Analysis
-
max time kernel
141s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
13/05/2024, 22:52
Static task
static1
Behavioral task
behavioral1
Sample
783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe
Resource
win10v2004-20240508-en
General
-
Target
783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe
-
Size
385KB
-
MD5
954f10b919d66b6ab21cc78283a2b773
-
SHA1
846ce96d20e54d4c4c26b6c76c17ab7c91c328e1
-
SHA256
783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d
-
SHA512
204c525d3001bd612c58129416aaf9596a8135dfdee43dc1379b457b1576d7a980ff61e2bb807346636c62d7816c628385e32ea25bd531cc50f90610371f0983
-
SSDEEP
12288:i/y59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SL:sy7oWypy7o3y7Ey7oAy7oZyUy7o
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcaiiejc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpcca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lljipmdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiigiab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joggci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blipno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdegfn32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqaode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fobkfqpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmaijdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhffnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efppqoil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amoibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eepmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfpel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnefhpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injqmdki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgoime32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldbkbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeggbbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hanogipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
Neiaeiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joppeeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpikik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maanab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhljkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbobkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedhgj32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojipjcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmcmgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcppidk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goldfelp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpaom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmkfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogfqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joppeeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbmeifk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqhepeai.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hafock32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cogfqe32.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
resource yara_rule behavioral1/files/0x0006000000016c23-144.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d01-196.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d24-210.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2720-233-0x0000000000400000-0x000000000048B000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d4f-235.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d41-226.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016cd4-181.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016ca9-166.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016c10-137.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016b5e-122.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000600000001663d-109.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016476-96.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016283-83.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016042-70.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000900000001560a-55.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0007000000015c2f-42.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00090000000155e2-28.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000b000000014fe1-14.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016d84-246.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000016e56-257.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000017090-268.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/1852-277-0x0000000000400000-0x000000000048B000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000018698-279.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018ae2-291.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/3036-306-0x0000000000400000-0x000000000048B000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018b15-299.dat 
INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018b37-314.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018b4a-323.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2928-322-0x0000000000400000-0x000000000048B000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018b73-334.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0006000000018ba2-342.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000192c9-358.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001939b-387.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019368-368.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2476-373-0x0000000000400000-0x000000000048B000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001931b-364.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019410-401.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001946f-411.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019485-427.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00040000000194d6-433.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00040000000194dc-438.dat INDICATOR_EXE_Packed_MPress behavioral1/memory/2312-443-0x0000000000400000-0x000000000048B000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000194ea-457.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000194ef-469.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000194f4-480.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019521-492.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019570-501.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001959e-511.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195a4-522.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195a7-536.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195a9-545.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x00050000000195ba-559.dat 
INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019646-570.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001996e-574.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019bd7-592.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019bef-601.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019ce6-614.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019d59-624.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x0005000000019f60-634.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a013-643.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a3c2-657.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a3c8-666.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a3d4-677.dat INDICATOR_EXE_Packed_MPress behavioral1/files/0x000500000001a429-682.dat INDICATOR_EXE_Packed_MPress -
Executes dropped EXE 64 IoCs
pid Process 2248 Fafcdh32.exe 2844 Gcglec32.exe 2480 Hafock32.exe 2516 Hjcmgp32.exe 1344 Hlffdh32.exe 2364 Iggned32.exe 2988 Jliohkak.exe 1952 Jlpeij32.exe 1432 Jhffnk32.exe 1488 Kklikejc.exe 2032 Kgbipf32.exe 860 Lmbonmll.exe 1796 Lihobnap.exe 1756 Liklhmom.exe 1956 Lgpiij32.exe 2720 Lipecm32.exe 632 Mgebdipp.exe 1288 Meicnm32.exe 1988 Pdldnomh.exe 1852 Aeggbbci.exe 1624 Affdle32.exe 3036 Bnhoag32.exe 2732 Bgqcjlhp.exe 2928 Baigca32.exe 1764 Chnbcpmn.exe 2940 Cedpbd32.exe 1612 Ckahkk32.exe 1324 Dcfpel32.exe 2476 Dhbhmb32.exe 2572 Dchmkkkj.exe 2556 Ddiibc32.exe 2328 Fbmfkkbm.exe 2856 Fcmben32.exe 2312 Ggcaiqhj.exe 460 Gcjbna32.exe 1124 Gqnbhf32.exe 1648 Gjfgqk32.exe 2192 Gildahhp.exe 952 Hibjbgbh.exe 2576 Hanogipc.exe 2028 Helgmg32.exe 2280 Hjipenda.exe 2588 Hmglajcd.exe 2648 Imiigiab.exe 1100 Iplnnd32.exe 1564 Ilcoce32.exe 920 Jabdql32.exe 1548 Jhlmmfef.exe 3000 Jaeafklf.exe 2260 Jhafhe32.exe 2888 Jnnnalph.exe 2268 Jjdofm32.exe 1692 Kcmcoblm.exe 2236 Klehgh32.exe 1540 Klhemhpk.exe 2484 Kcamjb32.exe 2504 Khoebi32.exe 2452 Kdefgj32.exe 2188 Kkoncdcp.exe 576 Kfebambf.exe 944 Lqncaj32.exe 1932 Lbnpkmfg.exe 2592 Lgkhdddo.exe 1772 Lcaiiejc.exe -
Loads dropped DLL 64 IoCs
pid Process 2804 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe 2804 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe 2248 Fafcdh32.exe 2248 Fafcdh32.exe 2844 Gcglec32.exe 2844 Gcglec32.exe 2480 Hafock32.exe 2480 Hafock32.exe 2516 Hjcmgp32.exe 2516 Hjcmgp32.exe 1344 Hlffdh32.exe 1344 Hlffdh32.exe 2364 Iggned32.exe 2364 Iggned32.exe 2988 Jliohkak.exe 2988 Jliohkak.exe 1952 Jlpeij32.exe 1952 Jlpeij32.exe 1432 Jhffnk32.exe 1432 Jhffnk32.exe 1488 Kklikejc.exe 1488 Kklikejc.exe 2032 Kgbipf32.exe 2032 Kgbipf32.exe 860 Lmbonmll.exe 860 Lmbonmll.exe 1796 Lihobnap.exe 1796 Lihobnap.exe 1756 Liklhmom.exe 1756 Liklhmom.exe 1956 Lgpiij32.exe 1956 Lgpiij32.exe 2720 Lipecm32.exe 2720 Lipecm32.exe 632 Mgebdipp.exe 632 Mgebdipp.exe 1288 Meicnm32.exe 1288 Meicnm32.exe 1988 Pdldnomh.exe 1988 Pdldnomh.exe 1852 Aeggbbci.exe 1852 Aeggbbci.exe 1624 Affdle32.exe 1624 Affdle32.exe 3036 Bnhoag32.exe 3036 Bnhoag32.exe 2732 Bgqcjlhp.exe 2732 Bgqcjlhp.exe 2928 Baigca32.exe 2928 Baigca32.exe 1764 Chnbcpmn.exe 1764 Chnbcpmn.exe 2940 Cedpbd32.exe 2940 Cedpbd32.exe 1612 Ckahkk32.exe 1612 Ckahkk32.exe 1324 Dcfpel32.exe 1324 Dcfpel32.exe 2476 Dhbhmb32.exe 2476 Dhbhmb32.exe 2572 Dchmkkkj.exe 2572 Dchmkkkj.exe 2556 Ddiibc32.exe 2556 Ddiibc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nfnidhlj.dll Fkhibino.exe File opened for modification C:\Windows\SysWOW64\Fobkfqpo.exe Fopnpaba.exe File created C:\Windows\SysWOW64\Jcmfjeap.dll Eddjhb32.exe File created C:\Windows\SysWOW64\Fkhibino.exe Foahmh32.exe File created C:\Windows\SysWOW64\Jhlmmfef.exe Jabdql32.exe File opened for modification C:\Windows\SysWOW64\Jikeeh32.exe Iihiphln.exe File opened for modification C:\Windows\SysWOW64\Kdkelolf.exe Jhdegn32.exe File opened for modification C:\Windows\SysWOW64\Bgqcjlhp.exe Bnhoag32.exe File created C:\Windows\SysWOW64\Bcbonpco.dll Jpbcek32.exe File created C:\Windows\SysWOW64\Dkjgfien.dll Joppeeif.exe File opened for modification C:\Windows\SysWOW64\Mphiqbon.exe Lgpdglhn.exe File created C:\Windows\SysWOW64\Mejlalji.exe Mkaghg32.exe File created C:\Windows\SysWOW64\Hcgjmo32.exe Hnjbeh32.exe File opened for modification C:\Windows\SysWOW64\Hjcppidk.exe Hpnkbpdd.exe File created C:\Windows\SysWOW64\Kcnfobob.dll Lfoojj32.exe File created C:\Windows\SysWOW64\Ojmpooah.exe Opglafab.exe File created C:\Windows\SysWOW64\Enemcbio.dll Ofhjopbg.exe File created C:\Windows\SysWOW64\Pajhnb32.dll Enneln32.exe File created C:\Windows\SysWOW64\Dolpccdl.dll Hafock32.exe File opened for modification C:\Windows\SysWOW64\Fcmben32.exe Fbmfkkbm.exe File opened for modification C:\Windows\SysWOW64\Qkghgpfi.exe Pblcbn32.exe File created C:\Windows\SysWOW64\Bnfifeml.dll Emdmjamj.exe File created C:\Windows\SysWOW64\Dcdeed32.dll Ocefpnom.exe File created C:\Windows\SysWOW64\Fogdap32.exe Fbpclofe.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jmkmjoec.exe File opened for modification C:\Windows\SysWOW64\Eogmcjef.exe Eeohkeoe.exe File opened for modification C:\Windows\SysWOW64\Ghdgfbkl.exe Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Hnjbeh32.exe Hnheohcl.exe File opened for modification C:\Windows\SysWOW64\Alqnah32.exe Adifpk32.exe File created C:\Windows\SysWOW64\Qopmpa32.dll Apppkekc.exe File created 
C:\Windows\SysWOW64\Njfaognh.dll Fhdmph32.exe File created C:\Windows\SysWOW64\Olophhjd.exe Ohagbj32.exe File opened for modification C:\Windows\SysWOW64\Nojnql32.exe Nbfnggeo.exe File created C:\Windows\SysWOW64\Qoblpdnf.dll Adifpk32.exe File created C:\Windows\SysWOW64\Hjfdcidn.dll Aompambg.exe File created C:\Windows\SysWOW64\Gpmdcijc.dll Alaqjaaa.exe File created C:\Windows\SysWOW64\Lcobciom.dll Ofafgipc.exe File opened for modification C:\Windows\SysWOW64\Mkacfiga.exe Mgcjpkak.exe File created C:\Windows\SysWOW64\Ghoijebj.exe Fogdap32.exe File created C:\Windows\SysWOW64\Ojeobm32.exe Ojbbmnhc.exe File created C:\Windows\SysWOW64\Cffajc32.dll Nndemg32.exe File created C:\Windows\SysWOW64\Padccpal.exe Paafmp32.exe File created C:\Windows\SysWOW64\Klehgh32.exe Kcmcoblm.exe File created C:\Windows\SysWOW64\Kfebambf.exe Kkoncdcp.exe File created C:\Windows\SysWOW64\Maojpk32.dll Lbnpkmfg.exe File created C:\Windows\SysWOW64\Cceell32.dll Qcachc32.exe File created C:\Windows\SysWOW64\Aedlhg32.exe Aebobgmi.exe File created C:\Windows\SysWOW64\Bepejfpc.dll Iggned32.exe File created C:\Windows\SysWOW64\Mgcjpkak.exe Mdendpbg.exe File opened for modification C:\Windows\SysWOW64\Fmdbnnlj.exe Famaimfe.exe File created C:\Windows\SysWOW64\Gbnbjo32.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Cmedlk32.exe Cenljmgq.exe File created C:\Windows\SysWOW64\Hannfn32.dll Qmhahkdj.exe File opened for modification C:\Windows\SysWOW64\Mjkibehc.exe Mkacfiga.exe File created C:\Windows\SysWOW64\Mkgpnd32.dll Lgkhdddo.exe File created C:\Windows\SysWOW64\Nhokmehl.dll Gjfgqk32.exe File opened for modification C:\Windows\SysWOW64\Jjdofm32.exe Jnnnalph.exe File opened for modification C:\Windows\SysWOW64\Qbafalph.exe Qdlipplq.exe File created C:\Windows\SysWOW64\Bedhgj32.exe Bkkgfm32.exe File opened for modification C:\Windows\SysWOW64\Ldhgnk32.exe Klmbjh32.exe File opened for modification C:\Windows\SysWOW64\Meicnm32.exe Mgebdipp.exe File created C:\Windows\SysWOW64\Coacbfii.exe 
Bfioia32.exe File created C:\Windows\SysWOW64\Mnmpdlac.exe Lbfook32.exe File created C:\Windows\SysWOW64\Mdmckc32.dll Ghibjjnk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3636 1136 WerFault.exe 567 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgnadkic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll" Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpijbip.dll" Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgkocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Palpneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjklb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boleejag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paiche32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chnbcpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ 
= "C:\\Windows\\SysWow64\\Jagjihoe.dll" Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Accqnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldhgnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apkihofl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlffdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgoelh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njchfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" Kmfpmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joggci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammbof32.dll" Ohbikbkb.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dilchhgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfkimhhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaeoe32.dll" Hmglajcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblcge32.dll" Fopnpaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdobdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gildahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhjag32.dll" Ghdgfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll" Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmocbnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcpccaf.dll" Qjgjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmnap32.dll" Hinbppna.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll" Jjjdhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olbfagca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjhmcok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dljmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojeobm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqaiph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjbclamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpodcba.dll" Dchmkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmfaj32.dll" Ojblbgdg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hokjkbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmip32.dll" Ifbaapfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpidibpf.dll" Kflafbak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnpkjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbfnjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmmabb32.dll" Kbbobkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodcmd32.dll" Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imglhaji.dll" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmeoijkk.dll" Nnjklb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihjolae.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flfkoeoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiobie32.dll" Jacibm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpiij32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2804 wrote to memory of 2248 2804 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe 28 PID 2804 wrote to memory of 2248 2804 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe 28 PID 2804 wrote to memory of 2248 2804 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe 28 PID 2804 wrote to memory of 2248 2804 783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe 28 PID 2248 wrote to memory of 2844 2248 Fafcdh32.exe 29 PID 2248 wrote to memory of 2844 2248 Fafcdh32.exe 29 PID 2248 wrote to memory of 2844 2248 Fafcdh32.exe 29 PID 2248 wrote to memory of 2844 2248 Fafcdh32.exe 29 PID 2844 wrote to memory of 2480 2844 Gcglec32.exe 30 PID 2844 wrote to memory of 2480 2844 Gcglec32.exe 30 PID 2844 wrote to memory of 2480 2844 Gcglec32.exe 30 PID 2844 wrote to memory of 2480 2844 Gcglec32.exe 30 PID 2480 wrote to memory of 2516 2480 Hafock32.exe 31 PID 2480 wrote to memory of 2516 2480 Hafock32.exe 31 PID 2480 wrote to memory of 2516 2480 Hafock32.exe 31 PID 2480 wrote to memory of 2516 2480 Hafock32.exe 31 PID 2516 wrote to memory of 1344 2516 Hjcmgp32.exe 32 PID 2516 wrote to memory of 1344 2516 Hjcmgp32.exe 32 PID 2516 wrote to memory of 1344 2516 Hjcmgp32.exe 32 PID 2516 wrote to memory of 1344 2516 Hjcmgp32.exe 32 PID 1344 wrote to memory of 2364 1344 Hlffdh32.exe 33 PID 1344 wrote to memory of 2364 1344 Hlffdh32.exe 33 PID 1344 wrote to memory of 2364 1344 Hlffdh32.exe 33 PID 1344 wrote to memory of 2364 1344 Hlffdh32.exe 33 PID 2364 wrote to memory of 2988 2364 Iggned32.exe 34 PID 2364 wrote to memory of 2988 2364 Iggned32.exe 34 PID 2364 wrote to memory of 2988 2364 Iggned32.exe 34 PID 2364 wrote to memory of 2988 2364 Iggned32.exe 34 PID 2988 wrote to memory of 1952 2988 Jliohkak.exe 35 PID 2988 wrote to memory of 1952 2988 Jliohkak.exe 35 PID 2988 wrote to memory of 1952 2988 Jliohkak.exe 35 PID 2988 wrote to memory of 1952 2988 Jliohkak.exe 35 PID 1952 
wrote to memory of 1432 1952 Jlpeij32.exe 36 PID 1952 wrote to memory of 1432 1952 Jlpeij32.exe 36 PID 1952 wrote to memory of 1432 1952 Jlpeij32.exe 36 PID 1952 wrote to memory of 1432 1952 Jlpeij32.exe 36 PID 1432 wrote to memory of 1488 1432 Jhffnk32.exe 37 PID 1432 wrote to memory of 1488 1432 Jhffnk32.exe 37 PID 1432 wrote to memory of 1488 1432 Jhffnk32.exe 37 PID 1432 wrote to memory of 1488 1432 Jhffnk32.exe 37 PID 1488 wrote to memory of 2032 1488 Kklikejc.exe 38 PID 1488 wrote to memory of 2032 1488 Kklikejc.exe 38 PID 1488 wrote to memory of 2032 1488 Kklikejc.exe 38 PID 1488 wrote to memory of 2032 1488 Kklikejc.exe 38 PID 2032 wrote to memory of 860 2032 Kgbipf32.exe 39 PID 2032 wrote to memory of 860 2032 Kgbipf32.exe 39 PID 2032 wrote to memory of 860 2032 Kgbipf32.exe 39 PID 2032 wrote to memory of 860 2032 Kgbipf32.exe 39 PID 860 wrote to memory of 1796 860 Lmbonmll.exe 40 PID 860 wrote to memory of 1796 860 Lmbonmll.exe 40 PID 860 wrote to memory of 1796 860 Lmbonmll.exe 40 PID 860 wrote to memory of 1796 860 Lmbonmll.exe 40 PID 1796 wrote to memory of 1756 1796 Lihobnap.exe 41 PID 1796 wrote to memory of 1756 1796 Lihobnap.exe 41 PID 1796 wrote to memory of 1756 1796 Lihobnap.exe 41 PID 1796 wrote to memory of 1756 1796 Lihobnap.exe 41 PID 1756 wrote to memory of 1956 1756 Liklhmom.exe 42 PID 1756 wrote to memory of 1956 1756 Liklhmom.exe 42 PID 1756 wrote to memory of 1956 1756 Liklhmom.exe 42 PID 1756 wrote to memory of 1956 1756 Liklhmom.exe 42 PID 1956 wrote to memory of 2720 1956 Lgpiij32.exe 43 PID 1956 wrote to memory of 2720 1956 Lgpiij32.exe 43 PID 1956 wrote to memory of 2720 1956 Lgpiij32.exe 43 PID 1956 wrote to memory of 2720 1956 Lgpiij32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe"C:\Users\Admin\AppData\Local\Temp\783d099281c7808292adc6ff0b861987c2719b007cd0786733348d798f10321d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:632 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe34⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe35⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe36⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe37⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe40⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe42⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe43⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe46⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe49⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe50⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe51⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe53⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe55⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe56⤵PID:3056
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe57⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe58⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe59⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe60⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe62⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe63⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe67⤵PID:1168
-
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe68⤵PID:1368
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe69⤵
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe70⤵PID:940
-
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe71⤵PID:2960
-
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe72⤵PID:2744
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe73⤵PID:1748
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe74⤵PID:1048
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe75⤵PID:1700
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe76⤵PID:2208
-
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1072 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe78⤵PID:2688
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe79⤵PID:872
-
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe80⤵PID:1784
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe81⤵PID:1608
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe82⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe83⤵PID:2436
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe84⤵PID:2360
-
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe85⤵PID:2692
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe86⤵PID:2776
-
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe87⤵PID:2496
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe88⤵PID:324
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe89⤵PID:1320
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe90⤵
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe91⤵PID:948
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:764 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe93⤵PID:3020
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe94⤵PID:1688
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe95⤵PID:2168
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe96⤵PID:1708
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe97⤵PID:1632
-
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe98⤵PID:1064
-
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe99⤵PID:2748
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe100⤵PID:2112
-
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe101⤵PID:1964
-
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe102⤵PID:832
-
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe103⤵PID:1436
-
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe104⤵PID:1164
-
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe105⤵PID:2128
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe106⤵PID:2440
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe107⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe108⤵PID:2640
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe109⤵PID:2096
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe111⤵
- Modifies registry class
PID:760 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe112⤵PID:552
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe113⤵PID:1108
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe114⤵PID:2384
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe115⤵PID:2012
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe116⤵PID:884
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe117⤵PID:2276
-
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe118⤵PID:1844
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe119⤵PID:980
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe120⤵PID:368
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe121⤵PID:1120
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe122⤵PID:1536