Analysis
max time kernel: 147s
max time network: 123s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 10-05-2024 18:55
Static task: static1
Behavioral task: behavioral1
  Sample: 12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe
  Resource: win10v2004-20240508-en
General
Target: 12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe
Size: 163KB
MD5: 052ba2f03f6467543333b644839c95ff
SHA1: f4994128177be9ee481ec8da194953c9d5793834
SHA256: 12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9
SHA512: 57834bca12207d9c1205d424921979a665d3dcc015018550d96c3f112fb8d5e8139e59ad8005926700eada6e982a2116c6e32d4ada83779bd07eaa1776a40928
SSDEEP: 3072:JcWhPcX3hPvB1uztzeMeCBltOrWKDBr+yJb:iWouztzECBLOf
Malware Config
Extracted: gozi
This family label comes from the config extractor alone. No other signature in this report refers to Gozi, and the behaviour recorded below is a chain of self-replicating executables dropped into SysWOW64 with COM-based shell persistence, so treat the label as unconfirmed until the extracted configuration itself has been reviewed.
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
All 64 events target HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (logged in kernel form as \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\...). "Key created" events open or create that key; "Set value (str)" events write the value Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}". Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so the DLL registered as that CLSID's InProcServer32 (the writes listed under "Modifies registry class" below) is loaded into explorer.exe without any Run key or service. Note the Wow6432Node path: the sample is 32-bit, so its writes land in the 32-bit registry view. The 64-bit explorer.exe on this x64 VM reads the native view and cannot load a 32-bit in-proc server, so the persistence would take effect on a 32-bit Windows install rather than on the analysis VM as configured.
Set value (str) Web Event Logger  Nolhan32.exe
Set value (str) Web Event Logger  Dkqbaecc.exe
Set value (str) Web Event Logger  Dookgcij.exe
Set value (str) Web Event Logger  Qlkdkd32.exe
Key created ShellServiceObjectDelayLoad  Amfcikek.exe
Key created ShellServiceObjectDelayLoad  Kaldcb32.exe
Set value (str) Web Event Logger  Bhdgjb32.exe
Set value (str) Web Event Logger  Plcdgfbo.exe
Key created ShellServiceObjectDelayLoad  Hckcmjep.exe
Key created ShellServiceObjectDelayLoad  Icmlam32.exe
Key created ShellServiceObjectDelayLoad  Lckdanld.exe
Key created ShellServiceObjectDelayLoad  Fphafl32.exe
Set value (str) Web Event Logger  Ddeaalpg.exe
Key created ShellServiceObjectDelayLoad  Gangic32.exe
Set value (str) Web Event Logger  Kifpdelo.exe
Key created ShellServiceObjectDelayLoad  Leonofpp.exe
Key created ShellServiceObjectDelayLoad  Ddokpmfo.exe
Set value (str) Web Event Logger  Ebmgcohn.exe
Set value (str) Web Event Logger  Gebbnpfp.exe
Set value (str) Web Event Logger  Fpngfgle.exe
Set value (str) Web Event Logger  Kofopj32.exe
Key created ShellServiceObjectDelayLoad  Ejmebq32.exe
Key created ShellServiceObjectDelayLoad  Knpemf32.exe
Key created ShellServiceObjectDelayLoad  Aaheie32.exe
Key created ShellServiceObjectDelayLoad  Fnhnbb32.exe
Key created ShellServiceObjectDelayLoad  Hkcdafqb.exe
Set value (str) Web Event Logger  Baakhm32.exe
Set value (str) Web Event Logger  Dbhnhp32.exe
Key created ShellServiceObjectDelayLoad  Ndjfeo32.exe
Key created ShellServiceObjectDelayLoad  Picnndmb.exe
Key created ShellServiceObjectDelayLoad  Jghknp32.exe
Key created ShellServiceObjectDelayLoad  Kmjfdejp.exe
Set value (str) Web Event Logger  Lemaif32.exe
Key created ShellServiceObjectDelayLoad  Aehboi32.exe
Key created ShellServiceObjectDelayLoad  Ncmdhb32.exe
Set value (str) Web Event Logger  Bommnc32.exe
Set value (str) Web Event Logger  Migbnb32.exe
Set value (str) Web Event Logger  Nckjkl32.exe
Set value (str) Web Event Logger  Amnfnfgg.exe
Key created ShellServiceObjectDelayLoad  Jmhmpb32.exe
Key created ShellServiceObjectDelayLoad  Pbhmnkjf.exe
Key created ShellServiceObjectDelayLoad  Gpknlk32.exe
Key created ShellServiceObjectDelayLoad  Ngpolo32.exe
Set value (str) Web Event Logger  Nbfjdn32.exe
Key created ShellServiceObjectDelayLoad  Bghabf32.exe
Key created ShellServiceObjectDelayLoad  Begeknan.exe
Set value (str) Web Event Logger  Hedocp32.exe
Key created ShellServiceObjectDelayLoad  Pcibkm32.exe
Set value (str) Web Event Logger  Behgcf32.exe
Set value (str) Web Event Logger  Cjlgiqbk.exe
Set value (str) Web Event Logger  Clcflkic.exe
Set value (str) Web Event Logger  Endhhp32.exe
Key created ShellServiceObjectDelayLoad  Fljafg32.exe
Key created ShellServiceObjectDelayLoad  Migpeiag.exe
Key created ShellServiceObjectDelayLoad  Bkfjhd32.exe
Set value (str) Web Event Logger  Cnippoha.exe
Set value (str) Web Event Logger  Begeknan.exe
Key created ShellServiceObjectDelayLoad  Dnlidb32.exe
Set value (str) Web Event Logger  Icpigm32.exe
Key created ShellServiceObjectDelayLoad  Igakgfpn.exe
Key created ShellServiceObjectDelayLoad  Bdmddc32.exe
Key created ShellServiceObjectDelayLoad  Mgljbm32.exe
Set value (str) Web Event Logger  Pimkpfeh.exe
Key created ShellServiceObjectDelayLoad  Pcnbablo.exe
Detects executables built or packed with MPress PE compressor 64 IoCs
yara rule: INDICATOR_EXE_Packed_MPress. Matched resources, listed by file name (all are in \Windows\SysWOW64) or as behavioral1 memory dumps. The dumps are process dumps of pids 2696 (Lkfciogm.exe), 1172 (Lhlqhb32.exe), 608 (Meigpkka.exe), 2440 (Mnieom32.exe), 2556 (Mdejaf32.exe) and 2096 (Mhqfbebj.exe) per the pid table under "Executes dropped EXE"; every dump spans 0x53000 bytes, consistent with the same image being unpacked at each stage.
Jghknp32.exe, Jmdcfg32.exe, Kbalnnam.exe, Kmgpkfab.exe, Kcahhq32.exe, Kinaqg32.exe, Knjiin32.exe, Kedaeh32.exe,
Kipnfged.exe, Kbhbom32.exe, Khekgc32.exe, Koocdnai.exe, Kdlkld32.exe, Lkfciogm.exe, Lekhfgfc.exe,
behavioral1/memory/2696-194-0x00000000004D0000-0x0000000000523000-memory.dmp,
Lodlom32.exe, Lhlqhb32.exe,
behavioral1/memory/1172-232-0x0000000000400000-0x0000000000453000-memory.dmp,
Lkkmdn32.exe, Ladeqhjd.exe, Lbfahp32.exe, Llnfaffc.exe, Ldenbcge.exe, Lgdjnofi.exe, Lplogdmj.exe, Meigpkka.exe,
behavioral1/memory/608-315-0x0000000000400000-0x0000000000453000-memory.dmp,
Mpolmdkg.exe, Mcmhiojk.exe, Migpeiag.exe, Mcodno32.exe, Mhlmgf32.exe, Mnieom32.exe,
behavioral1/memory/2440-385-0x0000000000400000-0x0000000000453000-memory.dmp,
Mdcnlglc.exe, Magnek32.exe, Mdejaf32.exe,
behavioral1/memory/2556-416-0x0000000000400000-0x0000000000453000-memory.dmp,
Mhqfbebj.exe,
behavioral1/memory/2096-428-0x0000000000400000-0x0000000000453000-memory.dmp,
Naikkk32.exe, Ndgggf32.exe, Nkaocp32.exe, Ncmdhb32.exe, Njgldmdc.exe, Nocemcbj.exe, Ngkmnacm.exe, Nfmmin32.exe,
Nlgefh32.exe, Nqcagfim.exe, Nofabc32.exe, Nbdnoo32.exe, Nhnfkigh.exe, Nmjblg32.exe, Nbfjdn32.exe, Ofbfdmeb.exe,
Omloag32.exe, Okoomd32.exe, Onmkio32.exe, Obigjnkf.exe, Ofdcjm32.exe, Ogfpbeim.exe, Onphoo32.exe
UPX dump on OEP (original entry point) 64 IoCs
yara rule: UPX. This rule and the MPress rule above match the same files and dumps, which cannot both be right unless the file was packed twice, so at least one of the two rules keys on something other than the packer's section layout. Check the section table (UPX0/UPX1 for UPX, .MPRESS1/.MPRESS2 for MPRESS) before recording a packer. The list differs from the MPress one only in including the dump of pid 2804 (Ncmdhb32.exe) and omitting Onphoo32.exe.
Jghknp32.exe, Jmdcfg32.exe, Kbalnnam.exe, Kmgpkfab.exe, Kcahhq32.exe, Kinaqg32.exe, Knjiin32.exe, Kedaeh32.exe,
Kipnfged.exe, Kbhbom32.exe, Khekgc32.exe, Koocdnai.exe, Kdlkld32.exe, Lkfciogm.exe, Lekhfgfc.exe,
behavioral1/memory/2696-194-0x00000000004D0000-0x0000000000523000-memory.dmp,
Lodlom32.exe, Lhlqhb32.exe,
behavioral1/memory/1172-232-0x0000000000400000-0x0000000000453000-memory.dmp,
Lkkmdn32.exe, Ladeqhjd.exe, Lbfahp32.exe, Llnfaffc.exe, Ldenbcge.exe, Lgdjnofi.exe, Lplogdmj.exe, Meigpkka.exe,
behavioral1/memory/608-315-0x0000000000400000-0x0000000000453000-memory.dmp,
Mpolmdkg.exe, Mcmhiojk.exe, Migpeiag.exe, Mcodno32.exe, Mhlmgf32.exe, Mnieom32.exe,
behavioral1/memory/2440-385-0x0000000000400000-0x0000000000453000-memory.dmp,
Mdcnlglc.exe, Magnek32.exe, Mdejaf32.exe,
behavioral1/memory/2556-416-0x0000000000400000-0x0000000000453000-memory.dmp,
Mhqfbebj.exe,
behavioral1/memory/2096-428-0x0000000000400000-0x0000000000453000-memory.dmp,
Naikkk32.exe, Ndgggf32.exe, Nkaocp32.exe, Ncmdhb32.exe, Njgldmdc.exe,
behavioral1/memory/2804-473-0x0000000000250000-0x00000000002A3000-memory.dmp,
Nocemcbj.exe, Ngkmnacm.exe, Nfmmin32.exe, Nlgefh32.exe, Nqcagfim.exe, Nofabc32.exe, Nbdnoo32.exe, Nhnfkigh.exe,
Nmjblg32.exe, Nbfjdn32.exe, Ofbfdmeb.exe, Omloag32.exe, Okoomd32.exe, Onmkio32.exe, Obigjnkf.exe, Ofdcjm32.exe,
Ogfpbeim.exe
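To settle which packer the section table actually shows, here is an added example that is not part of the Triage report or of either yara rule: section_names() walks the PE headers and identify_packer() compares the names against each packer's default section names (UPX0/UPX1 for UPX, .MPRESS1/.MPRESS2 for MPRESS; those sets are this example's own assumption, and a packer or post-processing tool that renames sections defeats the check). build_stub_pe() is a constructed helper that emits a headers-only PE32 image so the check runs without a sample; on a real file, pass the bytes of the .exe instead.

```python
"""Resolve conflicting packer yara hits by reading PE section names.

Added example, not code from the Triage report. build_stub_pe() constructs a
headers-only PE32 image so the check runs without a real sample.
"""
import struct

# Assumed default section names per packer. Renamed sections defeat this,
# so an empty result means "no default layout found", not "not packed".
PACKER_SECTIONS = {
    "UPX": {"UPX0", "UPX1"},
    "MPRESS": {".MPRESS1", ".MPRESS2"},
}


def section_names(pe: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER follows "PE\0\0"
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers follow the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        raw = pe[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def identify_packer(pe: bytes) -> list:
    """Return the packers whose full default section-name set is present."""
    present = set(section_names(pe))
    return sorted(p for p, sig in PACKER_SECTIONS.items() if sig <= present)


def build_stub_pe(names) -> bytes:
    """Constructed helper: a headers-only PE32 image with the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    opt = struct.pack("<H", 0x10B) + bytes(222)                     # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe(["UPX0", "UPX1", ".rsrc"])
    print(section_names(data), identify_packer(data))
```

Run it against each dropped .exe and against the memory dumps separately: a dump taken at the OEP has already been unpacked in memory, so its section names tell you about the original binary, not the packer.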
Executes dropped EXE 64 IoCs
pid  process
2472  Jghknp32.exe
2596  Jmdcfg32.exe
2732  Kbalnnam.exe
2872  Kmgpkfab.exe
2380  Kcahhq32.exe
2428  Kinaqg32.exe
2108  Knjiin32.exe
2448  Kedaeh32.exe
2100  Kipnfged.exe
1856  Kbhbom32.exe
2136  Khekgc32.exe
1516  Koocdnai.exe
2020  Kdlkld32.exe
2696  Lkfciogm.exe
2680  Lekhfgfc.exe
768  Lodlom32.exe
1172  Lhlqhb32.exe
684  Lkkmdn32.exe
788  Ladeqhjd.exe
1672  Lbfahp32.exe
1892  Llnfaffc.exe
1680  Ldenbcge.exe
632  Lgdjnofi.exe
284  Lplogdmj.exe
608  Meigpkka.exe
1532  Mpolmdkg.exe
2600  Mcmhiojk.exe
2504  Migpeiag.exe
2644  Mcodno32.exe
2304  Mhlmgf32.exe
2440  Mnieom32.exe
2824  Mdcnlglc.exe
860  Magnek32.exe
2556  Mdejaf32.exe
2096  Mhqfbebj.exe
1456  Naikkk32.exe
1568  Ndgggf32.exe
2040  Nkaocp32.exe
2804  Ncmdhb32.exe
2188  Njgldmdc.exe
1972  Nocemcbj.exe
1424  Ngkmnacm.exe
828  Nfmmin32.exe
2924  Nlgefh32.exe
3032  Nqcagfim.exe
824  Nofabc32.exe
2104  Nbdnoo32.exe
2008  Nhnfkigh.exe
1968  Nmjblg32.exe
3020  Nbfjdn32.exe
1628  Ofbfdmeb.exe
2580  Omloag32.exe
2496  Okoomd32.exe
2620  Onmkio32.exe
2548  Obigjnkf.exe
2876  Ofdcjm32.exe
1200  Ogfpbeim.exe
1360  Onphoo32.exe
2624  Obkdonic.exe
240  Odjpkihg.exe
2276  Oiellh32.exe
624  Okchhc32.exe
2944  Ojficpfn.exe
1996  Onbddoog.exe
Loads dropped DLL 64 IoCs
Each of the 32 processes below appears twice in the report (two DLL-load events per process; the loaded DLLs are not named in this view).
pid  process
2220  12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe
2472  Jghknp32.exe
2596  Jmdcfg32.exe
2732  Kbalnnam.exe
2872  Kmgpkfab.exe
2380  Kcahhq32.exe
2428  Kinaqg32.exe
2108  Knjiin32.exe
2448  Kedaeh32.exe
2100  Kipnfged.exe
1856  Kbhbom32.exe
2136  Khekgc32.exe
1516  Koocdnai.exe
2020  Kdlkld32.exe
2696  Lkfciogm.exe
2680  Lekhfgfc.exe
768  Lodlom32.exe
1172  Lhlqhb32.exe
684  Lkkmdn32.exe
788  Ladeqhjd.exe
1672  Lbfahp32.exe
1892  Llnfaffc.exe
1680  Ldenbcge.exe
632  Lgdjnofi.exe
284  Lplogdmj.exe
608  Meigpkka.exe
1532  Mpolmdkg.exe
2600  Mcmhiojk.exe
2504  Migpeiag.exe
2644  Mcodno32.exe
2304  Mhlmgf32.exe
2440  Mnieom32.exe
Drops file in System32 directory 64 IoCs
Every path is C:\Windows\SysWOW64\<name>, the 32-bit system directory (a 32-bit process writing to System32 is redirected there), despite the signature name. Columns: action, file, writing process. The drops form a chain in which each stage writes the next executable (for example Jmdcfg32.exe opens Kbalnnam.exe, the next entry in the "Executes dropped EXE" list). Three of the dropped DLLs are the ones later registered as the CLSID's in-proc server under "Modifies registry class": Ldhnfd32.dll (Qfokbnip.exe), Lafcif32.dll (Ihgainbg.exe) and Nqdgapkm.dll (Jdehon32.exe).
created  Npfgpe32.exe  Nnhkcj32.exe
created  Knklagmb.exe  Kmjojo32.exe
opened for modification  Pdiadenf.dll  Becnhgmg.exe
opened for modification  Kbalnnam.exe  Jmdcfg32.exe
opened for modification  Pjenhm32.exe  Pggbla32.exe
opened for modification  Gjfdhbld.exe  Gbomfe32.exe
created  Hnablp32.dll  Pcibkm32.exe
created  Fmpkjkma.exe  Fidoim32.exe
created  Okfencna.exe  Ocomlemo.exe
created  Fpfdalii.exe  Facdeo32.exe
created  Behnnm32.exe  Bfenbpec.exe
opened for modification  Eplkpgnh.exe  Emnndlod.exe
created  Hebpjd32.dll  Jcmafj32.exe
created  Eioojl32.dll  Qbplbi32.exe
opened for modification  Qodlkm32.exe  Qgmdjp32.exe
created  Momeefin.dll  Blkioa32.exe
created  Aofqfokm.dll  Amejeljk.exe
created  Jpbpbqda.dll  Djbiicon.exe
created  Aaaoij32.exe  Amfcikek.exe
created  Dliijipn.exe  Dhnmij32.exe
created  Mkhofjoj.exe  Mlfojn32.exe
created  Cibcni32.dll  Qdccfh32.exe
opened for modification  Keanebkb.exe  Kmjfdejp.exe
opened for modification  Dlkepi32.exe  Dhpiojfb.exe
created  Libicbma.exe  Lfdmggnm.exe
opened for modification  Gmgninie.exe  Gikaio32.exe
opened for modification  Lndohedg.exe  Lfmffhde.exe
opened for modification  Okfgfl32.exe  Ogkkfmml.exe
opened for modification  Ckoilb32.exe  Cgcmlcja.exe
created  Lccdel32.exe  Laegiq32.exe
opened for modification  Mbkmlh32.exe  Mpmapm32.exe
opened for modification  Okoafmkm.exe  Ohaeia32.exe
created  Eflgccbp.exe  Ebpkce32.exe
created  Lkoabpeg.dll  Gangic32.exe
opened for modification  Gobgcg32.exe  Gkgkbipp.exe
opened for modification  Pogclp32.exe  Pklhlael.exe
opened for modification  Annbhi32.exe  Afgkfl32.exe
created  Qpehocqo.dll  Hakphqja.exe
created  Lafcif32.dll  Ihgainbg.exe
created  Allepo32.dll  Kegqdqbl.exe
created  Aganeoip.exe  Aecaidjl.exe
created  Alogkm32.dll  Hcplhi32.exe
created  Kiebec32.dll  Oikojfgk.exe
created  Ldhnfd32.dll  Qfokbnip.exe
created  Hlljjjnm.exe  Ghqnjk32.exe
opened for modification  Qagcpljo.exe  Qmlgonbe.exe
opened for modification  Ndmjedoi.exe  Naoniipe.exe
opened for modification  Gmpgio32.exe  Gnmgmbhb.exe
created  Algdlcdm.dll  Gnmgmbhb.exe
created  Nqdgapkm.dll  Jdehon32.exe
created  Lgjfkk32.exe  Lapnnafn.exe
created  Nlphkb32.exe  Nhdlkdkg.exe
created  Gbcfadgl.exe  Gpejeihi.exe
opened for modification  Jgcdki32.exe  Jchhkjhn.exe
created  Oalfhf32.exe  Onpjghhn.exe
opened for modification  Plfamfpm.exe  Pigeqkai.exe
created  Hdhbam32.exe  Hpmgqnfl.exe
created  Nanbpedg.dll  Ceaadk32.exe
created  Dndlim32.exe  Dfmdho32.exe
opened for modification  Fcefji32.exe  Fagjnn32.exe
opened for modification  Gfhladfn.exe  Gdjpeifj.exe
opened for modification  Ijbdha32.exe  Igchlf32.exe
opened for modification  Poocpnbm.exe  Pkdgpo32.exe
created  Ajenen32.dll  Pmnhfjmg.exe
Program crash 1 IoCs
WerFault.exe (pid 9136) handled a crash in Cacacg32.exe (pid 8248). That pid is far beyond the highest pid in the 64-entry "Executes dropped EXE" list, so the drop-and-execute chain ran well past what the capped listings show.
Modifies registry class 64 IoCs
All events are under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the COM server registration for the CLSID that the ShellServiceObjectDelayLoad value above points at. "Key created" creates InProcServer32; "(default)" sets the in-proc server DLL path (a different dropped DLL at each stage of the chain); "ThreadingModel" is set to "Apartment". This copy of the report is cut off after 55 of the 64 entries, and the last entry's data and process are missing.
ThreadingModel = "Apartment"  Hpmgqnfl.exe
Key created InProcServer32  Ioijbj32.exe
(default) = "C:\Windows\SysWow64\Ldhnfd32.dll"  Qfokbnip.exe
ThreadingModel = "Apartment"  Ebmgcohn.exe
ThreadingModel = "Apartment"  Fbopgb32.exe
Key created InProcServer32  Qmlgonbe.exe
(default) = "C:\Windows\SysWow64\Nejeco32.dll"  Cpjiajeb.exe
(default) = "C:\Windows\SysWow64\Nnplna32.dll"  Keoapb32.exe
Key created InProcServer32  Lbeknj32.exe
(default) = "C:\Windows\SysWow64\Pacebaej.dll"  Begeknan.exe
Key created InProcServer32  Ccfhhffh.exe
(default) = "C:\Windows\SysWow64\Dcdooi32.dll"  Fbdqmghm.exe
ThreadingModel = "Apartment"  Adnopfoj.exe
ThreadingModel = "Apartment"  Bjlqhoba.exe
ThreadingModel = "Apartment"  Fmpkjkma.exe
ThreadingModel = "Apartment"  Obigjnkf.exe
ThreadingModel = "Apartment"  Abpfhcje.exe
(default) = "C:\Windows\SysWow64\Nqdgapkm.dll"  Jdehon32.exe
(default) = "C:\Windows\SysWow64\Icdepo32.dll"  Gdjpeifj.exe
Key created InProcServer32  Mkklljmg.exe
(default) = "C:\Windows\SysWow64\Imjcfnhk.dll"  Qngmgjeb.exe
Key created InProcServer32  Aganeoip.exe
ThreadingModel = "Apartment"  Agfgqo32.exe
ThreadingModel = "Apartment"  Ijeghgoh.exe
ThreadingModel = "Apartment"  Eqbddk32.exe
ThreadingModel = "Apartment"  Hgjefg32.exe
(default) = "C:\Windows\SysWow64\Lafcif32.dll"  Ihgainbg.exe
(default) = "C:\Windows\SysWow64\Pdlbongd.dll"  Mabgcd32.exe
ThreadingModel = "Apartment"  Cfinoq32.exe
(default) = "C:\Windows\SysWow64\Fpebfbaj.dll"  Ndpfkdmf.exe
Key created InProcServer32  Gmgdddmq.exe
(default) = "C:\Windows\SysWow64\Gemaaoaf.dll"  Kjljhjkl.exe
(default) = "C:\Windows\SysWow64\Fljdpbcc.dll"  Nkgbbo32.exe
ThreadingModel = "Apartment"  Egjpkffe.exe
Key created InProcServer32  Fnkjhb32.exe
(default) = "C:\Windows\SysWow64\Nmfmhhoj.dll"  Idnaoohk.exe
Key created InProcServer32  Oiellh32.exe
Key created InProcServer32  Ejbfhfaj.exe
(default) = "C:\Windows\SysWow64\Jjmoilnn.dll"  Pjpnbg32.exe
ThreadingModel = "Apartment"  Ngdifkpi.exe
ThreadingModel = "Apartment"  Ncmfqkdj.exe
(default) = "C:\Windows\SysWow64\Gcaciakh.dll"  Gmjaic32.exe
ThreadingModel = "Apartment"  Keanebkb.exe
ThreadingModel = "Apartment"  Llnofpcg.exe
(default) = "C:\Windows\SysWow64\Lghniakc.dll"  Oqideepg.exe
ThreadingModel = "Apartment"  Ckccgane.exe
ThreadingModel = "Apartment"  Ffklhqao.exe
(default) = "C:\Windows\SysWow64\Ahcfok32.dll"  Dnilobkm.exe
(default) = "C:\Windows\SysWow64\Fpmkde32.dll"  Ghhofmql.exe
(default) = "C:\Windows\SysWow64\Bmdcpnkh.dll"  Fjongcbl.exe
(default) = "C:\Windows\SysWow64\Plgifc32.dll"  Agfgqo32.exe
ThreadingModel = "Apartment"  Ffkcbgek.exe
(default) = "C:\Windows\SysWow64\Dqehhb32.dll"  Mppepcfg.exe
ThreadingModel = "Apartment"  Joplbl32.exe
(default) =
"C:\\Windows\\SysWow64\\Eddpkh32.dll" Bhigphio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipllekdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhllob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afgkfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emcbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eajaoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onphoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdpip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiedjneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahokfj32.exe -
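The registry writes above only make sense together with the "Adds autorun key" entries earlier in the report: the dropped executables register the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under ShellServiceObjectDelayLoad, which explorer.exe instantiates at every logon, and each of them rebinds that CLSID's InProcServer32 to a freshly dropped DLL in SysWOW64. The Python below is an added example, not part of this report or of the sandbox tooling: it correlates the two kinds of write into one persistence finding. Its event lines are copied from the report (a constructed five-line subset); the parsing and the correlation rule are this example's own.

```python
"""Correlate registry writes from a sandbox report into one SSODL persistence finding.

Added example, not part of the sandbox report or of its tooling. The event lines
are copied from the report (constructed subset); parser and rule are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample in the report's own "description key[\value = "data"] process" layout.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nolhan32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbeknj32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnplna32.dll" Keoapb32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacebaej.dll" Begeknan.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnopfoj.exe',
]

# "Set value (type) <key>\<name> = "<data>" <process>"; an empty <name> is the key's default value.
SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY.*?)\\(?P<name>[^\\]*) = "(?P<data>.*)" (?P<proc>\S+)$'
)
KEY_CREATED = re.compile(r'^Key created (?P<key>\\REGISTRY\S+) (?P<proc>\S+)$')
GUID = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)


def parse_event(line):
    """Return one report line as a dict, or None when it matches neither layout."""
    m = SET_VALUE.match(line)
    if m:
        ev = m.groupdict()
        ev["op"] = "set"
        ev["data"] = ev["data"].replace("\\\\", "\\")  # the report doubles backslashes in REG_SZ data
        return ev
    m = KEY_CREATED.match(line)
    if m:
        ev = m.groupdict()
        ev.update(op="create", type=None, name=None, data=None)
        return ev
    return None


def ssodl_findings(lines):
    """For every CLSID registered under ShellServiceObjectDelayLoad, collect the DLLs its InProcServer32 was pointed at.

    explorer.exe loads each SSODL CLSID at logon, so the DLL behind it runs in the
    shell on every start; a CLSID rebound to several freshly dropped DLLs by several
    different processes is the pattern this report shows.
    """
    ssodl = defaultdict(lambda: {"value_names": set(), "writers": set()})
    inproc = defaultdict(lambda: {"dlls": set(), "writers": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "set":
            continue
        key = ev["key"].lower()
        if key.endswith("\\shellserviceobjectdelayload"):
            g = GUID.search(ev["data"])
            if g:
                clsid = g.group(0).upper()
                ssodl[clsid]["value_names"].add(ev["name"])
                ssodl[clsid]["writers"].add(ev["proc"])
        elif key.endswith("\\inprocserver32") and ev["name"] == "":
            g = GUID.search(ev["key"])
            if g:
                clsid = g.group(0).upper()
                inproc[clsid]["dlls"].add(ev["data"])
                inproc[clsid]["writers"].add(ev["proc"])
    findings = {}
    for clsid, s in ssodl.items():
        servers = inproc.get(clsid, {"dlls": set(), "writers": set()})
        findings[clsid] = {
            "ssodl_value_names": sorted(s["value_names"]),
            "dlls": sorted(servers["dlls"]),
            "writers": sorted(s["writers"] | servers["writers"]),
            "rebound": len(servers["dlls"]) > 1,  # same autostart CLSID, more than one server DLL
        }
    return findings
```

Feed it the full "Adds autorun key" and "Modifies registry class" lists from the report and the single finding lists every DLL name the chain registered; on a live host the same two keys, read with the Wow6432Node path on 64-bit Windows, are what to compare against a clean baseline.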
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 2220 wrote to memory of 2472 2220 12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe Jghknp32.exe
PID 2220 wrote to memory of 2472 2220 12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe Jghknp32.exe
PID 2220 wrote to memory of 2472 2220 12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe Jghknp32.exe
PID 2220 wrote to memory of 2472 2220 12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe Jghknp32.exe
PID 2472 wrote to memory of 2596 2472 Jghknp32.exe Jmdcfg32.exe
PID 2472 wrote to memory of 2596 2472 Jghknp32.exe Jmdcfg32.exe
PID 2472 wrote to memory of 2596 2472 Jghknp32.exe Jmdcfg32.exe
PID 2472 wrote to memory of 2596 2472 Jghknp32.exe Jmdcfg32.exe
PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe Kbalnnam.exe
PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe Kbalnnam.exe
PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe Kbalnnam.exe
PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe Kbalnnam.exe
PID 2732 wrote to memory of 2872 2732 Kbalnnam.exe Kmgpkfab.exe
PID 2732 wrote to memory of 2872 2732 Kbalnnam.exe Kmgpkfab.exe
PID 2732 wrote to memory of 2872 2732 Kbalnnam.exe Kmgpkfab.exe
PID 2732 wrote to memory of 2872 2732 Kbalnnam.exe Kmgpkfab.exe
PID 2872 wrote to memory of 2380 2872 Kmgpkfab.exe Kcahhq32.exe
PID 2872 wrote to memory of 2380 2872 Kmgpkfab.exe Kcahhq32.exe
PID 2872 wrote to memory of 2380 2872 Kmgpkfab.exe Kcahhq32.exe
PID 2872 wrote to memory of 2380 2872 Kmgpkfab.exe Kcahhq32.exe
PID 2380 wrote to memory of 2428 2380 Kcahhq32.exe Kinaqg32.exe
PID 2380 wrote to memory of 2428 2380 Kcahhq32.exe Kinaqg32.exe
PID 2380 wrote to memory of 2428 2380 Kcahhq32.exe Kinaqg32.exe
PID 2380 wrote to memory of 2428 2380 Kcahhq32.exe Kinaqg32.exe
PID 2428 wrote to memory of 2108 2428 Kinaqg32.exe Knjiin32.exe
PID 2428 wrote to memory of 2108 2428 Kinaqg32.exe Knjiin32.exe
PID 2428 wrote to memory of 2108 2428 Kinaqg32.exe Knjiin32.exe
PID 2428 wrote to memory of 2108 2428 Kinaqg32.exe Knjiin32.exe
PID 2108 wrote to memory of 2448 2108 Knjiin32.exe Kedaeh32.exe
PID 2108 wrote to memory of 2448 2108 Knjiin32.exe Kedaeh32.exe
PID 2108 wrote to memory of 2448 2108 Knjiin32.exe Kedaeh32.exe
PID 2108 wrote to memory of 2448 2108 Knjiin32.exe Kedaeh32.exe
PID 2448 wrote to memory of 2100 2448 Kedaeh32.exe Kipnfged.exe
PID 2448 wrote to memory of 2100 2448 Kedaeh32.exe Kipnfged.exe
PID 2448 wrote to memory of 2100 2448 Kedaeh32.exe Kipnfged.exe
PID 2448 wrote to memory of 2100 2448 Kedaeh32.exe Kipnfged.exe
PID 2100 wrote to memory of 1856 2100 Kipnfged.exe Kbhbom32.exe
PID 2100 wrote to memory of 1856 2100 Kipnfged.exe Kbhbom32.exe
PID 2100 wrote to memory of 1856 2100 Kipnfged.exe Kbhbom32.exe
PID 2100 wrote to memory of 1856 2100 Kipnfged.exe Kbhbom32.exe
PID 1856 wrote to memory of 2136 1856 Kbhbom32.exe Khekgc32.exe
PID 1856 wrote to memory of 2136 1856 Kbhbom32.exe Khekgc32.exe
PID 1856 wrote to memory of 2136 1856 Kbhbom32.exe Khekgc32.exe
PID 1856 wrote to memory of 2136 1856 Kbhbom32.exe Khekgc32.exe
PID 2136 wrote to memory of 1516 2136 Khekgc32.exe Koocdnai.exe
PID 2136 wrote to memory of 1516 2136 Khekgc32.exe Koocdnai.exe
PID 2136 wrote to memory of 1516 2136 Khekgc32.exe Koocdnai.exe
PID 2136 wrote to memory of 1516 2136 Khekgc32.exe Koocdnai.exe
PID 1516 wrote to memory of 2020 1516 Koocdnai.exe Kdlkld32.exe
PID 1516 wrote to memory of 2020 1516 Koocdnai.exe Kdlkld32.exe
PID 1516 wrote to memory of 2020 1516 Koocdnai.exe Kdlkld32.exe
PID 1516 wrote to memory of 2020 1516 Koocdnai.exe Kdlkld32.exe
PID 2020 wrote to memory of 2696 2020 Kdlkld32.exe Lkfciogm.exe
PID 2020 wrote to memory of 2696 2020 Kdlkld32.exe Lkfciogm.exe
PID 2020 wrote to memory of 2696 2020 Kdlkld32.exe Lkfciogm.exe
PID 2020 wrote to memory of 2696 2020 Kdlkld32.exe Lkfciogm.exe
PID 2696 wrote to memory of 2680 2696 Lkfciogm.exe Lekhfgfc.exe
PID 2696 wrote to memory of 2680 2696 Lkfciogm.exe Lekhfgfc.exe
PID 2696 wrote to memory of 2680 2696 Lkfciogm.exe Lekhfgfc.exe
PID 2696 wrote to memory of 2680 2696 Lkfciogm.exe Lekhfgfc.exe
PID 2680 wrote to memory of 768 2680 Lekhfgfc.exe Lodlom32.exe
PID 2680 wrote to memory of 768 2680 Lekhfgfc.exe Lodlom32.exe
PID 2680 wrote to memory of 768 2680 Lekhfgfc.exe Lodlom32.exe
PID 2680 wrote to memory of 768 2680 Lekhfgfc.exe Lodlom32.exe
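Read as a graph, these rows are a straight line: the submitted sample writes into Jghknp32.exe, which writes into Jmdcfg32.exe, and so on, one fresh eight-character name per hop, and the process tree that follows continues the same line past 240 levels. Every hop shows exactly four writes, which is what a parent writing into a child it has just created looks like; the signature cannot distinguish that from injection into an unrelated process, so the chain shape rather than the API name carries the signal. The Python below is an added example, not part of this report or of the sandbox tooling: it rebuilds the chain from the rows. The rows are copied from the list above (a constructed four-hop subset, each row kept four times as the report shows it); the chain reconstruction, the name-shape heuristic and the allowlist of Windows binaries are this example's own assumptions.

```python
"""Rebuild the parent -> child spawn chain behind a sandbox report's WriteProcessMemory rows.

Added example, not part of the sandbox report or of its tooling. Rows are copied
from the report (constructed subset); chain logic and heuristic are this example's own.
"""
import re

# Report row layout: "PID <src> wrote to memory of <dst> <pid> <image> <target>".
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target>\S+)$"
)

SAMPLE_ROWS = (
    ["PID 2220 wrote to memory of 2472 2220 "
     "12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe Jghknp32.exe"] * 4
    + ["PID 2472 wrote to memory of 2596 2472 Jghknp32.exe Jmdcfg32.exe"] * 4
    + ["PID 2596 wrote to memory of 2732 2596 Jmdcfg32.exe Kbalnnam.exe"] * 4
    + ["PID 2732 wrote to memory of 2872 2732 Kbalnnam.exe Kmgpkfab.exe"] * 4
)

# Name shape of the dropped binaries in this report: 6-8 letters, optional "32", ".exe".
# Heuristic only: genuine Windows binaries share the shape, so an allowlist
# (constructed for this example; build the real one from a clean baseline) filters them.
GENERATED = re.compile(r"^[A-Za-z]{6,8}(?:32)?\.exe$")
KNOWN_SYSTEM = {"explorer.exe", "svchost.exe", "rundll32.exe", "regsvr32.exe",
                "services.exe", "winlogon.exe", "conhost.exe", "taskhost.exe"}


def parse_rows(rows):
    """Count writes per (parent_pid, parent_image, child_pid, child_image) edge."""
    counts = {}
    for row in rows:
        m = ROW.match(row.strip())
        if m is None:
            continue  # header line or anything else not in row layout
        edge = (int(m["src"]), m["image"], int(m["dst"]), m["target"])
        counts[edge] = counts.get(edge, 0) + 1
    return counts


def build_chain(counts):
    """Walk from the root (the one process nobody wrote into) down the single-child chain."""
    children = {}
    for ppid, pimg, cpid, cimg in counts:
        children.setdefault((ppid, pimg), []).append((cpid, cimg))
    written_to = {(cpid, cimg) for _, _, cpid, cimg in counts}
    roots = [p for p in children if p not in written_to]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in children:
        nxt = children[chain[-1]]
        if len(nxt) != 1:
            break  # the report shows a straight line; stop rather than guess at a branch
        chain.append(nxt[0])
    return chain


def summarize(rows):
    """Chain depth, the images in spawn order, and which of them look machine-generated."""
    counts = parse_rows(rows)
    chain = build_chain(counts)
    images = [img for _, img in chain]
    return {
        "depth": len(chain) - 1,
        "chain": images,
        # the same write count at every hop is consistent with process creation, not injection
        "writes_per_hop": sorted(set(counts.values())),
        "generated_names": [i for i in images if GENERATED.match(i) and i.lower() not in KNOWN_SYSTEM],
    }
```

On the full list from the report the same function returns depth 16 and sixteen generated names; on endpoint telemetry the equivalent check is a process-creation chain in which every child is a never-before-seen image under SysWOW64 written by a parent of the same shape.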
Processes
-
C:\Users\Admin\AppData\Local\Temp\12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe"C:\Users\Admin\AppData\Local\Temp\12d66107671eb4b2ce864fad98fda18e37240ecb759c8b3aead1c836a926f2c9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Jghknp32.exeC:\Windows\system32\Jghknp32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Jmdcfg32.exeC:\Windows\system32\Jmdcfg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Kbalnnam.exeC:\Windows\system32\Kbalnnam.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Kmgpkfab.exeC:\Windows\system32\Kmgpkfab.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Kcahhq32.exeC:\Windows\system32\Kcahhq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Kinaqg32.exeC:\Windows\system32\Kinaqg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Knjiin32.exeC:\Windows\system32\Knjiin32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Kedaeh32.exeC:\Windows\system32\Kedaeh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Kipnfged.exeC:\Windows\system32\Kipnfged.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Kbhbom32.exeC:\Windows\system32\Kbhbom32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Khekgc32.exeC:\Windows\system32\Khekgc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Koocdnai.exeC:\Windows\system32\Koocdnai.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Kdlkld32.exeC:\Windows\system32\Kdlkld32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Lkfciogm.exeC:\Windows\system32\Lkfciogm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Lekhfgfc.exeC:\Windows\system32\Lekhfgfc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Lodlom32.exeC:\Windows\system32\Lodlom32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Lhlqhb32.exeC:\Windows\system32\Lhlqhb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Lkkmdn32.exeC:\Windows\system32\Lkkmdn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Ladeqhjd.exeC:\Windows\system32\Ladeqhjd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:788 -
C:\Windows\SysWOW64\Lbfahp32.exeC:\Windows\system32\Lbfahp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Llnfaffc.exeC:\Windows\system32\Llnfaffc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Ldenbcge.exeC:\Windows\system32\Ldenbcge.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Lgdjnofi.exeC:\Windows\system32\Lgdjnofi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Lplogdmj.exeC:\Windows\system32\Lplogdmj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:284 -
C:\Windows\SysWOW64\Meigpkka.exeC:\Windows\system32\Meigpkka.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Mpolmdkg.exeC:\Windows\system32\Mpolmdkg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Mcmhiojk.exeC:\Windows\system32\Mcmhiojk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Migpeiag.exeC:\Windows\system32\Migpeiag.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Mcodno32.exeC:\Windows\system32\Mcodno32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Mhlmgf32.exeC:\Windows\system32\Mhlmgf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Mnieom32.exeC:\Windows\system32\Mnieom32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Mdcnlglc.exeC:\Windows\system32\Mdcnlglc.exe33⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Magnek32.exeC:\Windows\system32\Magnek32.exe34⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Mdejaf32.exeC:\Windows\system32\Mdejaf32.exe35⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Mhqfbebj.exeC:\Windows\system32\Mhqfbebj.exe36⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Naikkk32.exeC:\Windows\system32\Naikkk32.exe37⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Ndgggf32.exeC:\Windows\system32\Ndgggf32.exe38⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Nkaocp32.exeC:\Windows\system32\Nkaocp32.exe39⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ncmdhb32.exeC:\Windows\system32\Ncmdhb32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Njgldmdc.exeC:\Windows\system32\Njgldmdc.exe41⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Nocemcbj.exeC:\Windows\system32\Nocemcbj.exe42⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Ngkmnacm.exeC:\Windows\system32\Ngkmnacm.exe43⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Nfmmin32.exeC:\Windows\system32\Nfmmin32.exe44⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Nlgefh32.exeC:\Windows\system32\Nlgefh32.exe45⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Nqcagfim.exeC:\Windows\system32\Nqcagfim.exe46⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Nofabc32.exeC:\Windows\system32\Nofabc32.exe47⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Nbdnoo32.exeC:\Windows\system32\Nbdnoo32.exe48⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Nhnfkigh.exeC:\Windows\system32\Nhnfkigh.exe49⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nmjblg32.exeC:\Windows\system32\Nmjblg32.exe50⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Nbfjdn32.exeC:\Windows\system32\Nbfjdn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Ofbfdmeb.exeC:\Windows\system32\Ofbfdmeb.exe52⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Omloag32.exeC:\Windows\system32\Omloag32.exe53⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Okoomd32.exeC:\Windows\system32\Okoomd32.exe54⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Onmkio32.exeC:\Windows\system32\Onmkio32.exe55⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Obigjnkf.exeC:\Windows\system32\Obigjnkf.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Ofdcjm32.exeC:\Windows\system32\Ofdcjm32.exe57⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ogfpbeim.exeC:\Windows\system32\Ogfpbeim.exe58⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Onphoo32.exeC:\Windows\system32\Onphoo32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Obkdonic.exeC:\Windows\system32\Obkdonic.exe60⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Odjpkihg.exeC:\Windows\system32\Odjpkihg.exe61⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\Oiellh32.exeC:\Windows\system32\Oiellh32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Okchhc32.exeC:\Windows\system32\Okchhc32.exe63⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Ojficpfn.exeC:\Windows\system32\Ojficpfn.exe64⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Onbddoog.exeC:\Windows\system32\Onbddoog.exe65⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Oqqapjnk.exeC:\Windows\system32\Oqqapjnk.exe66⤵PID:536
-
C:\Windows\SysWOW64\Ocomlemo.exeC:\Windows\system32\Ocomlemo.exe67⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Okfencna.exeC:\Windows\system32\Okfencna.exe68⤵PID:2912
-
C:\Windows\SysWOW64\Ojieip32.exeC:\Windows\system32\Ojieip32.exe69⤵PID:996
-
C:\Windows\SysWOW64\Oqcnfjli.exeC:\Windows\system32\Oqcnfjli.exe70⤵PID:856
-
C:\Windows\SysWOW64\Ocajbekl.exeC:\Windows\system32\Ocajbekl.exe71⤵PID:2204
-
C:\Windows\SysWOW64\Ogmfbd32.exeC:\Windows\system32\Ogmfbd32.exe72⤵PID:2092
-
C:\Windows\SysWOW64\Ongnonkb.exeC:\Windows\system32\Ongnonkb.exe73⤵PID:2216
-
C:\Windows\SysWOW64\Paejki32.exeC:\Windows\system32\Paejki32.exe74⤵PID:2404
-
C:\Windows\SysWOW64\Pgobhcac.exeC:\Windows\system32\Pgobhcac.exe75⤵PID:2392
-
C:\Windows\SysWOW64\Pjmodopf.exeC:\Windows\system32\Pjmodopf.exe76⤵PID:3048
-
C:\Windows\SysWOW64\Ppjglfon.exeC:\Windows\system32\Ppjglfon.exe77⤵PID:1032
-
C:\Windows\SysWOW64\Pcfcmd32.exeC:\Windows\system32\Pcfcmd32.exe78⤵PID:1580
-
C:\Windows\SysWOW64\Pfdpip32.exeC:\Windows\system32\Pfdpip32.exe79⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Pjpkjond.exeC:\Windows\system32\Pjpkjond.exe80⤵PID:2468
-
C:\Windows\SysWOW64\Pmnhfjmg.exeC:\Windows\system32\Pmnhfjmg.exe81⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Pchpbded.exeC:\Windows\system32\Pchpbded.exe82⤵PID:592
-
C:\Windows\SysWOW64\Peiljl32.exeC:\Windows\system32\Peiljl32.exe83⤵PID:1184
-
C:\Windows\SysWOW64\Piehkkcl.exeC:\Windows\system32\Piehkkcl.exe84⤵PID:952
-
C:\Windows\SysWOW64\Plcdgfbo.exeC:\Windows\system32\Plcdgfbo.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Ppoqge32.exeC:\Windows\system32\Ppoqge32.exe86⤵PID:2744
-
C:\Windows\SysWOW64\Pelipl32.exeC:\Windows\system32\Pelipl32.exe87⤵PID:1644
-
C:\Windows\SysWOW64\Pigeqkai.exeC:\Windows\system32\Pigeqkai.exe88⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Plfamfpm.exeC:\Windows\system32\Plfamfpm.exe89⤵PID:2432
-
C:\Windows\SysWOW64\Pbpjiphi.exeC:\Windows\system32\Pbpjiphi.exe90⤵PID:1660
-
C:\Windows\SysWOW64\Penfelgm.exeC:\Windows\system32\Penfelgm.exe91⤵PID:1324
-
C:\Windows\SysWOW64\Qlhnbf32.exeC:\Windows\system32\Qlhnbf32.exe92⤵PID:2288
-
C:\Windows\SysWOW64\Qnfjna32.exeC:\Windows\system32\Qnfjna32.exe93⤵PID:1232
-
C:\Windows\SysWOW64\Qaefjm32.exeC:\Windows\system32\Qaefjm32.exe94⤵PID:2704
-
C:\Windows\SysWOW64\Qdccfh32.exeC:\Windows\system32\Qdccfh32.exe95⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Qljkhe32.exeC:\Windows\system32\Qljkhe32.exe96⤵PID:1868
-
C:\Windows\SysWOW64\Qmlgonbe.exeC:\Windows\system32\Qmlgonbe.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Qagcpljo.exeC:\Windows\system32\Qagcpljo.exe98⤵PID:1308
-
C:\Windows\SysWOW64\Ahakmf32.exeC:\Windows\system32\Ahakmf32.exe99⤵PID:300
-
C:\Windows\SysWOW64\Afdlhchf.exeC:\Windows\system32\Afdlhchf.exe100⤵PID:1684
-
C:\Windows\SysWOW64\Amndem32.exeC:\Windows\system32\Amndem32.exe101⤵PID:2728
-
C:\Windows\SysWOW64\Aplpai32.exeC:\Windows\system32\Aplpai32.exe102⤵PID:1904
-
C:\Windows\SysWOW64\Adhlaggp.exeC:\Windows\system32\Adhlaggp.exe103⤵PID:1676
-
C:\Windows\SysWOW64\Aiedjneg.exeC:\Windows\system32\Aiedjneg.exe104⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Aalmklfi.exeC:\Windows\system32\Aalmklfi.exe105⤵PID:2424
-
C:\Windows\SysWOW64\Adjigg32.exeC:\Windows\system32\Adjigg32.exe106⤵PID:1256
-
C:\Windows\SysWOW64\Afiecb32.exeC:\Windows\system32\Afiecb32.exe107⤵PID:320
-
C:\Windows\SysWOW64\Aigaon32.exeC:\Windows\system32\Aigaon32.exe108⤵PID:1556
-
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe109⤵PID:2044
-
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe110⤵
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Aenbdoii.exeC:\Windows\system32\Aenbdoii.exe111⤵PID:1640
-
C:\Windows\SysWOW64\Amejeljk.exeC:\Windows\system32\Amejeljk.exe112⤵
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\Apcfahio.exeC:\Windows\system32\Apcfahio.exe113⤵PID:2660
-
C:\Windows\SysWOW64\Abbbnchb.exeC:\Windows\system32\Abbbnchb.exe114⤵PID:2748
-
C:\Windows\SysWOW64\Afmonbqk.exeC:\Windows\system32\Afmonbqk.exe115⤵PID:1288
-
C:\Windows\SysWOW64\Ailkjmpo.exeC:\Windows\system32\Ailkjmpo.exe116⤵PID:1212
-
C:\Windows\SysWOW64\Ahokfj32.exeC:\Windows\system32\Ahokfj32.exe117⤵
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe118⤵PID:2512
-
C:\Windows\SysWOW64\Bbdocc32.exeC:\Windows\system32\Bbdocc32.exe119⤵PID:2340
-
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe120⤵PID:2652
-
C:\Windows\SysWOW64\Bhahlj32.exeC:\Windows\system32\Bhahlj32.exe121⤵PID:1428
-
C:\Windows\SysWOW64\Bkodhe32.exeC:\Windows\system32\Bkodhe32.exe122⤵PID:884
-
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe123⤵PID:1772
-
C:\Windows\SysWOW64\Baildokg.exeC:\Windows\system32\Baildokg.exe124⤵PID:2716
-
C:\Windows\SysWOW64\Beehencq.exeC:\Windows\system32\Beehencq.exe125⤵PID:2284
-
C:\Windows\SysWOW64\Bhcdaibd.exeC:\Windows\system32\Bhcdaibd.exe126⤵PID:2064
-
C:\Windows\SysWOW64\Bommnc32.exeC:\Windows\system32\Bommnc32.exe127⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1408 -
C:\Windows\SysWOW64\Balijo32.exeC:\Windows\system32\Balijo32.exe128⤵PID:2356
-
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Bhfagipa.exeC:\Windows\system32\Bhfagipa.exe130⤵PID:2976
-
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe131⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Bopicc32.exeC:\Windows\system32\Bopicc32.exe132⤵PID:2524
-
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe133⤵PID:2484
-
C:\Windows\SysWOW64\Bdlblj32.exeC:\Windows\system32\Bdlblj32.exe134⤵PID:2388
-
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe135⤵PID:2920
-
C:\Windows\SysWOW64\Bkfjhd32.exeC:\Windows\system32\Bkfjhd32.exe136⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe137⤵PID:1404
-
C:\Windows\SysWOW64\Bnefdp32.exeC:\Windows\system32\Bnefdp32.exe138⤵PID:2336
-
C:\Windows\SysWOW64\Bpcbqk32.exeC:\Windows\system32\Bpcbqk32.exe139⤵PID:2052
-
C:\Windows\SysWOW64\Bcaomf32.exeC:\Windows\system32\Bcaomf32.exe140⤵PID:2948
-
C:\Windows\SysWOW64\Cgmkmecg.exeC:\Windows\system32\Cgmkmecg.exe141⤵PID:296
-
C:\Windows\SysWOW64\Cjlgiqbk.exeC:\Windows\system32\Cjlgiqbk.exe142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1008 -
C:\Windows\SysWOW64\Cljcelan.exeC:\Windows\system32\Cljcelan.exe143⤵PID:1956
-
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe144⤵PID:2240
-
C:\Windows\SysWOW64\Cdakgibq.exeC:\Windows\system32\Cdakgibq.exe145⤵PID:2820
-
C:\Windows\SysWOW64\Cgpgce32.exeC:\Windows\system32\Cgpgce32.exe146⤵PID:108
-
C:\Windows\SysWOW64\Cfbhnaho.exeC:\Windows\system32\Cfbhnaho.exe147⤵PID:544
-
C:\Windows\SysWOW64\Cnippoha.exeC:\Windows\system32\Cnippoha.exe148⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Cllpkl32.exeC:\Windows\system32\Cllpkl32.exe149⤵PID:1260
-
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe150⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Ccfhhffh.exeC:\Windows\system32\Ccfhhffh.exe151⤵PID:800
-
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe152⤵PID:980
-
C:\Windows\SysWOW64\Cjpqdp32.exeC:\Windows\system32\Cjpqdp32.exe153⤵PID:2852
-
C:\Windows\SysWOW64\Chcqpmep.exeC:\Windows\system32\Chcqpmep.exe154⤵PID:1656
-
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe155⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Cciemedf.exeC:\Windows\system32\Cciemedf.exe156⤵PID:756
-
C:\Windows\SysWOW64\Cbkeib32.exeC:\Windows\system32\Cbkeib32.exe157⤵PID:2708
-
C:\Windows\SysWOW64\Cjbmjplb.exeC:\Windows\system32\Cjbmjplb.exe158⤵PID:584
-
C:\Windows\SysWOW64\Chemfl32.exeC:\Windows\system32\Chemfl32.exe159⤵PID:1216
-
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe160⤵PID:2268
-
C:\Windows\SysWOW64\Copfbfjj.exeC:\Windows\system32\Copfbfjj.exe161⤵PID:2608
-
C:\Windows\SysWOW64\Cbnbobin.exeC:\Windows\system32\Cbnbobin.exe162⤵PID:2692
-
C:\Windows\SysWOW64\Cfinoq32.exeC:\Windows\system32\Cfinoq32.exe163⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Chhjkl32.exeC:\Windows\system32\Chhjkl32.exe164⤵PID:324
-
C:\Windows\SysWOW64\Clcflkic.exeC:\Windows\system32\Clcflkic.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe166⤵PID:2956
-
C:\Windows\SysWOW64\Cndbcc32.exeC:\Windows\system32\Cndbcc32.exe167⤵PID:2520
-
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe168⤵PID:1128
-
C:\Windows\SysWOW64\Ddokpmfo.exeC:\Windows\system32\Ddokpmfo.exe169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Dgmglh32.exeC:\Windows\system32\Dgmglh32.exe170⤵PID:2848
-
C:\Windows\SysWOW64\Dodonf32.exeC:\Windows\system32\Dodonf32.exe171⤵PID:2072
-
C:\Windows\SysWOW64\Dngoibmo.exeC:\Windows\system32\Dngoibmo.exe172⤵PID:1576
-
C:\Windows\SysWOW64\Dqelenlc.exeC:\Windows\system32\Dqelenlc.exe173⤵PID:356
-
C:\Windows\SysWOW64\Ddagfm32.exeC:\Windows\system32\Ddagfm32.exe174⤵PID:944
-
C:\Windows\SysWOW64\Dhmcfkme.exeC:\Windows\system32\Dhmcfkme.exe175⤵PID:2140
-
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe176⤵PID:1840
-
C:\Windows\SysWOW64\Dnilobkm.exeC:\Windows\system32\Dnilobkm.exe177⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Dqhhknjp.exeC:\Windows\system32\Dqhhknjp.exe178⤵PID:2412
-
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe179⤵PID:2352
-
C:\Windows\SysWOW64\Dgaqgh32.exeC:\Windows\system32\Dgaqgh32.exe180⤵PID:2488
-
C:\Windows\SysWOW64\Dkmmhf32.exeC:\Windows\system32\Dkmmhf32.exe181⤵PID:404
-
C:\Windows\SysWOW64\Dnlidb32.exeC:\Windows\system32\Dnlidb32.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Dmoipopd.exeC:\Windows\system32\Dmoipopd.exe183⤵PID:2588
-
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Dchali32.exeC:\Windows\system32\Dchali32.exe185⤵PID:2808
-
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe186⤵PID:2760
-
C:\Windows\SysWOW64\Djbiicon.exeC:\Windows\system32\Djbiicon.exe187⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Dmafennb.exeC:\Windows\system32\Dmafennb.exe188⤵PID:1608
-
C:\Windows\SysWOW64\Dqlafm32.exeC:\Windows\system32\Dqlafm32.exe189⤵PID:3100
-
C:\Windows\SysWOW64\Dcknbh32.exeC:\Windows\system32\Dcknbh32.exe190⤵PID:3140
-
C:\Windows\SysWOW64\Dfijnd32.exeC:\Windows\system32\Dfijnd32.exe191⤵PID:3180
-
C:\Windows\SysWOW64\Djefobmk.exeC:\Windows\system32\Djefobmk.exe192⤵PID:3220
-
C:\Windows\SysWOW64\Emcbkn32.exeC:\Windows\system32\Emcbkn32.exe193⤵
- Modifies registry class
PID:3260 -
C:\Windows\SysWOW64\Eqonkmdh.exeC:\Windows\system32\Eqonkmdh.exe194⤵PID:3300
-
C:\Windows\SysWOW64\Epaogi32.exeC:\Windows\system32\Epaogi32.exe195⤵PID:3340
-
C:\Windows\SysWOW64\Ebpkce32.exeC:\Windows\system32\Ebpkce32.exe196⤵
- Drops file in System32 directory
PID:3380 -
C:\Windows\SysWOW64\Eflgccbp.exeC:\Windows\system32\Eflgccbp.exe197⤵PID:3420
-
C:\Windows\SysWOW64\Eijcpoac.exeC:\Windows\system32\Eijcpoac.exe198⤵PID:3460
-
C:\Windows\SysWOW64\Ekholjqg.exeC:\Windows\system32\Ekholjqg.exe199⤵PID:3504
-
C:\Windows\SysWOW64\Epdkli32.exeC:\Windows\system32\Epdkli32.exe200⤵PID:3544
-
C:\Windows\SysWOW64\Ecpgmhai.exeC:\Windows\system32\Ecpgmhai.exe201⤵PID:3584
-
C:\Windows\SysWOW64\Efncicpm.exeC:\Windows\system32\Efncicpm.exe202⤵PID:3624
-
C:\Windows\SysWOW64\Eilpeooq.exeC:\Windows\system32\Eilpeooq.exe203⤵PID:3664
-
C:\Windows\SysWOW64\Ekklaj32.exeC:\Windows\system32\Ekklaj32.exe204⤵PID:3704
-
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe205⤵PID:3744
-
C:\Windows\SysWOW64\Efppoc32.exeC:\Windows\system32\Efppoc32.exe206⤵PID:3784
-
C:\Windows\SysWOW64\Eecqjpee.exeC:\Windows\system32\Eecqjpee.exe207⤵PID:3824
-
C:\Windows\SysWOW64\Egamfkdh.exeC:\Windows\system32\Egamfkdh.exe208⤵PID:3864
-
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe209⤵PID:3904
-
C:\Windows\SysWOW64\Enkece32.exeC:\Windows\system32\Enkece32.exe210⤵PID:3944
-
C:\Windows\SysWOW64\Eajaoq32.exeC:\Windows\system32\Eajaoq32.exe211⤵
- Modifies registry class
PID:3984 -
C:\Windows\SysWOW64\Eiaiqn32.exeC:\Windows\system32\Eiaiqn32.exe212⤵PID:4024
-
C:\Windows\SysWOW64\Egdilkbf.exeC:\Windows\system32\Egdilkbf.exe213⤵PID:4064
-
C:\Windows\SysWOW64\Ejbfhfaj.exeC:\Windows\system32\Ejbfhfaj.exe214⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe215⤵PID:3128
-
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe216⤵PID:3164
-
C:\Windows\SysWOW64\Fehjeo32.exeC:\Windows\system32\Fehjeo32.exe217⤵PID:3232
-
C:\Windows\SysWOW64\Fhffaj32.exeC:\Windows\system32\Fhffaj32.exe218⤵PID:3240
-
C:\Windows\SysWOW64\Fjdbnf32.exeC:\Windows\system32\Fjdbnf32.exe219⤵PID:3272
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe220⤵PID:3388
-
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe221⤵PID:3440
-
C:\Windows\SysWOW64\Fcmgfkeg.exeC:\Windows\system32\Fcmgfkeg.exe222⤵PID:3484
-
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe223⤵
- Modifies registry class
PID:3528 -
C:\Windows\SysWOW64\Fjgoce32.exeC:\Windows\system32\Fjgoce32.exe224⤵PID:3580
-
C:\Windows\SysWOW64\Fmekoalh.exeC:\Windows\system32\Fmekoalh.exe225⤵PID:3596
-
C:\Windows\SysWOW64\Fpdhklkl.exeC:\Windows\system32\Fpdhklkl.exe226⤵PID:3644
-
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe227⤵PID:3728
-
C:\Windows\SysWOW64\Ffnphf32.exeC:\Windows\system32\Ffnphf32.exe228⤵PID:3780
-
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe229⤵PID:3832
-
C:\Windows\SysWOW64\Facdeo32.exeC:\Windows\system32\Facdeo32.exe230⤵
- Drops file in System32 directory
PID:3880 -
C:\Windows\SysWOW64\Fpfdalii.exeC:\Windows\system32\Fpfdalii.exe231⤵PID:3928
-
C:\Windows\SysWOW64\Fbdqmghm.exeC:\Windows\system32\Fbdqmghm.exe232⤵
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe233⤵PID:4032
-
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe234⤵PID:4084
-
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe235⤵PID:3120
-
C:\Windows\SysWOW64\Fphafl32.exeC:\Windows\system32\Fphafl32.exe236⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3172 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe237⤵PID:3192
-
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe238⤵PID:3296
-
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe239⤵PID:3368
-
C:\Windows\SysWOW64\Fmlapp32.exeC:\Windows\system32\Fmlapp32.exe240⤵PID:3428
-
C:\Windows\SysWOW64\Gpknlk32.exeC:\Windows\system32\Gpknlk32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3512 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe242⤵PID:3556