Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-04-2024 00:39
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe
-
Size
358KB
-
MD5
5289928bf3f2b6cae76b42f274465371
-
SHA1
018e1a08264e382ccda3fc887463f574b414a778
-
SHA256
94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0
-
SHA512
c7894540b75677ab8700774874a429166474445f76bfd9807761adfa85bc92aa2f79272d32c2d42cf75fb02f73ee4abc76c2f2b8fa8f9f1cff659bd139fa7dd1
-
SSDEEP
6144:jMG/gel7qUlddDKca6aQ///NR5fLYG3eujPQ///NR5f:jRTdBKca+/NcZ7/N
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfokbnip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fikejl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdniqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niikceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bingpmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcbellac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgmglh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpecfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacpdbej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbimi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmmkcoap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mholen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgfckcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjongcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehjeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajhofao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogfpbeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjpkihg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kebgia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nialog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbkeib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilqpdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkdeggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihgainbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldidkbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkommo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahlgfdeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebbgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fioija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpfkdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chbjffad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgdempa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhkpmjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmceigep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihjnom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iheddndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leajdfnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmdoioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccahbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkdmcdoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmcfkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijbfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apcfahio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcegmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icmegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjenhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfadgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejhlgaeh.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
resource yara_rule behavioral1/files/0x000b00000001313f-5.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0034000000015cb6-21.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0007000000015d42-33.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0009000000015d56-47.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016616-60.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016adc-79.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016c5e-86.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016cb0-106.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d07-112.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d20-125.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d3a-138.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d43-151.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d74-164.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0034000000015ccd-184.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016da5-190.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016db9-208.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000600000001704a-223.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2248-254-0x0000000000400000-0x000000000045B000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x0031000000018649-256.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000017437-247.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000186f6-266.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00060000000171df-234.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001875a-277.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001876e-287.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000018785-297.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018bb0-308.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018bd6-319.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019357-332.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019397-345.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001941e-355.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001944b-364.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019489-373.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000194ba-384.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019568-394.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195de-405.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001960a-414.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019610-426.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019616-435.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019619-443.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001961b-451.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001961e-459.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019622-467.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019627-475.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001969e-483.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001979d-491.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001984b-499.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000199d0-507.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019c48-515.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019ca8-523.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019db1-531.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019ef8-539.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a02e-547.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a097-555.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a34e-563.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a448-571.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a44e-579.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a456-587.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a4a4-595.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a4b3-603.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a4bf-611.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a4c7-619.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a4cb-627.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a4cf-635.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a4d3-643.dat INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 64 IoCs
pid Process 2028 Ogfpbeim.exe 2272 Odjpkihg.exe 2652 Onbddoog.exe 2556 Ogjimd32.exe 2468 Omgaek32.exe 2452 Ocajbekl.exe 2960 Ongnonkb.exe 2752 Paggai32.exe 2700 Pmnhfjmg.exe 2864 Pbkpna32.exe 1996 Pmqdkj32.exe 2416 Pelipl32.exe 816 Plfamfpm.exe 2988 Pijbfj32.exe 1932 Qjknnbed.exe 1480 Qjmkcbcb.exe 1792 Amndem32.exe 2104 Ajbdna32.exe 2248 Adjigg32.exe 884 Afiecb32.exe 2912 Ajdadamj.exe 1624 Abpfhcje.exe 2920 Aiinen32.exe 2072 Apcfahio.exe 896 Ailkjmpo.exe 2068 Bagpopmj.exe 3048 Bokphdld.exe 1208 Beehencq.exe 2672 Bommnc32.exe 2572 Bhfagipa.exe 2552 Bkdmcdoe.exe 2956 Banepo32.exe 2504 Bdlblj32.exe 2336 Bgknheej.exe 2792 Bnefdp32.exe 2820 Bpcbqk32.exe 1944 Bcaomf32.exe 1592 Cgmkmecg.exe 1644 Cljcelan.exe 2508 Ccdlbf32.exe 1160 Cfbhnaho.exe 1388 Cnippoha.exe 2656 Coklgg32.exe 584 Cgbdhd32.exe 1108 Chcqpmep.exe 2848 Clomqk32.exe 848 Cbkeib32.exe 2412 Cfgaiaci.exe 1620 Ckdjbh32.exe 1788 Cckace32.exe 1068 Cdlnkmha.exe 2140 Chhjkl32.exe 2944 Cndbcc32.exe 1716 Dbpodagk.exe 2524 Dgmglh32.exe 3068 Dkhcmgnl.exe 2992 Dqelenlc.exe 2532 Dhmcfkme.exe 2596 Dkkpbgli.exe 2588 Dnilobkm.exe 2768 Ddcdkl32.exe 2832 Dcfdgiid.exe 2484 Dnlidb32.exe 2692 Dqjepm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2740 94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe 2740 94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe 2028 Ogfpbeim.exe 2028 Ogfpbeim.exe 2272 Odjpkihg.exe 2272 Odjpkihg.exe 2652 Onbddoog.exe 2652 Onbddoog.exe 2556 Ogjimd32.exe 2556 Ogjimd32.exe 2468 Omgaek32.exe 2468 Omgaek32.exe 2452 Ocajbekl.exe 2452 Ocajbekl.exe 2960 Ongnonkb.exe 2960 Ongnonkb.exe 2752 Paggai32.exe 2752 Paggai32.exe 2700 Pmnhfjmg.exe 2700 Pmnhfjmg.exe 2864 Pbkpna32.exe 2864 Pbkpna32.exe 1996 Pmqdkj32.exe 1996 Pmqdkj32.exe 2416 Pelipl32.exe 2416 Pelipl32.exe 816 Plfamfpm.exe 816 Plfamfpm.exe 2988 Pijbfj32.exe 2988 Pijbfj32.exe 1932 Qjknnbed.exe 1932 Qjknnbed.exe 1480 Qjmkcbcb.exe 1480 Qjmkcbcb.exe 1792 Amndem32.exe 1792 Amndem32.exe 2104 Ajbdna32.exe 2104 Ajbdna32.exe 2248 Adjigg32.exe 2248 Adjigg32.exe 884 Afiecb32.exe 884 Afiecb32.exe 2912 Ajdadamj.exe 2912 Ajdadamj.exe 1624 Abpfhcje.exe 1624 Abpfhcje.exe 2920 Aiinen32.exe 2920 Aiinen32.exe 2072 Apcfahio.exe 2072 Apcfahio.exe 896 Ailkjmpo.exe 896 Ailkjmpo.exe 1100 Bingpmnl.exe 1100 Bingpmnl.exe 3048 Bokphdld.exe 3048 Bokphdld.exe 1208 Beehencq.exe 1208 Beehencq.exe 2672 Bommnc32.exe 2672 Bommnc32.exe 2572 Bhfagipa.exe 2572 Bhfagipa.exe 2552 Bkdmcdoe.exe 2552 Bkdmcdoe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fmmkcoap.exe Fjongcbl.exe File created C:\Windows\SysWOW64\Kebgia32.exe Kfpgmdog.exe File opened for modification C:\Windows\SysWOW64\Lihmjejl.exe Lfjqnjkh.exe File created C:\Windows\SysWOW64\Kndcpj32.dll Piphee32.exe File created C:\Windows\SysWOW64\Gjfdhbld.exe Gfjhgdck.exe File created C:\Windows\SysWOW64\Bagpopmj.exe Ailkjmpo.exe File created C:\Windows\SysWOW64\Icbimi32.exe Hhmepp32.exe File created C:\Windows\SysWOW64\Nfcijc32.dll Kaklpcoc.exe File opened for modification C:\Windows\SysWOW64\Pefijfii.exe Pnlqnl32.exe File opened for modification C:\Windows\SysWOW64\Chbjffad.exe Cahail32.exe File created C:\Windows\SysWOW64\Ckgkkllh.dll Dhbfdjdp.exe File created C:\Windows\SysWOW64\Cnjgia32.dll Nigome32.exe File created C:\Windows\SysWOW64\Ekholjqg.exe Emeopn32.exe File created C:\Windows\SysWOW64\Hcnhqe32.dll Ffklhqao.exe File created C:\Windows\SysWOW64\Dddaaf32.dll Idcokkak.exe File created C:\Windows\SysWOW64\Hellne32.exe Hobcak32.exe File created C:\Windows\SysWOW64\Bleago32.dll Ikbgmj32.exe File created C:\Windows\SysWOW64\Cmicaonb.dll Pjenhm32.exe File opened for modification C:\Windows\SysWOW64\Gphmeo32.exe Gmjaic32.exe File created C:\Windows\SysWOW64\Lpbefoai.exe Lmcijcbe.exe File created C:\Windows\SysWOW64\Dialipcb.dll Paggai32.exe File created C:\Windows\SysWOW64\Cogbjdmj.dll Ileiplhn.exe File created C:\Windows\SysWOW64\Lnbbbffj.exe Lclnemgd.exe File created C:\Windows\SysWOW64\Magqncba.exe Moidahcn.exe File created C:\Windows\SysWOW64\Gffoia32.dll Jicgpb32.exe File created C:\Windows\SysWOW64\Lclnemgd.exe Leimip32.exe File created C:\Windows\SysWOW64\Ffklhqao.exe Fncdgcqm.exe File created C:\Windows\SysWOW64\Kijmee32.dll Nkgbbo32.exe File created C:\Windows\SysWOW64\Aamfnkai.exe Abjebn32.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Bhkdeggl.exe File created C:\Windows\SysWOW64\Nmmhnm32.dll Hmbpmapf.exe File created C:\Windows\SysWOW64\Gqncakcq.dll Lliflp32.exe File created C:\Windows\SysWOW64\Egdnbg32.dll Ebpkce32.exe File opened for modification C:\Windows\SysWOW64\Jiondcpk.exe Jcbellac.exe File created C:\Windows\SysWOW64\Aelcmdee.dll Qfahhm32.exe File created C:\Windows\SysWOW64\Eibbcm32.exe Egafleqm.exe File opened for modification C:\Windows\SysWOW64\Magqncba.exe Moidahcn.exe File opened for modification C:\Windows\SysWOW64\Pijbfj32.exe Plfamfpm.exe File opened for modification C:\Windows\SysWOW64\Jofiln32.exe Jqdipqbp.exe File opened for modification C:\Windows\SysWOW64\Joifam32.exe Jiondcpk.exe File created C:\Windows\SysWOW64\Hakphqja.exe Homclekn.exe File created C:\Windows\SysWOW64\Ckchjmoo.dll Lpbefoai.exe File created C:\Windows\SysWOW64\Hbfcml32.dll Leajdfnm.exe File created C:\Windows\SysWOW64\Ilqpdm32.exe Iheddndj.exe File created C:\Windows\SysWOW64\Pknmbn32.dll Ajdadamj.exe File created C:\Windows\SysWOW64\Ogeigofa.exe Oonafa32.exe File created C:\Windows\SysWOW64\Fcjcfe32.exe Fpngfgle.exe File created C:\Windows\SysWOW64\Naimccpo.exe Nmnace32.exe File created C:\Windows\SysWOW64\Jkdpanhg.exe Jgidao32.exe File created C:\Windows\SysWOW64\Gkdjlion.dll Gohjaf32.exe File created C:\Windows\SysWOW64\Fmcoja32.exe Fhffaj32.exe File opened for modification C:\Windows\SysWOW64\Ileiplhn.exe Ihjnom32.exe File opened for modification C:\Windows\SysWOW64\Pggbla32.exe Peiepfgg.exe File opened for modification C:\Windows\SysWOW64\Knpemf32.exe Kjdilgpc.exe File created C:\Windows\SysWOW64\Mcegmm32.exe Mmhodf32.exe File created C:\Windows\SysWOW64\Igdogl32.exe Idfbkq32.exe File created C:\Windows\SysWOW64\Knlafm32.dll Omdneebf.exe File created C:\Windows\SysWOW64\Chhpdp32.dll Gkgkbipp.exe File created C:\Windows\SysWOW64\Nhdkokpa.dll Gmgninie.exe File opened for modification C:\Windows\SysWOW64\Jmmfkafa.exe Jjojofgn.exe File opened for modification C:\Windows\SysWOW64\Fjilieka.exe Ffnphf32.exe File opened for modification C:\Windows\SysWOW64\Jnffgd32.exe Jocflgga.exe File opened for modification C:\Windows\SysWOW64\Cgmkmecg.exe Bcaomf32.exe File opened for modification C:\Windows\SysWOW64\Bfcampgf.exe Bdeeqehb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5800 5960 WerFault.exe 566 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbfqn32.dll" Ilcmjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oddpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkndaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kafbec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdmmdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll" Nodgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdkpbk32.dll" Mamddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll" Bidjnkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll" Eqgnokip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbaileio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkijmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmhdd32.dll" Peiepfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll" Cckace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppbfpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piphee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlcbpdk.dll" Qfokbnip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iheddndj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feeiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igkdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiebec32.dll" Odobjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbpodagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" Hodpgjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll" Cdikkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbfabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdkghm32.dll" Ifkacb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcdkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enihne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkgfioo.dll" Nkeelohh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omdneebf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbfpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgejac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhacojl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfgmhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnfbe32.dll" Kcbakpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kebgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Bommnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmbnkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hakphqja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdaoog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egllae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Effcma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onbddoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elbepj32.dll" Dnlidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpmapm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll" Gphmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clomqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jofiln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhehek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fckjalhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lojomkdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nigome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnbkddem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiilgb32.dll" Pnajilng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll" Fpdhklkl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2740 wrote to memory of 2028 2740 94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe 28 PID 2740 wrote to memory of 2028 2740 94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe 28 PID 2740 wrote to memory of 2028 2740 94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe 28 PID 2740 wrote to memory of 2028 2740 94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe 28 PID 2028 wrote to memory of 2272 2028 Ogfpbeim.exe 29 PID 2028 wrote to memory of 2272 2028 Ogfpbeim.exe 29 PID 2028 wrote to memory of 2272 2028 Ogfpbeim.exe 29 PID 2028 wrote to memory of 2272 2028 Ogfpbeim.exe 29 PID 2272 wrote to memory of 2652 2272 Odjpkihg.exe 30 PID 2272 wrote to memory of 2652 2272 Odjpkihg.exe 30 PID 2272 wrote to memory of 2652 2272 Odjpkihg.exe 30 PID 2272 wrote to memory of 2652 2272 Odjpkihg.exe 30 PID 2652 wrote to memory of 2556 2652 Onbddoog.exe 31 PID 2652 wrote to memory of 2556 2652 Onbddoog.exe 31 PID 2652 wrote to memory of 2556 2652 Onbddoog.exe 31 PID 2652 wrote to memory of 2556 2652 Onbddoog.exe 31 PID 2556 wrote to memory of 2468 2556 Ogjimd32.exe 32 PID 2556 wrote to memory of 2468 2556 Ogjimd32.exe 32 PID 2556 wrote to memory of 2468 2556 Ogjimd32.exe 32 PID 2556 wrote to memory of 2468 2556 Ogjimd32.exe 32 PID 2468 wrote to memory of 2452 2468 Omgaek32.exe 33 PID 2468 wrote to memory of 2452 2468 Omgaek32.exe 33 PID 2468 wrote to memory of 2452 2468 Omgaek32.exe 33 PID 2468 wrote to memory of 2452 2468 Omgaek32.exe 33 PID 2452 wrote to memory of 2960 2452 Ocajbekl.exe 34 PID 2452 wrote to memory of 2960 2452 Ocajbekl.exe 34 PID 2452 wrote to memory of 2960 2452 Ocajbekl.exe 34 PID 2452 wrote to memory of 2960 2452 Ocajbekl.exe 34 PID 2960 wrote to memory of 2752 2960 Ongnonkb.exe 35 PID 2960 wrote to memory of 2752 2960 Ongnonkb.exe 35 PID 2960 wrote to memory of 2752 2960 Ongnonkb.exe 35 PID 2960 wrote to memory of 2752 2960 Ongnonkb.exe 35 PID 2752 wrote to memory of 2700 2752 Paggai32.exe 36 PID 2752 wrote to memory of 2700 2752 Paggai32.exe 36 PID 2752 wrote to memory of 2700 2752 Paggai32.exe 36 PID 2752 wrote to memory of 2700 2752 Paggai32.exe 36 PID 2700 wrote to memory of 2864 2700 Pmnhfjmg.exe 37 PID 2700 wrote to memory of 2864 2700 Pmnhfjmg.exe 37 PID 2700 wrote to memory of 2864 2700 Pmnhfjmg.exe 37 PID 2700 wrote to memory of 2864 2700 Pmnhfjmg.exe 37 PID 2864 wrote to memory of 1996 2864 Pbkpna32.exe 38 PID 2864 wrote to memory of 1996 2864 Pbkpna32.exe 38 PID 2864 wrote to memory of 1996 2864 Pbkpna32.exe 38 PID 2864 wrote to memory of 1996 2864 Pbkpna32.exe 38 PID 1996 wrote to memory of 2416 1996 Pmqdkj32.exe 39 PID 1996 wrote to memory of 2416 1996 Pmqdkj32.exe 39 PID 1996 wrote to memory of 2416 1996 Pmqdkj32.exe 39 PID 1996 wrote to memory of 2416 1996 Pmqdkj32.exe 39 PID 2416 wrote to memory of 816 2416 Pelipl32.exe 40 PID 2416 wrote to memory of 816 2416 Pelipl32.exe 40 PID 2416 wrote to memory of 816 2416 Pelipl32.exe 40 PID 2416 wrote to memory of 816 2416 Pelipl32.exe 40 PID 816 wrote to memory of 2988 816 Plfamfpm.exe 41 PID 816 wrote to memory of 2988 816 Plfamfpm.exe 41 PID 816 wrote to memory of 2988 816 Plfamfpm.exe 41 PID 816 wrote to memory of 2988 816 Plfamfpm.exe 41 PID 2988 wrote to memory of 1932 2988 Pijbfj32.exe 42 PID 2988 wrote to memory of 1932 2988 Pijbfj32.exe 42 PID 2988 wrote to memory of 1932 2988 Pijbfj32.exe 42 PID 2988 wrote to memory of 1932 2988 Pijbfj32.exe 42 PID 1932 wrote to memory of 1480 1932 Qjknnbed.exe 43 PID 1932 wrote to memory of 1480 1932 Qjknnbed.exe 43 PID 1932 wrote to memory of 1480 1932 Qjknnbed.exe 43 PID 1932 wrote to memory of 1480 1932 Qjknnbed.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe"C:\Users\Admin\AppData\Local\Temp\94aa6fe63f076839ec1977459de29fd85d9dca53822579ee1c606c7db18e7bd0.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ogjimd32.exeC:\Windows\system32\Ogjimd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Omgaek32.exeC:\Windows\system32\Omgaek32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Paggai32.exeC:\Windows\system32\Paggai32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Pbkpna32.exeC:\Windows\system32\Pbkpna32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Pmqdkj32.exeC:\Windows\system32\Pmqdkj32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Pijbfj32.exeC:\Windows\system32\Pijbfj32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Qjknnbed.exeC:\Windows\system32\Qjknnbed.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Qjmkcbcb.exeC:\Windows\system32\Qjmkcbcb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Ajbdna32.exeC:\Windows\system32\Ajbdna32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Ajdadamj.exeC:\Windows\system32\Ajdadamj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Aiinen32.exeC:\Windows\system32\Aiinen32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Bagpopmj.exeC:\Windows\system32\Bagpopmj.exe27⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Bingpmnl.exeC:\Windows\system32\Bingpmnl.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Bkdmcdoe.exeC:\Windows\system32\Bkdmcdoe.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe34⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe35⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Bgknheej.exeC:\Windows\system32\Bgknheej.exe36⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe37⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe38⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe40⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe41⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe43⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe44⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe45⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Cgbdhd32.exeC:\Windows\system32\Cgbdhd32.exe46⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe47⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Clomqk32.exeC:\Windows\system32\Clomqk32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe50⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe51⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Cckace32.exeC:\Windows\system32\Cckace32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe53⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe54⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe55⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Dbpodagk.exeC:\Windows\system32\Dbpodagk.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe58⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe59⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe61⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe62⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Dcfdgiid.exeC:\Windows\system32\Dcfdgiid.exe64⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Dqjepm32.exeC:\Windows\system32\Dqjepm32.exe66⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Dgdmmgpj.exeC:\Windows\system32\Dgdmmgpj.exe67⤵PID:2788
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe68⤵
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe69⤵PID:556
-
C:\Windows\SysWOW64\Doobajme.exeC:\Windows\system32\Doobajme.exe70⤵PID:1708
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe71⤵PID:1948
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe72⤵
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Ecmkghcl.exeC:\Windows\system32\Ecmkghcl.exe73⤵PID:2896
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe74⤵
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Emeopn32.exeC:\Windows\system32\Emeopn32.exe75⤵
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe76⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Ebbgid32.exeC:\Windows\system32\Ebbgid32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe78⤵PID:2016
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe79⤵PID:1824
-
C:\Windows\SysWOW64\Enihne32.exeC:\Windows\system32\Enihne32.exe80⤵
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe81⤵PID:1028
-
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe82⤵PID:1980
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe83⤵PID:1000
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe84⤵PID:1508
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe85⤵PID:1396
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe86⤵PID:2392
-
C:\Windows\SysWOW64\Ebinic32.exeC:\Windows\system32\Ebinic32.exe87⤵PID:2720
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Fckjalhj.exeC:\Windows\system32\Fckjalhj.exe89⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe90⤵
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe91⤵PID:2608
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe92⤵PID:2540
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe93⤵PID:2764
-
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe94⤵
- Modifies registry class
PID:312 -
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe95⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Fhkpmjln.exeC:\Windows\system32\Fhkpmjln.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe97⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Fjilieka.exeC:\Windows\system32\Fjilieka.exe98⤵PID:336
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe99⤵PID:840
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe100⤵PID:2004
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe101⤵PID:660
-
C:\Windows\SysWOW64\Fjlhneio.exeC:\Windows\system32\Fjlhneio.exe102⤵PID:1680
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe105⤵PID:776
-
C:\Windows\SysWOW64\Globlmmj.exeC:\Windows\system32\Globlmmj.exe106⤵PID:1988
-
C:\Windows\SysWOW64\Gonnhhln.exeC:\Windows\system32\Gonnhhln.exe107⤵PID:2648
-
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe108⤵PID:2564
-
C:\Windows\SysWOW64\Gicbeald.exeC:\Windows\system32\Gicbeald.exe109⤵PID:2492
-
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe110⤵PID:2440
-
C:\Windows\SysWOW64\Gopkmhjk.exeC:\Windows\system32\Gopkmhjk.exe111⤵PID:2472
-
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe112⤵PID:1836
-
C:\Windows\SysWOW64\Gkgkbipp.exeC:\Windows\system32\Gkgkbipp.exe113⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe114⤵PID:2096
-
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe115⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe116⤵PID:324
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe117⤵PID:452
-
C:\Windows\SysWOW64\Gacpdbej.exeC:\Windows\system32\Gacpdbej.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1360 -
C:\Windows\SysWOW64\Ghmiam32.exeC:\Windows\system32\Ghmiam32.exe119⤵PID:928
-
C:\Windows\SysWOW64\Ggpimica.exeC:\Windows\system32\Ggpimica.exe120⤵PID:748
-
C:\Windows\SysWOW64\Gmjaic32.exeC:\Windows\system32\Gmjaic32.exe121⤵
- Drops file in System32 directory
PID:1648
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-