Analysis

max time kernel: 141s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 23:28

Static task: static1

Behavioral task: behavioral1
Sample: 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe
Resource: win10v2004-20240508-en

General

Target: 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe
Size: 163KB
MD5: 5d8dc291be1ed5ff76e667ebaf120f34
SHA1: b646513b0b918297043010a6187ed1c273f2e1f9
SHA256: 7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a
SHA512: 558093f1b2882878b8b90968ae1d059a01bfe354793b8fee418b3eb9768a8aeb8382c6deb8301682c522d858d2db5b34ec6a0e7e1bf7a0ca3ed40c490eb2d7d0
SSDEEP: 1536:PrbbElqSmD+o++1E/H8C2piGCvKZ5lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:jnElqx+o9+cC7nKDltOrWKDBr+yJb

Malware Config
Extracted: gozi
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Detects executables built or packed with MPress PE compressor (64 IoCs)
UPX dump on OEP (original entry point) (64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
Process: WerFault.exe (pid 7940, target pid 7892)
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afmonbqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll" Ekholjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" Eloemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqdoodim.dll" Mnieom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plfamfpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkmmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggopijha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkmbgdfl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe"C:\Users\Admin\AppData\Local\Temp\7ef02dce9d2e3716ee6c153b38f6b8274d619a086668b83d30a23eb0bd4dcd2a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Ggopijha.exeC:\Windows\system32\Ggopijha.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Gpgdbpob.exeC:\Windows\system32\Gpgdbpob.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Hahqjh32.exeC:\Windows\system32\Hahqjh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Hjpike32.exeC:\Windows\system32\Hjpike32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Hlnega32.exeC:\Windows\system32\Hlnega32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Holacm32.exeC:\Windows\system32\Holacm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Hakmph32.exeC:\Windows\system32\Hakmph32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Hefipfkg.exeC:\Windows\system32\Hefipfkg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hheelbjj.exeC:\Windows\system32\Hheelbjj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Hoonilag.exeC:\Windows\system32\Hoonilag.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Hfifff32.exeC:\Windows\system32\Hfifff32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Hdkfacpo.exeC:\Windows\system32\Hdkfacpo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Hgjbmoob.exeC:\Windows\system32\Hgjbmoob.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\Hkeonm32.exeC:\Windows\system32\Hkeonm32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Hndkji32.exeC:\Windows\system32\Hndkji32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Hdncgbnl.exeC:\Windows\system32\Hdncgbnl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Hkhkcm32.exeC:\Windows\system32\Hkhkcm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Hnfgphdl.exeC:\Windows\system32\Hnfgphdl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Hdpplb32.exeC:\Windows\system32\Hdpplb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Hgolhn32.exeC:\Windows\system32\Hgolhn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Hjmhdi32.exeC:\Windows\system32\Hjmhdi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Inhdehbj.exeC:\Windows\system32\Inhdehbj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Imkdqe32.exeC:\Windows\system32\Imkdqe32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Icemmopa.exeC:\Windows\system32\Icemmopa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Igainn32.exeC:\Windows\system32\Igainn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Ijoeji32.exeC:\Windows\system32\Ijoeji32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Inkakhpg.exeC:\Windows\system32\Inkakhpg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Iqimgc32.exeC:\Windows\system32\Iqimgc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Ichico32.exeC:\Windows\system32\Ichico32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Ijaapifk.exeC:\Windows\system32\Ijaapifk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Ioojhpdb.exeC:\Windows\system32\Ioojhpdb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Icjfhn32.exeC:\Windows\system32\Icjfhn32.exe33⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Iigoqe32.exeC:\Windows\system32\Iigoqe32.exe34⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Imbkadcl.exeC:\Windows\system32\Imbkadcl.exe35⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Iclcnnji.exeC:\Windows\system32\Iclcnnji.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Ifkojiim.exeC:\Windows\system32\Ifkojiim.exe37⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ienoff32.exeC:\Windows\system32\Ienoff32.exe38⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Ikggbpgd.exeC:\Windows\system32\Ikggbpgd.exe39⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Ioccco32.exeC:\Windows\system32\Ioccco32.exe40⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Infdolgh.exeC:\Windows\system32\Infdolgh.exe41⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Ifmlpigj.exeC:\Windows\system32\Ifmlpigj.exe42⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Jgnhga32.exeC:\Windows\system32\Jgnhga32.exe43⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Jkjdhpea.exeC:\Windows\system32\Jkjdhpea.exe44⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Joepio32.exeC:\Windows\system32\Joepio32.exe45⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Jnhqdkde.exeC:\Windows\system32\Jnhqdkde.exe46⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Jbdlejmn.exeC:\Windows\system32\Jbdlejmn.exe47⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Jinead32.exeC:\Windows\system32\Jinead32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Jgqemakf.exeC:\Windows\system32\Jgqemakf.exe49⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Jklanp32.exeC:\Windows\system32\Jklanp32.exe50⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Jnkmjk32.exeC:\Windows\system32\Jnkmjk32.exe51⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Jbfijjkl.exeC:\Windows\system32\Jbfijjkl.exe52⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Jaiiff32.exeC:\Windows\system32\Jaiiff32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Jedefejo.exeC:\Windows\system32\Jedefejo.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Jgcabqic.exeC:\Windows\system32\Jgcabqic.exe55⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Jjanolhg.exeC:\Windows\system32\Jjanolhg.exe56⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Jmpjkggj.exeC:\Windows\system32\Jmpjkggj.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Jakfkfpc.exeC:\Windows\system32\Jakfkfpc.exe58⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Jegble32.exeC:\Windows\system32\Jegble32.exe59⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Jcjbgaog.exeC:\Windows\system32\Jcjbgaog.exe60⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Jgenhp32.exeC:\Windows\system32\Jgenhp32.exe61⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Jfhocmnk.exeC:\Windows\system32\Jfhocmnk.exe62⤵
- Executes dropped EXE
PID:360 -
C:\Windows\SysWOW64\Jjdkdl32.exeC:\Windows\system32\Jjdkdl32.exe63⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Jnofejom.exeC:\Windows\system32\Jnofejom.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe65⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Jancafna.exeC:\Windows\system32\Jancafna.exe66⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Jclomamd.exeC:\Windows\system32\Jclomamd.exe67⤵PID:2868
-
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe68⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Jfkkimlh.exeC:\Windows\system32\Jfkkimlh.exe69⤵PID:2384
-
C:\Windows\SysWOW64\Jjfgjk32.exeC:\Windows\system32\Jjfgjk32.exe70⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Jiigehkl.exeC:\Windows\system32\Jiigehkl.exe71⤵PID:2076
-
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe72⤵PID:944
-
C:\Windows\SysWOW64\Kappfeln.exeC:\Windows\system32\Kappfeln.exe73⤵PID:2904
-
C:\Windows\SysWOW64\Kpcpbb32.exeC:\Windows\system32\Kpcpbb32.exe74⤵PID:2672
-
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe75⤵PID:820
-
C:\Windows\SysWOW64\Kfmhol32.exeC:\Windows\system32\Kfmhol32.exe76⤵
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Kjhdokbo.exeC:\Windows\system32\Kjhdokbo.exe77⤵PID:1516
-
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe78⤵PID:1152
-
C:\Windows\SysWOW64\Kljqgc32.exeC:\Windows\system32\Kljqgc32.exe79⤵PID:1544
-
C:\Windows\SysWOW64\Kpemgbqf.exeC:\Windows\system32\Kpemgbqf.exe80⤵PID:2356
-
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe81⤵PID:2232
-
C:\Windows\SysWOW64\Kfoedl32.exeC:\Windows\system32\Kfoedl32.exe82⤵PID:2716
-
C:\Windows\SysWOW64\Kebepion.exeC:\Windows\system32\Kebepion.exe83⤵PID:2008
-
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Kmimafop.exeC:\Windows\system32\Kmimafop.exe85⤵PID:2836
-
C:\Windows\SysWOW64\Kllmmc32.exeC:\Windows\system32\Kllmmc32.exe86⤵PID:900
-
C:\Windows\SysWOW64\Kphimanc.exeC:\Windows\system32\Kphimanc.exe87⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1828 -
C:\Windows\SysWOW64\Kbfeimng.exeC:\Windows\system32\Kbfeimng.exe89⤵PID:1068
-
C:\Windows\SysWOW64\Kfaajlfp.exeC:\Windows\system32\Kfaajlfp.exe90⤵PID:2340
-
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe91⤵PID:980
-
C:\Windows\SysWOW64\Khcnad32.exeC:\Windows\system32\Khcnad32.exe92⤵PID:1868
-
C:\Windows\SysWOW64\Kpjfba32.exeC:\Windows\system32\Kpjfba32.exe93⤵
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe94⤵PID:1380
-
C:\Windows\SysWOW64\Komfnnck.exeC:\Windows\system32\Komfnnck.exe95⤵PID:2712
-
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe96⤵PID:956
-
C:\Windows\SysWOW64\Kegnkh32.exeC:\Windows\system32\Kegnkh32.exe97⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Kibjkgca.exeC:\Windows\system32\Kibjkgca.exe98⤵PID:2500
-
C:\Windows\SysWOW64\Klqfhbbe.exeC:\Windows\system32\Klqfhbbe.exe99⤵PID:1844
-
C:\Windows\SysWOW64\Kjcgco32.exeC:\Windows\system32\Kjcgco32.exe100⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Kbkodl32.exeC:\Windows\system32\Kbkodl32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2084 -
C:\Windows\SysWOW64\Kanopipl.exeC:\Windows\system32\Kanopipl.exe102⤵
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Keikqhhe.exeC:\Windows\system32\Keikqhhe.exe103⤵PID:1672
-
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe104⤵PID:3016
-
C:\Windows\SysWOW64\Lhggmchi.exeC:\Windows\system32\Lhggmchi.exe105⤵PID:1964
-
C:\Windows\SysWOW64\Llccmb32.exeC:\Windows\system32\Llccmb32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe108⤵PID:2812
-
C:\Windows\SysWOW64\Lmdpejfq.exeC:\Windows\system32\Lmdpejfq.exe109⤵PID:1164
-
C:\Windows\SysWOW64\Laplei32.exeC:\Windows\system32\Laplei32.exe110⤵PID:2468
-
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe111⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Ldnhad32.exeC:\Windows\system32\Ldnhad32.exe112⤵PID:1892
-
C:\Windows\SysWOW64\Lhjdbcef.exeC:\Windows\system32\Lhjdbcef.exe113⤵PID:2676
-
C:\Windows\SysWOW64\Lfmdnp32.exeC:\Windows\system32\Lfmdnp32.exe114⤵PID:804
-
C:\Windows\SysWOW64\Lkhpnnej.exeC:\Windows\system32\Lkhpnnej.exe115⤵
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe116⤵PID:1968
-
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe117⤵PID:2932
-
C:\Windows\SysWOW64\Lmgmjjdn.exeC:\Windows\system32\Lmgmjjdn.exe118⤵PID:760
-
C:\Windows\SysWOW64\Labhkh32.exeC:\Windows\system32\Labhkh32.exe119⤵PID:2268
-
C:\Windows\SysWOW64\Ldqegd32.exeC:\Windows\system32\Ldqegd32.exe120⤵PID:2828
-
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe121⤵PID:2004
-
C:\Windows\SysWOW64\Lgoacojo.exeC:\Windows\system32\Lgoacojo.exe122⤵PID:2688
-
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe123⤵PID:1804
-
C:\Windows\SysWOW64\Limmokib.exeC:\Windows\system32\Limmokib.exe124⤵PID:1492
-
C:\Windows\SysWOW64\Lmiipi32.exeC:\Windows\system32\Lmiipi32.exe125⤵PID:2708
-
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe126⤵PID:1624
-
C:\Windows\SysWOW64\Lpgele32.exeC:\Windows\system32\Lpgele32.exe127⤵PID:328
-
C:\Windows\SysWOW64\Ldcamcih.exeC:\Windows\system32\Ldcamcih.exe128⤵PID:2092
-
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe129⤵PID:320
-
C:\Windows\SysWOW64\Lganiohl.exeC:\Windows\system32\Lganiohl.exe130⤵PID:2872
-
C:\Windows\SysWOW64\Lkmjin32.exeC:\Windows\system32\Lkmjin32.exe131⤵PID:2864
-
C:\Windows\SysWOW64\Lipjejgp.exeC:\Windows\system32\Lipjejgp.exe132⤵PID:1488
-
C:\Windows\SysWOW64\Lmkfei32.exeC:\Windows\system32\Lmkfei32.exe133⤵PID:1604
-
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe134⤵PID:1568
-
C:\Windows\SysWOW64\Lpjbad32.exeC:\Windows\system32\Lpjbad32.exe135⤵PID:2364
-
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe136⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Lchnnp32.exeC:\Windows\system32\Lchnnp32.exe137⤵
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Lefkjkmc.exeC:\Windows\system32\Lefkjkmc.exe139⤵PID:1748
-
C:\Windows\SysWOW64\Libgjj32.exeC:\Windows\system32\Libgjj32.exe140⤵PID:412
-
C:\Windows\SysWOW64\Lmnbkinf.exeC:\Windows\system32\Lmnbkinf.exe141⤵PID:2120
-
C:\Windows\SysWOW64\Llqcfe32.exeC:\Windows\system32\Llqcfe32.exe142⤵PID:488
-
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe143⤵PID:2420
-
C:\Windows\SysWOW64\Loooca32.exeC:\Windows\system32\Loooca32.exe144⤵PID:2692
-
C:\Windows\SysWOW64\Mcjkcplm.exeC:\Windows\system32\Mcjkcplm.exe145⤵
- Drops file in System32 directory
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Mgfgdn32.exeC:\Windows\system32\Mgfgdn32.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe147⤵PID:2960
-
C:\Windows\SysWOW64\Midcpj32.exeC:\Windows\system32\Midcpj32.exe148⤵PID:1812
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe149⤵PID:2788
-
C:\Windows\SysWOW64\Mlcple32.exeC:\Windows\system32\Mlcple32.exe150⤵PID:1988
-
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe151⤵PID:764
-
C:\Windows\SysWOW64\Moalhq32.exeC:\Windows\system32\Moalhq32.exe152⤵PID:2508
-
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe153⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Mekdekin.exeC:\Windows\system32\Mekdekin.exe154⤵PID:2892
-
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe155⤵PID:1436
-
C:\Windows\SysWOW64\Mhjpaf32.exeC:\Windows\system32\Mhjpaf32.exe156⤵PID:640
-
C:\Windows\SysWOW64\Mlelaeqk.exeC:\Windows\system32\Mlelaeqk.exe157⤵PID:1076
-
C:\Windows\SysWOW64\Mkhmma32.exeC:\Windows\system32\Mkhmma32.exe158⤵PID:1752
-
C:\Windows\SysWOW64\Mochnppo.exeC:\Windows\system32\Mochnppo.exe159⤵PID:2520
-
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe160⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Mabejlob.exeC:\Windows\system32\Mabejlob.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Menakj32.exeC:\Windows\system32\Menakj32.exe162⤵PID:748
-
C:\Windows\SysWOW64\Mdqafgnf.exeC:\Windows\system32\Mdqafgnf.exe163⤵PID:2024
-
C:\Windows\SysWOW64\Mlgigdoh.exeC:\Windows\system32\Mlgigdoh.exe164⤵PID:2744
-
C:\Windows\SysWOW64\Mkjica32.exeC:\Windows\system32\Mkjica32.exe165⤵
- Drops file in System32 directory
PID:1196 -
C:\Windows\SysWOW64\Mofecpnl.exeC:\Windows\system32\Mofecpnl.exe166⤵PID:3096
-
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe167⤵
- Modifies registry class
PID:3136 -
C:\Windows\SysWOW64\Madapkmp.exeC:\Windows\system32\Madapkmp.exe168⤵PID:3176
-
C:\Windows\SysWOW64\Mepnpj32.exeC:\Windows\system32\Mepnpj32.exe169⤵PID:3216
-
C:\Windows\SysWOW64\Mhnjle32.exeC:\Windows\system32\Mhnjle32.exe170⤵PID:3256
-
C:\Windows\SysWOW64\Mkmfhacp.exeC:\Windows\system32\Mkmfhacp.exe171⤵PID:3296
-
C:\Windows\SysWOW64\Mohbip32.exeC:\Windows\system32\Mohbip32.exe172⤵PID:3336
-
C:\Windows\SysWOW64\Mnkbdlbd.exeC:\Windows\system32\Mnkbdlbd.exe173⤵
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe174⤵PID:3416
-
C:\Windows\SysWOW64\Mpjoqhah.exeC:\Windows\system32\Mpjoqhah.exe175⤵PID:3456
-
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe176⤵PID:3496
-
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe177⤵PID:3536
-
C:\Windows\SysWOW64\Mgcgmb32.exeC:\Windows\system32\Mgcgmb32.exe178⤵PID:3576
-
C:\Windows\SysWOW64\Mkobnqan.exeC:\Windows\system32\Mkobnqan.exe179⤵PID:3616
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe180⤵PID:3656
-
C:\Windows\SysWOW64\Njbcim32.exeC:\Windows\system32\Njbcim32.exe181⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3684 -
C:\Windows\SysWOW64\Nnnojlpa.exeC:\Windows\system32\Nnnojlpa.exe182⤵PID:3708
-
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe183⤵PID:3748
-
C:\Windows\SysWOW64\Nplkfgoe.exeC:\Windows\system32\Nplkfgoe.exe184⤵PID:3788
-
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe185⤵PID:3828
-
C:\Windows\SysWOW64\Ncjgbcoi.exeC:\Windows\system32\Ncjgbcoi.exe186⤵PID:3868
-
C:\Windows\SysWOW64\Ngfcca32.exeC:\Windows\system32\Ngfcca32.exe187⤵PID:3908
-
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe188⤵PID:3948
-
C:\Windows\SysWOW64\Njdpomfe.exeC:\Windows\system32\Njdpomfe.exe189⤵PID:3988
-
C:\Windows\SysWOW64\Nnplpl32.exeC:\Windows\system32\Nnplpl32.exe190⤵
- Drops file in System32 directory
PID:4028 -
C:\Windows\SysWOW64\Nlblkhei.exeC:\Windows\system32\Nlblkhei.exe191⤵PID:4068
-
C:\Windows\SysWOW64\Npnhlg32.exeC:\Windows\system32\Npnhlg32.exe192⤵PID:3080
-
C:\Windows\SysWOW64\Ndjdlffl.exeC:\Windows\system32\Ndjdlffl.exe193⤵
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe194⤵PID:3184
-
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe195⤵
- Drops file in System32 directory
PID:3212 -
Process tree, continued. Each row is one process: tree depth, image path, command line and PID, with the sandbox's behaviour tags listed under the row they apply to. Every row is the child of the row above it (depth increases by one each time), so this is a single spawn chain in which each dropped copy starts the next one. The command line names C:\Windows\system32\<name>.exe, but the image that actually runs lives in C:\Windows\SysWOW64\<name>.exe: the sample is a 32-bit executable on an x64 guest, so WOW64 file-system redirection maps system32 to SysWOW64 for it. Several names recur at adjacent depths with different PIDs (for example Nkmbgdfl.exe at 216 and 217), which is the same dropped file being launched twice, not a duplicated report entry.

depth  image                               command line                         PID
196    C:\Windows\SysWOW64\Nghphaeo.exe    C:\Windows\system32\Nghphaeo.exe     3248
197    C:\Windows\SysWOW64\Nfkpdn32.exe    C:\Windows\system32\Nfkpdn32.exe     3288
198    C:\Windows\SysWOW64\Njgldmdc.exe    C:\Windows\system32\Njgldmdc.exe     3344
       - Adds autorun key to be loaded by Explorer.exe on startup
199    C:\Windows\SysWOW64\Nnbhek32.exe    C:\Windows\system32\Nnbhek32.exe     3388
200    C:\Windows\SysWOW64\Nleiqhcg.exe    C:\Windows\system32\Nleiqhcg.exe     3444
201    C:\Windows\SysWOW64\Nqqdag32.exe    C:\Windows\system32\Nqqdag32.exe     3480
202    C:\Windows\SysWOW64\Nocemcbj.exe    C:\Windows\system32\Nocemcbj.exe     3528
203    C:\Windows\SysWOW64\Ncoamb32.exe    C:\Windows\system32\Ncoamb32.exe     3572
204    C:\Windows\SysWOW64\Ngkmnacm.exe    C:\Windows\system32\Ngkmnacm.exe     3548
       - Adds autorun key to be loaded by Explorer.exe on startup
205    C:\Windows\SysWOW64\Nfmmin32.exe    C:\Windows\system32\Nfmmin32.exe     3592
206    C:\Windows\SysWOW64\Njiijlbp.exe    C:\Windows\system32\Njiijlbp.exe     3636
207    C:\Windows\SysWOW64\Nhlifi32.exe    C:\Windows\system32\Nhlifi32.exe     3772
208    C:\Windows\SysWOW64\Nlgefh32.exe    C:\Windows\system32\Nlgefh32.exe     3820
209    C:\Windows\SysWOW64\Nqcagfim.exe    C:\Windows\system32\Nqcagfim.exe     3876
210    C:\Windows\SysWOW64\Nofabc32.exe    C:\Windows\system32\Nofabc32.exe     3932
211    C:\Windows\SysWOW64\Ncancbha.exe    C:\Windows\system32\Ncancbha.exe     3980
212    C:\Windows\SysWOW64\Nbdnoo32.exe    C:\Windows\system32\Nbdnoo32.exe     4040
213    C:\Windows\SysWOW64\Nfpjomgd.exe    C:\Windows\system32\Nfpjomgd.exe     4092
       - Adds autorun key to be loaded by Explorer.exe on startup
214    C:\Windows\SysWOW64\Njkfpl32.exe    C:\Windows\system32\Njkfpl32.exe     3120
       - Drops file in System32 directory
215    C:\Windows\SysWOW64\Nmjblg32.exe    C:\Windows\system32\Nmjblg32.exe     3192
216    C:\Windows\SysWOW64\Nkmbgdfl.exe    C:\Windows\system32\Nkmbgdfl.exe     3156
       - Modifies registry class
217    C:\Windows\SysWOW64\Nkmbgdfl.exe    C:\Windows\system32\Nkmbgdfl.exe     592
218    C:\Windows\SysWOW64\Nohnhc32.exe    C:\Windows\system32\Nohnhc32.exe     3332
219    C:\Windows\SysWOW64\Nccjhafn.exe    C:\Windows\system32\Nccjhafn.exe     3404
220    C:\Windows\SysWOW64\Nccjhafn.exe    C:\Windows\system32\Nccjhafn.exe     3440
       - Modifies registry class
221    C:\Windows\SysWOW64\Nbfjdn32.exe    C:\Windows\system32\Nbfjdn32.exe     3276
222    C:\Windows\SysWOW64\Ofbfdmeb.exe    C:\Windows\system32\Ofbfdmeb.exe     3544
223    C:\Windows\SysWOW64\Odegpj32.exe    C:\Windows\system32\Odegpj32.exe     3600
224    C:\Windows\SysWOW64\Ohqbqhde.exe    C:\Windows\system32\Ohqbqhde.exe     3556
       - Drops file in System32 directory
225    C:\Windows\SysWOW64\Omloag32.exe    C:\Windows\system32\Omloag32.exe     3696
226    C:\Windows\SysWOW64\Okoomd32.exe    C:\Windows\system32\Okoomd32.exe     3740
227    C:\Windows\SysWOW64\Okoomd32.exe    C:\Windows\system32\Okoomd32.exe     2352
228    C:\Windows\SysWOW64\Oojknblb.exe    C:\Windows\system32\Oojknblb.exe     3836
229    C:\Windows\SysWOW64\Onmkio32.exe    C:\Windows\system32\Onmkio32.exe     3880
230    C:\Windows\SysWOW64\Obigjnkf.exe    C:\Windows\system32\Obigjnkf.exe     3944
       - Drops file in System32 directory
231    C:\Windows\SysWOW64\Ofdcjm32.exe    C:\Windows\system32\Ofdcjm32.exe     4020
232    C:\Windows\SysWOW64\Ofdcjm32.exe    C:\Windows\system32\Ofdcjm32.exe     4000
233    C:\Windows\SysWOW64\Odgcfijj.exe    C:\Windows\system32\Odgcfijj.exe     4008
234    C:\Windows\SysWOW64\Oicpfh32.exe    C:\Windows\system32\Oicpfh32.exe     4080
       - Adds autorun key to be loaded by Explorer.exe on startup
235    C:\Windows\SysWOW64\Ogfpbeim.exe    C:\Windows\system32\Ogfpbeim.exe     3240
236    C:\Windows\SysWOW64\Okalbc32.exe    C:\Windows\system32\Okalbc32.exe     3328
237    C:\Windows\SysWOW64\Okalbc32.exe    C:\Windows\system32\Okalbc32.exe     3272
238    C:\Windows\SysWOW64\Oomhcbjp.exe    C:\Windows\system32\Oomhcbjp.exe     3452
239    C:\Windows\SysWOW64\Onphoo32.exe    C:\Windows\system32\Onphoo32.exe     3492
       - Drops file in System32 directory
       - Modifies registry class
240    C:\Windows\SysWOW64\Obkdonic.exe    C:\Windows\system32\Obkdonic.exe     3560
241    C:\Windows\SysWOW64\Obkdonic.exe    C:\Windows\system32\Obkdonic.exe     3424
       - Modifies registry class
242    C:\Windows\SysWOW64\Oqndkj32.exe    C:\Windows\system32\Oqndkj32.exe     3664
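The raw report text runs each process entry together as image path, command line, tree depth, an arrow, optional behaviour tags and a PID. The parser below is an added example, not part of the sandbox report or its tooling: it takes that run-together form as it appears in the copy above, rebuilds one record per process, and answers the questions an analyst asks of such a chain (is it a single parent-child line, which dropped names carry the autorun or registry tags, which names were launched more than once, and whether every row shows the system32-to-SysWOW64 WOW64 redirection). The sample input is a constructed excerpt of five rows copied from the entries on this page; the regular expressions and the record layout are the example's own assumptions.

```python
"""Parse flattened sandbox process-tree lines and summarise the spawn chain.

Added example; the input below is a constructed excerpt of the report text
on this page, in its raw run-together form.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: five consecutive rows of the chain, exactly as the
# extractor fused them (image + command line + depth + arrow + tags + PID).
RAW = r"""
C:\Windows\SysWOW64\Okalbc32.exeC:\Windows\system32\Okalbc32.exe237⤵PID:3272
-
C:\Windows\SysWOW64\Oomhcbjp.exeC:\Windows\system32\Oomhcbjp.exe238⤵PID:3452
-
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe239⤵
- Drops file in System32 directory
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe240⤵PID:3560
-
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe241⤵
- Modifies registry class
PID:3424 -
"""

# One fused entry line: <image>.exe<command line>.exe<depth>⤵[PID:n]
ENTRY = re.compile(r"^(C:\\\S+?\.exe)(C:\\\S+?\.exe)(\d+)⤵(.*)$")
PID = re.compile(r"PID:(\d+)")


@dataclass
class Proc:
    image: str            # path the sandbox saw loaded (SysWOW64 here)
    cmdline: str          # path the parent asked for (system32 here)
    depth: int            # nesting level in the tree; parent is depth - 1
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_tree(text: str) -> List[Proc]:
    """Rebuild one Proc per entry; tag and PID lines attach to the last entry."""
    procs: List[Proc] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            image, cmd, depth, rest = m.groups()
            p = Proc(image, cmd, int(depth))
            pm = PID.search(rest)
            if pm:
                p.pid = int(pm.group(1))
            procs.append(p)
            continue
        if not procs:
            continue
        if line.startswith("- "):            # behaviour tag for the current entry
            procs[-1].tags.append(line[2:].strip())
        else:                                # "PID:n -" on its own line, or a bare "-"
            pm = PID.search(line)
            if pm:
                procs[-1].pid = int(pm.group(1))
    return procs


def is_linear_chain(procs: List[Proc]) -> bool:
    """True when every row is exactly one level deeper than the previous one,
    i.e. each process spawned the next and there are no siblings."""
    return all(b.depth == a.depth + 1 for a, b in zip(procs, procs[1:]))


def wow64_redirected(p: Proc) -> bool:
    """Command line named system32 but the loaded image is under SysWOW64:
    the classic sign of a 32-bit process under WOW64 file-system redirection."""
    return (p.cmdline.lower().startswith("c:\\windows\\system32\\")
            and p.image.lower().startswith("c:\\windows\\syswow64\\"))


def names_with_tag(procs: List[Proc], needle: str) -> List[str]:
    """Dropped file names whose entry carries a tag containing `needle`."""
    return sorted({p.name for p in procs if any(needle in t for t in p.tags)})


def repeated_names(procs: List[Proc]) -> dict:
    """Names launched more than once (same file, different PID and depth)."""
    counts = Counter(p.name for p in procs)
    return {n: c for n, c in counts.items() if c > 1}


if __name__ == "__main__":
    tree = parse_tree(RAW)
    print("entries:", len(tree), "linear chain:", is_linear_chain(tree))
    print("registry-modifying:", names_with_tag(tree, "Modifies registry class"))
    print("repeated:", repeated_names(tree))
    print("all WOW64-redirected:", all(wow64_redirected(p) for p in tree))
```

Feed the whole process-tree section of a report to `parse_tree` and `names_with_tag(tree, "Adds autorun key")` gives the subset of dropped names worth checking against the ShellServiceObjectDelayLoad persistence entries, while `is_linear_chain` failing points at a fan-out rather than the one-child-at-a-time chain this sample shows.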