Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05-03-2024 18:34
Static task
static1
Behavioral task
behavioral1
Sample
22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe
Resource
win10v2004-20240226-en
General
-
Target
22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe
-
Size
163KB
-
MD5
bc165a02361411203a67b93723f1854f
-
SHA1
bea74d163740c55ed9838985f5210630b7c0d94a
-
SHA256
22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e
-
SHA512
3e877568b844a31665e77698d0f9ad3321b84b18750fe2f745bf02f4569500fce5080fcf74bb14b6778cc718288ffd12a68cfb6e9ddbb05472e4b5a0fe61ff85
-
SSDEEP
1536:Pllp8hWR8XZFT06Rnm+sEWoB6ovcCNLTum6ZlProNVU4qNVUrk/9QbfBr+7GwKrj:db8lmVEWg6Wcub6ZltOrWKDBr+yJb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afiecb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhcdaibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelipl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgmkmecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhcmgnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigeqkai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghhofmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghkllmoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgodbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgodbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbkja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghmiam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngoibmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjpqdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqjepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddifnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgaek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqdkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankdiqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmafennb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djefobmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghlgdgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcnpbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahokfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebedndfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdfflm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqeidnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjigg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoffmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpmjak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aajpelhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajpelhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdooajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpjiphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeempocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcoja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aigaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doobajme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbijhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhmepp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknnbklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afiecb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpocfncj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjgoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdhklkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcplhi32.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
resource yara_rule behavioral1/files/0x000c00000001224c-5.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0035000000014712-22.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0007000000014b4c-37.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0007000000014e71-49.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0008000000015cff-59.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000015d4e-75.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000015d5f-85.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000015d7f-97.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000015d93-111.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000015ecc-124.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000015fe5-137.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000600000001621e-150.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00060000000164aa-163.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016616-176.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016adc-190.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2360-204-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016c5e-208.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016cb0-221.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d07-232.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d20-243.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d3a-255.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d43-265.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x003500000001471a-276.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d8e-286.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016da5-297.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016db9-307.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000600000001704a-317.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00060000000171df-329.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000017437-338.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000186f6-359.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0031000000018649-348.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001875a-369.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001876e-380.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000018785-391.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018bb0-401.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018bd6-412.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000192e7-423.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019357-433.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019397-444.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001941e-455.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001944b-465.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019489-476.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000194ba-486.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019568-496.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195de-506.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001960a-517.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019610-528.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019616-540.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019619-550.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001961b-561.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001961e-571.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019622-584.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019627-594.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001969e-605.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001979d-615.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001984b-627.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000199d0-637.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019c48-650.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019ca8-659.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019db1-667.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019ef8-677.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a02e-685.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a097-693.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a34e-701.dat INDICATOR_EXE_Packed_MPress -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x000c00000001224c-5.dat UPX behavioral1/files/0x0035000000014712-22.dat UPX behavioral1/files/0x0007000000014b4c-37.dat UPX behavioral1/files/0x0007000000014e71-49.dat UPX behavioral1/files/0x0008000000015cff-59.dat UPX behavioral1/files/0x0006000000015d4e-75.dat UPX behavioral1/files/0x0006000000015d5f-85.dat UPX behavioral1/files/0x0006000000015d7f-97.dat UPX behavioral1/files/0x0006000000015d93-111.dat UPX behavioral1/files/0x0006000000015ecc-124.dat UPX behavioral1/files/0x0006000000015fe5-137.dat UPX behavioral1/files/0x000600000001621e-150.dat UPX behavioral1/files/0x00060000000164aa-163.dat UPX behavioral1/files/0x0006000000016616-176.dat UPX behavioral1/files/0x0006000000016adc-190.dat UPX behavioral1/memory/2360-204-0x0000000000400000-0x0000000000453000-memory.dmp UPX behavioral1/files/0x0006000000016c5e-208.dat UPX behavioral1/files/0x0006000000016cb0-221.dat UPX behavioral1/files/0x0006000000016d07-232.dat UPX behavioral1/files/0x0006000000016d20-243.dat UPX behavioral1/files/0x0006000000016d3a-255.dat UPX behavioral1/files/0x0006000000016d43-265.dat UPX behavioral1/files/0x003500000001471a-276.dat UPX behavioral1/files/0x0006000000016d8e-286.dat UPX behavioral1/files/0x0006000000016da5-297.dat UPX behavioral1/files/0x0006000000016db9-307.dat UPX behavioral1/files/0x000600000001704a-317.dat UPX behavioral1/files/0x00060000000171df-329.dat UPX behavioral1/files/0x0006000000017437-338.dat UPX behavioral1/files/0x00050000000186f6-359.dat UPX behavioral1/files/0x0031000000018649-348.dat UPX behavioral1/files/0x000500000001875a-369.dat UPX behavioral1/files/0x000500000001876e-380.dat UPX behavioral1/files/0x0005000000018785-391.dat UPX behavioral1/files/0x0006000000018bb0-401.dat UPX behavioral1/files/0x0006000000018bd6-412.dat UPX behavioral1/files/0x00050000000192e7-423.dat UPX behavioral1/files/0x0005000000019357-433.dat UPX behavioral1/files/0x0005000000019397-444.dat UPX behavioral1/files/0x000500000001941e-455.dat UPX behavioral1/files/0x000500000001944b-465.dat UPX behavioral1/files/0x0005000000019489-476.dat UPX behavioral1/files/0x00050000000194ba-486.dat UPX behavioral1/files/0x0005000000019568-496.dat UPX behavioral1/files/0x00050000000195de-506.dat UPX behavioral1/files/0x000500000001960a-517.dat UPX behavioral1/files/0x0005000000019610-528.dat UPX behavioral1/files/0x0005000000019616-540.dat UPX behavioral1/files/0x0005000000019619-550.dat UPX behavioral1/files/0x000500000001961b-561.dat UPX behavioral1/files/0x000500000001961e-571.dat UPX behavioral1/files/0x0005000000019622-584.dat UPX behavioral1/files/0x0005000000019627-594.dat UPX behavioral1/files/0x000500000001969e-605.dat UPX behavioral1/files/0x000500000001979d-615.dat UPX behavioral1/files/0x000500000001984b-627.dat UPX behavioral1/files/0x00050000000199d0-637.dat UPX behavioral1/files/0x0005000000019c48-650.dat UPX behavioral1/files/0x0005000000019ca8-659.dat UPX behavioral1/files/0x0005000000019db1-667.dat UPX behavioral1/files/0x0005000000019ef8-677.dat UPX behavioral1/files/0x000500000001a02e-685.dat UPX behavioral1/files/0x000500000001a097-693.dat UPX behavioral1/files/0x000500000001a34e-701.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 3040 Nkmbgdfl.exe 2620 Nbfjdn32.exe 2552 Ohqbqhde.exe 2716 Okoomd32.exe 2416 Onmkio32.exe 2808 Oicpfh32.exe 1040 Onphoo32.exe 2308 Odjpkihg.exe 1512 Oghlgdgk.exe 1272 Onbddoog.exe 876 Ogjimd32.exe 1208 Omgaek32.exe 1224 Oenifh32.exe 2708 Ofpfnqjp.exe 2360 Ongnonkb.exe 268 Pccfge32.exe 1076 Pipopl32.exe 2380 Ppjglfon.exe 2904 Pfdpip32.exe 2996 Piblek32.exe 1892 Ppmdbe32.exe 108 Pmqdkj32.exe 672 Plcdgfbo.exe 2012 Pbmmcq32.exe 2216 Pelipl32.exe 2576 Pigeqkai.exe 2544 Pbpjiphi.exe 2452 Qlhnbf32.exe 2536 Qnfjna32.exe 2448 Qaefjm32.exe 2496 Qdccfh32.exe 2336 Qnigda32.exe 1628 Qagcpljo.exe 640 Adeplhib.exe 1572 Ahakmf32.exe 2204 Ankdiqih.exe 1228 Amndem32.exe 1700 Aajpelhl.exe 2508 Aplpai32.exe 2168 Ahchbf32.exe 536 Aiedjneg.exe 1796 Aalmklfi.exe 1488 Adjigg32.exe 836 Afiecb32.exe 1004 Aigaon32.exe 2328 Alenki32.exe 2724 Admemg32.exe 2296 Afkbib32.exe 1952 Aiinen32.exe 2872 Alhjai32.exe 2564 Aoffmd32.exe 2424 Ailkjmpo.exe 3052 Ahokfj32.exe 1768 Boiccdnf.exe 2156 Bagpopmj.exe 1364 Bingpmnl.exe 1692 Blmdlhmp.exe 332 Bbflib32.exe 1176 Beehencq.exe 1744 Bhcdaibd.exe 2664 Bloqah32.exe 2140 Bommnc32.exe 1008 Balijo32.exe 580 Bdjefj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2848 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 2848 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 3040 Nkmbgdfl.exe 3040 Nkmbgdfl.exe 2620 Nbfjdn32.exe 2620 Nbfjdn32.exe 2552 Ohqbqhde.exe 2552 Ohqbqhde.exe 2716 Okoomd32.exe 2716 Okoomd32.exe 2416 Onmkio32.exe 2416 Onmkio32.exe 2808 Oicpfh32.exe 2808 Oicpfh32.exe 1040 Onphoo32.exe 1040 Onphoo32.exe 2308 Odjpkihg.exe 2308 Odjpkihg.exe 1512 Oghlgdgk.exe 1512 Oghlgdgk.exe 1272 Onbddoog.exe 1272 Onbddoog.exe 876 Ogjimd32.exe 876 Ogjimd32.exe 1208 Omgaek32.exe 1208 Omgaek32.exe 1224 Oenifh32.exe 1224 Oenifh32.exe 2708 Ofpfnqjp.exe 2708 Ofpfnqjp.exe 2360 Ongnonkb.exe 2360 Ongnonkb.exe 268 Pccfge32.exe 268 Pccfge32.exe 1076 Pipopl32.exe 1076 Pipopl32.exe 2380 Ppjglfon.exe 2380 Ppjglfon.exe 2904 Pfdpip32.exe 2904 Pfdpip32.exe 2996 Piblek32.exe 2996 Piblek32.exe 1892 Ppmdbe32.exe 1892 Ppmdbe32.exe 108 Pmqdkj32.exe 108 Pmqdkj32.exe 672 Plcdgfbo.exe 672 Plcdgfbo.exe 2012 Pbmmcq32.exe 2012 Pbmmcq32.exe 2216 Pelipl32.exe 2216 Pelipl32.exe 2576 Pigeqkai.exe 2576 Pigeqkai.exe 2544 Pbpjiphi.exe 2544 Pbpjiphi.exe 2452 Qlhnbf32.exe 2452 Qlhnbf32.exe 2536 Qnfjna32.exe 2536 Qnfjna32.exe 2448 Qaefjm32.exe 2448 Qaefjm32.exe 2496 Qdccfh32.exe 2496 Qdccfh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ikeelnol.dll Ogjimd32.exe File created C:\Windows\SysWOW64\Qnfjna32.exe Qlhnbf32.exe File created C:\Windows\SysWOW64\Aoipdkgg.dll Bnbjopoi.exe File opened for modification C:\Windows\SysWOW64\Glfhll32.exe Ghkllmoi.exe File created C:\Windows\SysWOW64\Hellne32.exe Hcnpbi32.exe File created C:\Windows\SysWOW64\Nfmjcmjd.dll Iaeiieeb.exe File created C:\Windows\SysWOW64\Pbmmcq32.exe Plcdgfbo.exe File created C:\Windows\SysWOW64\Jkoginch.dll Fhhcgj32.exe File created C:\Windows\SysWOW64\Gbkgnfbd.exe Gpmjak32.exe File created C:\Windows\SysWOW64\Goddhg32.exe Glfhll32.exe File opened for modification C:\Windows\SysWOW64\Gogangdc.exe Gkkemh32.exe File created C:\Windows\SysWOW64\Bghabf32.exe Bdjefj32.exe File opened for modification C:\Windows\SysWOW64\Iaeiieeb.exe Icbimi32.exe File created C:\Windows\SysWOW64\Djpmccqq.exe Dgaqgh32.exe File created C:\Windows\SysWOW64\Klidkobf.dll Dgaqgh32.exe File created C:\Windows\SysWOW64\Pfdpip32.exe Ppjglfon.exe File opened for modification C:\Windows\SysWOW64\Ahakmf32.exe Adeplhib.exe File opened for modification C:\Windows\SysWOW64\Ahchbf32.exe Aplpai32.exe File created C:\Windows\SysWOW64\Ailkjmpo.exe Aoffmd32.exe File created C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File opened for modification C:\Windows\SysWOW64\Dbpodagk.exe Ckffgg32.exe File created C:\Windows\SysWOW64\Faagpp32.exe Fnbkddem.exe File created C:\Windows\SysWOW64\Hlfdkoin.exe Hhjhkq32.exe File created C:\Windows\SysWOW64\Cgmkmecg.exe Bdooajdc.exe File created C:\Windows\SysWOW64\Dflkdp32.exe Dbpodagk.exe File opened for modification C:\Windows\SysWOW64\Epaogi32.exe Eihfjo32.exe File created C:\Windows\SysWOW64\Eloemi32.exe Eeempocb.exe File created C:\Windows\SysWOW64\Blnhfb32.dll Gaqcoc32.exe File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe Hknach32.exe File created C:\Windows\SysWOW64\Gmibbifn.dll Icbimi32.exe File opened for modification C:\Windows\SysWOW64\Aigaon32.exe Afiecb32.exe File opened for modification C:\Windows\SysWOW64\Afkbib32.exe Admemg32.exe File created C:\Windows\SysWOW64\Mocaac32.dll Bopicc32.exe File created C:\Windows\SysWOW64\Ddgkcd32.dll Dbbkja32.exe File created C:\Windows\SysWOW64\Dcknbh32.exe Doobajme.exe File created C:\Windows\SysWOW64\Djefobmk.exe Dcknbh32.exe File opened for modification C:\Windows\SysWOW64\Ecmkghcl.exe Epaogi32.exe File created C:\Windows\SysWOW64\Eecqjpee.exe Ebedndfa.exe File created C:\Windows\SysWOW64\Bdhaablp.dll Henidd32.exe File created C:\Windows\SysWOW64\Mhhaff32.dll Ppmdbe32.exe File created C:\Windows\SysWOW64\Jolfcj32.dll Alenki32.exe File created C:\Windows\SysWOW64\Cnbpqb32.dll Bbflib32.exe File created C:\Windows\SysWOW64\Ejgcdb32.exe Eflgccbp.exe File opened for modification C:\Windows\SysWOW64\Admemg32.exe Alenki32.exe File opened for modification C:\Windows\SysWOW64\Dqjepm32.exe Dmoipopd.exe File created C:\Windows\SysWOW64\Ppmcfdad.dll Dcknbh32.exe File created C:\Windows\SysWOW64\Pdamlbjc.dll Qnigda32.exe File created C:\Windows\SysWOW64\Gejcjbah.exe Gejcjbah.exe File opened for modification C:\Windows\SysWOW64\Ggpimica.exe Ghmiam32.exe File opened for modification C:\Windows\SysWOW64\Ailkjmpo.exe Aoffmd32.exe File created C:\Windows\SysWOW64\Bingpmnl.exe Bagpopmj.exe File opened for modification C:\Windows\SysWOW64\Bdjefj32.exe Balijo32.exe File created C:\Windows\SysWOW64\Pfabenjd.dll Gphmeo32.exe File opened for modification C:\Windows\SysWOW64\Nbfjdn32.exe Nkmbgdfl.exe File created C:\Windows\SysWOW64\Aiedjneg.exe Ahchbf32.exe File created C:\Windows\SysWOW64\Kcfdakpf.dll Ejgcdb32.exe File created C:\Windows\SysWOW64\Bnpmlfkm.dll Eiomkn32.exe File created C:\Windows\SysWOW64\Lpbjlbfp.dll Eeempocb.exe File created C:\Windows\SysWOW64\Dhekfh32.dll Aiedjneg.exe File created C:\Windows\SysWOW64\Aiinen32.exe Afkbib32.exe File created C:\Windows\SysWOW64\Bloqah32.exe Bhcdaibd.exe File opened for modification C:\Windows\SysWOW64\Coklgg32.exe Cllpkl32.exe File created C:\Windows\SysWOW64\Jamfqeie.dll Epdkli32.exe File created C:\Windows\SysWOW64\Qlidlf32.dll Flmefm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3612 3656 WerFault.exe 264 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgbebiao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfjhgfl.dll" Nbfjdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejeco32.dll" Clomqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djefobmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll" Ealnephf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ongnonkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihomanac.dll" Balijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfmpcjge.dll" Bjijdadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eflgccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Ekholjqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gogangdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oicpfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahchbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blmdlhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoipdkgg.dll" Bnbjopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" Inljnfkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oenifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdjefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" Fbdqmghm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" Hknach32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beehencq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bloqah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egamfkdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" Gfefiemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpmjak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmqdkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbmmcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" Fioija32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddmgjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" Hiekid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofpfnqjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiinen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqlckoi.dll" Coklgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhffaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll" Filldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okoomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aalmklfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll" Eajaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" Ffnphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll" Hpkjko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgdmmgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeqdep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhljm32.dll" Adeplhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipghqomc.dll" Ankdiqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aigaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdoneabg.dll" Bommnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coklgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll" Dqhhknjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbijhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inljnfkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alhjai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddjlc32.dll" Cllpkl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2848 wrote to memory of 3040 2848 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 28 PID 2848 wrote to memory of 3040 2848 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 28 PID 2848 wrote to memory of 3040 2848 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 28 PID 2848 wrote to memory of 3040 2848 22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe 28 PID 3040 wrote to memory of 2620 3040 Nkmbgdfl.exe 29 PID 3040 wrote to memory of 2620 3040 Nkmbgdfl.exe 29 PID 3040 wrote to memory of 2620 3040 Nkmbgdfl.exe 29 PID 3040 wrote to memory of 2620 3040 Nkmbgdfl.exe 29 PID 2620 wrote to memory of 2552 2620 Nbfjdn32.exe 30 PID 2620 wrote to memory of 2552 2620 Nbfjdn32.exe 30 PID 2620 wrote to memory of 2552 2620 Nbfjdn32.exe 30 PID 2620 wrote to memory of 2552 2620 Nbfjdn32.exe 30 PID 2552 wrote to memory of 2716 2552 Ohqbqhde.exe 31 PID 2552 wrote to memory of 2716 2552 Ohqbqhde.exe 31 PID 2552 wrote to memory of 2716 2552 Ohqbqhde.exe 31 PID 2552 wrote to memory of 2716 2552 Ohqbqhde.exe 31 PID 2716 wrote to memory of 2416 2716 Okoomd32.exe 32 PID 2716 wrote to memory of 2416 2716 Okoomd32.exe 32 PID 2716 wrote to memory of 2416 2716 Okoomd32.exe 32 PID 2716 wrote to memory of 2416 2716 Okoomd32.exe 32 PID 2416 wrote to memory of 2808 2416 Onmkio32.exe 33 PID 2416 wrote to memory of 2808 2416 Onmkio32.exe 33 PID 2416 wrote to memory of 2808 2416 Onmkio32.exe 33 PID 2416 wrote to memory of 2808 2416 Onmkio32.exe 33 PID 2808 wrote to memory of 1040 2808 Oicpfh32.exe 34 PID 2808 wrote to memory of 1040 2808 Oicpfh32.exe 34 PID 2808 wrote to memory of 1040 2808 Oicpfh32.exe 34 PID 2808 wrote to memory of 1040 2808 Oicpfh32.exe 34 PID 1040 wrote to memory of 2308 1040 Onphoo32.exe 35 PID 1040 wrote to memory of 2308 1040 Onphoo32.exe 35 PID 1040 wrote to memory of 2308 1040 Onphoo32.exe 35 PID 1040 wrote to memory of 2308 1040 Onphoo32.exe 35 PID 2308 wrote to memory of 1512 2308 Odjpkihg.exe 36 PID 2308 wrote to memory of 1512 2308 Odjpkihg.exe 36 PID 2308 wrote to memory of 1512 2308 Odjpkihg.exe 36 PID 2308 wrote to memory of 1512 2308 Odjpkihg.exe 36 PID 1512 wrote to memory of 1272 1512 Oghlgdgk.exe 37 PID 1512 wrote to memory of 1272 1512 Oghlgdgk.exe 37 PID 1512 wrote to memory of 1272 1512 Oghlgdgk.exe 37 PID 1512 wrote to memory of 1272 1512 Oghlgdgk.exe 37 PID 1272 wrote to memory of 876 1272 Onbddoog.exe 38 PID 1272 wrote to memory of 876 1272 Onbddoog.exe 38 PID 1272 wrote to memory of 876 1272 Onbddoog.exe 38 PID 1272 wrote to memory of 876 1272 Onbddoog.exe 38 PID 876 wrote to memory of 1208 876 Ogjimd32.exe 39 PID 876 wrote to memory of 1208 876 Ogjimd32.exe 39 PID 876 wrote to memory of 1208 876 Ogjimd32.exe 39 PID 876 wrote to memory of 1208 876 Ogjimd32.exe 39 PID 1208 wrote to memory of 1224 1208 Omgaek32.exe 40 PID 1208 wrote to memory of 1224 1208 Omgaek32.exe 40 PID 1208 wrote to memory of 1224 1208 Omgaek32.exe 40 PID 1208 wrote to memory of 1224 1208 Omgaek32.exe 40 PID 1224 wrote to memory of 2708 1224 Oenifh32.exe 41 PID 1224 wrote to memory of 2708 1224 Oenifh32.exe 41 PID 1224 wrote to memory of 2708 1224 Oenifh32.exe 41 PID 1224 wrote to memory of 2708 1224 Oenifh32.exe 41 PID 2708 wrote to memory of 2360 2708 Ofpfnqjp.exe 42 PID 2708 wrote to memory of 2360 2708 Ofpfnqjp.exe 42 PID 2708 wrote to memory of 2360 2708 Ofpfnqjp.exe 42 PID 2708 wrote to memory of 2360 2708 Ofpfnqjp.exe 42 PID 2360 wrote to memory of 268 2360 Ongnonkb.exe 43 PID 2360 wrote to memory of 268 2360 Ongnonkb.exe 43 PID 2360 wrote to memory of 268 2360 Ongnonkb.exe 43 PID 2360 wrote to memory of 268 2360 Ongnonkb.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe"C:\Users\Admin\AppData\Local\Temp\22848bf6464f609caf31f1f38adb4f976732840734a18cacc097778cae63518e.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Nkmbgdfl.exeC:\Windows\system32\Nkmbgdfl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ohqbqhde.exeC:\Windows\system32\Ohqbqhde.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Oicpfh32.exeC:\Windows\system32\Oicpfh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Oghlgdgk.exeC:\Windows\system32\Oghlgdgk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Oenifh32.exeC:\Windows\system32\Oenifh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Ofpfnqjp.exeC:\Windows\system32\Ofpfnqjp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Pccfge32.exeC:\Windows\system32\Pccfge32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Pipopl32.exeC:\Windows\system32\Pipopl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Piblek32.exeC:\Windows\system32\Piblek32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Ppmdbe32.exeC:\Windows\system32\Ppmdbe32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Pbmmcq32.exeC:\Windows\system32\Pbmmcq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Qnigda32.exeC:\Windows\system32\Qnigda32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe34⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Adeplhib.exeC:\Windows\system32\Adeplhib.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe36⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Ankdiqih.exeC:\Windows\system32\Ankdiqih.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe38⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Admemg32.exeC:\Windows\system32\Admemg32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Afkbib32.exeC:\Windows\system32\Afkbib32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Alhjai32.exeC:\Windows\system32\Alhjai32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Aoffmd32.exeC:\Windows\system32\Aoffmd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe53⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Boiccdnf.exeC:\Windows\system32\Boiccdnf.exe55⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe57⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Blmdlhmp.exeC:\Windows\system32\Blmdlhmp.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Bbflib32.exeC:\Windows\system32\Bbflib32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Bloqah32.exeC:\Windows\system32\Bloqah32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Bdjefj32.exeC:\Windows\system32\Bdjefj32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe66⤵PID:296
-
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe67⤵
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Bnbjopoi.exeC:\Windows\system32\Bnbjopoi.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe69⤵PID:3064
-
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe70⤵PID:1472
-
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe71⤵
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe72⤵PID:1556
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe73⤵PID:932
-
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe76⤵PID:2556
-
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe77⤵PID:2588
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe78⤵PID:3024
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe79⤵PID:1724
-
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe81⤵
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe82⤵PID:1748
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe85⤵PID:2796
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe86⤵PID:1120
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe87⤵PID:1852
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe88⤵PID:2040
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe89⤵PID:2760
-
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe90⤵PID:1152
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe91⤵PID:1712
-
C:\Windows\SysWOW64\Ckffgg32.exeC:\Windows\system32\Ckffgg32.exe92⤵
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe93⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe94⤵PID:2100
-
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe99⤵PID:2532
-
C:\Windows\SysWOW64\Dgodbh32.exeC:\Windows\system32\Dgodbh32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1668 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe101⤵PID:2172
-
C:\Windows\SysWOW64\Djnpnc32.exeC:\Windows\system32\Djnpnc32.exe102⤵PID:1516
-
C:\Windows\SysWOW64\Dbehoa32.exeC:\Windows\system32\Dbehoa32.exe103⤵PID:2148
-
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe104⤵
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe105⤵PID:2124
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe106⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe107⤵PID:2932
-
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe108⤵PID:2868
-
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe109⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1284 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe111⤵
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe112⤵PID:2656
-
C:\Windows\SysWOW64\Dnneja32.exeC:\Windows\system32\Dnneja32.exe113⤵PID:2560
-
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe116⤵
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Eihfjo32.exeC:\Windows\system32\Eihfjo32.exe118⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe119⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe120⤵PID:808
-
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Ejgcdb32.exeC:\Windows\system32\Ejgcdb32.exe122⤵
- Drops file in System32 directory
PID:2324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-