Analysis
max time kernel: 144s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 23:29
Static task: static1
Behavioral task: behavioral1
  Sample: 71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6.exe
  Resource: win10v2004-20240426-en
General
Target: 71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6.exe
Size: 163KB
MD5: 2ef6f2ab3dda1ecab6f96e20c8ea47f2
SHA1: 2dd3dc91a6b1fc70065a965f8164ee0413dea487
SHA256: 71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6
SHA512: 76147da5f3eb5c5ebe408011e89c6cae709f8df2cb502d25aa1f2de7fac04c9cd64369ac155f6b932248d123bc018a2dc42bb8b9f91f45c713e0387d777c1f09
SSDEEP: 1536:PiML+CBIuD7bJmw2vF9b+Pom4enxtasJzlProNVU4qNVUrk/9QbfBr+7GwKrPAsf:KMicD/JcvF9W+tsJzltOrWKDBr+yJb
Malware Config
Extracted: gozi
Signatures
Adds autorun key to be loaded by Explorer.exe on startup: 2 TTPs, 64 IoCs
Detects executables built or packed with MPress PE compressor: 64 IoCs
UPX dump on OEP (original entry point): 64 IoCs
Executes dropped EXE: 64 IoCs
Loads dropped DLL: 64 IoCs
Drops file in System32 directory: 64 IoCs
Program crash: 1 IoC
Processes: WerFault.exe (pid 3524), target process Lepaccmo.exe (pid_target 3476)
Modifies registry class: 64 IoCs
= "C:\\Windows\\SysWow64\\Jofial32.dll" Ljnqdhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjjnhnbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjigmkld.dll" Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljlbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclknm32.dll" Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onepbd32.dll" Dpklkgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcaha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emdmjamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdqap32.dll" Ecfnmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnnbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 
Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmadeed.dll" Dokfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiodpjni.dll" Jmlddeio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgiaefgg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6.exe, Injndk32.exe, Idkpganf.exe, Jaoqqflp.exe, Jdpjba32.exe, Jpigma32.exe, Jbjpom32.exe, Koaqcn32.exe, Kdpfadlm.exe, Knhjjj32.exe, Lonpma32.exe, Loqmba32.exe, Lcofio32.exe, Lkjjma32.exe, Lgqkbb32.exe, Mqklqhpg.exe
description | pid | process | target process (each row below is recorded 4 times in the report, 64 IoCs in total)
PID 2148 wrote to memory of 548 | 2148 | 71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6.exe | Injndk32.exe
PID 548 wrote to memory of 2736 | 548 | Injndk32.exe | Idkpganf.exe
PID 2736 wrote to memory of 1108 | 2736 | Idkpganf.exe | Jaoqqflp.exe
PID 1108 wrote to memory of 2868 | 1108 | Jaoqqflp.exe | Jdpjba32.exe
PID 2868 wrote to memory of 1872 | 2868 | Jdpjba32.exe | Jpigma32.exe
PID 1872 wrote to memory of 2556 | 1872 | Jpigma32.exe | Jbjpom32.exe
PID 2556 wrote to memory of 2572 | 2556 | Jbjpom32.exe | Koaqcn32.exe
PID 2572 wrote to memory of 2684 | 2572 | Koaqcn32.exe | Kdpfadlm.exe
PID 2684 wrote to memory of 2848 | 2684 | Kdpfadlm.exe | Knhjjj32.exe
PID 2848 wrote to memory of 2444 | 2848 | Knhjjj32.exe | Lonpma32.exe
PID 2444 wrote to memory of 2128 | 2444 | Lonpma32.exe | Loqmba32.exe
PID 2128 wrote to memory of 2176 | 2128 | Loqmba32.exe | Lcofio32.exe
PID 2176 wrote to memory of 1080 | 2176 | Lcofio32.exe | Lkjjma32.exe
PID 1080 wrote to memory of 1064 | 1080 | Lkjjma32.exe | Lgqkbb32.exe
PID 1064 wrote to memory of 944 | 1064 | Lgqkbb32.exe | Mqklqhpg.exe
PID 944 wrote to memory of 1700 | 944 | Mqklqhpg.exe | Mclebc32.exe
Processes
-
Process tree. Entries are numbered by nesting depth as in the original report (each process is the child of the one before it). Every process after the first runs from the image C:\Windows\SysWOW64\<name>.exe with command line C:\Windows\system32\<name>.exe; the signatures triggered by each process follow its PID.
1. C:\Users\Admin\AppData\Local\Temp\71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6.exe, command line "C:\Users\Admin\AppData\Local\Temp\71ead9f51c149c931503516271a1112a86d83921a8a17bec322e27c4298f4dc6.exe", PID 2148: Adds autorun key to be loaded by Explorer.exe on startup; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
2. Injndk32.exe, PID 548: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. Idkpganf.exe, PID 2736: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
4. Jaoqqflp.exe, PID 1108: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. Jdpjba32.exe, PID 2868: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
6. Jpigma32.exe, PID 1872: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
7. Jbjpom32.exe, PID 2556: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. Koaqcn32.exe, PID 2572: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. Kdpfadlm.exe, PID 2684: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. Knhjjj32.exe, PID 2848: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. Lonpma32.exe, PID 2444: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
12. Loqmba32.exe, PID 2128: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. Lcofio32.exe, PID 2176: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. Lkjjma32.exe, PID 1080: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. Lgqkbb32.exe, PID 1064: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16. Mqklqhpg.exe, PID 944: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. Mclebc32.exe, PID 1700: Executes dropped EXE; Loads dropped DLL
18. Mqbbagjo.exe, PID 1424: Executes dropped EXE; Loads dropped DLL
19. Mcckcbgp.exe, PID 1804: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
20. Npjlhcmd.exe, PID 1396: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
21. Nlqmmd32.exe, PID 1504: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
22. Neiaeiii.exe, PID 1880: Executes dropped EXE; Loads dropped DLL; Modifies registry class
23. Nbmaon32.exe, PID 1968: Executes dropped EXE; Loads dropped DLL; Modifies registry class
24. Ndqkleln.exe, PID 2276: Executes dropped EXE; Loads dropped DLL
25. Onfoin32.exe, PID 2700: Executes dropped EXE; Loads dropped DLL
26. Odchbe32.exe, PID 1304: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
27. Odgamdef.exe, PID 1748: Executes dropped EXE; Loads dropped DLL
28. Olbfagca.exe, PID 1440: Executes dropped EXE; Loads dropped DLL
29. Oekjjl32.exe, PID 2912: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
30. Opqoge32.exe, PID 988: Executes dropped EXE; Loads dropped DLL
31. Plgolf32.exe, PID 1012: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
32. Pljlbf32.exe, PID 2896: Executes dropped EXE; Loads dropped DLL; Modifies registry class
33. Pgfjhcge.exe, PID 2592: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34. Qpbglhjq.exe, PID 2600: Executes dropped EXE
35. Apedah32.exe, PID 2564: Executes dropped EXE
36. Agolnbok.exe, PID 2656: Executes dropped EXE
37. Acfmcc32.exe, PID 2608: Executes dropped EXE
38. Ahbekjcf.exe, PID 2476: Executes dropped EXE; Modifies registry class
39. Abmgjo32.exe, PID 2852: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
40. Aqbdkk32.exe, PID 2488: Executes dropped EXE; Drops file in System32 directory
41. Bgllgedi.exe, PID 1260: Executes dropped EXE
42. Bkjdndjo.exe, PID 1956: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43. Bnknoogp.exe, PID 2184: Executes dropped EXE; Modifies registry class
44. Boljgg32.exe, PID 1744: Executes dropped EXE; Drops file in System32 directory
45. Bjbndpmd.exe, PID 1684: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
46. Bfioia32.exe, PID 1616: Executes dropped EXE
47. Bmbgfkje.exe, PID 1884: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
48. Cbppnbhm.exe, PID 1140: Executes dropped EXE
49. Cmedlk32.exe, PID 1092: Executes dropped EXE; Drops file in System32 directory
50. Cileqlmg.exe, PID 1844: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
51. Cnimiblo.exe, PID 1316: Executes dropped EXE
52. Cagienkb.exe, PID 760: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
53. Ckmnbg32.exe, PID 1584: Executes dropped EXE
54. Ceebklai.exe, PID 2080: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
55. Cnmfdb32.exe, PID 2740: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
56. Cegoqlof.exe, PID 324: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
57. Dmbcen32.exe, PID 2928: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
58. Dhhhbg32.exe, PID 1664: Executes dropped EXE
59. Dmepkn32.exe, PID 2956: Executes dropped EXE
60. Dbaice32.exe, PID 364: Executes dropped EXE
61. Dilapopb.exe, PID 2508: Executes dropped EXE; Drops file in System32 directory; Modifies registry class
62. Dbdehdfc.exe, PID 3004: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
63. Dmijfmfi.exe, PID 2696: Executes dropped EXE
64. Dokfme32.exe, PID 2440: Executes dropped EXE; Modifies registry class
65. Dlofgj32.exe, PID 2268: Executes dropped EXE; Drops file in System32 directory
66. Eegkpo32.exe, PID 1948: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
67. Eheglk32.exe, PID 1692: Drops file in System32 directory
68. Eeiheo32.exe, PID 2068
69. Ehhdaj32.exe, PID 1760: Drops file in System32 directory
70. Emdmjamj.exe, PID 2204: Drops file in System32 directory; Modifies registry class
71. Egmabg32.exe, PID 2364
72. Egonhf32.exe, PID 2368
73. Emifeqid.exe, PID 1296: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
74. Ecfnmh32.exe, PID 1988: Modifies registry class
75. Eipgjaoi.exe, PID 2152: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
76. Flocfmnl.exe, PID 892
77. Fgdgcfmb.exe, PID 2004: Adds autorun key to be loaded by Explorer.exe on startup
78. Fplllkdc.exe, PID 604
79. Feiddbbj.exe, PID 2748
80. Fhgppnan.exe, PID 2812: Drops file in System32 directory
81. Fcmdnfad.exe, PID 2240
82. Fhjmfnok.exe, PID 1640: Adds autorun key to be loaded by Explorer.exe on startup
83. Fodebh32.exe, PID 2524: Adds autorun key to be loaded by Explorer.exe on startup
84. Fennoa32.exe, PID 2612: Adds autorun key to be loaded by Explorer.exe on startup
85. Fkkfgi32.exe, PID 2384: Adds autorun key to be loaded by Explorer.exe on startup
86. Ggagmjbq.exe, PID 2840
87. Gdegfn32.exe, PID 1564: Adds autorun key to be loaded by Explorer.exe on startup
88. Gkoobhhg.exe, PID 1528: Drops file in System32 directory; Modifies registry class
89. Gnnlocgk.exe, PID 1676: Modifies registry class
90. Ggfpgi32.exe, PID 1020: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
91. Gjgiidkl.exe, PID 1772: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
92. Gqaafn32.exe, PID 2024: Drops file in System32 directory; Modifies registry class
93. Ggkibhjf.exe, PID 2732
94. Gmhbkohm.exe, PID 1576: Drops file in System32 directory
95. Hcajhi32.exe, PID 3016: Drops file in System32 directory
96. Hohkmj32.exe, PID 2604
97. Hbggif32.exe, PID 2632: Modifies registry class
98. Hokhbj32.exe, PID 2624: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
99. Hbidne32.exe, PID 2532
100. Hnpdcf32.exe, PID 2432: Drops file in System32 directory
101. Hqnapb32.exe, PID 1964
102. Haqnea32.exe, PID 1340
103. Hgkfal32.exe, PID 924
104. Imgnjb32.exe, PID 1132: Adds autorun key to be loaded by Explorer.exe on startup
105. Ifdlng32.exe, PID 1992
106. Iejiodbl.exe, PID 1768: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
107. Jndjmifj.exe, PID 1232: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
108. Jhmofo32.exe, PID 1580: Modifies registry class
109. Jbbccgmp.exe, PID 1876: Drops file in System32 directory
110. Jhoklnkg.exe, PID 1720
111. Jmlddeio.exe, PID 2100: Modifies registry class
112. Jfdhmk32.exe, PID 2668: Drops file in System32 directory
113. Jajmjcoe.exe, PID 2644
114. Jieaofmp.exe, PID 2568
115. Kdkelolf.exe, PID 2628
116. Kkdnhi32.exe, PID 2416
117. Kdmban32.exe, PID 1952: Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
118. Kpdcfoph.exe, PID 2208
119. Keqkofno.exe, PID 2360: Adds autorun key to be loaded by Explorer.exe on startup
120. Kpfplo32.exe, PID 1512
121. Klmqapci.exe, PID 1428
122. Ldheebad.exe, PID 1856
123. Legaoehg.exe, PID 828
124. Lopfhk32.exe, PID 1800
125. Ldmopa32.exe, PID 2484: Drops file in System32 directory
126. Ljigih32.exe, PID 1568
127. Lkicbk32.exe, PID 3020: Drops file in System32 directory
128. Ldahkaij.exe, PID 2180
129. Ljnqdhga.exe, PID 2716: Drops file in System32 directory; Modifies registry class
130. Mcfemmna.exe, PID 2888: Adds autorun key to be loaded by Explorer.exe on startup
131. Momfan32.exe, PID 2288
132. Mhfjjdjf.exe, PID 1704: Drops file in System32 directory
133. Mbnocipg.exe, PID 2492
134. Mmccqbpm.exe, PID 1548: Modifies registry class
135. Mneohj32.exe, PID 824: Drops file in System32 directory; Modifies registry class
136. Mgmdapml.exe, PID 2332
137. Mqehjecl.exe, PID 2236: Modifies registry class
138. Nbeedh32.exe, PID 668: Adds autorun key to be loaded by Explorer.exe on startup
139. Ndcapd32.exe, PID 1716
140. Nnleiipc.exe, PID 476
141. Ngdjaofc.exe, PID 1056: Adds autorun key to be loaded by Explorer.exe on startup
142. Nnnbni32.exe, PID 2540: Modifies registry class
143. Nfigck32.exe, PID 2468: Modifies registry class
144. Npbklabl.exe, PID 1600
145. Nijpdfhm.exe, PID 1624: Modifies registry class
146. Ofnpnkgf.exe, PID 932
147. Opfegp32.exe, PID 2192
148. Ofqmcj32.exe, PID 2516
149. Olmela32.exe, PID 2952
150. Oefjdgjk.exe, PID 580: Modifies registry class
151. Objjnkie.exe, PID 2788: Adds autorun key to be loaded by Explorer.exe on startup
152. Olbogqoe.exe, PID 1824
153. Onqkclni.exe, PID 1448
154. Ohipla32.exe, PID 2424
155. Ojglhm32.exe, PID 1652
156. Phklaacg.exe, PID 2388: Drops file in System32 directory
157. Pjihmmbk.exe, PID 1712: Modifies registry class
158. Pjleclph.exe, PID 1336: Adds autorun key to be loaded by Explorer.exe on startup
159. Pbgjgomc.exe, PID 2084: Adds autorun key to be loaded by Explorer.exe on startup
160. Pmmneg32.exe, PID 2892
161. Pfebnmcj.exe, PID 2672: Modifies registry class
162. Picojhcm.exe, PID 1960: Modifies registry class
163. Pblcbn32.exe, PID 2292
164. Qkghgpfi.exe, PID 1708
165. Qlfdac32.exe, PID 968
166. Aacmij32.exe, PID 2088: Drops file in System32 directory
167. Ahmefdcp.exe, PID 2936: Drops file in System32 directory
168. Aaejojjq.exe, PID 2448: Drops file in System32 directory
169. Aknngo32.exe, PID 2996: Drops file in System32 directory
170. Apkgpf32.exe, PID 2020: Modifies registry class
171. Alageg32.exe, PID 1660
172. Aclpaali.exe, PID 1460
173. Anadojlo.exe, PID 1648
174. Bfcodkcb.exe, PID 1976
175. Bgdkkc32.exe, PID 1796
176. Bqmpdioa.exe, PID 2244: Modifies registry class
177. Bjedmo32.exe, PID 2528
178. Bdkhjgeh.exe, PID 2144
179. Ckeqga32.exe, PID 1492
180. Cmfmojcb.exe, PID 388: Adds autorun key to be loaded by Explorer.exe on startup
181. Cjjnhnbl.exe, PID 2308: Modifies registry class
182. Cogfqe32.exe, PID 2844: Modifies registry class
183. Cfanmogq.exe, PID 2036: Drops file in System32 directory
184. Cqfbjhgf.exe, PID 1656: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
185. Cjogcm32.exe, PID 1096
186. Colpld32.exe, PID 1488: Drops file in System32 directory
187. Cfehhn32.exe, PID 440: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory; Modifies registry class
188. Ckbpqe32.exe, PID 2044: Modifies registry class
189. Dekdikhc.exe, PID 2428
190. Dgiaefgg.exe, PID 1608: Modifies registry class
191. Dboeco32.exe, PID 2792: Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
192. Dgknkf32.exe, PID 972
193. Dbabho32.exe, PID 2548: Drops file in System32 directory
194. Dlifadkk.exe, PID 3088: Drops file in System32 directory
195. Dcdkef32.exe, PID 3128
196. Djocbqpb.exe, PID 3168
197. Dpklkgoj.exe, PID 3208: Drops file in System32 directory; Modifies registry class
198. Dhbdleol.exe, PID 3248: Adds autorun key to be loaded by Explorer.exe on startup
199. Eicpcm32.exe, PID 3288: Drops file in System32 directory
200. Edidqf32.exe
- Modifies registry class
PID:3328 -
C:\Windows\SysWOW64\Efhqmadd.exeC:\Windows\system32\Efhqmadd.exe201⤵
- Modifies registry class
PID:3368 -
C:\Windows\SysWOW64\Ebnabb32.exeC:\Windows\system32\Ebnabb32.exe202⤵PID:3408
-
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe203⤵PID:3448
-
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe204⤵
- Modifies registry class
PID:3488 -
C:\Windows\SysWOW64\Ebckmaec.exeC:\Windows\system32\Ebckmaec.exe205⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3528 -
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe206⤵PID:3572
-
C:\Windows\SysWOW64\Elkofg32.exeC:\Windows\system32\Elkofg32.exe207⤵PID:3612
-
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3652 -
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe209⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3696 -
C:\Windows\SysWOW64\Fdiqpigl.exeC:\Windows\system32\Fdiqpigl.exe210⤵
- Drops file in System32 directory
- Modifies registry class
PID:3736 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe211⤵PID:3776
-
C:\Windows\SysWOW64\Fdkmeiei.exeC:\Windows\system32\Fdkmeiei.exe212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3816 -
C:\Windows\SysWOW64\Fmdbnnlj.exeC:\Windows\system32\Fmdbnnlj.exe213⤵PID:3856
-
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe214⤵
- Drops file in System32 directory
PID:3896 -
C:\Windows\SysWOW64\Fccglehn.exeC:\Windows\system32\Fccglehn.exe215⤵
- Modifies registry class
PID:3936 -
C:\Windows\SysWOW64\Feachqgb.exeC:\Windows\system32\Feachqgb.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3976 -
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe217⤵PID:4016
-
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe218⤵PID:4056
-
C:\Windows\SysWOW64\Goldfelp.exeC:\Windows\system32\Goldfelp.exe219⤵PID:2756
-
C:\Windows\SysWOW64\Gajqbakc.exeC:\Windows\system32\Gajqbakc.exe220⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3112 -
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3156 -
C:\Windows\SysWOW64\Goqnae32.exeC:\Windows\system32\Goqnae32.exe222⤵PID:3216
-
C:\Windows\SysWOW64\Gkgoff32.exeC:\Windows\system32\Gkgoff32.exe223⤵PID:3268
-
C:\Windows\SysWOW64\Hdpcokdo.exeC:\Windows\system32\Hdpcokdo.exe224⤵PID:3312
-
C:\Windows\SysWOW64\Hadcipbi.exeC:\Windows\system32\Hadcipbi.exe225⤵
- Modifies registry class
PID:3352 -
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe226⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3416 -
C:\Windows\SysWOW64\Honnki32.exeC:\Windows\system32\Honnki32.exe227⤵PID:3464
-
C:\Windows\SysWOW64\Hjcaha32.exeC:\Windows\system32\Hjcaha32.exe228⤵
- Drops file in System32 directory
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Ikgkei32.exeC:\Windows\system32\Ikgkei32.exe229⤵PID:3556
-
C:\Windows\SysWOW64\Ieponofk.exeC:\Windows\system32\Ieponofk.exe230⤵PID:3608
-
C:\Windows\SysWOW64\Ioeclg32.exeC:\Windows\system32\Ioeclg32.exe231⤵PID:3640
-
C:\Windows\SysWOW64\Iinhdmma.exeC:\Windows\system32\Iinhdmma.exe232⤵
- Modifies registry class
PID:3712 -
C:\Windows\SysWOW64\Iaimipjl.exeC:\Windows\system32\Iaimipjl.exe233⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3760 -
C:\Windows\SysWOW64\Igceej32.exeC:\Windows\system32\Igceej32.exe234⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3808 -
C:\Windows\SysWOW64\Igebkiof.exeC:\Windows\system32\Igebkiof.exe235⤵PID:3892
-
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe236⤵PID:3908
-
C:\Windows\SysWOW64\Jjfkmdlg.exeC:\Windows\system32\Jjfkmdlg.exe237⤵
- Drops file in System32 directory
PID:3996 -
C:\Windows\SysWOW64\Jpbcek32.exeC:\Windows\system32\Jpbcek32.exe238⤵
- Drops file in System32 directory
- Modifies registry class
PID:4052 -
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe239⤵
- Modifies registry class
PID:4080 -
C:\Windows\SysWOW64\Jpepkk32.exeC:\Windows\system32\Jpepkk32.exe240⤵
- Drops file in System32 directory
- Modifies registry class
PID:3120 -
C:\Windows\SysWOW64\Jjjdhc32.exeC:\Windows\system32\Jjjdhc32.exe241⤵
- Drops file in System32 directory
- Modifies registry class
PID:3176 -
C:\Windows\SysWOW64\Jfaeme32.exeC:\Windows\system32\Jfaeme32.exe242⤵PID:3244