysWOW64\Bejogg32.exe (command line: C:\Windows\system32\Bejogg32.exe, PID:3040)
84. C:\Windows\SysWOW64\Bjghpn32.exe (command line: C:\Windows\system32\Bjghpn32.exe, PID:2324)
85. C:\Windows\SysWOW64\Bdolhc32.exe (command line: C:\Windows\system32\Bdolhc32.exe, PID:4836)
86. C:\Windows\SysWOW64\Blfdia32.exe (command line: C:\Windows\system32\Blfdia32.exe, PID:2016)
87. C:\Windows\SysWOW64\Cbqlfkmi.exe (command line: C:\Windows\system32\Cbqlfkmi.exe, PID:5128)
88. C:\Windows\SysWOW64\Cogmkl32.exe (command line: C:\Windows\system32\Cogmkl32.exe, PID:5188)
89. C:\Windows\SysWOW64\Cafigg32.exe (command line: C:\Windows\system32\Cafigg32.exe, PID:5228)
90. C:\Windows\SysWOW64\Cknnpm32.exe (command line: C:\Windows\system32\Cknnpm32.exe, PID:5276)
91. C:\Windows\SysWOW64\Cdfbibnb.exe (command line: C:\Windows\system32\Cdfbibnb.exe, PID:5332)
92. C:\Windows\SysWOW64\Colffknh.exe (command line: C:\Windows\system32\Colffknh.exe, PID:5380)
93. C:\Windows\SysWOW64\Cajcbgml.exe (command line: C:\Windows\system32\Cajcbgml.exe, PID:5424)
94. C:\Windows\SysWOW64\Cdiooblp.exe (command line: C:\Windows\system32\Cdiooblp.exe, PID:5476) - Modifies registry class
95. C:\Windows\SysWOW64\Conclk32.exe (command line: C:\Windows\system32\Conclk32.exe, PID:5516)
96. C:\Windows\SysWOW64\Cehkhecb.exe (command line: C:\Windows\system32\Cehkhecb.exe, PID:5560)
97. C:\Windows\SysWOW64\Dbllbibl.exe (command line: C:\Windows\system32\Dbllbibl.exe, PID:5608)
98. C:\Windows\SysWOW64\Dkgqfl32.exe (command line: C:\Windows\system32\Dkgqfl32.exe, PID:5652) - Modifies registry class
99. C:\Windows\SysWOW64\Dboigi32.exe (command line: C:\Windows\system32\Dboigi32.exe, PID:5696)
100. C:\Windows\SysWOW64\Demecd32.exe (command line: C:\Windows\system32\Demecd32.exe, PID:5736) - Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Dlgmpogj.exe (command line: C:\Windows\system32\Dlgmpogj.exe, PID:5780)
102. C:\Windows\SysWOW64\Doeiljfn.exe (command line: C:\Windows\system32\Doeiljfn.exe, PID:5828)
103. C:\Windows\SysWOW64\Dadeieea.exe (command line: C:\Windows\system32\Dadeieea.exe, PID:5888)
104. C:\Windows\SysWOW64\Ddbbeade.exe (command line: C:\Windows\system32\Ddbbeade.exe, PID:5928)
105. C:\Windows\SysWOW64\Dlijfneg.exe (command line: C:\Windows\system32\Dlijfneg.exe, PID:5972)
106. C:\Windows\SysWOW64\Dohfbj32.exe (command line: C:\Windows\system32\Dohfbj32.exe, PID:6028)
107. C:\Windows\SysWOW64\Dafbne32.exe (command line: C:\Windows\system32\Dafbne32.exe, PID:6076)
108. C:\Windows\SysWOW64\Deanodkh.exe (command line: C:\Windows\system32\Deanodkh.exe, PID:6140)
109. C:\Windows\SysWOW64\Dllfkn32.exe (command line: C:\Windows\system32\Dllfkn32.exe, PID:3052)
110. C:\Windows\SysWOW64\Dahode32.exe (command line: C:\Windows\system32\Dahode32.exe, PID:5220) - Modifies registry class
111. C:\Windows\SysWOW64\Ddgkpp32.exe (command line: C:\Windows\system32\Ddgkpp32.exe, PID:3848) - Modifies registry class
112. C:\Windows\SysWOW64\Dlncan32.exe (command line: C:\Windows\system32\Dlncan32.exe, PID:5344)
113. C:\Windows\SysWOW64\Eolpmi32.exe (command line: C:\Windows\system32\Eolpmi32.exe, PID:5508) - Drops file in System32 directory
114. C:\Windows\SysWOW64\Eaklidoi.exe (command line: C:\Windows\system32\Eaklidoi.exe, PID:5568)
115. C:\Windows\SysWOW64\Edihepnm.exe (command line: C:\Windows\system32\Edihepnm.exe, PID:5672)
116. C:\Windows\SysWOW64\Ehedfo32.exe (command line: C:\Windows\system32\Ehedfo32.exe, PID:5760) - Drops file in System32 directory
117. C:\Windows\SysWOW64\Ekcpbj32.exe (command line: C:\Windows\system32\Ekcpbj32.exe, PID:5816)
118. C:\Windows\SysWOW64\Ecjhcg32.exe (command line: C:\Windows\system32\Ecjhcg32.exe, PID:5912)
119. C:\Windows\SysWOW64\Eamhodmf.exe (command line: C:\Windows\system32\Eamhodmf.exe, PID:5968)
120. C:\Windows\SysWOW64\Edkdkplj.exe (command line: C:\Windows\system32\Edkdkplj.exe, PID:6068)
121. C:\Windows\SysWOW64\Elbmlmml.exe (command line: C:\Windows\system32\Elbmlmml.exe, PID:5124)
122. C:\Windows\SysWOW64\Ekemhj32.exe (command line: C:\Windows\system32\Ekemhj32.exe, PID:5172)
123. C:\Windows\SysWOW64\Ecmeig32.exe (command line: C:\Windows\system32\Ecmeig32.exe, PID:5368)
124. C:\Windows\SysWOW64\Eekaebcm.exe (command line: C:\Windows\system32\Eekaebcm.exe, PID:5500)
125. C:\Windows\SysWOW64\Ednaqo32.exe (command line: C:\Windows\system32\Ednaqo32.exe, PID:5704)
126. C:\Windows\SysWOW64\Ekhjmiad.exe (command line: C:\Windows\system32\Ekhjmiad.exe, PID:5824) - Drops file in System32 directory
127. C:\Windows\SysWOW64\Ecoangbg.exe (command line: C:\Windows\system32\Ecoangbg.exe, PID:5960)
128. C:\Windows\SysWOW64\Eemnjbaj.exe (command line: C:\Windows\system32\Eemnjbaj.exe, PID:2732)
129. C:\Windows\SysWOW64\Ehljfnpn.exe (command line: C:\Windows\system32\Ehljfnpn.exe, PID:5260) - Drops file in System32 directory
130. C:\Windows\SysWOW64\Ekjfcipa.exe (command line: C:\Windows\system32\Ekjfcipa.exe, PID:5472)
131. C:\Windows\SysWOW64\Eadopc32.exe (command line: C:\Windows\system32\Eadopc32.exe, PID:5836)
132. C:\Windows\SysWOW64\Edbklofb.exe (command line: C:\Windows\system32\Edbklofb.exe, PID:6060)
133. C:\Windows\SysWOW64\Fkmchi32.exe (command line: C:\Windows\system32\Fkmchi32.exe, PID:5376) - Modifies registry class
134. C:\Windows\SysWOW64\Fohoigfh.exe (command line: C:\Windows\system32\Fohoigfh.exe, PID:5744)
135. C:\Windows\SysWOW64\Fafkecel.exe (command line: C:\Windows\system32\Fafkecel.exe, PID:5212)
136. C:\Windows\SysWOW64\Fllpbldb.exe (command line: C:\Windows\system32\Fllpbldb.exe, PID:5732) - Adds autorun key to be loaded by Explorer.exe on startup
137. C:\Windows\SysWOW64\Fcfhof32.exe (command line: C:\Windows\system32\Fcfhof32.exe, PID:5948)
138. C:\Windows\SysWOW64\Fhcpgmjf.exe (command line: C:\Windows\system32\Fhcpgmjf.exe, PID:5140)
139. C:\Windows\SysWOW64\Fkalchij.exe (command line: C:\Windows\system32\Fkalchij.exe, PID:6164) - Drops file in System32 directory
140. C:\Windows\SysWOW64\Fchddejl.exe (command line: C:\Windows\system32\Fchddejl.exe, PID:6208)
141. C:\Windows\SysWOW64\Fhemmlhc.exe (command line: C:\Windows\system32\Fhemmlhc.exe, PID:6248)
142. C:\Windows\SysWOW64\Fkciihgg.exe (command line: C:\Windows\system32\Fkciihgg.exe, PID:6296)
143. C:\Windows\SysWOW64\Fckajehi.exe (command line: C:\Windows\system32\Fckajehi.exe, PID:6336)
144. C:\Windows\SysWOW64\Ffimfqgm.exe (command line: C:\Windows\system32\Ffimfqgm.exe, PID:6376)
145. C:\Windows\SysWOW64\Flceckoj.exe (command line: C:\Windows\system32\Flceckoj.exe, PID:6420)
146. C:\Windows\SysWOW64\Foabofnn.exe (command line: C:\Windows\system32\Foabofnn.exe, PID:6460)
147. C:\Windows\SysWOW64\Fbpnkama.exe (command line: C:\Windows\system32\Fbpnkama.exe, PID:6500) - Drops file in System32 directory
148. C:\Windows\SysWOW64\Fdnjgmle.exe (command line: C:\Windows\system32\Fdnjgmle.exe, PID:6536)
149. C:\Windows\SysWOW64\Gkhbdg32.exe (command line: C:\Windows\system32\Gkhbdg32.exe, PID:6580)
150. C:\Windows\SysWOW64\Gcojed32.exe (command line: C:\Windows\system32\Gcojed32.exe, PID:6624)
151. C:\Windows\SysWOW64\Ghlcnk32.exe (command line: C:\Windows\system32\Ghlcnk32.exe, PID:6672)
152. C:\Windows\SysWOW64\Gofkje32.exe (command line: C:\Windows\system32\Gofkje32.exe, PID:6712)
153. C:\Windows\SysWOW64\Gfpcgpae.exe (command line: C:\Windows\system32\Gfpcgpae.exe, PID:6748)
154. C:\Windows\SysWOW64\Gdcdbl32.exe (command line: C:\Windows\system32\Gdcdbl32.exe, PID:6792)
155. C:\Windows\SysWOW64\Gmjlcj32.exe (command line: C:\Windows\system32\Gmjlcj32.exe, PID:6836)
156. C:\Windows\SysWOW64\Gohhpe32.exe (command line: C:\Windows\system32\Gohhpe32.exe, PID:6880) - Modifies registry class
157. C:\Windows\SysWOW64\Gkoiefmj.exe (command line: C:\Windows\system32\Gkoiefmj.exe, PID:6928)
158. C:\Windows\SysWOW64\Gcfqfc32.exe (command line: C:\Windows\system32\Gcfqfc32.exe, PID:6968)
159. C:\Windows\SysWOW64\Gfembo32.exe (command line: C:\Windows\system32\Gfembo32.exe, PID:7008)
160. C:\Windows\SysWOW64\Gdhmnlcj.exe (command line: C:\Windows\system32\Gdhmnlcj.exe, PID:7044)
161. C:\Windows\SysWOW64\Gmoeoidl.exe (command line: C:\Windows\system32\Gmoeoidl.exe, PID:7088)
162. C:\Windows\SysWOW64\Gcimkc32.exe (command line: C:\Windows\system32\Gcimkc32.exe, PID:7132) - Adds autorun key to be loaded by Explorer.exe on startup
163. C:\Windows\SysWOW64\Hiefcj32.exe (command line: C:\Windows\system32\Hiefcj32.exe, PID:5456) - Modifies registry class
164. C:\Windows\SysWOW64\Hkdbpe32.exe (command line: C:\Windows\system32\Hkdbpe32.exe, PID:6200)
165. C:\Windows\SysWOW64\Hbnjmp32.exe (command line: C:\Windows\system32\Hbnjmp32.exe, PID:6280)
166. C:\Windows\SysWOW64\Helfik32.exe (command line: C:\Windows\system32\Helfik32.exe, PID:6344) - Modifies registry class
167. C:\Windows\SysWOW64\Hmcojh32.exe (command line: C:\Windows\system32\Hmcojh32.exe, PID:6408)
168. C:\Windows\SysWOW64\Hbpgbo32.exe (command line: C:\Windows\system32\Hbpgbo32.exe, PID:6468)
169. C:\Windows\SysWOW64\Heocnk32.exe (command line: C:\Windows\system32\Heocnk32.exe, PID:6528)
170. C:\Windows\SysWOW64\Hmfkoh32.exe (command line: C:\Windows\system32\Hmfkoh32.exe, PID:6600)
171. C:\Windows\SysWOW64\Hcpclbfa.exe (command line: C:\Windows\system32\Hcpclbfa.exe, PID:6664)
172. C:\Windows\SysWOW64\Hfnphn32.exe (command line: C:\Windows\system32\Hfnphn32.exe, PID:6704)
173. C:\Windows\SysWOW64\Hkkhqd32.exe (command line: C:\Windows\system32\Hkkhqd32.exe, PID:6776)
174. C:\Windows\SysWOW64\Hbeqmoji.exe (command line: C:\Windows\system32\Hbeqmoji.exe, PID:6828) - Drops file in System32 directory
175. C:\Windows\SysWOW64\Hfqlnm32.exe (command line: C:\Windows\system32\Hfqlnm32.exe, PID:6888)
176. C:\Windows\SysWOW64\Hmjdjgjo.exe (command line: C:\Windows\system32\Hmjdjgjo.exe, PID:6956)
177. C:\Windows\SysWOW64\Hoiafcic.exe (command line: C:\Windows\system32\Hoiafcic.exe, PID:7004)
178. C:\Windows\SysWOW64\Hfcicmqp.exe (command line: C:\Windows\system32\Hfcicmqp.exe, PID:7068)
179. C:\Windows\SysWOW64\Ikpaldog.exe (command line: C:\Windows\system32\Ikpaldog.exe, PID:7148)
180. C:\Windows\SysWOW64\Ifefimom.exe (command line: C:\Windows\system32\Ifefimom.exe, PID:6196)
181. C:\Windows\SysWOW64\Iehfdi32.exe (command line: C:\Windows\system32\Iehfdi32.exe, PID:6324)
182. C:\Windows\SysWOW64\Imoneg32.exe (command line: C:\Windows\system32\Imoneg32.exe, PID:6448)
183. C:\Windows\SysWOW64\Icifbang.exe (command line: C:\Windows\system32\Icifbang.exe, PID:6596)
184. C:\Windows\SysWOW64\Ifgbnlmj.exe (command line: C:\Windows\system32\Ifgbnlmj.exe, PID:6656)
185. C:\Windows\SysWOW64\Iifokh32.exe (command line: C:\Windows\system32\Iifokh32.exe, PID:6808)
186. C:\Windows\SysWOW64\Ippggbck.exe (command line: C:\Windows\system32\Ippggbck.exe, PID:6892) - Adds autorun key to be loaded by Explorer.exe on startup
187. C:\Windows\SysWOW64\Ibnccmbo.exe (command line: C:\Windows\system32\Ibnccmbo.exe, PID:7056)
188. C:\Windows\SysWOW64\Iihkpg32.exe (command line: C:\Windows\system32\Iihkpg32.exe, PID:5728)
189. C:\Windows\SysWOW64\Imdgqfbd.exe (command line: C:\Windows\system32\Imdgqfbd.exe, PID:6320)
190. C:\Windows\SysWOW64\Ipbdmaah.exe (command line: C:\Windows\system32\Ipbdmaah.exe, PID:6572)
191. C:\Windows\SysWOW64\Ibqpimpl.exe (command line: C:\Windows\system32\Ibqpimpl.exe, PID:6744)
192. C:\Windows\SysWOW64\Ifllil32.exe (command line: C:\Windows\system32\Ifllil32.exe, PID:6988)
193. C:\Windows\SysWOW64\Iikhfg32.exe (command line: C:\Windows\system32\Iikhfg32.exe, PID:6192) - Modifies registry class
194. C:\Windows\SysWOW64\Ipdqba32.exe (command line: C:\Windows\system32\Ipdqba32.exe, PID:6760)
195. C:\Windows\SysWOW64\Ibcmom32.exe (command line: C:\Windows\system32\Ibcmom32.exe, PID:7160)
196. C:\Windows\SysWOW64\Jeaikh32.exe (command line: C:\Windows\system32\Jeaikh32.exe, PID:6916)
197. C:\Windows\SysWOW64\Jmhale32.exe (command line: C:\Windows\system32\Jmhale32.exe, PID:7128) - Adds autorun key to be loaded by Explorer.exe on startup
198. C:\Windows\SysWOW64\Jpgmha32.exe (command line: C:\Windows\system32\Jpgmha32.exe, PID:7212)
199. C:\Windows\SysWOW64\Jbeidl32.exe (command line: C:\Windows\system32\Jbeidl32.exe, PID:7256)
200. C:\Windows\SysWOW64\Jedeph32.exe (command line: C:\Windows\system32\Jedeph32.exe, PID:7296)
201. C:\Windows\SysWOW64\Jioaqfcc.exe (command line: C:\Windows\system32\Jioaqfcc.exe, PID:7328)
202. C:\Windows\SysWOW64\Jpijnqkp.exe (command line: C:\Windows\system32\Jpijnqkp.exe, PID:7372)
203. C:\Windows\SysWOW64\Jbhfjljd.exe (command line: C:\Windows\system32\Jbhfjljd.exe, PID:7428)
204. C:\Windows\SysWOW64\Jefbfgig.exe (command line: C:\Windows\system32\Jefbfgig.exe, PID:7468) - Drops file in System32 directory
205. C:\Windows\SysWOW64\Jmmjgejj.exe (command line: C:\Windows\system32\Jmmjgejj.exe, PID:7508)
206. C:\Windows\SysWOW64\Jplfcpin.exe (command line: C:\Windows\system32\Jplfcpin.exe, PID:7544)
207. C:\Windows\SysWOW64\Jbjcolha.exe (command line: C:\Windows\system32\Jbjcolha.exe, PID:7584)
208. C:\Windows\SysWOW64\Jehokgge.exe (command line: C:\Windows\system32\Jehokgge.exe, PID:7620)
209. C:\Windows\SysWOW64\Jmpgldhg.exe (command line: C:\Windows\system32\Jmpgldhg.exe, PID:7656)
210. C:\Windows\SysWOW64\Jpnchp32.exe (command line: C:\Windows\system32\Jpnchp32.exe, PID:7696)
211. C:\Windows\SysWOW64\Jblpek32.exe (command line: C:\Windows\system32\Jblpek32.exe, PID:7736)
212. C:\Windows\SysWOW64\Jeklag32.exe (command line: C:\Windows\system32\Jeklag32.exe, PID:7772)
213. C:\Windows\SysWOW64\Jmbdbd32.exe (command line: C:\Windows\system32\Jmbdbd32.exe, PID:7812)
214. C:\Windows\SysWOW64\Jpppnp32.exe (command line: C:\Windows\system32\Jpppnp32.exe, PID:7864)
215. C:\Windows\SysWOW64\Kfjhkjle.exe (command line: C:\Windows\system32\Kfjhkjle.exe, PID:7920)
216. C:\Windows\SysWOW64\Kemhff32.exe (command line: C:\Windows\system32\Kemhff32.exe, PID:7956)
217. C:\Windows\SysWOW64\Kmdqgd32.exe (command line: C:\Windows\system32\Kmdqgd32.exe, PID:7992)
218. C:\Windows\SysWOW64\Klgqcqkl.exe (command line: C:\Windows\system32\Klgqcqkl.exe, PID:8036)
219. C:\Windows\SysWOW64\Kdnidn32.exe (command line: C:\Windows\system32\Kdnidn32.exe, PID:8076)
220. C:\Windows\SysWOW64\Kepelfam.exe (command line: C:\Windows\system32\Kepelfam.exe, PID:8116)
221. C:\Windows\SysWOW64\Kmfmmcbo.exe (command line: C:\Windows\system32\Kmfmmcbo.exe, PID:8160)
222. C:\Windows\SysWOW64\Kpeiioac.exe (command line: C:\Windows\system32\Kpeiioac.exe, PID:6636)
223. C:\Windows\SysWOW64\Kbceejpf.exe (command line: C:\Windows\system32\Kbceejpf.exe, PID:7220)
224. C:\Windows\SysWOW64\Kebbafoj.exe (command line: C:\Windows\system32\Kebbafoj.exe, PID:7288)
225. C:\Windows\SysWOW64\Kmijbcpl.exe (command line: C:\Windows\system32\Kmijbcpl.exe, PID:7348) - Adds autorun key to be loaded by Explorer.exe on startup
226. C:\Windows\SysWOW64\Kpgfooop.exe (command line: C:\Windows\system32\Kpgfooop.exe, PID:7400) - Modifies registry class
227. C:\Windows\SysWOW64\Kbfbkj32.exe (command line: C:\Windows\system32\Kbfbkj32.exe, PID:7488)
228. C:\Windows\SysWOW64\Kfankifm.exe (command line: C:\Windows\system32\Kfankifm.exe, PID:7580)
229. C:\Windows\SysWOW64\Kmkfhc32.exe (command line: C:\Windows\system32\Kmkfhc32.exe, PID:7648)
230. C:\Windows\SysWOW64\Kdeoemeg.exe (command line: C:\Windows\system32\Kdeoemeg.exe, PID:6272)
231. C:\Windows\SysWOW64\Kfckahdj.exe (command line: C:\Windows\system32\Kfckahdj.exe, PID:6284)
232. C:\Windows\SysWOW64\Kibgmdcn.exe (command line: C:\Windows\system32\Kibgmdcn.exe, PID:7804)
233. C:\Windows\SysWOW64\Klqcioba.exe (command line: C:\Windows\system32\Klqcioba.exe, PID:7908)
234. C:\Windows\SysWOW64\Kdgljmcd.exe (command line: C:\Windows\system32\Kdgljmcd.exe, PID:8000)
235. C:\Windows\SysWOW64\Leihbeib.exe (command line: C:\Windows\system32\Leihbeib.exe, PID:8052)
236. C:\Windows\SysWOW64\Lmppcbjd.exe (command line: C:\Windows\system32\Lmppcbjd.exe, PID:8112)
237. C:\Windows\SysWOW64\Lpnlpnih.exe (command line: C:\Windows\system32\Lpnlpnih.exe, PID:8180)
238. C:\Windows\SysWOW64\Lbmhlihl.exe (command line: C:\Windows\system32\Lbmhlihl.exe, PID:7240)
239. C:\Windows\SysWOW64\Ligqhc32.exe (command line: C:\Windows\system32\Ligqhc32.exe, PID:7336)
240. C:\Windows\SysWOW64\Llemdo32.exe (command line: C:\Windows\system32\Llemdo32.exe, PID:7476)
241. C:\Windows\SysWOW64\Ldleel32.exe (command line: C:\Windows\system32\Ldleel32.exe, PID:7568)
242. C:\Windows\SysWOW64\Lfkaag32.exe (command line: C:\Windows\system32\Lfkaag32.exe, PID:6912)