Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 20:24
Static task: static1
Behavioral task: behavioral1
Sample: 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe
Resource: win10v2004-20240426-en
General
Target: 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe
Size: 163KB
MD5: a84ae699edf16a12fc3094445c982c32
SHA1: 61f40fd56ba09eb51862e6aaab63610679cdfc42
SHA256: 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751
SHA512: 082fc22318187e895afa6a6ebb171e7cedd5c5d457435d2188c6ef516236e47953825a68df3e924f1deb898aaae856de06aad8cfc03ba1abf155bba1452939d9
SSDEEP: 1536:PiByfeNWEfPSEpB3dUdhKVRlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:eC/UPSGVRltOrWKDBr+yJb
Malware Config
Extracted: gozi
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fnflke32.exeLqipkhbj.exePhlclgfc.exeDbiocd32.exeEmdmjamj.exeBhdhefpc.exeEfedga32.exeFolhgbid.exeHqnjek32.exeLdgnklmi.exeGmecmg32.exeObbdml32.exeAgbbgqhh.exeEdaalk32.exeGcgqgd32.exeFkmqdpce.exeKbdmeoob.exeLghlndfa.exeMmdjkhdh.exeHbggif32.exeJdflqo32.exeIikkon32.exeIbmgpoia.exePckajebj.exeGfcnegnk.exeIpeaco32.exeDcllbhdn.exeJlfnangf.exeOpfegp32.exeApppkekc.exeDklddhka.exeHakkgc32.exeCinafkkd.exeBmhkmm32.exeBoogmgkl.exeCmpgpond.exeDaaenlng.exeDnhbmpkn.exeEimcjl32.exeCcpcckck.exeAkfkbd32.exeFmaeho32.exeKkmand32.exeHfjbmb32.exeEggndi32.exeFigmjq32.exeHkmollme.exeAahfdihn.exeBfncpcoc.exeFdqnkoep.exeCmpdgf32.exeJabdql32.exeNedhjj32.exeBoemlbpk.exeDeakjjbk.exeGoplilpf.exeCmhglq32.exeAfffenbp.exeHeliepmn.exeBbllnlfd.exeEoebgcol.exeIfolhann.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnflke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbiocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdmjamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efedga32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folhgbid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldgnklmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmecmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbbgqhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edaalk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgqgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmqdpce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdmeoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghlndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmdjkhdh.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbggif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdflqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikkon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmgpoia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckajebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcllbhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlfnangf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfegp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apppkekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklddhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FEACFF-FFCE-815E-A900-316290B5B738}" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmhkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daaenlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnhbmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpcckck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfkbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmaeho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjbmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 
Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figmjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmollme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahfdihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfncpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdqnkoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpdgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabdql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boemlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deakjjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goplilpf.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhglq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afffenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heliepmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbllnlfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoebgcol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifolhann.exe -
Detects executables built or packed with MPress PE compressor 64 IoCs
Processes:
resource yara_rule \Windows\SysWOW64\Bidlgdlk.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Clgbno32.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Cebcmdlg.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Cojhejbh.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Cmpdgf32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ddnfop32.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Dikogf32.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Dojddmec.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Dkadjn32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Elqaca32.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Eoompl32.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Egjbdo32.exe INDICATOR_EXE_Packed_MPress \Windows\SysWOW64\Eapfagno.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Epecbd32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Eniclh32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Fchijone.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Fqlicclo.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Fdnolfon.exe INDICATOR_EXE_Packed_MPress behavioral1/memory/2804-273-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Gcheib32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Gpabcbdb.exe INDICATOR_EXE_Packed_MPress behavioral1/memory/2084-310-0x0000000000400000-0x0000000000453000-memory.dmp INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Gildahhp.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Hnpbjnpo.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Halbai32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Hdoghdmd.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Imleli32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ibhndp32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ibmgpoia.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Jabdql32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Jofejpmc.exe INDICATOR_EXE_Packed_MPress 
C:\Windows\SysWOW64\Koddccaa.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Kbdmeoob.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Kkmand32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Kcdjoaee.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Knnkpobc.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Khcomhbi.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lnpgeopa.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lghlndfa.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ldllgiek.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lkfddc32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lmgalkcf.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lcaiiejc.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Lokgcf32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Liqoflfh.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mejlalji.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mkddnf32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mnbpjb32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mihdgkpp.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mndmoaog.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mijamjnm.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mbbfep32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Mhonngce.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Njpgpbpf.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ndhlhg32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Nmqpam32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Olkfmi32.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Olmcchlg.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Ookpodkj.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Odhhgkib.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Oonldcih.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Odjdmjgo.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Opaebkmc.exe INDICATOR_EXE_Packed_MPress C:\Windows\SysWOW64\Pljcllqe.exe 
INDICATOR_EXE_Packed_MPress
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule \Windows\SysWOW64\Bidlgdlk.exe UPX \Windows\SysWOW64\Clgbno32.exe UPX \Windows\SysWOW64\Cebcmdlg.exe UPX C:\Windows\SysWOW64\Cojhejbh.exe UPX \Windows\SysWOW64\Cmpdgf32.exe UPX C:\Windows\SysWOW64\Ddnfop32.exe UPX \Windows\SysWOW64\Dikogf32.exe UPX \Windows\SysWOW64\Dojddmec.exe UPX \Windows\SysWOW64\Dkadjn32.exe UPX C:\Windows\SysWOW64\Elqaca32.exe UPX \Windows\SysWOW64\Eoompl32.exe UPX \Windows\SysWOW64\Egjbdo32.exe UPX \Windows\SysWOW64\Eapfagno.exe UPX C:\Windows\SysWOW64\Epecbd32.exe UPX C:\Windows\SysWOW64\Eniclh32.exe UPX C:\Windows\SysWOW64\Fchijone.exe UPX C:\Windows\SysWOW64\Fqlicclo.exe UPX C:\Windows\SysWOW64\Fdnolfon.exe UPX behavioral1/memory/2804-273-0x0000000000400000-0x0000000000453000-memory.dmp UPX C:\Windows\SysWOW64\Gcheib32.exe UPX C:\Windows\SysWOW64\Gpabcbdb.exe UPX C:\Windows\SysWOW64\Gildahhp.exe UPX C:\Windows\SysWOW64\Hnpbjnpo.exe UPX C:\Windows\SysWOW64\Halbai32.exe UPX C:\Windows\SysWOW64\Hdoghdmd.exe UPX C:\Windows\SysWOW64\Imleli32.exe UPX C:\Windows\SysWOW64\Ibhndp32.exe UPX C:\Windows\SysWOW64\Ibmgpoia.exe UPX C:\Windows\SysWOW64\Jabdql32.exe UPX C:\Windows\SysWOW64\Jofejpmc.exe UPX C:\Windows\SysWOW64\Koddccaa.exe UPX C:\Windows\SysWOW64\Kbdmeoob.exe UPX C:\Windows\SysWOW64\Kkmand32.exe UPX C:\Windows\SysWOW64\Kcdjoaee.exe UPX C:\Windows\SysWOW64\Knnkpobc.exe UPX C:\Windows\SysWOW64\Khcomhbi.exe UPX C:\Windows\SysWOW64\Lnpgeopa.exe UPX C:\Windows\SysWOW64\Lghlndfa.exe UPX C:\Windows\SysWOW64\Ldllgiek.exe UPX C:\Windows\SysWOW64\Lkfddc32.exe UPX C:\Windows\SysWOW64\Lmgalkcf.exe UPX C:\Windows\SysWOW64\Lcaiiejc.exe UPX C:\Windows\SysWOW64\Lokgcf32.exe UPX C:\Windows\SysWOW64\Liqoflfh.exe UPX C:\Windows\SysWOW64\Mejlalji.exe UPX C:\Windows\SysWOW64\Mkddnf32.exe UPX C:\Windows\SysWOW64\Mnbpjb32.exe UPX C:\Windows\SysWOW64\Mihdgkpp.exe UPX C:\Windows\SysWOW64\Mndmoaog.exe UPX C:\Windows\SysWOW64\Mijamjnm.exe UPX C:\Windows\SysWOW64\Mbbfep32.exe UPX C:\Windows\SysWOW64\Mhonngce.exe UPX C:\Windows\SysWOW64\Njpgpbpf.exe 
UPX C:\Windows\SysWOW64\Ndhlhg32.exe UPX C:\Windows\SysWOW64\Nmqpam32.exe UPX C:\Windows\SysWOW64\Olkfmi32.exe UPX C:\Windows\SysWOW64\Olmcchlg.exe UPX C:\Windows\SysWOW64\Ookpodkj.exe UPX C:\Windows\SysWOW64\Odhhgkib.exe UPX C:\Windows\SysWOW64\Oonldcih.exe UPX C:\Windows\SysWOW64\Odjdmjgo.exe UPX C:\Windows\SysWOW64\Opaebkmc.exe UPX C:\Windows\SysWOW64\Pljcllqe.exe UPX C:\Windows\SysWOW64\Pcdkif32.exe UPX -
Executes dropped EXE 64 IoCs
Processes:
Bidlgdlk.exeClgbno32.exeCebcmdlg.exeCojhejbh.exeCmpdgf32.exeDdnfop32.exeDikogf32.exeDojddmec.exeDkadjn32.exeElqaca32.exeEoompl32.exeEgjbdo32.exeEapfagno.exeEpecbd32.exeEniclh32.exeFchijone.exeFqlicclo.exeFkejcq32.exeFdnolfon.exeFfmkfifa.exeFkmqdpce.exeGcheib32.exeGgfnopfg.exeGpabcbdb.exeGmecmg32.exeGildahhp.exeGbdhjm32.exeHinqgg32.exeHloiib32.exeHalbai32.exeHnpbjnpo.exeHdoghdmd.exeImleli32.exeIbhndp32.exeImnbbi32.exeIplnnd32.exeIiecgjba.exeIbmgpoia.exeJabdql32.exeJofejpmc.exeJoiappkp.exeJhafhe32.exeJjdofm32.exeKfkpknkq.exeKoddccaa.exeKbdmeoob.exeKkmand32.exeKcdjoaee.exeKnnkpobc.exeKhcomhbi.exeLnpgeopa.exeLghlndfa.exeLdllgiek.exeLkfddc32.exeLmgalkcf.exeLcaiiejc.exeLmjnak32.exeLgoboc32.exeLiqoflfh.exeLokgcf32.exeMjpkqonj.exeMkaghg32.exeMejlalji.exeMkddnf32.exepid process 2900 Bidlgdlk.exe 2504 Clgbno32.exe 2520 Cebcmdlg.exe 2400 Cojhejbh.exe 2360 Cmpdgf32.exe 3040 Ddnfop32.exe 1396 Dikogf32.exe 1928 Dojddmec.exe 2584 Dkadjn32.exe 2768 Elqaca32.exe 1912 Eoompl32.exe 2032 Egjbdo32.exe 2576 Eapfagno.exe 804 Epecbd32.exe 2256 Eniclh32.exe 3008 Fchijone.exe 268 Fqlicclo.exe 436 Fkejcq32.exe 632 Fdnolfon.exe 708 Ffmkfifa.exe 2804 Fkmqdpce.exe 1988 Gcheib32.exe 2932 Ggfnopfg.exe 2084 Gpabcbdb.exe 1676 Gmecmg32.exe 904 Gildahhp.exe 2328 Gbdhjm32.exe 1580 Hinqgg32.exe 2944 Hloiib32.exe 2640 Halbai32.exe 2656 Hnpbjnpo.exe 2524 Hdoghdmd.exe 2660 Imleli32.exe 1652 Ibhndp32.exe 2268 Imnbbi32.exe 1644 Iplnnd32.exe 2712 Iiecgjba.exe 2332 Ibmgpoia.exe 2688 Jabdql32.exe 1128 Jofejpmc.exe 1656 Joiappkp.exe 844 Jhafhe32.exe 768 Jjdofm32.exe 2244 Kfkpknkq.exe 1708 Koddccaa.exe 2072 Kbdmeoob.exe 1836 Kkmand32.exe 1236 Kcdjoaee.exe 2008 Knnkpobc.exe 612 Khcomhbi.exe 1524 Lnpgeopa.exe 1368 Lghlndfa.exe 2840 Ldllgiek.exe 2096 Lkfddc32.exe 1556 Lmgalkcf.exe 2808 Lcaiiejc.exe 1604 Lmjnak32.exe 2144 Lgoboc32.exe 2420 Liqoflfh.exe 592 Lokgcf32.exe 2344 Mjpkqonj.exe 880 Mkaghg32.exe 1800 Mejlalji.exe 1932 Mkddnf32.exe -
Loads dropped DLL 64 IoCs
Processes:
2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exeBidlgdlk.exeClgbno32.exeCebcmdlg.exeCojhejbh.exeCmpdgf32.exeDdnfop32.exeDikogf32.exeDojddmec.exeDkadjn32.exeElqaca32.exeEoompl32.exeEgjbdo32.exeEapfagno.exeEpecbd32.exeEniclh32.exeFchijone.exeFqlicclo.exeFkejcq32.exeFdnolfon.exeFfmkfifa.exeFkmqdpce.exeGcheib32.exeGgfnopfg.exeGpabcbdb.exeGmecmg32.exeGildahhp.exeGbdhjm32.exeHinqgg32.exeHloiib32.exeHalbai32.exeHnpbjnpo.exepid process 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe 2900 Bidlgdlk.exe 2900 Bidlgdlk.exe 2504 Clgbno32.exe 2504 Clgbno32.exe 2520 Cebcmdlg.exe 2520 Cebcmdlg.exe 2400 Cojhejbh.exe 2400 Cojhejbh.exe 2360 Cmpdgf32.exe 2360 Cmpdgf32.exe 3040 Ddnfop32.exe 3040 Ddnfop32.exe 1396 Dikogf32.exe 1396 Dikogf32.exe 1928 Dojddmec.exe 1928 Dojddmec.exe 2584 Dkadjn32.exe 2584 Dkadjn32.exe 2768 Elqaca32.exe 2768 Elqaca32.exe 1912 Eoompl32.exe 1912 Eoompl32.exe 2032 Egjbdo32.exe 2032 Egjbdo32.exe 2576 Eapfagno.exe 2576 Eapfagno.exe 804 Epecbd32.exe 804 Epecbd32.exe 2256 Eniclh32.exe 2256 Eniclh32.exe 3008 Fchijone.exe 3008 Fchijone.exe 268 Fqlicclo.exe 268 Fqlicclo.exe 436 Fkejcq32.exe 436 Fkejcq32.exe 632 Fdnolfon.exe 632 Fdnolfon.exe 708 Ffmkfifa.exe 708 Ffmkfifa.exe 2804 Fkmqdpce.exe 2804 Fkmqdpce.exe 1988 Gcheib32.exe 1988 Gcheib32.exe 2932 Ggfnopfg.exe 2932 Ggfnopfg.exe 2084 Gpabcbdb.exe 2084 Gpabcbdb.exe 1676 Gmecmg32.exe 1676 Gmecmg32.exe 904 Gildahhp.exe 904 Gildahhp.exe 2328 Gbdhjm32.exe 2328 Gbdhjm32.exe 1580 Hinqgg32.exe 1580 Hinqgg32.exe 2944 Hloiib32.exe 2944 Hloiib32.exe 2640 Halbai32.exe 2640 Halbai32.exe 2656 Hnpbjnpo.exe 2656 Hnpbjnpo.exe -
Drops file in System32 directory 64 IoCs
Processes:
Oeckfndj.exeLcofio32.exeNibqqh32.exeDiidjpbe.exeBkpglbaj.exeOopijc32.exeHakkgc32.exeLfoojj32.exeNncbdomg.exeAkfkbd32.exeJkbaci32.exeGpabcbdb.exeGkbcbn32.exeFgjjad32.exeKfkpknkq.exeMkaghg32.exeBjbeofpp.exeIjphofem.exeNlilqbgp.exeCbgobp32.exeDlfgcl32.exeCcjoli32.exeGhlfjq32.exeOefjdgjk.exeAjhddk32.exeFmdbnnlj.exeBnqned32.exeEaheeecg.exeGfcnegnk.exeGhdgfbkl.exeIeofkp32.exeCjakccop.exeKageia32.exeGmecmg32.exeKkgahoel.exeKbdmeoob.exeEggndi32.exeHnpbjnpo.exePeedka32.exeGfhgpg32.exeAfdiondb.exeBoogmgkl.exeQhkipdeb.exeIbmgpoia.exeHboddk32.exeMkndhabp.exeEopphehb.exeIphgln32.exeEeojcmfi.exeGbdhjm32.exeQdncmgbj.exeHbggif32.exeAcfmcc32.exeAficjnpm.exeEgajnfoe.exeCcbbachm.exeHqiqjlga.exeIkqnlh32.exeIiecgjba.exeCcpcckck.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Olmcchlg.exe Oeckfndj.exe File created C:\Windows\SysWOW64\Lhknaf32.exe Lcofio32.exe File opened for modification C:\Windows\SysWOW64\Nplimbka.exe Nibqqh32.exe File opened for modification C:\Windows\SysWOW64\Dpcmgi32.exe Diidjpbe.exe File created C:\Windows\SysWOW64\Bnochnpm.exe Bkpglbaj.exe File created C:\Windows\SysWOW64\Opaebkmc.exe Oopijc32.exe File created C:\Windows\SysWOW64\Hfhcoj32.exe Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Lgqkbb32.exe Lfoojj32.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Nncbdomg.exe File created C:\Windows\SysWOW64\Abpcooea.exe Akfkbd32.exe File created C:\Windows\SysWOW64\Kdhdfgep.dll Jkbaci32.exe File created C:\Windows\SysWOW64\Lbijlpke.dll Gpabcbdb.exe File created C:\Windows\SysWOW64\Ajcbch32.dll Hakkgc32.exe File created C:\Windows\SysWOW64\Gfhgpg32.exe Gkbcbn32.exe File created C:\Windows\SysWOW64\Ikdngobg.dll Fgjjad32.exe File created C:\Windows\SysWOW64\Pdnldmfb.dll Kfkpknkq.exe File opened for modification C:\Windows\SysWOW64\Mejlalji.exe Mkaghg32.exe File opened for modification C:\Windows\SysWOW64\Bbjmpcab.exe Bjbeofpp.exe File created C:\Windows\SysWOW64\Iladfn32.exe Ijphofem.exe File created 
C:\Windows\SysWOW64\Fdpojm32.dll Nlilqbgp.exe File opened for modification C:\Windows\SysWOW64\Cjogcm32.exe Cbgobp32.exe File created C:\Windows\SysWOW64\Dmhdkdlg.exe Dlfgcl32.exe File created C:\Windows\SysWOW64\Fkdqjn32.dll Ccjoli32.exe File opened for modification C:\Windows\SysWOW64\Hbdjcffd.exe Ghlfjq32.exe File created C:\Windows\SysWOW64\Nehhoand.dll Oefjdgjk.exe File created C:\Windows\SysWOW64\Ihlnih32.dll Ajhddk32.exe File created C:\Windows\SysWOW64\Fcqjfeja.exe Fmdbnnlj.exe File opened for modification C:\Windows\SysWOW64\Bejfao32.exe Bnqned32.exe File created C:\Windows\SysWOW64\Fhbnbpjc.exe Eaheeecg.exe File created C:\Windows\SysWOW64\Eligcnhi.dll Gfcnegnk.exe File created C:\Windows\SysWOW64\Gkbcbn32.exe Ghdgfbkl.exe File opened for modification C:\Windows\SysWOW64\Abpcooea.exe Akfkbd32.exe File opened for modification C:\Windows\SysWOW64\Ifpcchai.exe Ieofkp32.exe File created C:\Windows\SysWOW64\Pcaibd32.dll Cjakccop.exe File created C:\Windows\SysWOW64\Kbhbai32.exe Kageia32.exe File created C:\Windows\SysWOW64\Nhokmehl.dll Gmecmg32.exe File created C:\Windows\SysWOW64\Kaajei32.exe Kkgahoel.exe File opened for modification C:\Windows\SysWOW64\Kkmand32.exe Kbdmeoob.exe File opened for modification C:\Windows\SysWOW64\Emagacdm.exe Eggndi32.exe File opened for modification C:\Windows\SysWOW64\Hdoghdmd.exe Hnpbjnpo.exe File created C:\Windows\SysWOW64\Mgcfig32.dll Peedka32.exe File created C:\Windows\SysWOW64\Lmhjag32.dll Gfhgpg32.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Bfioia32.exe Boogmgkl.exe File created C:\Windows\SysWOW64\Lanbhm32.dll Diidjpbe.exe File created C:\Windows\SysWOW64\Qmhahkdj.exe Qhkipdeb.exe File opened for modification C:\Windows\SysWOW64\Jabdql32.exe Ibmgpoia.exe File created C:\Windows\SysWOW64\Hmdhad32.exe Hboddk32.exe File opened for modification C:\Windows\SysWOW64\Mnmpdlac.exe Mkndhabp.exe File opened for modification 
C:\Windows\SysWOW64\Ehhdaj32.exe Eopphehb.exe File created C:\Windows\SysWOW64\Ifbphh32.exe Iphgln32.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Eeojcmfi.exe File created C:\Windows\SysWOW64\Hinqgg32.exe Gbdhjm32.exe File opened for modification C:\Windows\SysWOW64\Qjklenpa.exe Qdncmgbj.exe File created C:\Windows\SysWOW64\Hehiqh32.dll Hbggif32.exe File created C:\Windows\SysWOW64\Afdiondb.exe Acfmcc32.exe File opened for modification C:\Windows\SysWOW64\Akfkbd32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Bqiibc32.dll Egajnfoe.exe File opened for modification C:\Windows\SysWOW64\Ciokijfd.exe Ccbbachm.exe File created C:\Windows\SysWOW64\Bejfao32.exe Bnqned32.exe File opened for modification C:\Windows\SysWOW64\Hffibceh.exe Hqiqjlga.exe File created C:\Windows\SysWOW64\Ieibdnnp.exe Ikqnlh32.exe File created C:\Windows\SysWOW64\Loqhnifk.dll Iiecgjba.exe File created C:\Windows\SysWOW64\Cfnoogbo.exe Ccpcckck.exe -
Program crash 1 IoCs
Processes:
WerFault.exe
pid pid_target process
5252 2340 WerFault.exe
Modifies registry class 64 IoCs
Processes:
Oejcpf32.exeKkmand32.exeKcecbq32.exeFmlbjq32.exeEbckmaec.exeKoddccaa.exeNlfmbibo.exeOalkih32.exeAahfdihn.exeNjpgpbpf.exeJeclebja.exeBcbfbp32.exeEknpadcn.exeFahhnn32.exeGaojnq32.exeDhpemm32.exeElajgpmj.exeIinhdmma.exeBnqned32.exeEmdmjamj.exeNibqqh32.exeGcheib32.exeLhknaf32.exeIbhndp32.exeGgicgopd.exeObokcqhk.exeEinjdb32.exeLmpcca32.exeNcfoch32.exeEggndi32.exeHbaaik32.exeGhofam32.exeLkfddc32.exeDmbcen32.exeIbkmchbh.exeMkaghg32.exePphkbj32.exeKcgphp32.exeJikeeh32.exeJkchmo32.exeBfdenafn.exePfpibn32.exeGlbaei32.exeAbpcooea.exeGhibjjnk.exeJgjkfi32.exeLnpgeopa.exeOdgamdef.exeEknmhk32.exeKlhgfq32.exeJlnmel32.exeGconbj32.exeDihmpinj.exePeedka32.exeHboddk32.exeCfcijf32.exeDlfgcl32.exeAficjnpm.exeQhilkege.exeKjeglh32.exeEodicd32.exePfbfhm32.exePmjaohol.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkmand32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcecbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmlbjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkalpla.dll" Ebckmaec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koddccaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfmbibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmdjb32.dll" Oalkih32.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdecfn32.dll" Aahfdihn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njpgpbpf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjaekpm.dll" Jeclebja.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeeijod.dll" Bcbfbp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eknpadcn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fahhnn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaojnq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpemm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiioe32.dll" Elajgpmj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinhdmma.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnqned32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdmjamj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nibqqh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcnhf32.dll" Gcheib32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhknaf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganigoib.dll" Ibhndp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggicgopd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obokcqhk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Einjdb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll" Lmpcca32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcomkpo.dll" Ncfoch32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eggndi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbaaik32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghofam32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdojinhb.dll" Lkfddc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eggndi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpmhc32.dll" Dmbcen32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibkmchbh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkaghg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhmdim32.dll" Pphkbj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecpilip.dll" Kcgphp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahlae32.dll" Jikeeh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkchmo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfdenafn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfpibn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbaei32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll" Abpcooea.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghibjjnk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pccohd32.dll" Jgjkfi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnpgeopa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgamdef.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eknmhk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehlpleg.dll" Klhgfq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlnmel32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gconbj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dihmpinj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peedka32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfej32.dll" Hboddk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjllk32.dll" Cfcijf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlfgcl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aficjnpm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhilkege.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll" Kjeglh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eodicd32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfbfhm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmjaohol.exe
-
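The registry events above are the sandbox's "Modifies registry class" rows run together. Every row has one of two shapes, `Key created <key> <process>` or `Set value (str) <key>\<name> = "<data>" <process>`, and read together with the "Adds autorun key to be loaded by Explorer.exe on startup" signature they describe a single persistence mechanism: each dropped copy in SysWow64 re-registers a DLL of its own name as the InProcServer32 of CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and a ShellServiceObjectDelayLoad (SSODL) value points at that CLSID so Explorer loads the in-process server at logon. The Python below is an added example and not part of the sandbox report: it parses rows in that shape and resolves SSODL value -> CLSID -> DLL path(s), listing every process that touched the CLSID key. The CLSID rows in the sample are copied from the list above; the two SSODL rows are constructed to match the shape of the autorun signature and the value name "Web Event Logger" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input, one event per line, in the shape the sandbox report
# uses (the report prints them run together). The CLSID/InProcServer32 rows are
# copied from the "Modifies registry class" list; the two ShellServiceObjectDelayLoad
# rows are modelled on the "Adds autorun key" signature (value name is assumed).
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnflke32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdecfn32.dll" Aahfdihn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njpgpbpf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eknpadcn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjaekpm.dll" Jeclebja.exe
"""

# "Set value (str) <key>\<name> = "<data>" <proc>"; an empty <name> is the (Default) value.
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\=]*?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+) (?P<proc>\S+)$')
SSODL_RE = re.compile(r'\\ShellServiceObjectDelayLoad$', re.IGNORECASE)
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$', re.IGNORECASE)


def parse_events(text):
    """Parse one sandbox registry event per line; lines in neither shape are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            e = m.groupdict()
            e["op"] = "set"
            e["data"] = e["data"].replace("\\\\", "\\")  # the report doubles backslashes
            events.append(e)
        elif m := KEY_RE.match(line):
            events.append({"op": "create", "type": None, "name": None, "data": None, **m.groupdict()})
    return events


def persistence_chain(events):
    """Resolve SSODL value -> CLSID -> InProcServer32 DLL(s), plus every process that
    created or set the CLSID key. Explorer loads the in-process server of each CLSID
    listed under ShellServiceObjectDelayLoad at logon, so every DLL path returned
    here is a persistence payload to collect from the host."""
    inproc = defaultdict(set)   # clsid -> DLL paths written to the (Default) value
    writers = defaultdict(set)  # clsid -> processes that touched the key
    ssodl = {}                  # SSODL value name -> clsid
    for e in events:
        if m := CLSID_RE.search(e["key"]):
            clsid = m.group(1).upper()
            writers[clsid].add(e["proc"])
            if e["op"] == "set" and e["name"] == "":  # empty name = (Default) value
                inproc[clsid].add(e["data"])
        elif e["op"] == "set" and SSODL_RE.search(e["key"]):
            ssodl[e["name"]] = e["data"].upper()
    return {
        name: {"clsid": clsid, "dlls": sorted(inproc[clsid]), "writers": sorted(writers[clsid])}
        for name, clsid in ssodl.items()
    }


if __name__ == "__main__":
    for name, info in persistence_chain(parse_events(SAMPLE_EVENTS)).items():
        print(f"SSODL '{name}' -> {info['clsid']}")
        for dll in info["dlls"]:
            print("  InProcServer32:", dll)
        print("  written by:", ", ".join(info["writers"]))
```

Two things worth keeping in mind when turning this into a hunt: several distinct DLL paths for one CLSID is itself the indicator (a legitimate COM registration has one server), and every key in this report sits under Wow6432Node because the sample is 32-bit, so on a 64-bit host check both the native and the Wow6432Node SSODL and CLSID paths.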
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe, Bidlgdlk.exe, Clgbno32.exe, Cebcmdlg.exe, Cojhejbh.exe, Cmpdgf32.exe, Ddnfop32.exe, Dikogf32.exe, Dojddmec.exe, Dkadjn32.exe, Elqaca32.exe, Eoompl32.exe, Egjbdo32.exe, Eapfagno.exe, Epecbd32.exe, Eniclh32.exe
description pid process target process
PID 2888 wrote to memory of 2900 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Bidlgdlk.exe
PID 2888 wrote to memory of 2900 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Bidlgdlk.exe
PID 2888 wrote to memory of 2900 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Bidlgdlk.exe
PID 2888 wrote to memory of 2900 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Bidlgdlk.exe
PID 2900 wrote to memory of 2504 2900 Bidlgdlk.exe Clgbno32.exe
PID 2900 wrote to memory of 2504 2900 Bidlgdlk.exe Clgbno32.exe
PID 2900 wrote to memory of 2504 2900 Bidlgdlk.exe Clgbno32.exe
PID 2900 wrote to memory of 2504 2900 Bidlgdlk.exe Clgbno32.exe
PID 2504 wrote to memory of 2520 2504 Clgbno32.exe Cebcmdlg.exe
PID 2504 wrote to memory of 2520 2504 Clgbno32.exe Cebcmdlg.exe
PID 2504 wrote to memory of 2520 2504 Clgbno32.exe Cebcmdlg.exe
PID 2504 wrote to memory of 2520 2504 Clgbno32.exe Cebcmdlg.exe
PID 2520 wrote to memory of 2400 2520 Cebcmdlg.exe Cojhejbh.exe
PID 2520 wrote to memory of 2400 2520 Cebcmdlg.exe Cojhejbh.exe
PID 2520 wrote to memory of 2400 2520 Cebcmdlg.exe Cojhejbh.exe
PID 2520 wrote to memory of 2400 2520 Cebcmdlg.exe Cojhejbh.exe
PID 2400 wrote to memory of 2360 2400 Cojhejbh.exe Hqnjek32.exe
PID 2400 wrote to memory of 2360 2400 Cojhejbh.exe Hqnjek32.exe
PID 2400 wrote to memory of 2360 2400 Cojhejbh.exe Hqnjek32.exe
PID 2400 wrote to memory of 2360 2400 Cojhejbh.exe Hqnjek32.exe
PID 2360 wrote to memory of 3040 2360 Cmpdgf32.exe Ddnfop32.exe
PID 2360 wrote to memory of 3040 2360 Cmpdgf32.exe Ddnfop32.exe
PID 2360 wrote to memory of 3040 2360 Cmpdgf32.exe Ddnfop32.exe
PID 2360 wrote to memory of 3040 2360 Cmpdgf32.exe Ddnfop32.exe
PID 3040 wrote to memory of 1396 3040 Ddnfop32.exe Dikogf32.exe
PID 3040 wrote to memory of 1396 3040 Ddnfop32.exe Dikogf32.exe
PID 3040 wrote to memory of 1396 3040 Ddnfop32.exe Dikogf32.exe
PID 3040 wrote to memory of 1396 3040 Ddnfop32.exe Dikogf32.exe
PID 1396 wrote to memory of 1928 1396 Dikogf32.exe Dojddmec.exe
PID 1396 wrote to memory of 1928 1396 Dikogf32.exe Dojddmec.exe
PID 1396 wrote to memory of 1928 1396 Dikogf32.exe Dojddmec.exe
PID 1396 wrote to memory of 1928 1396 Dikogf32.exe Dojddmec.exe
PID 1928 wrote to memory of 2584 1928 Dojddmec.exe Dkadjn32.exe
PID 1928 wrote to memory of 2584 1928 Dojddmec.exe Dkadjn32.exe
PID 1928 wrote to memory of 2584 1928 Dojddmec.exe Dkadjn32.exe
PID 1928 wrote to memory of 2584 1928 Dojddmec.exe Dkadjn32.exe
PID 2584 wrote to memory of 2768 2584 Dkadjn32.exe Elqaca32.exe
PID 2584 wrote to memory of 2768 2584 Dkadjn32.exe Elqaca32.exe
PID 2584 wrote to memory of 2768 2584 Dkadjn32.exe Elqaca32.exe
PID 2584 wrote to memory of 2768 2584 Dkadjn32.exe Elqaca32.exe
PID 2768 wrote to memory of 1912 2768 Elqaca32.exe Eoompl32.exe
PID 2768 wrote to memory of 1912 2768 Elqaca32.exe Eoompl32.exe
PID 2768 wrote to memory of 1912 2768 Elqaca32.exe Eoompl32.exe
PID 2768 wrote to memory of 1912 2768 Elqaca32.exe Eoompl32.exe
PID 1912 wrote to memory of 2032 1912 Eoompl32.exe Egjbdo32.exe
PID 1912 wrote to memory of 2032 1912 Eoompl32.exe Egjbdo32.exe
PID 1912 wrote to memory of 2032 1912 Eoompl32.exe Egjbdo32.exe
PID 1912 wrote to memory of 2032 1912 Eoompl32.exe Egjbdo32.exe
PID 2032 wrote to memory of 2576 2032 Egjbdo32.exe Ieibdnnp.exe
PID 2032 wrote to memory of 2576 2032 Egjbdo32.exe Ieibdnnp.exe
PID 2032 wrote to memory of 2576 2032 Egjbdo32.exe Ieibdnnp.exe
PID 2032 wrote to memory of 2576 2032 Egjbdo32.exe Ieibdnnp.exe
PID 2576 wrote to memory of 804 2576 Eapfagno.exe Epecbd32.exe
PID 2576 wrote to memory of 804 2576 Eapfagno.exe Epecbd32.exe
PID 2576 wrote to memory of 804 2576 Eapfagno.exe Epecbd32.exe
PID 2576 wrote to memory of 804 2576 Eapfagno.exe Epecbd32.exe
PID 804 wrote to memory of 2256 804 Epecbd32.exe Eniclh32.exe
PID 804 wrote to memory of 2256 804 Epecbd32.exe Eniclh32.exe
PID 804 wrote to memory of 2256 804 Epecbd32.exe Eniclh32.exe
PID 804 wrote to memory of 2256 804 Epecbd32.exe Eniclh32.exe
PID 2256 wrote to memory of 3008 2256 Eniclh32.exe Fchijone.exe
PID 2256 wrote to memory of 3008 2256 Eniclh32.exe Fchijone.exe
PID 2256 wrote to memory of 3008 2256 Eniclh32.exe Fchijone.exe
PID 2256 wrote to memory of 3008 2256 Eniclh32.exe Fchijone.exe
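The 64 WriteProcessMemory rows above are the report's table run together. Each row reads `PID <src> wrote to memory of <dst> <src> <src image> <dst image>`, every parent-to-child pair appears four times, and the image name the sandbox records for a PID is not stable: PID 2360 is the write target as Hqnjek32.exe but writes as Cmpdgf32.exe, and PID 2576 is the target as Ieibdnnp.exe but writes as Eapfagno.exe, while the process tree below lists them as Cmpdgf32.exe and Eapfagno.exe. The Python below is an added example, not part of the sandbox report: it parses rows in that shape, collapses the repeats into per-edge counts, rebuilds the spawn chain from the root PID, and reports PIDs that carry more than one name so the analyst pivots on the PID rather than the image. The sample rows are copied from the table above; only the first two pairs keep the four-fold repetition, the rest are listed once to keep the sample short.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: WriteProcessMemory rows copied from this report, one per line
# (the report prints them run together). The first two parent/child pairs keep the
# report's four-fold repetition; the remaining pairs are listed once.
SAMPLE_WPM = """
PID 2888 wrote to memory of 2900 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Bidlgdlk.exe
PID 2888 wrote to memory of 2900 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Bidlgdlk.exe
PID 2888 wrote to memory of 2900 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Bidlgdlk.exe
PID 2888 wrote to memory of 2900 2888 2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe Bidlgdlk.exe
PID 2900 wrote to memory of 2504 2900 Bidlgdlk.exe Clgbno32.exe
PID 2900 wrote to memory of 2504 2900 Bidlgdlk.exe Clgbno32.exe
PID 2900 wrote to memory of 2504 2900 Bidlgdlk.exe Clgbno32.exe
PID 2900 wrote to memory of 2504 2900 Bidlgdlk.exe Clgbno32.exe
PID 2504 wrote to memory of 2520 2504 Clgbno32.exe Cebcmdlg.exe
PID 2520 wrote to memory of 2400 2520 Cebcmdlg.exe Cojhejbh.exe
PID 2400 wrote to memory of 2360 2400 Cojhejbh.exe Hqnjek32.exe
PID 2360 wrote to memory of 3040 2360 Cmpdgf32.exe Ddnfop32.exe
"""

# The source PID is printed twice per row; the back-reference enforces that.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


def parse_wpm(text):
    """Return (edges, names): edges[(src_pid, dst_pid)] counts the writes and
    names[pid] collects every image name the report used for that PID."""
    edges = Counter()
    names = defaultdict(set)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        names[src].add(m["src_name"])
        names[dst].add(m["dst_name"])
    return edges, names


def process_chain(edges):
    """Order PIDs root-first by following writer -> written-to edges. The root is
    the PID nobody wrote into (the submitted sample); in this report each write
    target is the child the writer had just spawned, so the walk is the spawn chain."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    stack = sorted({src for src, _ in edges if src not in targets}, reverse=True)
    chain = []
    while stack:
        pid = stack.pop()
        chain.append(pid)
        stack.extend(sorted(children[pid], reverse=True))
    return chain


def name_conflicts(names):
    """PIDs the report labels with more than one image name. Pivot on the PID and
    on the process tree, not on the name printed in the WriteProcessMemory row."""
    return {pid: sorted(n) for pid, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    edges, names = parse_wpm(SAMPLE_WPM)
    chain = process_chain(edges)
    print(" -> ".join(f"{pid} ({'/'.join(sorted(names[pid]))})" for pid in chain))
    for pid, labels in name_conflicts(names).items():
        print(f"PID {pid} appears as {labels}: confirm against the process tree")
```

The same walk over the full 64 rows yields the 17-process chain that the process tree below shows from PID 2888 down to Fchijone.exe (PID 3008); the repeat counts are kept rather than discarded because a pair that does not show the usual four writes is worth a second look.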
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe"C:\Users\Admin\AppData\Local\Temp\2c44e2a3e2d5493858b67a3642f5cedac47d9678deb1833edb04bc9ce3188751.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:436 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe33⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe34⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe36⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe37⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe41⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe42⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe43⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe44⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe49⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe50⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe51⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe56⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe57⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe58⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe59⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe60⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe61⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe62⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe64⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe65⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe66⤵PID:1972
-
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe67⤵PID:2024
-
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe68⤵PID:1840
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe69⤵PID:324
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe70⤵PID:676
-
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe71⤵PID:2204
-
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe72⤵
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe73⤵
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe74⤵PID:2140
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe75⤵PID:2828
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe76⤵PID:2324
-
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe77⤵PID:1680
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe78⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe79⤵PID:2020
-
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe80⤵PID:1748
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe81⤵PID:2516
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe82⤵PID:568
-
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe83⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe84⤵PID:1124
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe85⤵PID:948
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe86⤵PID:2028
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe87⤵PID:1760
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe88⤵PID:1532
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe89⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe90⤵PID:692
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe91⤵PID:2164
-
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe92⤵PID:364
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe93⤵PID:2772
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe94⤵PID:2796
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe95⤵PID:1960
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe96⤵PID:1744
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe97⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe99⤵PID:2528
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe100⤵PID:1904
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1120 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe102⤵PID:1264
-
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe103⤵PID:2876
-
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe104⤵PID:1216
-
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe105⤵PID:1064
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe106⤵PID:1732
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe107⤵PID:2832
-
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe108⤵PID:696
-
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe109⤵PID:2276
-
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe110⤵PID:2552
-
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe113⤵PID:2172
-
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe114⤵PID:580
-
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe115⤵PID:2000
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe116⤵PID:2396
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe117⤵
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe118⤵PID:2908
-
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe119⤵PID:1824
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe121⤵PID:764
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe122⤵PID:2196
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe124⤵PID:3036
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe126⤵PID:2132
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe127⤵PID:1084
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe128⤵PID:2960
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe129⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe130⤵PID:1140
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe131⤵PID:548
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe132⤵PID:2568
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe133⤵PID:2912
-
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe134⤵PID:2440
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe135⤵PID:896
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe136⤵PID:1764
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe137⤵
- Drops file in System32 directory
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe138⤵PID:2300
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe139⤵PID:840
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:944 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe141⤵PID:2780
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe142⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe143⤵PID:2372
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe144⤵PID:1696
-
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe145⤵PID:1388
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe146⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe147⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe148⤵PID:2316
-
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe149⤵PID:1096
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe150⤵PID:2312
-
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe151⤵PID:2708
-
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe152⤵PID:2616
-
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe153⤵PID:1648
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe154⤵PID:1772
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe155⤵
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe156⤵
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe157⤵PID:2352
-
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe158⤵PID:2040
-
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe159⤵PID:2736
-
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe160⤵PID:2716
-
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe161⤵PID:564
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe162⤵PID:2572
-
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe163⤵PID:1512
-
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe164⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1188 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe165⤵PID:2612
-
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe166⤵PID:2128
-
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe167⤵PID:1816
-
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe169⤵PID:1584
-
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe170⤵PID:3044
-
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe171⤵
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe172⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe173⤵
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe174⤵
- Modifies registry class
PID:800 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe175⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe176⤵PID:1716
-
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe177⤵PID:1936
-
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe178⤵PID:2044
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe179⤵PID:2064
-
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe180⤵PID:2292
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe181⤵PID:2484
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe182⤵PID:2272
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe183⤵PID:1436
-
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe184⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe185⤵PID:1784
-
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe186⤵PID:1792
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe187⤵
- Drops file in System32 directory
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe188⤵PID:1248
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe189⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe190⤵PID:2920
-
191. C:\Windows\SysWOW64\Ipeaco32.exe (C:\Windows\system32\Ipeaco32.exe), PID 3084
  - Adds autorun key to be loaded by Explorer.exe on startup
192. C:\Windows\SysWOW64\Iafnjg32.exe (C:\Windows\system32\Iafnjg32.exe), PID 3124
193. C:\Windows\SysWOW64\Ihpfgalh.exe (C:\Windows\system32\Ihpfgalh.exe), PID 3164
194. C:\Windows\SysWOW64\Ibejdjln.exe (C:\Windows\system32\Ibejdjln.exe), PID 3204
195. C:\Windows\SysWOW64\Idgglb32.exe (C:\Windows\system32\Idgglb32.exe), PID 3244
196. C:\Windows\SysWOW64\Iefcfe32.exe (C:\Windows\system32\Iefcfe32.exe), PID 3284
197. C:\Windows\SysWOW64\Ihdpbq32.exe (C:\Windows\system32\Ihdpbq32.exe), PID 3324
198. C:\Windows\SysWOW64\Imahkg32.exe (C:\Windows\system32\Imahkg32.exe), PID 3364
199. C:\Windows\SysWOW64\Ijehdl32.exe (C:\Windows\system32\Ijehdl32.exe), PID 3404
200. C:\Windows\SysWOW64\Jdnmma32.exe (C:\Windows\system32\Jdnmma32.exe), PID 3444
201. C:\Windows\SysWOW64\Jikeeh32.exe (C:\Windows\system32\Jikeeh32.exe), PID 3488
  - Modifies registry class
202. C:\Windows\SysWOW64\Jkchmo32.exe (C:\Windows\system32\Jkchmo32.exe), PID 3528
  - Modifies registry class
203. C:\Windows\SysWOW64\Kaompi32.exe (C:\Windows\system32\Kaompi32.exe), PID 3568
204. C:\Windows\SysWOW64\Khielcfh.exe (C:\Windows\system32\Khielcfh.exe), PID 3608
205. C:\Windows\SysWOW64\Kkgahoel.exe (C:\Windows\system32\Kkgahoel.exe), PID 3648
  - Drops file in System32 directory
206. C:\Windows\SysWOW64\Kaajei32.exe (C:\Windows\system32\Kaajei32.exe), PID 3688
207. C:\Windows\SysWOW64\Kgnbnpkp.exe (C:\Windows\system32\Kgnbnpkp.exe), PID 3728
208. C:\Windows\SysWOW64\Kadfkhkf.exe (C:\Windows\system32\Kadfkhkf.exe), PID 3768
209. C:\Windows\SysWOW64\Kcecbq32.exe (C:\Windows\system32\Kcecbq32.exe), PID 3808
  - Modifies registry class
210. C:\Windows\SysWOW64\Knkgpi32.exe (C:\Windows\system32\Knkgpi32.exe), PID 3848
211. C:\Windows\SysWOW64\Kcgphp32.exe (C:\Windows\system32\Kcgphp32.exe), PID 3888
  - Modifies registry class
212. C:\Windows\SysWOW64\Kjahej32.exe (C:\Windows\system32\Kjahej32.exe), PID 3928
213. C:\Windows\SysWOW64\Lonpma32.exe (C:\Windows\system32\Lonpma32.exe), PID 3968
214. C:\Windows\SysWOW64\Lfhhjklc.exe (C:\Windows\system32\Lfhhjklc.exe), PID 4008
215. C:\Windows\SysWOW64\Ljddjj32.exe (C:\Windows\system32\Ljddjj32.exe), PID 4048
216. C:\Windows\SysWOW64\Loqmba32.exe (C:\Windows\system32\Loqmba32.exe), PID 4088
217. C:\Windows\SysWOW64\Ljfapjbi.exe (C:\Windows\system32\Ljfapjbi.exe), PID 1456
218. C:\Windows\SysWOW64\Lkgngb32.exe (C:\Windows\system32\Lkgngb32.exe), PID 2872
219. C:\Windows\SysWOW64\Lcofio32.exe (C:\Windows\system32\Lcofio32.exe), PID 3132
  - Drops file in System32 directory
220. C:\Windows\SysWOW64\Lhknaf32.exe (C:\Windows\system32\Lhknaf32.exe), PID 3192
  - Modifies registry class
221. C:\Windows\SysWOW64\Loefnpnn.exe (C:\Windows\system32\Loefnpnn.exe), PID 3240
222. C:\Windows\SysWOW64\Lfoojj32.exe (C:\Windows\system32\Lfoojj32.exe), PID 3292
  - Drops file in System32 directory
223. C:\Windows\SysWOW64\Lgqkbb32.exe (C:\Windows\system32\Lgqkbb32.exe), PID 3348
224. C:\Windows\SysWOW64\Lqipkhbj.exe (C:\Windows\system32\Lqipkhbj.exe), PID 3396
  - Adds autorun key to be loaded by Explorer.exe on startup
225. C:\Windows\SysWOW64\Mkndhabp.exe (C:\Windows\system32\Mkndhabp.exe), PID 3428
  - Drops file in System32 directory
226. C:\Windows\SysWOW64\Mnmpdlac.exe (C:\Windows\system32\Mnmpdlac.exe), PID 2896
227. C:\Windows\SysWOW64\Mcjhmcok.exe (C:\Windows\system32\Mcjhmcok.exe), PID 3508
228. C:\Windows\SysWOW64\Mkqqnq32.exe (C:\Windows\system32\Mkqqnq32.exe), PID 3556
229. C:\Windows\SysWOW64\Mqnifg32.exe (C:\Windows\system32\Mqnifg32.exe), PID 3616
230. C:\Windows\SysWOW64\Mmdjkhdh.exe (C:\Windows\system32\Mmdjkhdh.exe), PID 3672
  - Adds autorun key to be loaded by Explorer.exe on startup
231. C:\Windows\SysWOW64\Mgjnhaco.exe (C:\Windows\system32\Mgjnhaco.exe), PID 3724
232. C:\Windows\SysWOW64\Mmgfqh32.exe (C:\Windows\system32\Mmgfqh32.exe), PID 3780
233. C:\Windows\SysWOW64\Mfokinhf.exe (C:\Windows\system32\Mfokinhf.exe), PID 3828
234. C:\Windows\SysWOW64\Mmicfh32.exe (C:\Windows\system32\Mmicfh32.exe), PID 3876
235. C:\Windows\SysWOW64\Nbflno32.exe (C:\Windows\system32\Nbflno32.exe), PID 3924
236. C:\Windows\SysWOW64\Nedhjj32.exe (C:\Windows\system32\Nedhjj32.exe), PID 3964
  - Adds autorun key to be loaded by Explorer.exe on startup
237. C:\Windows\SysWOW64\Nmkplgnq.exe (C:\Windows\system32\Nmkplgnq.exe), PID 4016
238. C:\Windows\SysWOW64\Nibqqh32.exe (C:\Windows\system32\Nibqqh32.exe), PID 4072
  - Drops file in System32 directory
  - Modifies registry class
239. C:\Windows\SysWOW64\Nplimbka.exe (C:\Windows\system32\Nplimbka.exe), PID 1132
240. C:\Windows\SysWOW64\Neiaeiii.exe (C:\Windows\system32\Neiaeiii.exe), PID 1968
241. C:\Windows\SysWOW64\Nidmfh32.exe (C:\Windows\system32\Nidmfh32.exe), PID 3152
242. C:\Windows\SysWOW64\Napbjjom.exe (C:\Windows\system32\Napbjjom.exe), PID 3228