Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/04/2024, 23:24
Static task: static1
Behavioral task: behavioral1
  Sample: 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe
  Resource: win10v2004-20240226-en
General
Target: 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe
Size: 243KB
MD5: 86c1384b7eac799a2c9924ab6d06675e
SHA1: d4a68a1859ec86db3cd90042850a9bb1b8be5d5f
SHA256: 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc
SHA512: 5e6cdb1c25cf442d27be4b952ab9f6b57f24cea4af4920cbc18368790572ce54699f0e3505a7d452b00ef492cd1f589573dc515d713045d62792e59f98216bd6
SSDEEP: 6144:527zx544JKzwesDzjhZAKqDuvlU2zlNgwTnAWtlhjQ:5qzxu4zliol5LhDAalhj
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pokieo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdlkiepd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dglpbbbg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iedkbc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohcaoajg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Poocpnbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmdjdh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gmgninie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlaeonld.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpfeppop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpfeppop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgjfkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qabcjgkh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cppkph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cklmgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdgcpi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ganpomec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdqbekcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bhdgjb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alhmjbhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dpbheh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqgoiokm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pngphgbf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfcampgf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djhphncm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffhpbacb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbdjbaea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdildlie.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikkjbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgjclbdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijbdha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjdmmdnh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgemplap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gbaileio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kkolkk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndbcpd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onjgiiad.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dpbheh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmbiipml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmlmic32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aaolidlk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnkbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Boqbfb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgjclbdi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gifhnpea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Poocpnbm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjnmlk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jocflgga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ajhgmpfg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlngpjlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jhngjmlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kebgia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kaldcb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oomjlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aipddi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Effcma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gifhnpea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfjhgdck.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gpejeihi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ieidmbcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndjfeo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amcpie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckiigmcd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijbdha32.exe
Detects executables built or packed with MPress PE compressor (64 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000012246-5.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000015480-19.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000015c1e-35.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000015c45-45.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000800000001601c-60.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016226-72.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016432-85.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000165e5-98.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016ad6-110.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c07-126.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c5c-133.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cb1-147.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cca-168.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cde-178.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cef-194.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2072-202-0x0000000000400000-0x0000000000467000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d12-209.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d32-216.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2352-242-0x0000000000400000-0x0000000000467000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d58-231.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1632-248-0x0000000000400000-0x0000000000467000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000171cb-266.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000017076-254.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d6a-244.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018687-285.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1332-274-0x0000000000400000-0x0000000000467000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000017554-276.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001872a-295.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018b02-305.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018b44-316.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018b63-326.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018b8b-330.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018bb2-344.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001932a-354.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019387-364.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019423-374.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001943f-384.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019484-394.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001948c-404.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194a5-414.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019570-426.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195a3-437.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195a5-446.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195a9-455.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195ad-465.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195b1-474.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195b5-483.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195bb-492.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000195c1-501.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001963f-510.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019643-519.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000197d6-530.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000198b4-539.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019a78-548.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019bf5-556.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019c90-564.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019d5f-572.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019eb8-580.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019fdf-588.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a04b-596.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a311-604.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a3f8-612.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a3ff-620.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001a406-628.dat | INDICATOR_EXE_Packed_MPress
Executes dropped EXE (64 IoCs)
pid | Process
2164 | Meagci32.exe
1316 | Mgqcmlgl.exe
2596 | Nialog32.exe
2836 | Nkbhgojk.exe
2828 | Nlbeqb32.exe
2476 | Nejiih32.exe
2468 | Nnennj32.exe
1648 | Ngnbgplj.exe
1684 | Ndbcpd32.exe
1452 | Onjgiiad.exe
1660 | Ofelmloo.exe
580 | Oqmmpd32.exe
1528 | Odobjg32.exe
2808 | Ooeggp32.exe
2072 | Pdaoog32.exe
2192 | Pogclp32.exe
2352 | Pmdjdh32.exe
2296 | Pgioaa32.exe
1632 | Qabcjgkh.exe
1988 | Qbelgood.exe
1332 | Aipddi32.exe
636 | Abjebn32.exe
2304 | Aidnohbk.exe
2300 | Aaobdjof.exe
1732 | Ajhgmpfg.exe
1992 | Aemkjiem.exe
1300 | Bpgljfbl.exe
2016 | Bjlqhoba.exe
2372 | Bmkmdk32.exe
2660 | Bfcampgf.exe
2664 | Bfenbpec.exe
2692 | Boqbfb32.exe
2624 | Bifgdk32.exe
2508 | Bbokmqie.exe
2380 | Ckjpacfp.exe
2000 | Ceodnl32.exe
1044 | Cklmgb32.exe
1268 | Cnkicn32.exe
1072 | Cgcmlcja.exe
1244 | Cojema32.exe
892 | Cahail32.exe
2068 | Cgejac32.exe
2780 | Cjdfmo32.exe
2284 | Caknol32.exe
1652 | Cclkfdnc.exe
2768 | Cjfccn32.exe
2860 | Cppkph32.exe
1296 | Dgjclbdi.exe
936 | Djhphncm.exe
1692 | Dpbheh32.exe
948 | Dglpbbbg.exe
2092 | Dojald32.exe
2392 | Dlnbeh32.exe
2940 | Dggcffhg.exe
2536 | Ejhlgaeh.exe
1280 | Ednpej32.exe
1624 | Enfenplo.exe
2644 | Egoife32.exe
2420 | Ejobhppq.exe
2832 | Eplkpgnh.exe
2984 | Effcma32.exe
2620 | Fmpkjkma.exe
2576 | Fpngfgle.exe
2452 | Ffhpbacb.exe
Loads dropped DLL (64 IoCs)
pid | Process
2156 | 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe
2156 | 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe
2164 | Meagci32.exe
2164 | Meagci32.exe
1316 | Mgqcmlgl.exe
1316 | Mgqcmlgl.exe
2596 | Nialog32.exe
2596 | Nialog32.exe
2836 | Nkbhgojk.exe
2836 | Nkbhgojk.exe
2828 | Nlbeqb32.exe
2828 | Nlbeqb32.exe
2476 | Nejiih32.exe
2476 | Nejiih32.exe
2468 | Nnennj32.exe
2468 | Nnennj32.exe
1648 | Ngnbgplj.exe
1648 | Ngnbgplj.exe
1684 | Ndbcpd32.exe
1684 | Ndbcpd32.exe
1452 | Onjgiiad.exe
1452 | Onjgiiad.exe
1660 | Ofelmloo.exe
1660 | Ofelmloo.exe
580 | Oqmmpd32.exe
580 | Oqmmpd32.exe
1528 | Odobjg32.exe
1528 | Odobjg32.exe
2808 | Ooeggp32.exe
2808 | Ooeggp32.exe
2072 | Pdaoog32.exe
2072 | Pdaoog32.exe
2192 | Pogclp32.exe
2192 | Pogclp32.exe
2352 | Pmdjdh32.exe
2352 | Pmdjdh32.exe
2296 | Pgioaa32.exe
2296 | Pgioaa32.exe
1632 | Qabcjgkh.exe
1632 | Qabcjgkh.exe
1988 | Qbelgood.exe
1988 | Qbelgood.exe
1332 | Aipddi32.exe
1332 | Aipddi32.exe
636 | Abjebn32.exe
636 | Abjebn32.exe
2304 | Aidnohbk.exe
2304 | Aidnohbk.exe
2300 | Aaobdjof.exe
2300 | Aaobdjof.exe
1732 | Ajhgmpfg.exe
1732 | Ajhgmpfg.exe
1992 | Aemkjiem.exe
1992 | Aemkjiem.exe
1300 | Bpgljfbl.exe
1300 | Bpgljfbl.exe
2016 | Bjlqhoba.exe
2016 | Bjlqhoba.exe
2372 | Bmkmdk32.exe
2372 | Bmkmdk32.exe
2660 | Bfcampgf.exe
2660 | Bfcampgf.exe
2664 | Bfenbpec.exe
2664 | Bfenbpec.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ibddljof.dll | Lpjdjmfp.exe
File created | C:\Windows\SysWOW64\Qeohnd32.exe | Pndpajgd.exe
File opened for modification | C:\Windows\SysWOW64\Cgejac32.exe | Cahail32.exe
File created | C:\Windows\SysWOW64\Eplkpgnh.exe | Ejobhppq.exe
File created | C:\Windows\SysWOW64\Jijdkh32.dll | Fmpkjkma.exe
File opened for modification | C:\Windows\SysWOW64\Jqgoiokm.exe | Jofbag32.exe
File created | C:\Windows\SysWOW64\Jpfdhnai.dll | Jhngjmlo.exe
File created | C:\Windows\SysWOW64\Fhneehek.exe | Fikejl32.exe
File created | C:\Windows\SysWOW64\Jfdnjb32.dll | Gifhnpea.exe
File created | C:\Windows\SysWOW64\Bnkbam32.exe | Bhajdblk.exe
File created | C:\Windows\SysWOW64\Jbodgd32.dll | Bnkbam32.exe
File created | C:\Windows\SysWOW64\Fiihdlpc.exe | Fncdgcqm.exe
File created | C:\Windows\SysWOW64\Jpfppg32.dll | Ljffag32.exe
File created | C:\Windows\SysWOW64\Cophek32.dll | Achojp32.exe
File created | C:\Windows\SysWOW64\Nlbeqb32.exe | Nkbhgojk.exe
File created | C:\Windows\SysWOW64\Hokokc32.dll | Bjlqhoba.exe
File created | C:\Windows\SysWOW64\Hdjlnm32.dll | Cahail32.exe
File created | C:\Windows\SysWOW64\Dglpbbbg.exe | Dpbheh32.exe
File created | C:\Windows\SysWOW64\Dojald32.exe | Dglpbbbg.exe
File created | C:\Windows\SysWOW64\Afgkfl32.exe | Achojp32.exe
File created | C:\Windows\SysWOW64\Fjkhohik.dll | Ooeggp32.exe
File created | C:\Windows\SysWOW64\Mhkdik32.dll | Cjfccn32.exe
File created | C:\Windows\SysWOW64\Jaegglem.dll | Dgjclbdi.exe
File created | C:\Windows\SysWOW64\Odjbdb32.exe | Oomjlk32.exe
File created | C:\Windows\SysWOW64\Pkidlk32.exe | Ocalkn32.exe
File opened for modification | C:\Windows\SysWOW64\Aaobdjof.exe | Aidnohbk.exe
File created | C:\Windows\SysWOW64\Bfcampgf.exe | Bmkmdk32.exe
File created | C:\Windows\SysWOW64\Kilfcpqm.exe | Kfmjgeaj.exe
File opened for modification | C:\Windows\SysWOW64\Kebgia32.exe | Kcakaipc.exe
File created | C:\Windows\SysWOW64\Egnhob32.dll | Mponel32.exe
File created | C:\Windows\SysWOW64\Fmbhok32.exe | Ffhpbacb.exe
File created | C:\Windows\SysWOW64\Pgegdo32.dll | Hhgdkjol.exe
File created | C:\Windows\SysWOW64\Hmfjha32.exe | Hgmalg32.exe
File opened for modification | C:\Windows\SysWOW64\Iompkh32.exe | Ilncom32.exe
File created | C:\Windows\SysWOW64\Oflcmqaa.dll | Ohendqhd.exe
File opened for modification | C:\Windows\SysWOW64\Haiccald.exe | Hojgfemq.exe
File created | C:\Windows\SysWOW64\Jgcdki32.exe | Jdehon32.exe
File created | C:\Windows\SysWOW64\Jmihnd32.dll | Ohcaoajg.exe
File opened for modification | C:\Windows\SysWOW64\Lfpclh32.exe | Labkdack.exe
File created | C:\Windows\SysWOW64\Cmelgapq.dll | Qkhpkoen.exe
File created | C:\Windows\SysWOW64\Nnennj32.exe | Nejiih32.exe
File created | C:\Windows\SysWOW64\Mhofcjea.dll | Dlnbeh32.exe
File created | C:\Windows\SysWOW64\Abofbl32.dll | Effcma32.exe
File opened for modification | C:\Windows\SysWOW64\Ganpomec.exe | Gifhnpea.exe
File opened for modification | C:\Windows\SysWOW64\Ilqpdm32.exe | Ijbdha32.exe
File opened for modification | C:\Windows\SysWOW64\Giieco32.exe | Gfjhgdck.exe
File created | C:\Windows\SysWOW64\Mkcggqfg.dll | Hoamgd32.exe
File created | C:\Windows\SysWOW64\Kiijnq32.exe | Jghmfhmb.exe
File opened for modification | C:\Windows\SysWOW64\Aemkjiem.exe | Ajhgmpfg.exe
File created | C:\Windows\SysWOW64\Olkbjhpi.dll | Ceodnl32.exe
File created | C:\Windows\SysWOW64\Ahoanjcc.dll | Ejobhppq.exe
File opened for modification | C:\Windows\SysWOW64\Fjongcbl.exe | Fcefji32.exe
File created | C:\Windows\SysWOW64\Gifhnpea.exe | Ghelfg32.exe
File created | C:\Windows\SysWOW64\Apbfblll.dll | Lgjfkk32.exe
File opened for modification | C:\Windows\SysWOW64\Apoooa32.exe | Amqccfed.exe
File opened for modification | C:\Windows\SysWOW64\Heihnoph.exe | Hanlnp32.exe
File created | C:\Windows\SysWOW64\Iddnkn32.dll | Jnkpbcjg.exe
File created | C:\Windows\SysWOW64\Nelkpj32.dll | Jdehon32.exe
File created | C:\Windows\SysWOW64\Bjlqhoba.exe | Bpgljfbl.exe
File created | C:\Windows\SysWOW64\Ejmmiihp.dll | Cojema32.exe
File created | C:\Windows\SysWOW64\Fbdjbaea.exe | Fhneehek.exe
File created | C:\Windows\SysWOW64\Obknqjig.dll | Gdgcpi32.exe
File created | C:\Windows\SysWOW64\Ganpomec.exe | Gifhnpea.exe
File opened for modification | C:\Windows\SysWOW64\Kjdilgpc.exe | Kgemplap.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3616 | 3596 | WerFault.exe | 255
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aipddi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aemkjiem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejhlgaeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmbbdq32.dll" | Fikejl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hpgfki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkeapk32.dll" | Kkolkk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll" | Baadng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ngnbgplj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfjnod32.dll" | Cnkicn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eimofi32.dll" | Gpcmpijk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll" | Oqacic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll" | Abphal32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bkglameg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ooeggp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cppkph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" | Dggcffhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcggqfg.dll" | Hoamgd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kjdilgpc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oopfakpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijdkh32.dll" | Fmpkjkma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdghad32.dll" | Hpgfki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hhgdkjol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdqbekcm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljibgg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpjdjmfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnkicn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll" | Cjfccn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll" | Ejobhppq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hoamgd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mponel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll" | Odjbdb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Okfgfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aelcmdee.dll" | Qbelgood.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll" | Dlnbeh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jqgoiokm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmebnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odobjg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfenbpec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjlnm32.dll" | Cahail32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gakcimgf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll" | Liplnc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnkpbcjg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oqacic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll" | Qeaedd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afgkfl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blaopqpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cklmgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempblao.dll" | Ikkjbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kkolkk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lfpclh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pkfceo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Abbeflpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abofbl32.dll" | Effcma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdobjm32.dll" | Ghelfg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll" | Icfofg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll" | Kfbcbd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnennj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnpjo.dll" | Ganpomec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gfjhgdck.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Legmbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll" | Mffimglk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajpjakhc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dpbheh32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2156 wrote to memory of 2164 | 2156 | 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe | 28
PID 2156 wrote to memory of 2164 | 2156 | 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe | 28
PID 2156 wrote to memory of 2164 | 2156 | 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe | 28
PID 2156 wrote to memory of 2164 | 2156 | 91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe | 28
PID 2164 wrote to memory of 1316 | 2164 | Meagci32.exe | 29
PID 2164 wrote to memory of 1316 | 2164 | Meagci32.exe | 29
PID 2164 wrote to memory of 1316 | 2164 | Meagci32.exe | 29
PID 2164 wrote to memory of 1316 | 2164 | Meagci32.exe | 29
PID 1316 wrote to memory of 2596 | 1316 | Mgqcmlgl.exe | 30
PID 1316 wrote to memory of 2596 | 1316 | Mgqcmlgl.exe | 30
PID 1316 wrote to memory of 2596 | 1316 | Mgqcmlgl.exe | 30
PID 1316 wrote to memory of 2596 | 1316 | Mgqcmlgl.exe | 30
PID 2596 wrote to memory of 2836 | 2596 | Nialog32.exe | 31
PID 2596 wrote to memory of 2836 | 2596 | Nialog32.exe | 31
PID 2596 wrote to memory of 2836 | 2596 | Nialog32.exe | 31
PID 2596 wrote to memory of 2836 | 2596 | Nialog32.exe | 31
PID 2836 wrote to memory of 2828 | 2836 | Nkbhgojk.exe | 32
PID 2836 wrote to memory of 2828 | 2836 | Nkbhgojk.exe | 32
PID 2836 wrote to memory of 2828 | 2836 | Nkbhgojk.exe | 32
PID 2836 wrote to memory of 2828 | 2836 | Nkbhgojk.exe | 32
PID 2828 wrote to memory of 2476 | 2828 | Nlbeqb32.exe | 33
PID 2828 wrote to memory of 2476 | 2828 | Nlbeqb32.exe | 33
PID 2828 wrote to memory of 2476 | 2828 | Nlbeqb32.exe | 33
PID 2828 wrote to memory of 2476 | 2828 | Nlbeqb32.exe | 33
PID 2476 wrote to memory of 2468 | 2476 | Nejiih32.exe | 34
PID 2476 wrote to memory of 2468 | 2476 | Nejiih32.exe | 34
PID 2476 wrote to memory of 2468 | 2476 | Nejiih32.exe | 34
PID 2476 wrote to memory of 2468 | 2476 | Nejiih32.exe | 34
PID 2468 wrote to memory of 1648 | 2468 | Nnennj32.exe | 35
PID 2468 wrote to memory of 1648 | 2468 | Nnennj32.exe | 35
PID 2468 wrote to memory of 1648 | 2468 | Nnennj32.exe | 35
PID 2468 wrote to memory of 1648 | 2468 | Nnennj32.exe | 35
PID 1648 wrote to memory of 1684 | 1648 | Ngnbgplj.exe | 36
PID 1648 wrote to memory of 1684 | 1648 | Ngnbgplj.exe | 36
PID 1648 wrote to memory of 1684 | 1648 | Ngnbgplj.exe | 36
PID 1648 wrote to memory of 1684 | 1648 | Ngnbgplj.exe | 36
PID 1684 wrote to memory of 1452 | 1684 | Ndbcpd32.exe | 37
PID 1684 wrote to memory of 1452 | 1684 | Ndbcpd32.exe | 37
PID 1684 wrote to memory of 1452 | 1684 | Ndbcpd32.exe | 37
PID 1684 wrote to memory of 1452 | 1684 | Ndbcpd32.exe | 37
PID 1452 wrote to memory of 1660 | 1452 | Onjgiiad.exe | 38
PID 1452 wrote to memory of 1660 | 1452 | Onjgiiad.exe | 38
PID 1452 wrote to memory of 1660 | 1452 | Onjgiiad.exe | 38
PID 1452 wrote to memory of 1660 | 1452 | Onjgiiad.exe | 38
PID 1660 wrote to memory of 580 | 1660 | Ofelmloo.exe | 39
PID 1660 wrote to memory of 580 | 1660 | Ofelmloo.exe | 39
PID 1660 wrote to memory of 580 | 1660 | Ofelmloo.exe | 39
PID 1660 wrote to memory of 580 | 1660 | Ofelmloo.exe | 39
PID 580 wrote to memory of 1528 | 580 | Oqmmpd32.exe | 40
PID 580 wrote to memory of 1528 | 580 | Oqmmpd32.exe | 40
PID 580 wrote to memory of 1528 | 580 | Oqmmpd32.exe | 40
PID 580 wrote to memory of 1528 | 580 | Oqmmpd32.exe | 40
PID 1528 wrote to memory of 2808 | 1528 | Odobjg32.exe | 41
PID 1528 wrote to memory of 2808 | 1528 | Odobjg32.exe | 41
PID 1528 wrote to memory of 2808 | 1528 | Odobjg32.exe | 41
PID 1528 wrote to memory of 2808 | 1528 | Odobjg32.exe | 41
PID 2808 wrote to memory of 2072 | 2808 | Ooeggp32.exe | 42
PID 2808 wrote to memory of 2072 | 2808 | Ooeggp32.exe | 42
PID 2808 wrote to memory of 2072 | 2808 | Ooeggp32.exe | 42
PID 2808 wrote to memory of 2072 | 2808 | Ooeggp32.exe | 42
PID 2072 wrote to memory of 2192 | 2072 | Pdaoog32.exe | 43
PID 2072 wrote to memory of 2192 | 2072 | Pdaoog32.exe | 43
PID 2072 wrote to memory of 2192 | 2072 | Pdaoog32.exe | 43
PID 2072 wrote to memory of 2192 | 2072 | Pdaoog32.exe | 43
Processes
(one entry per process; depth is the nesting level in the process tree, each process's PID is given with its entry)
- Depth 1, PID 2156: C:\Users\Admin\AppData\Local\Temp\91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe (command line: "C:\Users\Admin\AppData\Local\Temp\91352527c4eca6bdfdb0898f762babdc15e27d103144ecfa31bb546ebc196fbc.exe")
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- Depth 2, PID 2164: C:\Windows\SysWOW64\Meagci32.exe (command line: C:\Windows\system32\Meagci32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 3, PID 1316: C:\Windows\SysWOW64\Mgqcmlgl.exe (command line: C:\Windows\system32\Mgqcmlgl.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 4, PID 2596: C:\Windows\SysWOW64\Nialog32.exe (command line: C:\Windows\system32\Nialog32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 5, PID 2836: C:\Windows\SysWOW64\Nkbhgojk.exe (command line: C:\Windows\system32\Nkbhgojk.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 6, PID 2828: C:\Windows\SysWOW64\Nlbeqb32.exe (command line: C:\Windows\system32\Nlbeqb32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 7, PID 2476: C:\Windows\SysWOW64\Nejiih32.exe (command line: C:\Windows\system32\Nejiih32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- Depth 8, PID 2468: C:\Windows\SysWOW64\Nnennj32.exe (command line: C:\Windows\system32\Nnennj32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- Depth 9, PID 1648: C:\Windows\SysWOW64\Ngnbgplj.exe (command line: C:\Windows\system32\Ngnbgplj.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- Depth 10, PID 1684: C:\Windows\SysWOW64\Ndbcpd32.exe (command line: C:\Windows\system32\Ndbcpd32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 11, PID 1452: C:\Windows\SysWOW64\Onjgiiad.exe (command line: C:\Windows\system32\Onjgiiad.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 12, PID 1660: C:\Windows\SysWOW64\Ofelmloo.exe (command line: C:\Windows\system32\Ofelmloo.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 13, PID 580: C:\Windows\SysWOW64\Oqmmpd32.exe (command line: C:\Windows\system32\Oqmmpd32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 14, PID 1528: C:\Windows\SysWOW64\Odobjg32.exe (command line: C:\Windows\system32\Odobjg32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- Depth 15, PID 2808: C:\Windows\SysWOW64\Ooeggp32.exe (command line: C:\Windows\system32\Ooeggp32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- Depth 16, PID 2072: C:\Windows\SysWOW64\Pdaoog32.exe (command line: C:\Windows\system32\Pdaoog32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 17, PID 2192: C:\Windows\SysWOW64\Pogclp32.exe (command line: C:\Windows\system32\Pogclp32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 18, PID 2352: C:\Windows\SysWOW64\Pmdjdh32.exe (command line: C:\Windows\system32\Pmdjdh32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 19, PID 2296: C:\Windows\SysWOW64\Pgioaa32.exe (command line: C:\Windows\system32\Pgioaa32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 20, PID 1632: C:\Windows\SysWOW64\Qabcjgkh.exe (command line: C:\Windows\system32\Qabcjgkh.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 21, PID 1988: C:\Windows\SysWOW64\Qbelgood.exe (command line: C:\Windows\system32\Qbelgood.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- Depth 22, PID 1332: C:\Windows\SysWOW64\Aipddi32.exe (command line: C:\Windows\system32\Aipddi32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- Depth 23, PID 636: C:\Windows\SysWOW64\Abjebn32.exe (command line: C:\Windows\system32\Abjebn32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 24, PID 2304: C:\Windows\SysWOW64\Aidnohbk.exe (command line: C:\Windows\system32\Aidnohbk.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Depth 25, PID 2300: C:\Windows\SysWOW64\Aaobdjof.exe (command line: C:\Windows\system32\Aaobdjof.exe)
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 26, PID 1732: C:\Windows\SysWOW64\Ajhgmpfg.exe (command line: C:\Windows\system32\Ajhgmpfg.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Depth 27, PID 1992: C:\Windows\SysWOW64\Aemkjiem.exe (command line: C:\Windows\system32\Aemkjiem.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- Depth 28, PID 1300: C:\Windows\SysWOW64\Bpgljfbl.exe (command line: C:\Windows\system32\Bpgljfbl.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Depth 29, PID 2016: C:\Windows\SysWOW64\Bjlqhoba.exe (command line: C:\Windows\system32\Bjlqhoba.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Depth 30, PID 2372: C:\Windows\SysWOW64\Bmkmdk32.exe (command line: C:\Windows\system32\Bmkmdk32.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- Depth 31, PID 2660: C:\Windows\SysWOW64\Bfcampgf.exe (command line: C:\Windows\system32\Bfcampgf.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- Depth 32, PID 2664: C:\Windows\SysWOW64\Bfenbpec.exe (command line: C:\Windows\system32\Bfenbpec.exe)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
- Depth 33, PID 2692: C:\Windows\SysWOW64\Boqbfb32.exe (command line: C:\Windows\system32\Boqbfb32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- Depth 34, PID 2624: C:\Windows\SysWOW64\Bifgdk32.exe (command line: C:\Windows\system32\Bifgdk32.exe)
  - Executes dropped EXE
- Depth 35, PID 2508: C:\Windows\SysWOW64\Bbokmqie.exe (command line: C:\Windows\system32\Bbokmqie.exe)
  - Executes dropped EXE
- Depth 36, PID 2380: C:\Windows\SysWOW64\Ckjpacfp.exe (command line: C:\Windows\system32\Ckjpacfp.exe)
  - Executes dropped EXE
- Depth 37, PID 2000: C:\Windows\SysWOW64\Ceodnl32.exe (command line: C:\Windows\system32\Ceodnl32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 38, PID 1044: C:\Windows\SysWOW64\Cklmgb32.exe (command line: C:\Windows\system32\Cklmgb32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- Depth 39, PID 1268: C:\Windows\SysWOW64\Cnkicn32.exe (command line: C:\Windows\system32\Cnkicn32.exe)
  - Executes dropped EXE
  - Modifies registry class
- Depth 40, PID 1072: C:\Windows\SysWOW64\Cgcmlcja.exe (command line: C:\Windows\system32\Cgcmlcja.exe)
  - Executes dropped EXE
- Depth 41, PID 1244: C:\Windows\SysWOW64\Cojema32.exe (command line: C:\Windows\system32\Cojema32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 42, PID 892: C:\Windows\SysWOW64\Cahail32.exe (command line: C:\Windows\system32\Cahail32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- Depth 43, PID 2068: C:\Windows\SysWOW64\Cgejac32.exe (command line: C:\Windows\system32\Cgejac32.exe)
  - Executes dropped EXE
- Depth 44, PID 2780: C:\Windows\SysWOW64\Cjdfmo32.exe (command line: C:\Windows\system32\Cjdfmo32.exe)
  - Executes dropped EXE
- Depth 45, PID 2284: C:\Windows\SysWOW64\Caknol32.exe (command line: C:\Windows\system32\Caknol32.exe)
  - Executes dropped EXE
- Depth 46, PID 1652: C:\Windows\SysWOW64\Cclkfdnc.exe (command line: C:\Windows\system32\Cclkfdnc.exe)
  - Executes dropped EXE
- Depth 47, PID 2768: C:\Windows\SysWOW64\Cjfccn32.exe (command line: C:\Windows\system32\Cjfccn32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- Depth 48, PID 2860: C:\Windows\SysWOW64\Cppkph32.exe (command line: C:\Windows\system32\Cppkph32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- Depth 49, PID 1296: C:\Windows\SysWOW64\Dgjclbdi.exe (command line: C:\Windows\system32\Dgjclbdi.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 50, PID 936: C:\Windows\SysWOW64\Djhphncm.exe (command line: C:\Windows\system32\Djhphncm.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- Depth 51, PID 1692: C:\Windows\SysWOW64\Dpbheh32.exe (command line: C:\Windows\system32\Dpbheh32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- Depth 52, PID 948: C:\Windows\SysWOW64\Dglpbbbg.exe (command line: C:\Windows\system32\Dglpbbbg.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 53, PID 2092: C:\Windows\SysWOW64\Dojald32.exe (command line: C:\Windows\system32\Dojald32.exe)
  - Executes dropped EXE
- Depth 54, PID 2392: C:\Windows\SysWOW64\Dlnbeh32.exe (command line: C:\Windows\system32\Dlnbeh32.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- Depth 55, PID 2940: C:\Windows\SysWOW64\Dggcffhg.exe (command line: C:\Windows\system32\Dggcffhg.exe)
  - Executes dropped EXE
  - Modifies registry class
- Depth 56, PID 2536: C:\Windows\SysWOW64\Ejhlgaeh.exe (command line: C:\Windows\system32\Ejhlgaeh.exe)
  - Executes dropped EXE
  - Modifies registry class
- Depth 57, PID 1280: C:\Windows\SysWOW64\Ednpej32.exe (command line: C:\Windows\system32\Ednpej32.exe)
  - Executes dropped EXE
- Depth 58, PID 1624: C:\Windows\SysWOW64\Enfenplo.exe (command line: C:\Windows\system32\Enfenplo.exe)
  - Executes dropped EXE
- Depth 59, PID 2644: C:\Windows\SysWOW64\Egoife32.exe (command line: C:\Windows\system32\Egoife32.exe)
  - Executes dropped EXE
- Depth 60, PID 2420: C:\Windows\SysWOW64\Ejobhppq.exe (command line: C:\Windows\system32\Ejobhppq.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- Depth 61, PID 2832: C:\Windows\SysWOW64\Eplkpgnh.exe (command line: C:\Windows\system32\Eplkpgnh.exe)
  - Executes dropped EXE
- Depth 62, PID 2984: C:\Windows\SysWOW64\Effcma32.exe (command line: C:\Windows\system32\Effcma32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- Depth 63, PID 2620: C:\Windows\SysWOW64\Fmpkjkma.exe (command line: C:\Windows\system32\Fmpkjkma.exe)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
- Depth 64, PID 2576: C:\Windows\SysWOW64\Fpngfgle.exe (command line: C:\Windows\system32\Fpngfgle.exe)
  - Executes dropped EXE
- Depth 65, PID 2452: C:\Windows\SysWOW64\Ffhpbacb.exe (command line: C:\Windows\system32\Ffhpbacb.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
- Depth 66, PID 1204: C:\Windows\SysWOW64\Fmbhok32.exe (command line: C:\Windows\system32\Fmbhok32.exe)
- Depth 67, PID 2204: C:\Windows\SysWOW64\Fncdgcqm.exe (command line: C:\Windows\system32\Fncdgcqm.exe)
  - Drops file in System32 directory
- Depth 68, PID 1200: C:\Windows\SysWOW64\Fiihdlpc.exe (command line: C:\Windows\system32\Fiihdlpc.exe)
- Depth 69, PID 1292: C:\Windows\SysWOW64\Fnfamcoj.exe (command line: C:\Windows\system32\Fnfamcoj.exe)
- Depth 70, PID 1388: C:\Windows\SysWOW64\Fikejl32.exe (command line: C:\Windows\system32\Fikejl32.exe)
  - Drops file in System32 directory
  - Modifies registry class
- Depth 71, PID 2540: C:\Windows\SysWOW64\Fhneehek.exe (command line: C:\Windows\system32\Fhneehek.exe)
  - Drops file in System32 directory
- Depth 72, PID 1700: C:\Windows\SysWOW64\Fbdjbaea.exe (command line: C:\Windows\system32\Fbdjbaea.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 73, PID 2276: C:\Windows\SysWOW64\Fcefji32.exe (command line: C:\Windows\system32\Fcefji32.exe)
  - Drops file in System32 directory
- Depth 74, PID 2084: C:\Windows\SysWOW64\Fjongcbl.exe (command line: C:\Windows\system32\Fjongcbl.exe)
- Depth 75, PID 1368: C:\Windows\SysWOW64\Fmmkcoap.exe (command line: C:\Windows\system32\Fmmkcoap.exe)
- Depth 76, PID 1996: C:\Windows\SysWOW64\Gdgcpi32.exe (command line: C:\Windows\system32\Gdgcpi32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- Depth 77, PID 2900: C:\Windows\SysWOW64\Gnmgmbhb.exe (command line: C:\Windows\system32\Gnmgmbhb.exe)
- Depth 78, PID 2804: C:\Windows\SysWOW64\Gakcimgf.exe (command line: C:\Windows\system32\Gakcimgf.exe)
  - Modifies registry class
- Depth 79, PID 400: C:\Windows\SysWOW64\Ghelfg32.exe (command line: C:\Windows\system32\Ghelfg32.exe)
  - Drops file in System32 directory
  - Modifies registry class
- Depth 80, PID 1516: C:\Windows\SysWOW64\Gifhnpea.exe (command line: C:\Windows\system32\Gifhnpea.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- Depth 81, PID 2884: C:\Windows\SysWOW64\Ganpomec.exe (command line: C:\Windows\system32\Ganpomec.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- Depth 82, PID 2820: C:\Windows\SysWOW64\Gfjhgdck.exe (command line: C:\Windows\system32\Gfjhgdck.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
- Depth 83, PID 2880: C:\Windows\SysWOW64\Giieco32.exe (command line: C:\Windows\system32\Giieco32.exe)
- Depth 84, PID 3036: C:\Windows\SysWOW64\Gpcmpijk.exe (command line: C:\Windows\system32\Gpcmpijk.exe)
  - Modifies registry class
- Depth 85, PID 2220: C:\Windows\SysWOW64\Gbaileio.exe (command line: C:\Windows\system32\Gbaileio.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 86, PID 1588: C:\Windows\SysWOW64\Gmgninie.exe (command line: C:\Windows\system32\Gmgninie.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 87, PID 2184: C:\Windows\SysWOW64\Gpejeihi.exe (command line: C:\Windows\system32\Gpejeihi.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 88, PID 2636: C:\Windows\SysWOW64\Gfobbc32.exe (command line: C:\Windows\system32\Gfobbc32.exe)
- Depth 89, PID 2604: C:\Windows\SysWOW64\Hpgfki32.exe (command line: C:\Windows\system32\Hpgfki32.exe)
  - Modifies registry class
- Depth 90, PID 2500: C:\Windows\SysWOW64\Hojgfemq.exe (command line: C:\Windows\system32\Hojgfemq.exe)
  - Drops file in System32 directory
- Depth 91, PID 2460: C:\Windows\SysWOW64\Haiccald.exe (command line: C:\Windows\system32\Haiccald.exe)
- Depth 92, PID 2924: C:\Windows\SysWOW64\Hlngpjlj.exe (command line: C:\Windows\system32\Hlngpjlj.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 93, PID 1816: C:\Windows\SysWOW64\Homclekn.exe (command line: C:\Windows\system32\Homclekn.exe)
- Depth 94, PID 592: C:\Windows\SysWOW64\Hdildlie.exe (command line: C:\Windows\system32\Hdildlie.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 95, PID 1512: C:\Windows\SysWOW64\Hanlnp32.exe (command line: C:\Windows\system32\Hanlnp32.exe)
  - Drops file in System32 directory
- Depth 96, PID 2076: C:\Windows\SysWOW64\Heihnoph.exe (command line: C:\Windows\system32\Heihnoph.exe)
- Depth 97, PID 2736: C:\Windows\SysWOW64\Hhgdkjol.exe (command line: C:\Windows\system32\Hhgdkjol.exe)
  - Drops file in System32 directory
  - Modifies registry class
- Depth 98, PID 1644: C:\Windows\SysWOW64\Hoamgd32.exe (command line: C:\Windows\system32\Hoamgd32.exe)
  - Drops file in System32 directory
  - Modifies registry class
- Depth 99, PID 1568: C:\Windows\SysWOW64\Hpbiommg.exe (command line: C:\Windows\system32\Hpbiommg.exe)
- Depth 100, PID 1548: C:\Windows\SysWOW64\Hgmalg32.exe (command line: C:\Windows\system32\Hgmalg32.exe)
  - Drops file in System32 directory
- Depth 101, PID 1788: C:\Windows\SysWOW64\Hmfjha32.exe (command line: C:\Windows\system32\Hmfjha32.exe)
- Depth 102, PID 2376: C:\Windows\SysWOW64\Hdqbekcm.exe (command line: C:\Windows\system32\Hdqbekcm.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- Depth 103, PID 1940: C:\Windows\SysWOW64\Ikkjbe32.exe (command line: C:\Windows\system32\Ikkjbe32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- Depth 104, PID 1508: C:\Windows\SysWOW64\Illgimph.exe (command line: C:\Windows\system32\Illgimph.exe)
- Depth 105, PID 392: C:\Windows\SysWOW64\Icfofg32.exe (command line: C:\Windows\system32\Icfofg32.exe)
  - Modifies registry class
- Depth 106, PID 2264: C:\Windows\SysWOW64\Iedkbc32.exe (command line: C:\Windows\system32\Iedkbc32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 107, PID 2904: C:\Windows\SysWOW64\Ilncom32.exe (command line: C:\Windows\system32\Ilncom32.exe)
  - Drops file in System32 directory
- Depth 108, PID 1348: C:\Windows\SysWOW64\Iompkh32.exe (command line: C:\Windows\system32\Iompkh32.exe)
- Depth 109, PID 2976: C:\Windows\SysWOW64\Igchlf32.exe (command line: C:\Windows\system32\Igchlf32.exe)
- Depth 110, PID 1172: C:\Windows\SysWOW64\Ijbdha32.exe (command line: C:\Windows\system32\Ijbdha32.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
- Depth 111, PID 2496: C:\Windows\SysWOW64\Ilqpdm32.exe (command line: C:\Windows\system32\Ilqpdm32.exe)
- Depth 112, PID 2444: C:\Windows\SysWOW64\Ioolqh32.exe (command line: C:\Windows\system32\Ioolqh32.exe)
- Depth 113, PID 2760: C:\Windows\SysWOW64\Ieidmbcc.exe (command line: C:\Windows\system32\Ieidmbcc.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 114, PID 528: C:\Windows\SysWOW64\Ilcmjl32.exe (command line: C:\Windows\system32\Ilcmjl32.exe)
- Depth 115, PID 268: C:\Windows\SysWOW64\Ioaifhid.exe (command line: C:\Windows\system32\Ioaifhid.exe)
- Depth 116, PID 112: C:\Windows\SysWOW64\Idnaoohk.exe (command line: C:\Windows\system32\Idnaoohk.exe)
- Depth 117, PID 2316: C:\Windows\SysWOW64\Ileiplhn.exe (command line: C:\Windows\system32\Ileiplhn.exe)
- Depth 118, PID 2112: C:\Windows\SysWOW64\Jocflgga.exe (command line: C:\Windows\system32\Jocflgga.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
- Depth 119, PID 1852: C:\Windows\SysWOW64\Jfnnha32.exe (command line: C:\Windows\system32\Jfnnha32.exe)
- Depth 120, PID 2784: C:\Windows\SysWOW64\Jgojpjem.exe (command line: C:\Windows\system32\Jgojpjem.exe)
- Depth 121, PID 1012: C:\Windows\SysWOW64\Jofbag32.exe (command line: C:\Windows\system32\Jofbag32.exe)
  - Drops file in System32 directory
- Depth 122, PID 2896: C:\Windows\SysWOW64\Jqgoiokm.exe (command line: C:\Windows\system32\Jqgoiokm.exe)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class