Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 08/05/2024, 04:40
Static task: static1
Behavioral task: behavioral1
  Sample: f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe
  Resource: win10v2004-20240419-en
General
Target: f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe
Size: 163KB
MD5: eacbb8fbbde17e2f7c3f503b04ac1bcf
SHA1: cb32f4c7d0a318d8779b84f402f6824707822fb3
SHA256: f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78
SHA512: 6bff464d1992dedec869f4c08f7a08c2a12e10aee2df18dba7a2aad631c9112a2bb9d3d32381c9e8e2821ca60e2486fde87f2a4d30f4a07c33438d342722142b
SSDEEP: 3072:SMUY4YtYZ0G28mitfghT4W+ltOrWKDBr+yJb:fNRyeGBmitfghT2LOf
Malware Config
Extracted: gozi
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nacgdhlp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alpmfdcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jakfkfpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngkmnacm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndbcpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omdneebf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blpjegfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bekkcljk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cghggc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iheddndj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hedmkgmi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnmjok32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qhooggdn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lliflp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Papfegmk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fckjalhj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gkgkbipp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cahail32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eccmffjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiknhbcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ppjglfon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hogmmjfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qfahhm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkkpbgli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ffpmnf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dojald32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imeggc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eiomkn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hpocfncj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjjgclai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abhimnma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Foeodj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccfhhffh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmcoja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmfbogcn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amkpegnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejobhppq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Habfipdj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohendqhd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jjfgjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nofabc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lijjoe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oklkmnbp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpnojioo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbamma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Namqci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qiladcdh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Idcokkak.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nplkfgoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgmkmecg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggpimica.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hogmmjfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilknfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egdilkbf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pgplkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iimjmbae.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgagfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdakgibq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jokcgmee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obojhlbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amhpnkch.exe
Detects executables built or packed with MPress PE compressor (64 IoCs)
resource | yara_rule
behavioral1/files/0x000e000000012345-5.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000013129-25.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000800000001315b-33.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a0000000133a3-47.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001418f-60.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001430c-73.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000014323-86.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000014435-99.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000144d8-112.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000014502-126.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000014662-139.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000014702-152.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000149e1-166.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000014b36-186.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000014dae-194.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001502c-209.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000153d9-226.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0030000000012727-236.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015645-247.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015ba8-258.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015c5a-270.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015c85-279.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015c9c-290.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cbd-301.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cd9-313.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cf5-314.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d24-331.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015d4c-342.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015e6d-353.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015fa7-363.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000161b3-374.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016476-383.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000165f0-394.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016a6f-405.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c3a-416.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016c8c-426.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016ce4-439.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016cfd-448.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d0e-458.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d1f-469.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d36-482.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d9f-490.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016db3-501.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016fe8-512.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000173e5-521.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000175ac-530.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000175b8-539.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000018640-547.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000186c1-555.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018700-563.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001874c-571.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000191eb-582.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019223-591.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019233-602.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019248-611.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019331-620.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001935b-630.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000193e2-640.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019413-654.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019426-667.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019437-681.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001948d-692.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194c4-706.dat | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019520-715.dat | INDICATOR_EXE_Packed_MPress
UPX dump on OEP (original entry point) (64 IoCs)
resource | yara_rule
behavioral1/files/0x000e000000012345-5.dat | UPX
behavioral1/files/0x0008000000013129-25.dat | UPX
behavioral1/files/0x000800000001315b-33.dat | UPX
behavioral1/files/0x000a0000000133a3-47.dat | UPX
behavioral1/files/0x000600000001418f-60.dat | UPX
behavioral1/files/0x000600000001430c-73.dat | UPX
behavioral1/files/0x0006000000014323-86.dat | UPX
behavioral1/files/0x0006000000014435-99.dat | UPX
behavioral1/files/0x00060000000144d8-112.dat | UPX
behavioral1/files/0x0006000000014502-126.dat | UPX
behavioral1/files/0x0006000000014662-139.dat | UPX
behavioral1/files/0x0006000000014702-152.dat | UPX
behavioral1/files/0x00060000000149e1-166.dat | UPX
behavioral1/files/0x0006000000014b36-186.dat | UPX
behavioral1/files/0x0006000000014dae-194.dat | UPX
behavioral1/files/0x000600000001502c-209.dat | UPX
behavioral1/files/0x00060000000153d9-226.dat | UPX
behavioral1/files/0x0030000000012727-236.dat | UPX
behavioral1/files/0x0006000000015645-247.dat | UPX
behavioral1/files/0x0006000000015ba8-258.dat | UPX
behavioral1/files/0x0006000000015c5a-270.dat | UPX
behavioral1/files/0x0006000000015c85-279.dat | UPX
behavioral1/files/0x0006000000015c9c-290.dat | UPX
behavioral1/files/0x0006000000015cbd-301.dat | UPX
behavioral1/files/0x0006000000015cd9-313.dat | UPX
behavioral1/files/0x0006000000015cf5-314.dat | UPX
behavioral1/files/0x0006000000015d24-331.dat | UPX
behavioral1/files/0x0006000000015d4c-342.dat | UPX
behavioral1/files/0x0006000000015e6d-353.dat | UPX
behavioral1/files/0x0006000000015fa7-363.dat | UPX
behavioral1/files/0x00060000000161b3-374.dat | UPX
behavioral1/files/0x0006000000016476-383.dat | UPX
behavioral1/files/0x00060000000165f0-394.dat | UPX
behavioral1/files/0x0006000000016a6f-405.dat | UPX
behavioral1/files/0x0006000000016c3a-416.dat | UPX
behavioral1/files/0x0006000000016c8c-426.dat | UPX
behavioral1/files/0x0006000000016ce4-439.dat | UPX
behavioral1/files/0x0006000000016cfd-448.dat | UPX
behavioral1/files/0x0006000000016d0e-458.dat | UPX
behavioral1/files/0x0006000000016d1f-469.dat | UPX
behavioral1/files/0x0006000000016d36-482.dat | UPX
behavioral1/files/0x0006000000016d9f-490.dat | UPX
behavioral1/files/0x0006000000016db3-501.dat | UPX
behavioral1/files/0x0006000000016fe8-512.dat | UPX
behavioral1/files/0x00060000000173e5-521.dat | UPX
behavioral1/files/0x00060000000175ac-530.dat | UPX
behavioral1/files/0x00060000000175b8-539.dat | UPX
behavioral1/files/0x0009000000018640-547.dat | UPX
behavioral1/files/0x00050000000186c1-555.dat | UPX
behavioral1/files/0x0005000000018700-563.dat | UPX
behavioral1/files/0x000500000001874c-571.dat | UPX
behavioral1/files/0x00050000000191eb-582.dat | UPX
behavioral1/files/0x0005000000019223-591.dat | UPX
behavioral1/files/0x0005000000019233-602.dat | UPX
behavioral1/files/0x0005000000019248-611.dat | UPX
behavioral1/files/0x0005000000019331-620.dat | UPX
behavioral1/files/0x000500000001935b-630.dat | UPX
behavioral1/files/0x00050000000193e2-640.dat | UPX
behavioral1/files/0x0005000000019413-654.dat | UPX
behavioral1/files/0x0005000000019426-667.dat | UPX
behavioral1/files/0x0005000000019437-681.dat | UPX
behavioral1/files/0x000500000001948d-692.dat | UPX
behavioral1/files/0x00050000000194c4-706.dat | UPX
behavioral1/files/0x0005000000019520-715.dat | UPX
Executes dropped EXE (64 IoCs)
pid | Process
2848 | Efagii32.exe
2648 | Epilbohf.exe
2932 | Efcdoipc.exe
2880 | Eaihlapi.exe
2404 | Efeqdhnq.exe
2884 | Elbimplh.exe
1376 | Fblaii32.exe
2700 | Fififc32.exe
1652 | Fppbbnbo.exe
240 | Femjkdqf.exe
2164 | Foeodj32.exe
1332 | Fepgqdnc.exe
1280 | Fhncmp32.exe
1880 | Fohkijed.exe
2596 | Fhppbp32.exe
696 | Fmmhjf32.exe
1576 | Fedplc32.exe
2312 | Gakaqd32.exe
560 | Gheimogo.exe
936 | Giffeg32.exe
700 | Gcojnmdn.exe
1976 | Gpbkgq32.exe
1008 | Gdnghpkq.exe
2812 | Gglcdkjd.exe
2600 | Geocph32.exe
2928 | Gohhhmgo.exe
2568 | Gccdil32.exe
2680 | Ghplac32.exe
2656 | Gojdnm32.exe
2412 | Hedmkgmi.exe
2828 | Hjpike32.exe
2100 | Hchmdklc.exe
2472 | Hakmph32.exe
2716 | Hamjehqk.exe
1560 | Hhgbba32.exe
1628 | Haogkgoh.exe
2376 | Hqbgfd32.exe
1084 | Hbbcpg32.exe
1244 | Hkjhimcf.exe
2112 | Inhdehbj.exe
2152 | Idblbb32.exe
2768 | Inkakhpg.exe
604 | Iqimgc32.exe
1908 | Iffeoj32.exe
108 | Iidbke32.exe
3068 | Iqljlb32.exe
1644 | Ioojhpdb.exe
1192 | Ifhbdj32.exe
2996 | Ijdnehci.exe
2892 | Ikekmq32.exe
1536 | Ioagno32.exe
1548 | Ibocjk32.exe
2548 | Ifkojiim.exe
2552 | Imeggc32.exe
2636 | Ioccco32.exe
2484 | Ifmlpigj.exe
1564 | Jeplkf32.exe
2224 | Jgnhga32.exe
1788 | Jkjdhpea.exe
1600 | Jbdlejmn.exe
2316 | Jebiaelb.exe
1080 | Jgqemakf.exe
1936 | Jnkmjk32.exe
2088 | Jaiiff32.exe
Loads dropped DLL (64 IoCs)
pid | Process
1680 | f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe
1680 | f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe
2848 | Efagii32.exe
2848 | Efagii32.exe
2648 | Epilbohf.exe
2648 | Epilbohf.exe
2932 | Efcdoipc.exe
2932 | Efcdoipc.exe
2880 | Eaihlapi.exe
2880 | Eaihlapi.exe
2404 | Efeqdhnq.exe
2404 | Efeqdhnq.exe
2884 | Elbimplh.exe
2884 | Elbimplh.exe
1376 | Fblaii32.exe
1376 | Fblaii32.exe
2700 | Fififc32.exe
2700 | Fififc32.exe
1652 | Fppbbnbo.exe
1652 | Fppbbnbo.exe
240 | Femjkdqf.exe
240 | Femjkdqf.exe
2164 | Foeodj32.exe
2164 | Foeodj32.exe
1332 | Fepgqdnc.exe
1332 | Fepgqdnc.exe
1280 | Fhncmp32.exe
1280 | Fhncmp32.exe
1880 | Fohkijed.exe
1880 | Fohkijed.exe
2596 | Fhppbp32.exe
2596 | Fhppbp32.exe
696 | Fmmhjf32.exe
696 | Fmmhjf32.exe
1576 | Fedplc32.exe
1576 | Fedplc32.exe
2312 | Gakaqd32.exe
2312 | Gakaqd32.exe
560 | Gheimogo.exe
560 | Gheimogo.exe
936 | Giffeg32.exe
936 | Giffeg32.exe
700 | Gcojnmdn.exe
700 | Gcojnmdn.exe
1976 | Gpbkgq32.exe
1976 | Gpbkgq32.exe
1008 | Gdnghpkq.exe
1008 | Gdnghpkq.exe
2812 | Gglcdkjd.exe
2812 | Gglcdkjd.exe
2600 | Geocph32.exe
2600 | Geocph32.exe
2928 | Gohhhmgo.exe
2928 | Gohhhmgo.exe
2568 | Gccdil32.exe
2568 | Gccdil32.exe
2680 | Ghplac32.exe
2680 | Ghplac32.exe
2656 | Gojdnm32.exe
2656 | Gojdnm32.exe
2412 | Hedmkgmi.exe
2412 | Hedmkgmi.exe
2828 | Hjpike32.exe
2828 | Hjpike32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Iklgpmjo.dll | Ckignd32.exe
File opened for modification | C:\Windows\SysWOW64\Inqcif32.exe | Ikbgmj32.exe
File opened for modification | C:\Windows\SysWOW64\Cohigamf.exe | Clilkfnb.exe
File created | C:\Windows\SysWOW64\Ifkacb32.exe | Icmegf32.exe
File opened for modification | C:\Windows\SysWOW64\Kjcgco32.exe | Klqfhbbe.exe
File created | C:\Windows\SysWOW64\Ejkima32.exe | Egllae32.exe
File opened for modification | C:\Windows\SysWOW64\Nmnace32.exe | Nkpegi32.exe
File opened for modification | C:\Windows\SysWOW64\Ailkjmpo.exe | Afmonbqk.exe
File created | C:\Windows\SysWOW64\Flgeqgog.exe | Fiihdlpc.exe
File created | C:\Windows\SysWOW64\Pmihgeia.dll | Nnnojlpa.exe
File created | C:\Windows\SysWOW64\Jqilooij.exe | Jbgkcb32.exe
File opened for modification | C:\Windows\SysWOW64\Kbbngf32.exe | Kqqboncb.exe
File created | C:\Windows\SysWOW64\Nleiqhcg.exe | Njgldmdc.exe
File created | C:\Windows\SysWOW64\Dbehoa32.exe | Dnilobkm.exe
File opened for modification | C:\Windows\SysWOW64\Lliflp32.exe | Lijjoe32.exe
File created | C:\Windows\SysWOW64\Pikkiijf.exe | Pflomnkb.exe
File created | C:\Windows\SysWOW64\Ccngld32.exe | Cppkph32.exe
File opened for modification | C:\Windows\SysWOW64\Nilhhdga.exe | Ncbplk32.exe
File created | C:\Windows\SysWOW64\Mggpgmof.exe | Mhdplq32.exe
File opened for modification | C:\Windows\SysWOW64\Ccahbp32.exe | Ckjpacfp.exe
File created | C:\Windows\SysWOW64\Gddifnbk.exe | Gogangdc.exe
File opened for modification | C:\Windows\SysWOW64\Fmjejphb.exe | Fioija32.exe
File created | C:\Windows\SysWOW64\Hpmgqnfl.exe | Hnojdcfi.exe
File created | C:\Windows\SysWOW64\Dchali32.exe | Dqjepm32.exe
File created | C:\Windows\SysWOW64\Lpicol32.dll | Cngcjo32.exe
File created | C:\Windows\SysWOW64\Lnjmhe32.dll | Inqcif32.exe
File created | C:\Windows\SysWOW64\Oimpgolj.dll | Pnajilng.exe
File opened for modification | C:\Windows\SysWOW64\Ckignd32.exe | Cgmkmecg.exe
File opened for modification | C:\Windows\SysWOW64\Bagpopmj.exe | Bbdocc32.exe
File created | C:\Windows\SysWOW64\Ecpgmhai.exe | Ekholjqg.exe
File created | C:\Windows\SysWOW64\Imfqjbli.exe | Incpoe32.exe
File opened for modification | C:\Windows\SysWOW64\Jakfkfpc.exe | Jnmjok32.exe
File created | C:\Windows\SysWOW64\Klidkobf.dll | Dkmmhf32.exe
File opened for modification | C:\Windows\SysWOW64\Ojfaijcc.exe | Obojhlbq.exe
File opened for modification | C:\Windows\SysWOW64\Hjpike32.exe | Hedmkgmi.exe
File created | C:\Windows\SysWOW64\Mgfgdn32.exe | Lmnbkinf.exe
File created | C:\Windows\SysWOW64\Hoamnbaf.dll | Kahojc32.exe
File created | C:\Windows\SysWOW64\Lkoacn32.dll | Mlibjc32.exe
File created | C:\Windows\SysWOW64\Efagii32.exe | f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe
File created | C:\Windows\SysWOW64\Qhooggdn.exe | Qdccfh32.exe
File created | C:\Windows\SysWOW64\Pflomnkb.exe | Pgioaa32.exe
File created | C:\Windows\SysWOW64\Qhiphb32.dll | Qgmdjp32.exe
File opened for modification | C:\Windows\SysWOW64\Djpmccqq.exe | Dkmmhf32.exe
File created | C:\Windows\SysWOW64\Labhkh32.exe | Lkhpnnej.exe
File created | C:\Windows\SysWOW64\Pqkmjh32.exe | Pnlqnl32.exe
File created | C:\Windows\SysWOW64\Abjebn32.exe | Aplifb32.exe
File created | C:\Windows\SysWOW64\Lelpgepb.dll | Aekodi32.exe
File opened for modification | C:\Windows\SysWOW64\Bldcpf32.exe | Bifgdk32.exe
File created | C:\Windows\SysWOW64\Qkekligg.dll | Fhqbkhch.exe
File created | C:\Windows\SysWOW64\Iodahd32.dll | Iccbqh32.exe
File opened for modification | C:\Windows\SysWOW64\Kqqboncb.exe | Kiijnq32.exe
File created | C:\Windows\SysWOW64\Kffbcfgd.dll | Onphoo32.exe
File created | C:\Windows\SysWOW64\Kfammbdf.dll | Pfdpip32.exe
File created | C:\Windows\SysWOW64\Ceodnl32.exe | Ccahbp32.exe
File created | C:\Windows\SysWOW64\Nnjcpefo.dll | Inhdehbj.exe
File created | C:\Windows\SysWOW64\Pdlkiepd.exe | Pbnoliap.exe
File created | C:\Windows\SysWOW64\Daekko32.dll | Onbgmg32.exe
File created | C:\Windows\SysWOW64\Ennaieib.exe | Eloemi32.exe
File created | C:\Windows\SysWOW64\Olcehoom.dll | Kedaeh32.exe
File created | C:\Windows\SysWOW64\Gikaio32.exe | Gfmemc32.exe
File opened for modification | C:\Windows\SysWOW64\Kgcpjmcb.exe | Keednado.exe
File created | C:\Windows\SysWOW64\Oacima32.dll | Mmceigep.exe
File created | C:\Windows\SysWOW64\Lhbjkfod.dll | Ongnonkb.exe
File created | C:\Windows\SysWOW64\Dfoqmo32.exe | Dcadac32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
10136 | 9956 | Process not Found | 1092
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jaiiff32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nocemcbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkcmiimi.dll" | Dnilobkm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hobcak32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hcifgjgc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikjha32.dll" | Abmbhn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajjcbpdd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Faigdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll" | Leljop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmojocel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fhncmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmndi32.dll" | Odjpkihg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ojkboo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpojo32.dll" | Pmlkpjpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklgpmjo.dll" | Ckignd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnennj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll" | Mponel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bpcbqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokkjm32.dll" | Llkbap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ojfaijcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pngphgbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbhkqaj.dll" | Bghabf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmolnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qfahhm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aekodi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bpnbkeld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll" | Ccdlbf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbnbobin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" | Hicodd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oqideepg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpclc32.dll" | Pefijfii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qocjhb32.dll" | Kiijnq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lkmjin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ahakmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onmdoioa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcmafj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgcpjmcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll" | Labkdack.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfggf32.dll" | Kibjkgca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmanoifd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fbdjbaea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Admemg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bghabf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffkcbgek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Loeebl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gkihhhnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjmcaea.dll" | Ajjcbpdd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll" | Ecejkf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fbamma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nplkfgoe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bagpopmj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bafidiio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akmjfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ajecmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll" | Cjdfmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onbddoog.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejkima32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hlqdei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibkki32.dll" | Limfed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll" | Gacpdbej.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Keanebkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhpfqama.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1680 wrote to memory of 2848 1680 f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe 28
PID 1680 wrote to memory of 2848 1680 f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe 28
PID 1680 wrote to memory of 2848 1680 f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe 28
PID 1680 wrote to memory of 2848 1680 f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe 28
PID 2848 wrote to memory of 2648 2848 Efagii32.exe 29
PID 2848 wrote to memory of 2648 2848 Efagii32.exe 29
PID 2848 wrote to memory of 2648 2848 Efagii32.exe 29
PID 2848 wrote to memory of 2648 2848 Efagii32.exe 29
PID 2648 wrote to memory of 2932 2648 Epilbohf.exe 30
PID 2648 wrote to memory of 2932 2648 Epilbohf.exe 30
PID 2648 wrote to memory of 2932 2648 Epilbohf.exe 30
PID 2648 wrote to memory of 2932 2648 Epilbohf.exe 30
PID 2932 wrote to memory of 2880 2932 Efcdoipc.exe 31
PID 2932 wrote to memory of 2880 2932 Efcdoipc.exe 31
PID 2932 wrote to memory of 2880 2932 Efcdoipc.exe 31
PID 2932 wrote to memory of 2880 2932 Efcdoipc.exe 31
PID 2880 wrote to memory of 2404 2880 Eaihlapi.exe 32
PID 2880 wrote to memory of 2404 2880 Eaihlapi.exe 32
PID 2880 wrote to memory of 2404 2880 Eaihlapi.exe 32
PID 2880 wrote to memory of 2404 2880 Eaihlapi.exe 32
PID 2404 wrote to memory of 2884 2404 Efeqdhnq.exe 33
PID 2404 wrote to memory of 2884 2404 Efeqdhnq.exe 33
PID 2404 wrote to memory of 2884 2404 Efeqdhnq.exe 33
PID 2404 wrote to memory of 2884 2404 Efeqdhnq.exe 33
PID 2884 wrote to memory of 1376 2884 Elbimplh.exe 34
PID 2884 wrote to memory of 1376 2884 Elbimplh.exe 34
PID 2884 wrote to memory of 1376 2884 Elbimplh.exe 34
PID 2884 wrote to memory of 1376 2884 Elbimplh.exe 34
PID 1376 wrote to memory of 2700 1376 Fblaii32.exe 35
PID 1376 wrote to memory of 2700 1376 Fblaii32.exe 35
PID 1376 wrote to memory of 2700 1376 Fblaii32.exe 35
PID 1376 wrote to memory of 2700 1376 Fblaii32.exe 35
PID 2700 wrote to memory of 1652 2700 Fififc32.exe 36
PID 2700 wrote to memory of 1652 2700 Fififc32.exe 36
PID 2700 wrote to memory of 1652 2700 Fififc32.exe 36
PID 2700 wrote to memory of 1652 2700 Fififc32.exe 36
PID 1652 wrote to memory of 240 1652 Fppbbnbo.exe 37
PID 1652 wrote to memory of 240 1652 Fppbbnbo.exe 37
PID 1652 wrote to memory of 240 1652 Fppbbnbo.exe 37
PID 1652 wrote to memory of 240 1652 Fppbbnbo.exe 37
PID 240 wrote to memory of 2164 240 Femjkdqf.exe 38
PID 240 wrote to memory of 2164 240 Femjkdqf.exe 38
PID 240 wrote to memory of 2164 240 Femjkdqf.exe 38
PID 240 wrote to memory of 2164 240 Femjkdqf.exe 38
PID 2164 wrote to memory of 1332 2164 Foeodj32.exe 39
PID 2164 wrote to memory of 1332 2164 Foeodj32.exe 39
PID 2164 wrote to memory of 1332 2164 Foeodj32.exe 39
PID 2164 wrote to memory of 1332 2164 Foeodj32.exe 39
PID 1332 wrote to memory of 1280 1332 Fepgqdnc.exe 40
PID 1332 wrote to memory of 1280 1332 Fepgqdnc.exe 40
PID 1332 wrote to memory of 1280 1332 Fepgqdnc.exe 40
PID 1332 wrote to memory of 1280 1332 Fepgqdnc.exe 40
PID 1280 wrote to memory of 1880 1280 Fhncmp32.exe 41
PID 1280 wrote to memory of 1880 1280 Fhncmp32.exe 41
PID 1280 wrote to memory of 1880 1280 Fhncmp32.exe 41
PID 1280 wrote to memory of 1880 1280 Fhncmp32.exe 41
PID 1880 wrote to memory of 2596 1880 Fohkijed.exe 42
PID 1880 wrote to memory of 2596 1880 Fohkijed.exe 42
PID 1880 wrote to memory of 2596 1880 Fohkijed.exe 42
PID 1880 wrote to memory of 2596 1880 Fohkijed.exe 42
PID 2596 wrote to memory of 696 2596 Fhppbp32.exe 43
PID 2596 wrote to memory of 696 2596 Fhppbp32.exe 43
PID 2596 wrote to memory of 696 2596 Fhppbp32.exe 43
PID 2596 wrote to memory of 696 2596 Fhppbp32.exe 43
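The two record formats above (registry events and WriteProcessMemory events) are easier to reason about once they are parsed: the persistence question is which DLL the `ShellServiceObjectDelayLoad` CLSID actually resolves to via its `InProcServer32` default value, and the process question is the parent-to-child spawn chain hidden behind the repeated hook hits. The Python below is an added triage example, not tria.ge code; the embedded sample records are copied from this report, while the function names and the dict layout they return are assumptions of the example.

```python
"""Triage helpers for the IoC blobs above: added example, not tria.ge code.
The embedded sample records are copied from this report; the function names
and the dict layout they return are my own."""
import re
from collections import defaultdict

# Constructed sample: a subset of the registry records from the report above.
REGISTRY_EVENTS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacgdhlp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jakfkfpc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnbkeld.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll" Ccdlbf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqideepg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hicodd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
"""

# Constructed sample: the first WriteProcessMemory records, run together on one
# line the way the page renders them (the regex does not depend on newlines).
WPM_EVENTS = (
    "PID 1680 wrote to memory of 2848 1680 f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe 28 "
    "PID 1680 wrote to memory of 2848 1680 f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe 28 "
    "PID 2848 wrote to memory of 2648 2848 Efagii32.exe 29 "
    "PID 2848 wrote to memory of 2648 2848 Efagii32.exe 29 "
    "PID 2648 wrote to memory of 2932 2648 Epilbohf.exe 30"
)

REG_RE = re.compile(
    r"^(?P<action>Key created|Key deleted|Set value \(\w+\))\s+"
    r"(?P<target>\\REGISTRY\\.*?)"
    r'(?:\s+=\s+"(?P<data>.*)")?\s+'
    r"(?P<proc>\S+\.exe|Process not Found)$"
)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+\.exe) (\d+)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SSODL_SUFFIX = r"\microsoft\windows\currentversion\shellserviceobjectdelayload"


def parse_registry_events(text):
    """One dict per record: action, key, value name (None for key operations,
    '' for the default value), data with the report's doubled backslashes
    collapsed, and the process that wrote it."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REG_RE.match(line)
        if not m:
            raise ValueError("unparsed record: " + line)
        action = "Set value" if m["action"].startswith("Set value") else m["action"]
        if action == "Set value":
            key, _, name = m["target"].rpartition("\\")
            data = m["data"].replace("\\\\", "\\")
        else:
            key, name, data = m["target"], None, None
        events.append({"action": action, "key": key, "name": name,
                       "data": data, "proc": m["proc"]})
    return events


def ssodl_persistence(events):
    """Link each ShellServiceObjectDelayLoad entry (name -> CLSID) to the DLL
    paths written as that CLSID's InProcServer32 default value: the DLLs
    Explorer.exe will load at startup. A 32-bit writer on x64 lands under
    Wow6432Node, as in this report, so the match is suffix-based."""
    found = {}
    for ev in events:
        if ev["action"] == "Set value" and ev["key"].lower().endswith(SSODL_SUFFIX):
            m = CLSID_RE.search(ev["data"])
            if m:
                found[m.group(0).upper()] = {"ssodl_name": ev["name"],
                                             "dlls": set(), "writers": {ev["proc"]}}
    for ev in events:
        m = CLSID_RE.search(ev["key"])
        if not m or m.group(0).upper() not in found:
            continue
        if not ev["key"].lower().endswith("\\inprocserver32"):
            continue
        entry = found[m.group(0).upper()]
        entry["writers"].add(ev["proc"])
        if ev["action"] == "Set value" and ev["name"] == "":
            entry["dlls"].add(ev["data"])
    return {c: {"ssodl_name": e["ssodl_name"], "dlls": sorted(e["dlls"]),
                "writers": sorted(e["writers"])} for c, e in found.items()}


def parse_wpm_events(text):
    """{(parent_pid, child_pid): parent_image}; the report logs each spawn as
    several identical WriteProcessMemory hits, which the dict collapses."""
    edges = {}
    for parent, child, pid_col, image, _target in WPM_RE.findall(text):
        if parent != pid_col:
            raise ValueError("description and pid column disagree")
        edges[(int(parent), int(child))] = image
    return edges


def process_chain(edges, root_pid):
    """Depth-first walk from root_pid -> [(depth, pid, image)]. A pid that
    never wrote into another process has no image in these records (None)."""
    children, names = defaultdict(list), {}
    for (parent, child), image in edges.items():
        children[parent].append(child)
        names[parent] = image
    out = []

    def walk(pid, depth):
        out.append((depth, pid, names.get(pid)))
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    walk(root_pid, 0)
    return out


if __name__ == "__main__":
    for clsid, info in ssodl_persistence(parse_registry_events(REGISTRY_EVENTS)).items():
        print(clsid, info["ssodl_name"], "->", info["dlls"])
    for depth, pid, image in process_chain(parse_wpm_events(WPM_EVENTS), 1680):
        print("  " * depth + f"{pid} {image or '?'}")
```

Run against the full record lists rather than the sample, `ssodl_persistence` yields every DLL path that was ever written as the CLSID's default value (the report shows the value being overwritten repeatedly), and the `writers` list is the set of dropped binaries that touched the key; both lists are what you would carry into a host sweep.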
Processes (numbered by depth in the spawn chain; each line gives image path, command line, PID, and the signatures that process triggered)
1  C:\Users\Admin\AppData\Local\Temp\f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe  cmdline "C:\Users\Admin\AppData\Local\Temp\f900059b568c573369251b4396dbd6779c0eafb5f7eed91848a1281751135d78.exe"  PID:1680  [Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory]
2  C:\Windows\SysWOW64\Efagii32.exe  cmdline C:\Windows\system32\Efagii32.exe  PID:2848  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
3  C:\Windows\SysWOW64\Epilbohf.exe  cmdline C:\Windows\system32\Epilbohf.exe  PID:2648  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
4  C:\Windows\SysWOW64\Efcdoipc.exe  cmdline C:\Windows\system32\Efcdoipc.exe  PID:2932  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
5  C:\Windows\SysWOW64\Eaihlapi.exe  cmdline C:\Windows\system32\Eaihlapi.exe  PID:2880  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
6  C:\Windows\SysWOW64\Efeqdhnq.exe  cmdline C:\Windows\system32\Efeqdhnq.exe  PID:2404  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
7  C:\Windows\SysWOW64\Elbimplh.exe  cmdline C:\Windows\system32\Elbimplh.exe  PID:2884  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
8  C:\Windows\SysWOW64\Fblaii32.exe  cmdline C:\Windows\system32\Fblaii32.exe  PID:1376  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
9  C:\Windows\SysWOW64\Fififc32.exe  cmdline C:\Windows\system32\Fififc32.exe  PID:2700  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
10  C:\Windows\SysWOW64\Fppbbnbo.exe  cmdline C:\Windows\system32\Fppbbnbo.exe  PID:1652  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
11  C:\Windows\SysWOW64\Femjkdqf.exe  cmdline C:\Windows\system32\Femjkdqf.exe  PID:240  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
12  C:\Windows\SysWOW64\Foeodj32.exe  cmdline C:\Windows\system32\Foeodj32.exe  PID:2164  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
13  C:\Windows\SysWOW64\Fepgqdnc.exe  cmdline C:\Windows\system32\Fepgqdnc.exe  PID:1332  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
14  C:\Windows\SysWOW64\Fhncmp32.exe  cmdline C:\Windows\system32\Fhncmp32.exe  PID:1280  [Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory]
15  C:\Windows\SysWOW64\Fohkijed.exe  cmdline C:\Windows\system32\Fohkijed.exe  PID:1880  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
16  C:\Windows\SysWOW64\Fhppbp32.exe  cmdline C:\Windows\system32\Fhppbp32.exe  PID:2596  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
17  C:\Windows\SysWOW64\Fmmhjf32.exe  cmdline C:\Windows\system32\Fmmhjf32.exe  PID:696  [Executes dropped EXE; Loads dropped DLL]
18  C:\Windows\SysWOW64\Fedplc32.exe  cmdline C:\Windows\system32\Fedplc32.exe  PID:1576  [Executes dropped EXE; Loads dropped DLL]
19  C:\Windows\SysWOW64\Gakaqd32.exe  cmdline C:\Windows\system32\Gakaqd32.exe  PID:2312  [Executes dropped EXE; Loads dropped DLL]
20  C:\Windows\SysWOW64\Gheimogo.exe  cmdline C:\Windows\system32\Gheimogo.exe  PID:560  [Executes dropped EXE; Loads dropped DLL]
21  C:\Windows\SysWOW64\Giffeg32.exe  cmdline C:\Windows\system32\Giffeg32.exe  PID:936  [Executes dropped EXE; Loads dropped DLL]
22  C:\Windows\SysWOW64\Gcojnmdn.exe  cmdline C:\Windows\system32\Gcojnmdn.exe  PID:700  [Executes dropped EXE; Loads dropped DLL]
23  C:\Windows\SysWOW64\Gpbkgq32.exe  cmdline C:\Windows\system32\Gpbkgq32.exe  PID:1976  [Executes dropped EXE; Loads dropped DLL]
24  C:\Windows\SysWOW64\Gdnghpkq.exe  cmdline C:\Windows\system32\Gdnghpkq.exe  PID:1008  [Executes dropped EXE; Loads dropped DLL]
25  C:\Windows\SysWOW64\Gglcdkjd.exe  cmdline C:\Windows\system32\Gglcdkjd.exe  PID:2812  [Executes dropped EXE; Loads dropped DLL]
26  C:\Windows\SysWOW64\Geocph32.exe  cmdline C:\Windows\system32\Geocph32.exe  PID:2600  [Executes dropped EXE; Loads dropped DLL]
27  C:\Windows\SysWOW64\Gohhhmgo.exe  cmdline C:\Windows\system32\Gohhhmgo.exe  PID:2928  [Executes dropped EXE; Loads dropped DLL]
28  C:\Windows\SysWOW64\Gccdil32.exe  cmdline C:\Windows\system32\Gccdil32.exe  PID:2568  [Executes dropped EXE; Loads dropped DLL]
29  C:\Windows\SysWOW64\Ghplac32.exe  cmdline C:\Windows\system32\Ghplac32.exe  PID:2680  [Executes dropped EXE; Loads dropped DLL]
30  C:\Windows\SysWOW64\Gojdnm32.exe  cmdline C:\Windows\system32\Gojdnm32.exe  PID:2656  [Executes dropped EXE; Loads dropped DLL]
31  C:\Windows\SysWOW64\Hedmkgmi.exe  cmdline C:\Windows\system32\Hedmkgmi.exe  PID:2412  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory]
32  C:\Windows\SysWOW64\Hjpike32.exe  cmdline C:\Windows\system32\Hjpike32.exe  PID:2828  [Executes dropped EXE; Loads dropped DLL]
33  C:\Windows\SysWOW64\Hchmdklc.exe  cmdline C:\Windows\system32\Hchmdklc.exe  PID:2100  [Executes dropped EXE]
34  C:\Windows\SysWOW64\Hakmph32.exe  cmdline C:\Windows\system32\Hakmph32.exe  PID:2472  [Executes dropped EXE]
35  C:\Windows\SysWOW64\Hamjehqk.exe  cmdline C:\Windows\system32\Hamjehqk.exe  PID:2716  [Executes dropped EXE]
36  C:\Windows\SysWOW64\Hhgbba32.exe  cmdline C:\Windows\system32\Hhgbba32.exe  PID:1560  [Executes dropped EXE]
37  C:\Windows\SysWOW64\Haogkgoh.exe  cmdline C:\Windows\system32\Haogkgoh.exe  PID:1628  [Executes dropped EXE]
38  C:\Windows\SysWOW64\Hqbgfd32.exe  cmdline C:\Windows\system32\Hqbgfd32.exe  PID:2376  [Executes dropped EXE]
39  C:\Windows\SysWOW64\Hbbcpg32.exe  cmdline C:\Windows\system32\Hbbcpg32.exe  PID:1084  [Executes dropped EXE]
40  C:\Windows\SysWOW64\Hkjhimcf.exe  cmdline C:\Windows\system32\Hkjhimcf.exe  PID:1244  [Executes dropped EXE]
41  C:\Windows\SysWOW64\Inhdehbj.exe  cmdline C:\Windows\system32\Inhdehbj.exe  PID:2112  [Executes dropped EXE; Drops file in System32 directory]
42  C:\Windows\SysWOW64\Idblbb32.exe  cmdline C:\Windows\system32\Idblbb32.exe  PID:2152  [Executes dropped EXE]
43  C:\Windows\SysWOW64\Inkakhpg.exe  cmdline C:\Windows\system32\Inkakhpg.exe  PID:2768  [Executes dropped EXE]
44  C:\Windows\SysWOW64\Iqimgc32.exe  cmdline C:\Windows\system32\Iqimgc32.exe  PID:604  [Executes dropped EXE]
45  C:\Windows\SysWOW64\Iffeoj32.exe  cmdline C:\Windows\system32\Iffeoj32.exe  PID:1908  [Executes dropped EXE]
46  C:\Windows\SysWOW64\Iidbke32.exe  cmdline C:\Windows\system32\Iidbke32.exe  PID:108  [Executes dropped EXE]
47  C:\Windows\SysWOW64\Iqljlb32.exe  cmdline C:\Windows\system32\Iqljlb32.exe  PID:3068  [Executes dropped EXE]
48  C:\Windows\SysWOW64\Ioojhpdb.exe  cmdline C:\Windows\system32\Ioojhpdb.exe  PID:1644  [Executes dropped EXE]
49  C:\Windows\SysWOW64\Ifhbdj32.exe  cmdline C:\Windows\system32\Ifhbdj32.exe  PID:1192  [Executes dropped EXE]
50  C:\Windows\SysWOW64\Ijdnehci.exe  cmdline C:\Windows\system32\Ijdnehci.exe  PID:2996  [Executes dropped EXE]
51  C:\Windows\SysWOW64\Ikekmq32.exe  cmdline C:\Windows\system32\Ikekmq32.exe  PID:2892  [Executes dropped EXE]
52  C:\Windows\SysWOW64\Ioagno32.exe  cmdline C:\Windows\system32\Ioagno32.exe  PID:1536  [Executes dropped EXE]
53  C:\Windows\SysWOW64\Ibocjk32.exe  cmdline C:\Windows\system32\Ibocjk32.exe  PID:1548  [Executes dropped EXE]
54  C:\Windows\SysWOW64\Ifkojiim.exe  cmdline C:\Windows\system32\Ifkojiim.exe  PID:2548  [Executes dropped EXE]
55  C:\Windows\SysWOW64\Imeggc32.exe  cmdline C:\Windows\system32\Imeggc32.exe  PID:2552  [Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE]
56  C:\Windows\SysWOW64\Ioccco32.exe  cmdline C:\Windows\system32\Ioccco32.exe  PID:2636  [Executes dropped EXE]
57  C:\Windows\SysWOW64\Ifmlpigj.exe  cmdline C:\Windows\system32\Ifmlpigj.exe  PID:2484  [Executes dropped EXE]
58  C:\Windows\SysWOW64\Jeplkf32.exe  cmdline C:\Windows\system32\Jeplkf32.exe  PID:1564  [Executes dropped EXE]
59  C:\Windows\SysWOW64\Jgnhga32.exe  cmdline C:\Windows\system32\Jgnhga32.exe  PID:2224  [Executes dropped EXE]
60  C:\Windows\SysWOW64\Jkjdhpea.exe  cmdline C:\Windows\system32\Jkjdhpea.exe  PID:1788  [Executes dropped EXE]
61  C:\Windows\SysWOW64\Jbdlejmn.exe  cmdline C:\Windows\system32\Jbdlejmn.exe  PID:1600  [Executes dropped EXE]
62  C:\Windows\SysWOW64\Jebiaelb.exe  cmdline C:\Windows\system32\Jebiaelb.exe  PID:2316  [Executes dropped EXE]
63  C:\Windows\SysWOW64\Jgqemakf.exe  cmdline C:\Windows\system32\Jgqemakf.exe  PID:1080  [Executes dropped EXE]
64  C:\Windows\SysWOW64\Jnkmjk32.exe  cmdline C:\Windows\system32\Jnkmjk32.exe  PID:1936  [Executes dropped EXE]
65  C:\Windows\SysWOW64\Jaiiff32.exe  cmdline C:\Windows\system32\Jaiiff32.exe  PID:2088  [Executes dropped EXE; Modifies registry class]
66  C:\Windows\SysWOW64\Jedefejo.exe  cmdline C:\Windows\system32\Jedefejo.exe  PID:1420
67  C:\Windows\SysWOW64\Jjanolhg.exe  cmdline C:\Windows\system32\Jjanolhg.exe  PID:1000
68  C:\Windows\SysWOW64\Jnmjok32.exe  cmdline C:\Windows\system32\Jnmjok32.exe  PID:1888  [Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory]
69  C:\Windows\SysWOW64\Jakfkfpc.exe  cmdline C:\Windows\system32\Jakfkfpc.exe  PID:380  [Adds autorun key to be loaded by Explorer.exe on startup]
70  C:\Windows\SysWOW64\Jegble32.exe  cmdline C:\Windows\system32\Jegble32.exe  PID:1640
71  C:\Windows\SysWOW64\Jfhocmnk.exe  cmdline C:\Windows\system32\Jfhocmnk.exe  PID:2076
72  C:\Windows\SysWOW64\Jjdkdl32.exe  cmdline C:\Windows\system32\Jjdkdl32.exe  PID:2220
73  C:\Windows\SysWOW64\Jmbgpg32.exe  cmdline C:\Windows\system32\Jmbgpg32.exe  PID:2564
74  C:\Windows\SysWOW64\Jclomamd.exe  cmdline C:\Windows\system32\Jclomamd.exe  PID:2576
75  C:\Windows\SysWOW64\Jfkkimlh.exe  cmdline C:\Windows\system32\Jfkkimlh.exe  PID:2464
76  C:\Windows\SysWOW64\Jjfgjk32.exe  cmdline C:\Windows\system32\Jjfgjk32.exe  PID:1044  [Adds autorun key to be loaded by Explorer.exe on startup]
77  C:\Windows\SysWOW64\Jmdcfg32.exe  cmdline C:\Windows\system32\Jmdcfg32.exe  PID:328
78  C:\Windows\SysWOW64\Kpcpbb32.exe  cmdline C:\Windows\system32\Kpcpbb32.exe  PID:1596
79  C:\Windows\SysWOW64\Kjhdokbo.exe  cmdline C:\Windows\system32\Kjhdokbo.exe  PID:1372
80  C:\Windows\SysWOW64\Kikdkh32.exe  cmdline C:\Windows\system32\Kikdkh32.exe  PID:2320
81  C:\Windows\SysWOW64\Kljqgc32.exe  cmdline C:\Windows\system32\Kljqgc32.exe  PID:2068
82  C:\Windows\SysWOW64\Kcahhq32.exe  cmdline C:\Windows\system32\Kcahhq32.exe  PID:1912
83  C:\Windows\SysWOW64\Kbcicmpj.exe  cmdline C:\Windows\system32\Kbcicmpj.exe  PID:800
84  C:\Windows\SysWOW64\Kebepion.exe  cmdline C:\Windows\system32\Kebepion.exe  PID:2272
85  C:\Windows\SysWOW64\Kllmmc32.exe  cmdline C:\Windows\system32\Kllmmc32.exe  PID:1656
86  C:\Windows\SysWOW64\Knjiin32.exe  cmdline C:\Windows\system32\Knjiin32.exe  PID:2108
87  C:\Windows\SysWOW64\Kedaeh32.exe  cmdline C:\Windows\system32\Kedaeh32.exe  PID:2200  [Drops file in System32 directory]
88  C:\Windows\SysWOW64\Khcnad32.exe  cmdline C:\Windows\system32\Khcnad32.exe  PID:2616
89  C:\Windows\SysWOW64\Klnjbbdh.exe  cmdline C:\Windows\system32\Klnjbbdh.exe  PID:2752
90  C:\Windows\SysWOW64\Komfnnck.exe  cmdline C:\Windows\system32\Komfnnck.exe  PID:2476
91  C:\Windows\SysWOW64\Kibjkgca.exe  cmdline C:\Windows\system32\Kibjkgca.exe  PID:2424  [Modifies registry class]
92  C:\Windows\SysWOW64\Klqfhbbe.exe  cmdline C:\Windows\system32\Klqfhbbe.exe  PID:1272  [Drops file in System32 directory]
93  C:\Windows\SysWOW64\Kjcgco32.exe  cmdline C:\Windows\system32\Kjcgco32.exe  PID:768
94  C:\Windows\SysWOW64\Koocdnai.exe  cmdline C:\Windows\system32\Koocdnai.exe  PID:1200
95  C:\Windows\SysWOW64\Kanopipl.exe  cmdline C:\Windows\system32\Kanopipl.exe  PID:1716
96  C:\Windows\SysWOW64\Keikqhhe.exe  cmdline C:\Windows\system32\Keikqhhe.exe  PID:2124
97  C:\Windows\SysWOW64\Kdlkld32.exe  cmdline C:\Windows\system32\Kdlkld32.exe  PID:608
98  C:\Windows\SysWOW64\Llccmb32.exe  cmdline C:\Windows\system32\Llccmb32.exe  PID:2960
99  C:\Windows\SysWOW64\Loapim32.exe  cmdline C:\Windows\system32\Loapim32.exe  PID:540
100  C:\Windows\SysWOW64\Laplei32.exe  cmdline C:\Windows\system32\Laplei32.exe  PID:868
101  C:\Windows\SysWOW64\Lekhfgfc.exe  cmdline C:\Windows\system32\Lekhfgfc.exe  PID:1984
102  C:\Windows\SysWOW64\Lhjdbcef.exe  cmdline C:\Windows\system32\Lhjdbcef.exe  PID:1444
103  C:\Windows\SysWOW64\Lfmdnp32.exe  cmdline C:\Windows\system32\Lfmdnp32.exe  PID:2612
104  C:\Windows\SysWOW64\Lkhpnnej.exe  cmdline C:\Windows\system32\Lkhpnnej.exe  PID:2572  [Drops file in System32 directory]
105  C:\Windows\SysWOW64\Labhkh32.exe  cmdline C:\Windows\system32\Labhkh32.exe  PID:2580
106  C:\Windows\SysWOW64\Labhkh32.exe  cmdline C:\Windows\system32\Labhkh32.exe  PID:2480
107  C:\Windows\SysWOW64\Ldqegd32.exe  cmdline C:\Windows\system32\Ldqegd32.exe  PID:1664
108  C:\Windows\SysWOW64\Lgoacojo.exe  cmdline C:\Windows\system32\Lgoacojo.exe  PID:2720
109  C:\Windows\SysWOW64\Lpgele32.exe  cmdline C:\Windows\system32\Lpgele32.exe  PID:1528
110  C:\Windows\SysWOW64\Lkmjin32.exe  cmdline C:\Windows\system32\Lkmjin32.exe  PID:1268  [Modifies registry class]
111  C:\Windows\SysWOW64\Lipjejgp.exe  cmdline C:\Windows\system32\Lipjejgp.exe  PID:2184
112  C:\Windows\SysWOW64\Ldenbcge.exe  cmdline C:\Windows\system32\Ldenbcge.exe  PID:488
113  C:\Windows\SysWOW64\Lchnnp32.exe  cmdline C:\Windows\system32\Lchnnp32.exe  PID:2024
114  C:\Windows\SysWOW64\Lefkjkmc.exe  cmdline C:\Windows\system32\Lefkjkmc.exe  PID:1820
115  C:\Windows\SysWOW64\Lmnbkinf.exe  cmdline C:\Windows\system32\Lmnbkinf.exe  PID:2952  [Drops file in System32 directory]
116  C:\Windows\SysWOW64\Mgfgdn32.exe  cmdline C:\Windows\system32\Mgfgdn32.exe  PID:1896
117  C:\Windows\SysWOW64\Midcpj32.exe  cmdline C:\Windows\system32\Midcpj32.exe  PID:1256
118  C:\Windows\SysWOW64\Mlcple32.exe  cmdline C:\Windows\system32\Mlcple32.exe  PID:2268
119  C:\Windows\SysWOW64\Mpolmdkg.exe  cmdline C:\Windows\system32\Mpolmdkg.exe  PID:2344
120  C:\Windows\SysWOW64\Mcmhiojk.exe  cmdline C:\Windows\system32\Mcmhiojk.exe  PID:2608
121  C:\Windows\SysWOW64\Mekdekin.exe  cmdline C:\Windows\system32\Mekdekin.exe  PID:3020
122  C:\Windows\SysWOW64\Migpeiag.exe  cmdline C:\Windows\system32\Migpeiag.exe  PID:2692