Analysis

max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 02:13

Static task: static1

Behavioral task: behavioral1
  Sample: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe
  Resource: win10v2004-20240508-en

General

Target: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe
Size: 163KB
MD5: a5d676bf2333c24096aa7e658bc73390
SHA1: 062a3fe5ac692602566b2628e2eeb42c20aec3cc
SHA256: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23
SHA512: 403a1dea6f949589d82c0a9fce25abf849c8d4e966c9d3bcd307573c102c6f275a31388549a5251b95e0a05984759039ea0800a2bd22f484e5702eb228ac0680
SSDEEP: 1536:P3O0RZViAazzxymcrT8UbYlEmlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:BVVGERYlEmltOrWKDBr+yJb

Malware Config

Extracted: gozi

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Processes: Cadhnmnm.exe, Cdakgibq.exe, Qhmbagfa.exe, Qaefjm32.exe, Fmcoja32.exe, Kfaajlfp.exe, Aplpai32.exe, Bghabf32.exe, Dmafennb.exe, Globlmmj.exe, Hiekid32.exe, Cohigamf.exe, Okfencna.exe, Ldcamcih.exe, Nbdnoo32.exe, Bbdocc32.exe, Hahjpbad.exe, Mpdnkb32.exe, Mimbdhhb.exe, Kanopipl.exe, Flmefm32.exe, Ghoegl32.exe, Jgnamk32.exe, Kahojc32.exe, Onhgbmfb.exe, Pogclp32.exe, Qbcpbo32.exe, Ppamme32.exe, Aekodi32.exe, Aehboi32.exe, Lbnemk32.exe, Lijjoe32.exe, Ofjfhk32.exe, Pcnbablo.exe, Bdgafdfp.exe, Chpmpg32.exe, Kaceodek.exe, Albjlcao.exe, Icbimi32.exe, Ebpkce32.exe, Kaklpcoc.exe, Ajjcbpdd.exe, Chhjkl32.exe, Ajdadamj.exe, Bebkpn32.exe, Dnilobkm.exe, Jkpgfn32.exe, Pmanoifd.exe, Qimhoi32.exe, Ndjdlffl.exe, Caknol32.exe, Cgpgce32.exe, Cgbdhd32.exe, Chcqpmep.exe, Ffkcbgek.exe, Fpdhklkl.exe, Fphafl32.exe, Ghfbqn32.exe, Bingpmnl.exe, Egjpkffe.exe, Eibbcm32.exe, Iblpjdpk.exe, Egamfkdh.exe

description | ioc | process (rows grouped by identical description and ioc)

Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cadhnmnm.exe, Cdakgibq.exe, Qaefjm32.exe, Fmcoja32.exe, Bghabf32.exe, Dmafennb.exe, Globlmmj.exe, Bbdocc32.exe, Hahjpbad.exe, Mpdnkb32.exe, Flmefm32.exe, Kahojc32.exe, Onhgbmfb.exe, Pogclp32.exe, Qbcpbo32.exe, Ppamme32.exe, Aekodi32.exe, Aehboi32.exe, Lijjoe32.exe, Ofjfhk32.exe, Pcnbablo.exe, Bdgafdfp.exe, Kaceodek.exe, Icbimi32.exe, Kaklpcoc.exe, Bebkpn32.exe, Qimhoi32.exe, Albjlcao.exe, Chcqpmep.exe, Bingpmnl.exe, Eibbcm32.exe, Iblpjdpk.exe, Egamfkdh.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qhmbagfa.exe, Kfaajlfp.exe, Aplpai32.exe, Hiekid32.exe, Cohigamf.exe, Okfencna.exe, Ldcamcih.exe, Nbdnoo32.exe, Mimbdhhb.exe, Kanopipl.exe, Ghoegl32.exe, Jgnamk32.exe, Lbnemk32.exe, Chpmpg32.exe, Albjlcao.exe, Ebpkce32.exe, Ajjcbpdd.exe, Chhjkl32.exe, Ajdadamj.exe, Dnilobkm.exe, Jkpgfn32.exe, Pmanoifd.exe, Ndjdlffl.exe, Caknol32.exe, Cgpgce32.exe, Cgbdhd32.exe, Ffkcbgek.exe, Fpdhklkl.exe, Fphafl32.exe, Ghfbqn32.exe, Egjpkffe.exe
Detects executables built or packed with MPress PE compressor (64 IoCs)

resource | yara_rule (all 64 resources below matched INDICATOR_EXE_Packed_MPress)

\Windows\SysWOW64\Jmdcfg32.exe
C:\Windows\SysWOW64\Kbalnnam.exe
\Windows\SysWOW64\Kljqgc32.exe
C:\Windows\SysWOW64\Kbcicmpj.exe
\Windows\SysWOW64\Kinaqg32.exe
\Windows\SysWOW64\Kllmmc32.exe
\Windows\SysWOW64\Kfaajlfp.exe
\Windows\SysWOW64\Khcnad32.exe
\Windows\SysWOW64\Komfnnck.exe
\Windows\SysWOW64\Kibjkgca.exe
\Windows\SysWOW64\Kjcgco32.exe
C:\Windows\SysWOW64\Kanopipl.exe
\Windows\SysWOW64\Lhggmchi.exe
\Windows\SysWOW64\Loapim32.exe
\Windows\SysWOW64\Lekhfgfc.exe
C:\Windows\SysWOW64\Lhjdbcef.exe
C:\Windows\SysWOW64\Ldqegd32.exe
C:\Windows\SysWOW64\Lgoacojo.exe
C:\Windows\SysWOW64\Lpgele32.exe
C:\Windows\SysWOW64\Ldcamcih.exe
C:\Windows\SysWOW64\Lipjejgp.exe
C:\Windows\SysWOW64\Llnfaffc.exe
behavioral1/memory/2668-269-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Lpjbad32.exe
C:\Windows\SysWOW64\Libgjj32.exe
C:\Windows\SysWOW64\Loooca32.exe
C:\Windows\SysWOW64\Mgfgdn32.exe
C:\Windows\SysWOW64\Moalhq32.exe
C:\Windows\SysWOW64\Maphdl32.exe
C:\Windows\SysWOW64\Migpeiag.exe
C:\Windows\SysWOW64\Mochnppo.exe
C:\Windows\SysWOW64\Mabejlob.exe
C:\Windows\SysWOW64\Mlgigdoh.exe
C:\Windows\SysWOW64\Mepnpj32.exe
C:\Windows\SysWOW64\Mhnjle32.exe
C:\Windows\SysWOW64\Mohbip32.exe
C:\Windows\SysWOW64\Mpjoqhah.exe
C:\Windows\SysWOW64\Nnnojlpa.exe
C:\Windows\SysWOW64\Naikkk32.exe
C:\Windows\SysWOW64\Nkaocp32.exe
C:\Windows\SysWOW64\Nnplpl32.exe
C:\Windows\SysWOW64\Ndjdlffl.exe
C:\Windows\SysWOW64\Nfkpdn32.exe
C:\Windows\SysWOW64\Nocemcbj.exe
C:\Windows\SysWOW64\Ngkmnacm.exe
C:\Windows\SysWOW64\Nhlifi32.exe
C:\Windows\SysWOW64\Ncancbha.exe
C:\Windows\SysWOW64\Nbdnoo32.exe
C:\Windows\SysWOW64\Nhnfkigh.exe
C:\Windows\SysWOW64\Nmjblg32.exe
C:\Windows\SysWOW64\Nohnhc32.exe
C:\Windows\SysWOW64\Nbfjdn32.exe
C:\Windows\SysWOW64\Odegpj32.exe
C:\Windows\SysWOW64\Ohqbqhde.exe
C:\Windows\SysWOW64\Okoomd32.exe
C:\Windows\SysWOW64\Onmkio32.exe
C:\Windows\SysWOW64\Obigjnkf.exe
C:\Windows\SysWOW64\Odgcfijj.exe
C:\Windows\SysWOW64\Ogfpbeim.exe
C:\Windows\SysWOW64\Onphoo32.exe
C:\Windows\SysWOW64\Oqndkj32.exe
C:\Windows\SysWOW64\Odjpkihg.exe
C:\Windows\SysWOW64\Oghlgdgk.exe
C:\Windows\SysWOW64\Okchhc32.exe
UPX dump on OEP (original entry point) (64 IoCs)

resource | yara_rule (all 64 resources below matched UPX)

\Windows\SysWOW64\Jmdcfg32.exe
C:\Windows\SysWOW64\Kbalnnam.exe
\Windows\SysWOW64\Kljqgc32.exe
C:\Windows\SysWOW64\Kbcicmpj.exe
\Windows\SysWOW64\Kinaqg32.exe
\Windows\SysWOW64\Kllmmc32.exe
\Windows\SysWOW64\Kfaajlfp.exe
\Windows\SysWOW64\Khcnad32.exe
\Windows\SysWOW64\Komfnnck.exe
\Windows\SysWOW64\Kibjkgca.exe
\Windows\SysWOW64\Kjcgco32.exe
C:\Windows\SysWOW64\Kanopipl.exe
\Windows\SysWOW64\Lhggmchi.exe
\Windows\SysWOW64\Loapim32.exe
\Windows\SysWOW64\Lekhfgfc.exe
C:\Windows\SysWOW64\Lhjdbcef.exe
C:\Windows\SysWOW64\Ldqegd32.exe
C:\Windows\SysWOW64\Lgoacojo.exe
C:\Windows\SysWOW64\Lpgele32.exe
C:\Windows\SysWOW64\Ldcamcih.exe
C:\Windows\SysWOW64\Lipjejgp.exe
C:\Windows\SysWOW64\Llnfaffc.exe
behavioral1/memory/2668-269-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Lpjbad32.exe
C:\Windows\SysWOW64\Libgjj32.exe
C:\Windows\SysWOW64\Loooca32.exe
C:\Windows\SysWOW64\Mgfgdn32.exe
C:\Windows\SysWOW64\Moalhq32.exe
C:\Windows\SysWOW64\Maphdl32.exe
C:\Windows\SysWOW64\Migpeiag.exe
C:\Windows\SysWOW64\Mochnppo.exe
C:\Windows\SysWOW64\Mabejlob.exe
C:\Windows\SysWOW64\Mlgigdoh.exe
C:\Windows\SysWOW64\Mepnpj32.exe
C:\Windows\SysWOW64\Mhnjle32.exe
C:\Windows\SysWOW64\Mohbip32.exe
C:\Windows\SysWOW64\Mpjoqhah.exe
C:\Windows\SysWOW64\Nnnojlpa.exe
C:\Windows\SysWOW64\Naikkk32.exe
C:\Windows\SysWOW64\Nkaocp32.exe
C:\Windows\SysWOW64\Nnplpl32.exe
C:\Windows\SysWOW64\Ndjdlffl.exe
C:\Windows\SysWOW64\Nfkpdn32.exe
C:\Windows\SysWOW64\Nocemcbj.exe
C:\Windows\SysWOW64\Ngkmnacm.exe
C:\Windows\SysWOW64\Nhlifi32.exe
C:\Windows\SysWOW64\Ncancbha.exe
C:\Windows\SysWOW64\Nbdnoo32.exe
C:\Windows\SysWOW64\Nhnfkigh.exe
C:\Windows\SysWOW64\Nmjblg32.exe
C:\Windows\SysWOW64\Nohnhc32.exe
C:\Windows\SysWOW64\Nbfjdn32.exe
C:\Windows\SysWOW64\Odegpj32.exe
C:\Windows\SysWOW64\Ohqbqhde.exe
C:\Windows\SysWOW64\Okoomd32.exe
C:\Windows\SysWOW64\Onmkio32.exe
C:\Windows\SysWOW64\Obigjnkf.exe
C:\Windows\SysWOW64\Odgcfijj.exe
C:\Windows\SysWOW64\Ogfpbeim.exe
C:\Windows\SysWOW64\Onphoo32.exe
C:\Windows\SysWOW64\Oqndkj32.exe
C:\Windows\SysWOW64\Odjpkihg.exe
C:\Windows\SysWOW64\Oghlgdgk.exe
C:\Windows\SysWOW64\Okchhc32.exe
Executes dropped EXE (64 IoCs)

pid | process

2824 | Jmdcfg32.exe
2520 | Kbalnnam.exe
2676 | Kljqgc32.exe
2744 | Kbcicmpj.exe
2588 | Kinaqg32.exe
2448 | Kllmmc32.exe
2100 | Kfaajlfp.exe
2476 | Khcnad32.exe
2644 | Komfnnck.exe
1884 | Kibjkgca.exe
1888 | Kjcgco32.exe
764 | Kanopipl.exe
1632 | Lhggmchi.exe
2800 | Loapim32.exe
2276 | Lekhfgfc.exe
2052 | Lhjdbcef.exe
984 | Ldqegd32.exe
1788 | Lgoacojo.exe
1468 | Lpgele32.exe
988 | Ldcamcih.exe
2668 | Lipjejgp.exe
312 | Llnfaffc.exe
1856 | Lpjbad32.exe
944 | Libgjj32.exe
2936 | Loooca32.exe
1864 | Mgfgdn32.exe
2072 | Moalhq32.exe
2368 | Maphdl32.exe
2840 | Migpeiag.exe
2244 | Mochnppo.exe
2452 | Mabejlob.exe
2344 | Mlgigdoh.exe
2948 | Mepnpj32.exe
760 | Mhnjle32.exe
1964 | Mohbip32.exe
1592 | Mpjoqhah.exe
272 | Nnnojlpa.exe
2316 | Naikkk32.exe
348 | Nkaocp32.exe
1688 | Nnplpl32.exe
2820 | Ndjdlffl.exe
2640 | Nfkpdn32.exe
1180 | Nocemcbj.exe
1568 | Ngkmnacm.exe
2248 | Nhlifi32.exe
2264 | Ncancbha.exe
1852 | Nbdnoo32.exe
1860 | Nhnfkigh.exe
912 | Nmjblg32.exe
1548 | Nohnhc32.exe
2832 | Nbfjdn32.exe
1656 | Odegpj32.exe
2976 | Ohqbqhde.exe
2712 | Okoomd32.exe
2092 | Okoomd32.exe
2552 | Onmkio32.exe
2428 | Obigjnkf.exe
2472 | Odgcfijj.exe
352 | Ogfpbeim.exe
2328 | Onphoo32.exe
1952 | Oqndkj32.exe
2304 | Odjpkihg.exe
836 | Oghlgdgk.exe
1004 | Okchhc32.exe
Loads dropped DLL (64 IoCs)

pid | process (each process is listed twice in the report, once per load)

2156 | b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe
2156 | b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe
2824 | Jmdcfg32.exe
2824 | Jmdcfg32.exe
2520 | Kbalnnam.exe
2520 | Kbalnnam.exe
2676 | Kljqgc32.exe
2676 | Kljqgc32.exe
2744 | Kbcicmpj.exe
2744 | Kbcicmpj.exe
2588 | Kinaqg32.exe
2588 | Kinaqg32.exe
2448 | Kllmmc32.exe
2448 | Kllmmc32.exe
2100 | Kfaajlfp.exe
2100 | Kfaajlfp.exe
2476 | Khcnad32.exe
2476 | Khcnad32.exe
2644 | Komfnnck.exe
2644 | Komfnnck.exe
1884 | Kibjkgca.exe
1884 | Kibjkgca.exe
1888 | Kjcgco32.exe
1888 | Kjcgco32.exe
764 | Kanopipl.exe
764 | Kanopipl.exe
1632 | Lhggmchi.exe
1632 | Lhggmchi.exe
2800 | Loapim32.exe
2800 | Loapim32.exe
2276 | Lekhfgfc.exe
2276 | Lekhfgfc.exe
2052 | Lhjdbcef.exe
2052 | Lhjdbcef.exe
984 | Ldqegd32.exe
984 | Ldqegd32.exe
1788 | Lgoacojo.exe
1788 | Lgoacojo.exe
1468 | Lpgele32.exe
1468 | Lpgele32.exe
988 | Ldcamcih.exe
988 | Ldcamcih.exe
2668 | Lipjejgp.exe
2668 | Lipjejgp.exe
312 | Llnfaffc.exe
312 | Llnfaffc.exe
1856 | Lpjbad32.exe
1856 | Lpjbad32.exe
944 | Libgjj32.exe
944 | Libgjj32.exe
2936 | Loooca32.exe
2936 | Loooca32.exe
1864 | Mgfgdn32.exe
1864 | Mgfgdn32.exe
2072 | Moalhq32.exe
2072 | Moalhq32.exe
2368 | Maphdl32.exe
2368 | Maphdl32.exe
2840 | Migpeiag.exe
2840 | Migpeiag.exe
2244 | Mochnppo.exe
2244 | Mochnppo.exe
2452 | Mabejlob.exe
2452 | Mabejlob.exe
Drops file in System32 directory (64 IoCs)

description | ioc | process

File opened for modification | C:\Windows\SysWOW64\Nohnhc32.exe | Nmjblg32.exe
File created | C:\Windows\SysWOW64\Bkodhe32.exe | Blmdlhmp.exe
File opened for modification | C:\Windows\SysWOW64\Ooeggp32.exe | Omfkke32.exe
File opened for modification | C:\Windows\SysWOW64\Cjdfmo32.exe | Ckafbbph.exe
File created | C:\Windows\SysWOW64\Jhcbom32.dll | Nhlifi32.exe
File created | C:\Windows\SysWOW64\Jmocpado.exe | Jicgpb32.exe
File created | C:\Windows\SysWOW64\Gjhfbach.dll | Chbjffad.exe
File created | C:\Windows\SysWOW64\Ejmebq32.exe | Efaibbij.exe
File opened for modification | C:\Windows\SysWOW64\Oikojfgk.exe | Ofmbnkhg.exe
File created | C:\Windows\SysWOW64\Blopagpd.dll | Dbfabp32.exe
File created | C:\Windows\SysWOW64\Ecfhengk.dll | Pcnbablo.exe
File opened for modification | C:\Windows\SysWOW64\Dbkknojp.exe | Dolnad32.exe
File opened for modification | C:\Windows\SysWOW64\Fcmgfkeg.exe | Faokjpfd.exe
File opened for modification | C:\Windows\SysWOW64\Ijgdngmf.exe | Ikddbj32.exe
File created | C:\Windows\SysWOW64\Abjebn32.exe | Anojbobe.exe
File created | C:\Windows\SysWOW64\Pfliqila.dll | Migpeiag.exe
File created | C:\Windows\SysWOW64\Mhllhfdh.dll | Mpjoqhah.exe
File created | C:\Windows\SysWOW64\Lphhoacd.dll | Ogfpbeim.exe
File created | C:\Windows\SysWOW64\Gbnccfpb.exe | Gobgcg32.exe
File created | C:\Windows\SysWOW64\Aefbii32.dll | Llkbap32.exe
File created | C:\Windows\SysWOW64\Cgbdhd32.exe | Coklgg32.exe
File created | C:\Windows\SysWOW64\Jjjacf32.exe | Ifnechbj.exe
File created | C:\Windows\SysWOW64\Bhlhkl32.dll | Kjljhjkl.exe
File created | C:\Windows\SysWOW64\Flmpfjke.dll | Kpkofpgq.exe
File opened for modification | C:\Windows\SysWOW64\Loapim32.exe | Lhggmchi.exe
File created | C:\Windows\SysWOW64\Aalmklfi.exe | Ampqjm32.exe
File opened for modification | C:\Windows\SysWOW64\Ldidkbpb.exe | Lefdpe32.exe
File opened for modification | C:\Windows\SysWOW64\Onmdoioa.exe | Ojahnj32.exe
File created | C:\Windows\SysWOW64\Iooklook.dll | Aadloj32.exe
File opened for modification | C:\Windows\SysWOW64\Hpapln32.exe | Hlfdkoin.exe
File created | C:\Windows\SysWOW64\Mimbdhhb.exe | Meagci32.exe
File created | C:\Windows\SysWOW64\Bbhela32.exe | Bafidiio.exe
File opened for modification | C:\Windows\SysWOW64\Bdgafdfp.exe | Bpleef32.exe
File opened for modification | C:\Windows\SysWOW64\Dhdcji32.exe | Dfffnn32.exe
File created | C:\Windows\SysWOW64\Keledb32.dll | Cfinoq32.exe
File created | C:\Windows\SysWOW64\Hhjhkq32.exe | Hellne32.exe
File created | C:\Windows\SysWOW64\Iklefg32.dll | Abmibdlh.exe
File created | C:\Windows\SysWOW64\Hleajblp.dll | Aenbdoii.exe
File opened for modification | C:\Windows\SysWOW64\Begeknan.exe | Bnpmipql.exe
File created | C:\Windows\SysWOW64\Ddeaalpg.exe | Dmoipopd.exe
File created | C:\Windows\SysWOW64\Gmibbifn.dll | Icbimi32.exe
File opened for modification | C:\Windows\SysWOW64\Lahkigca.exe | Lbeknj32.exe
File opened for modification | C:\Windows\SysWOW64\Qabcjgkh.exe | Pikkiijf.exe
File created | C:\Windows\SysWOW64\Ilcbjpbn.dll | Bdbhke32.exe
File created | C:\Windows\SysWOW64\Icplghmh.dll | Bagpopmj.exe
File created | C:\Windows\SysWOW64\Lgeceh32.dll | Copfbfjj.exe
File created | C:\Windows\SysWOW64\Alogkm32.dll | Hcplhi32.exe
File created | C:\Windows\SysWOW64\Enbfpg32.dll | Pogclp32.exe
File created | C:\Windows\SysWOW64\Amaipodm.dll | Pikkiijf.exe
File created | C:\Windows\SysWOW64\Aepojo32.exe | Abbbnchb.exe
File created | C:\Windows\SysWOW64\Dpbnlj32.dll | Jejhecaj.exe
File opened for modification | C:\Windows\SysWOW64\Nlbeqb32.exe | Nhfipcid.exe
File opened for modification | C:\Windows\SysWOW64\Cadhnmnm.exe | Ccahbp32.exe
File created | C:\Windows\SysWOW64\Nbfjdn32.exe | Nohnhc32.exe
File created | C:\Windows\SysWOW64\Cnkicn32.exe | Cohigamf.exe
File opened for modification | C:\Windows\SysWOW64\Doehqead.exe | Dpbheh32.exe
File created | C:\Windows\SysWOW64\Dnoillim.dll | Eeqdep32.exe
File created | C:\Windows\SysWOW64\Hpqpdnop.dll | Fmlapp32.exe
File created | C:\Windows\SysWOW64\Aoipdkgg.dll | Bdlblj32.exe
File created | C:\Windows\SysWOW64\Ojahnj32.exe | Ogblbo32.exe
File created | C:\Windows\SysWOW64\Pbqpqcoj.dll | Pgplkb32.exe
File opened for modification | C:\Windows\SysWOW64\Pfjbgnme.exe | Pggbla32.exe
File created | C:\Windows\SysWOW64\Aaobdjof.exe | Abmbhn32.exe
File created | C:\Windows\SysWOW64\Bbokmqie.exe | Bppoqeja.exe
Program crash (1 IoC)

pid | pid_target | process | target process

7100 | 6860 | WerFault.exe | Fkckeh32.exe
Modifies registry class (64 IoCs)

Processes: Oghlgdgk.exe, Dcknbh32.exe, Cpjiajeb.exe, Jqdipqbp.exe, Mijfnh32.exe, Dcadac32.exe, Ednpej32.exe, Mgfgdn32.exe, Meagci32.exe, Fdoclk32.exe, Nacgdhlp.exe, Kbcicmpj.exe, Hhjhkq32.exe, Aefeijle.exe, Dodonf32.exe, Pjcabmga.exe, Cddaphkn.exe, Aidnohbk.exe, Ajhgmpfg.exe, Kanopipl.exe, Eeempocb.exe, Bjlqhoba.exe, Lojomkdn.exe, Qcbllb32.exe, Eqbddk32.exe, Goddhg32.exe, Cghggc32.exe, Njlockkm.exe, Pggbla32.exe, Cldooj32.exe, Dliijipn.exe, Glfhll32.exe, Kcdnao32.exe, Leonofpp.exe, Ejhlgaeh.exe, Nohnhc32.exe, Epdkli32.exe, Inngcfid.exe, Lbnemk32.exe, Ldcamcih.exe, Abbbnchb.exe, Ohibdf32.exe, Hlcgeo32.exe, Cdgneh32.exe, Nnhkcj32.exe, Kibjkgca.exe, Ppmdbe32.exe, Kfegbj32.exe, Pimkpfeh.exe, Egllae32.exe, Obojhlbq.exe, Egafleqm.exe, Ghfbqn32.exe, Ndbcpd32.exe, Bmmiij32.exe, Pikkiijf.exe, Ojficpfn.exe, Pphjgfqq.exe, Ebbgid32.exe, Glaoalkh.exe, Mimbdhhb.exe, Ofmbnkhg.exe

description | ioc | process (rows with an identical description and ioc are grouped; the report's table is cut off after the last row below)

Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oghlgdgk.exe, Cpjiajeb.exe, Jqdipqbp.exe, Mijfnh32.exe, Ednpej32.exe, Dodonf32.exe, Pjcabmga.exe, Aidnohbk.exe, Bjlqhoba.exe, Lojomkdn.exe, Dliijipn.exe, Leonofpp.exe, Nohnhc32.exe, Abbbnchb.exe, Hlcgeo32.exe, Kfegbj32.exe, Obojhlbq.exe, Egafleqm.exe, Ndbcpd32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcknbh32.exe, Mgfgdn32.exe, Kbcicmpj.exe, Hhjhkq32.exe, Pggbla32.exe, Cldooj32.exe, Glfhll32.exe, Kcdnao32.exe, Epdkli32.exe, Ohibdf32.exe, Goddhg32.exe, Cdgneh32.exe, Egllae32.exe, Ghfbqn32.exe

Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijbioba.dll" | Dcadac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oincig32.dll" | Meagci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll" | Fdoclk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmbgl32.dll" | Nacgdhlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbgljdk.dll" | Aefeijle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll" | Cddaphkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdihmjpf.dll" | Ajhgmpfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfgfm32.dll" | Kanopipl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll" | Eeempocb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhglodcb.dll" | Qcbllb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll" | Eqbddk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll" | Goddhg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll" | Cghggc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjjdbdn.dll" | Njlockkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" | Ejhlgaeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehllae32.dll" | Inngcfid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbfqed32.dll" | Lbnemk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfecjakk.dll" | Ldcamcih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejeco32.dll" | Cpjiajeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnbefhd.dll" | Nnhkcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafpmhio.dll" | Kibjkgca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfegkapd.dll" | Ppmdbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkeqmgm.dll" | Pimkpfeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Giaekk32.dll" Bmmiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pikkiijf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojficpfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfdaihk.dll" Pphjgfqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkakief.dll" Ebbgid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glaoalkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimbdhhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmbnkhg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe, Jmdcfg32.exe, Kbalnnam.exe, Kljqgc32.exe, Kbcicmpj.exe, Kinaqg32.exe, Kllmmc32.exe, Kfaajlfp.exe, Khcnad32.exe, Komfnnck.exe, Kibjkgca.exe, Kjcgco32.exe, Kanopipl.exe, Lhggmchi.exe, Loapim32.exe, Lekhfgfc.exe
description pid process target process
PID 2156 wrote to memory of 2824 2156 b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe Jmdcfg32.exe
PID 2156 wrote to memory of 2824 2156 b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe Jmdcfg32.exe
PID 2156 wrote to memory of 2824 2156 b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe Jmdcfg32.exe
PID 2156 wrote to memory of 2824 2156 b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe Jmdcfg32.exe
PID 2824 wrote to memory of 2520 2824 Jmdcfg32.exe Kbalnnam.exe
PID 2824 wrote to memory of 2520 2824 Jmdcfg32.exe Kbalnnam.exe
PID 2824 wrote to memory of 2520 2824 Jmdcfg32.exe Kbalnnam.exe
PID 2824 wrote to memory of 2520 2824 Jmdcfg32.exe Kbalnnam.exe
PID 2520 wrote to memory of 2676 2520 Kbalnnam.exe Kljqgc32.exe
PID 2520 wrote to memory of 2676 2520 Kbalnnam.exe Kljqgc32.exe
PID 2520 wrote to memory of 2676 2520 Kbalnnam.exe Kljqgc32.exe
PID 2520 wrote to memory of 2676 2520 Kbalnnam.exe Kljqgc32.exe
PID 2676 wrote to memory of 2744 2676 Kljqgc32.exe Kbcicmpj.exe
PID 2676 wrote to memory of 2744 2676 Kljqgc32.exe Kbcicmpj.exe
PID 2676 wrote to memory of 2744 2676 Kljqgc32.exe Kbcicmpj.exe
PID 2676 wrote to memory of 2744 2676 Kljqgc32.exe Kbcicmpj.exe
PID 2744 wrote to memory of 2588 2744 Kbcicmpj.exe Kinaqg32.exe
PID 2744 wrote to memory of 2588 2744 Kbcicmpj.exe Kinaqg32.exe
PID 2744 wrote to memory of 2588 2744 Kbcicmpj.exe Kinaqg32.exe
PID 2744 wrote to memory of 2588 2744 Kbcicmpj.exe Kinaqg32.exe
PID 2588 wrote to memory of 2448 2588 Kinaqg32.exe Kllmmc32.exe
PID 2588 wrote to memory of 2448 2588 Kinaqg32.exe Kllmmc32.exe
PID 2588 wrote to memory of 2448 2588 Kinaqg32.exe Kllmmc32.exe
PID 2588 wrote to memory of 2448 2588 Kinaqg32.exe Kllmmc32.exe
PID 2448 wrote to memory of 2100 2448 Kllmmc32.exe Kfaajlfp.exe
PID 2448 wrote to memory of 2100 2448 Kllmmc32.exe Kfaajlfp.exe
PID 2448 wrote to memory of 2100 2448 Kllmmc32.exe Kfaajlfp.exe
PID 2448 wrote to memory of 2100 2448 Kllmmc32.exe Kfaajlfp.exe
PID 2100 wrote to memory of 2476 2100 Kfaajlfp.exe Khcnad32.exe
PID 2100 wrote to memory of 2476 2100 Kfaajlfp.exe Khcnad32.exe
PID 2100 wrote to memory of 2476 2100 Kfaajlfp.exe Khcnad32.exe
PID 2100 wrote to memory of 2476 2100 Kfaajlfp.exe Khcnad32.exe
PID 2476 wrote to memory of 2644 2476 Khcnad32.exe Komfnnck.exe
PID 2476 wrote to memory of 2644 2476 Khcnad32.exe Komfnnck.exe
PID 2476 wrote to memory of 2644 2476 Khcnad32.exe Komfnnck.exe
PID 2476 wrote to memory of 2644 2476 Khcnad32.exe Komfnnck.exe
PID 2644 wrote to memory of 1884 2644 Komfnnck.exe Kibjkgca.exe
PID 2644 wrote to memory of 1884 2644 Komfnnck.exe Kibjkgca.exe
PID 2644 wrote to memory of 1884 2644 Komfnnck.exe Kibjkgca.exe
PID 2644 wrote to memory of 1884 2644 Komfnnck.exe Kibjkgca.exe
PID 1884 wrote to memory of 1888 1884 Kibjkgca.exe Kjcgco32.exe
PID 1884 wrote to memory of 1888 1884 Kibjkgca.exe Kjcgco32.exe
PID 1884 wrote to memory of 1888 1884 Kibjkgca.exe Kjcgco32.exe
PID 1884 wrote to memory of 1888 1884 Kibjkgca.exe Kjcgco32.exe
PID 1888 wrote to memory of 764 1888 Kjcgco32.exe Kanopipl.exe
PID 1888 wrote to memory of 764 1888 Kjcgco32.exe Kanopipl.exe
PID 1888 wrote to memory of 764 1888 Kjcgco32.exe Kanopipl.exe
PID 1888 wrote to memory of 764 1888 Kjcgco32.exe Kanopipl.exe
PID 764 wrote to memory of 1632 764 Kanopipl.exe Lhggmchi.exe
PID 764 wrote to memory of 1632 764 Kanopipl.exe Lhggmchi.exe
PID 764 wrote to memory of 1632 764 Kanopipl.exe Lhggmchi.exe
PID 764 wrote to memory of 1632 764 Kanopipl.exe Lhggmchi.exe
PID 1632 wrote to memory of 2800 1632 Lhggmchi.exe Loapim32.exe
PID 1632 wrote to memory of 2800 1632 Lhggmchi.exe Loapim32.exe
PID 1632 wrote to memory of 2800 1632 Lhggmchi.exe Loapim32.exe
PID 1632 wrote to memory of 2800 1632 Lhggmchi.exe Loapim32.exe
PID 2800 wrote to memory of 2276 2800 Loapim32.exe Lekhfgfc.exe
PID 2800 wrote to memory of 2276 2800 Loapim32.exe Lekhfgfc.exe
PID 2800 wrote to memory of 2276 2800 Loapim32.exe Lekhfgfc.exe
PID 2800 wrote to memory of 2276 2800 Loapim32.exe Lekhfgfc.exe
PID 2276 wrote to memory of 2052 2276 Lekhfgfc.exe Lhjdbcef.exe
PID 2276 wrote to memory of 2052 2276 Lekhfgfc.exe Lhjdbcef.exe
PID 2276 wrote to memory of 2052 2276 Lekhfgfc.exe Lhjdbcef.exe
PID 2276 wrote to memory of 2052 2276 Lekhfgfc.exe Lhjdbcef.exe
Processes
[1] PID 2156: C:\Users\Admin\AppData\Local\Temp\b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[2] PID 2824: C:\Windows\SysWOW64\Jmdcfg32.exe (command line: C:\Windows\system32\Jmdcfg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[3] PID 2520: C:\Windows\SysWOW64\Kbalnnam.exe (command line: C:\Windows\system32\Kbalnnam.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[4] PID 2676: C:\Windows\SysWOW64\Kljqgc32.exe (command line: C:\Windows\system32\Kljqgc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[5] PID 2744: C:\Windows\SysWOW64\Kbcicmpj.exe (command line: C:\Windows\system32\Kbcicmpj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
[6] PID 2588: C:\Windows\SysWOW64\Kinaqg32.exe (command line: C:\Windows\system32\Kinaqg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[7] PID 2448: C:\Windows\SysWOW64\Kllmmc32.exe (command line: C:\Windows\system32\Kllmmc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[8] PID 2100: C:\Windows\SysWOW64\Kfaajlfp.exe (command line: C:\Windows\system32\Kfaajlfp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[9] PID 2476: C:\Windows\SysWOW64\Khcnad32.exe (command line: C:\Windows\system32\Khcnad32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[10] PID 2644: C:\Windows\SysWOW64\Komfnnck.exe (command line: C:\Windows\system32\Komfnnck.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[11] PID 1884: C:\Windows\SysWOW64\Kibjkgca.exe (command line: C:\Windows\system32\Kibjkgca.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
[12] PID 1888: C:\Windows\SysWOW64\Kjcgco32.exe (command line: C:\Windows\system32\Kjcgco32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[13] PID 764: C:\Windows\SysWOW64\Kanopipl.exe (command line: C:\Windows\system32\Kanopipl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
[14] PID 1632: C:\Windows\SysWOW64\Lhggmchi.exe (command line: C:\Windows\system32\Lhggmchi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
[15] PID 2800: C:\Windows\SysWOW64\Loapim32.exe (command line: C:\Windows\system32\Loapim32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[16] PID 2276: C:\Windows\SysWOW64\Lekhfgfc.exe (command line: C:\Windows\system32\Lekhfgfc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
[17] PID 2052: C:\Windows\SysWOW64\Lhjdbcef.exe (command line: C:\Windows\system32\Lhjdbcef.exe)
- Executes dropped EXE
- Loads dropped DLL
[18] PID 984: C:\Windows\SysWOW64\Ldqegd32.exe (command line: C:\Windows\system32\Ldqegd32.exe)
- Executes dropped EXE
- Loads dropped DLL
[19] PID 1788: C:\Windows\SysWOW64\Lgoacojo.exe (command line: C:\Windows\system32\Lgoacojo.exe)
- Executes dropped EXE
- Loads dropped DLL
[20] PID 1468: C:\Windows\SysWOW64\Lpgele32.exe (command line: C:\Windows\system32\Lpgele32.exe)
- Executes dropped EXE
- Loads dropped DLL
[21] PID 988: C:\Windows\SysWOW64\Ldcamcih.exe (command line: C:\Windows\system32\Ldcamcih.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
[22] PID 2668: C:\Windows\SysWOW64\Lipjejgp.exe (command line: C:\Windows\system32\Lipjejgp.exe)
- Executes dropped EXE
- Loads dropped DLL
[23] PID 312: C:\Windows\SysWOW64\Llnfaffc.exe (command line: C:\Windows\system32\Llnfaffc.exe)
- Executes dropped EXE
- Loads dropped DLL
[24] PID 1856: C:\Windows\SysWOW64\Lpjbad32.exe (command line: C:\Windows\system32\Lpjbad32.exe)
- Executes dropped EXE
- Loads dropped DLL
[25] PID 944: C:\Windows\SysWOW64\Libgjj32.exe (command line: C:\Windows\system32\Libgjj32.exe)
- Executes dropped EXE
- Loads dropped DLL
[26] PID 2936: C:\Windows\SysWOW64\Loooca32.exe (command line: C:\Windows\system32\Loooca32.exe)
- Executes dropped EXE
- Loads dropped DLL
[27] PID 1864: C:\Windows\SysWOW64\Mgfgdn32.exe (command line: C:\Windows\system32\Mgfgdn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
[28] PID 2072: C:\Windows\SysWOW64\Moalhq32.exe (command line: C:\Windows\system32\Moalhq32.exe)
- Executes dropped EXE
- Loads dropped DLL
[29] PID 2368: C:\Windows\SysWOW64\Maphdl32.exe (command line: C:\Windows\system32\Maphdl32.exe)
- Executes dropped EXE
- Loads dropped DLL
[30] PID 2840: C:\Windows\SysWOW64\Migpeiag.exe (command line: C:\Windows\system32\Migpeiag.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
[31] PID 2244: C:\Windows\SysWOW64\Mochnppo.exe (command line: C:\Windows\system32\Mochnppo.exe)
- Executes dropped EXE
- Loads dropped DLL
[32] PID 2452: C:\Windows\SysWOW64\Mabejlob.exe (command line: C:\Windows\system32\Mabejlob.exe)
- Executes dropped EXE
- Loads dropped DLL
[33] PID 2344: C:\Windows\SysWOW64\Mlgigdoh.exe (command line: C:\Windows\system32\Mlgigdoh.exe)
- Executes dropped EXE
[34] PID 2948: C:\Windows\SysWOW64\Mepnpj32.exe (command line: C:\Windows\system32\Mepnpj32.exe)
- Executes dropped EXE
[35] PID 760: C:\Windows\SysWOW64\Mhnjle32.exe (command line: C:\Windows\system32\Mhnjle32.exe)
- Executes dropped EXE
[36] PID 1964: C:\Windows\SysWOW64\Mohbip32.exe (command line: C:\Windows\system32\Mohbip32.exe)
- Executes dropped EXE
[37] PID 1592: C:\Windows\SysWOW64\Mpjoqhah.exe (command line: C:\Windows\system32\Mpjoqhah.exe)
- Executes dropped EXE
- Drops file in System32 directory
[38] PID 272: C:\Windows\SysWOW64\Nnnojlpa.exe (command line: C:\Windows\system32\Nnnojlpa.exe)
- Executes dropped EXE
[39] PID 2316: C:\Windows\SysWOW64\Naikkk32.exe (command line: C:\Windows\system32\Naikkk32.exe)
- Executes dropped EXE
[40] PID 348: C:\Windows\SysWOW64\Nkaocp32.exe (command line: C:\Windows\system32\Nkaocp32.exe)
- Executes dropped EXE
[41] PID 1688: C:\Windows\SysWOW64\Nnplpl32.exe (command line: C:\Windows\system32\Nnplpl32.exe)
- Executes dropped EXE
[42] PID 2820: C:\Windows\SysWOW64\Ndjdlffl.exe (command line: C:\Windows\system32\Ndjdlffl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[43] PID 2640: C:\Windows\SysWOW64\Nfkpdn32.exe (command line: C:\Windows\system32\Nfkpdn32.exe)
- Executes dropped EXE
[44] PID 1180: C:\Windows\SysWOW64\Nocemcbj.exe (command line: C:\Windows\system32\Nocemcbj.exe)
- Executes dropped EXE
[45] PID 1568: C:\Windows\SysWOW64\Ngkmnacm.exe (command line: C:\Windows\system32\Ngkmnacm.exe)
- Executes dropped EXE
[46] PID 2248: C:\Windows\SysWOW64\Nhlifi32.exe (command line: C:\Windows\system32\Nhlifi32.exe)
- Executes dropped EXE
- Drops file in System32 directory
[47] PID 2264: C:\Windows\SysWOW64\Ncancbha.exe (command line: C:\Windows\system32\Ncancbha.exe)
- Executes dropped EXE
[48] PID 1852: C:\Windows\SysWOW64\Nbdnoo32.exe (command line: C:\Windows\system32\Nbdnoo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
[49] PID 1860: C:\Windows\SysWOW64\Nhnfkigh.exe (command line: C:\Windows\system32\Nhnfkigh.exe)
- Executes dropped EXE
[50] PID 912: C:\Windows\SysWOW64\Nmjblg32.exe (command line: C:\Windows\system32\Nmjblg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
[51] PID 1548: C:\Windows\SysWOW64\Nohnhc32.exe (command line: C:\Windows\system32\Nohnhc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
[52] PID 2832: C:\Windows\SysWOW64\Nbfjdn32.exe (command line: C:\Windows\system32\Nbfjdn32.exe)
- Executes dropped EXE
[53] PID 1656: C:\Windows\SysWOW64\Odegpj32.exe (command line: C:\Windows\system32\Odegpj32.exe)
- Executes dropped EXE
[54] PID 2976: C:\Windows\SysWOW64\Ohqbqhde.exe (command line: C:\Windows\system32\Ohqbqhde.exe)
- Executes dropped EXE
[55] PID 2712: C:\Windows\SysWOW64\Okoomd32.exe (command line: C:\Windows\system32\Okoomd32.exe)
- Executes dropped EXE
[56] PID 2092: C:\Windows\SysWOW64\Okoomd32.exe (command line: C:\Windows\system32\Okoomd32.exe)
- Executes dropped EXE
[57] PID 2552: C:\Windows\SysWOW64\Onmkio32.exe (command line: C:\Windows\system32\Onmkio32.exe)
- Executes dropped EXE
[58] PID 2428: C:\Windows\SysWOW64\Obigjnkf.exe (command line: C:\Windows\system32\Obigjnkf.exe)
- Executes dropped EXE
[59] PID 2472: C:\Windows\SysWOW64\Odgcfijj.exe (command line: C:\Windows\system32\Odgcfijj.exe)
- Executes dropped EXE
[60] PID 352: C:\Windows\SysWOW64\Ogfpbeim.exe (command line: C:\Windows\system32\Ogfpbeim.exe)
- Executes dropped EXE
- Drops file in System32 directory
[61] PID 2328: C:\Windows\SysWOW64\Onphoo32.exe (command line: C:\Windows\system32\Onphoo32.exe)
- Executes dropped EXE
[62] PID 1952: C:\Windows\SysWOW64\Oqndkj32.exe (command line: C:\Windows\system32\Oqndkj32.exe)
- Executes dropped EXE
[63] PID 2304: C:\Windows\SysWOW64\Odjpkihg.exe (command line: C:\Windows\system32\Odjpkihg.exe)
- Executes dropped EXE
[64] PID 836: C:\Windows\SysWOW64\Oghlgdgk.exe (command line: C:\Windows\system32\Oghlgdgk.exe)
- Executes dropped EXE
- Modifies registry class
[65] PID 1004: C:\Windows\SysWOW64\Okchhc32.exe (command line: C:\Windows\system32\Okchhc32.exe)
- Executes dropped EXE
[66] PID 1116: C:\Windows\SysWOW64\Ojficpfn.exe (command line: C:\Windows\system32\Ojficpfn.exe)
- Modifies registry class
[67] PID 2220: C:\Windows\SysWOW64\Oelmai32.exe (command line: C:\Windows\system32\Oelmai32.exe)
[68] PID 840: C:\Windows\SysWOW64\Ocomlemo.exe (command line: C:\Windows\system32\Ocomlemo.exe)
[69] PID 1748: C:\Windows\SysWOW64\Okfencna.exe (command line: C:\Windows\system32\Okfencna.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[70] PID 1100: C:\Windows\SysWOW64\Ondajnme.exe (command line: C:\Windows\system32\Ondajnme.exe)
[71] PID 1700: C:\Windows\SysWOW64\Oenifh32.exe (command line: C:\Windows\system32\Oenifh32.exe)
[72] PID 1912: C:\Windows\SysWOW64\Oenifh32.exe (command line: C:\Windows\system32\Oenifh32.exe)
[73] PID 1524: C:\Windows\SysWOW64\Ogmfbd32.exe (command line: C:\Windows\system32\Ogmfbd32.exe)
[74] PID 1648: C:\Windows\SysWOW64\Ofpfnqjp.exe (command line: C:\Windows\system32\Ofpfnqjp.exe)
[75] PID 2756: C:\Windows\SysWOW64\Paejki32.exe (command line: C:\Windows\system32\Paejki32.exe)
[76] PID 2700: C:\Windows\SysWOW64\Paejki32.exe (command line: C:\Windows\system32\Paejki32.exe)
[77] PID 2732: C:\Windows\SysWOW64\Pphjgfqq.exe (command line: C:\Windows\system32\Pphjgfqq.exe)
- Modifies registry class
[78] PID 2536: C:\Windows\SysWOW64\Pgobhcac.exe (command line: C:\Windows\system32\Pgobhcac.exe)
[79] PID 2484: C:\Windows\SysWOW64\Pipopl32.exe (command line: C:\Windows\system32\Pipopl32.exe)
[80] PID 2504: C:\Windows\SysWOW64\Ppjglfon.exe (command line: C:\Windows\system32\Ppjglfon.exe)
[81] PID 2308: C:\Windows\SysWOW64\Pcfcmd32.exe (command line: C:\Windows\system32\Pcfcmd32.exe)
[82] PID 2192: C:\Windows\SysWOW64\Pbiciana.exe (command line: C:\Windows\system32\Pbiciana.exe)
[83] PID 2896: C:\Windows\SysWOW64\Pfdpip32.exe (command line: C:\Windows\system32\Pfdpip32.exe)
[84] PID 2796: C:\Windows\SysWOW64\Piblek32.exe (command line: C:\Windows\system32\Piblek32.exe)
[85] PID 756: C:\Windows\SysWOW64\Ppmdbe32.exe (command line: C:\Windows\system32\Ppmdbe32.exe)
- Modifies registry class
[86] PID 2044: C:\Windows\SysWOW64\Pbkpna32.exe (command line: C:\Windows\system32\Pbkpna32.exe)
[87] PID 1408: C:\Windows\SysWOW64\Peiljl32.exe (command line: C:\Windows\system32\Peiljl32.exe)
[88] PID 1480: C:\Windows\SysWOW64\Piehkkcl.exe (command line: C:\Windows\system32\Piehkkcl.exe)
[89] PID 1880: C:\Windows\SysWOW64\Pmqdkj32.exe (command line: C:\Windows\system32\Pmqdkj32.exe)
[90] PID 1452: C:\Windows\SysWOW64\Ppoqge32.exe (command line: C:\Windows\system32\Ppoqge32.exe)
[91] PID 2544: C:\Windows\SysWOW64\Pfiidobe.exe (command line: C:\Windows\system32\Pfiidobe.exe)
[92] PID 2684: C:\Windows\SysWOW64\Pelipl32.exe (command line: C:\Windows\system32\Pelipl32.exe)
[93] PID 2324: C:\Windows\SysWOW64\Phjelg32.exe (command line: C:\Windows\system32\Phjelg32.exe)
[94] PID 2596: C:\Windows\SysWOW64\Ppamme32.exe (command line: C:\Windows\system32\Ppamme32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[95] PID 1192: C:\Windows\SysWOW64\Pabjem32.exe (command line: C:\Windows\system32\Pabjem32.exe)
[96] PID 628: C:\Windows\SysWOW64\Pijbfj32.exe (command line: C:\Windows\system32\Pijbfj32.exe)
[97] PID 2184: C:\Windows\SysWOW64\Qhmbagfa.exe (command line: C:\Windows\system32\Qhmbagfa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[98] PID 1608: C:\Windows\SysWOW64\Qnfjna32.exe (command line: C:\Windows\system32\Qnfjna32.exe)
[99] PID 2252: C:\Windows\SysWOW64\Qbbfopeg.exe (command line: C:\Windows\system32\Qbbfopeg.exe)
[100] PID 2268: C:\Windows\SysWOW64\Qaefjm32.exe (command line: C:\Windows\system32\Qaefjm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[101] PID 2236: C:\Windows\SysWOW64\Qdccfh32.exe (command line: C:\Windows\system32\Qdccfh32.exe)
[102] PID 1676: C:\Windows\SysWOW64\Qhooggdn.exe (command line: C:\Windows\system32\Qhooggdn.exe)
[103] PID 1872: C:\Windows\SysWOW64\Qnigda32.exe (command line: C:\Windows\system32\Qnigda32.exe)
[104] PID 2112: C:\Windows\SysWOW64\Qmlgonbe.exe (command line: C:\Windows\system32\Qmlgonbe.exe)
[105] PID 1868: C:\Windows\SysWOW64\Qagcpljo.exe (command line: C:\Windows\system32\Qagcpljo.exe)
[106] PID 2608: C:\Windows\SysWOW64\Ahakmf32.exe (command line: C:\Windows\system32\Ahakmf32.exe)
[107] PID 2120: C:\Windows\SysWOW64\Afdlhchf.exe (command line: C:\Windows\system32\Afdlhchf.exe)
[108] PID 2440: C:\Windows\SysWOW64\Ajphib32.exe (command line: C:\Windows\system32\Ajphib32.exe)
[109] PID 2420: C:\Windows\SysWOW64\Amndem32.exe (command line: C:\Windows\system32\Amndem32.exe)
[110] PID 2132: C:\Windows\SysWOW64\Aplpai32.exe (command line: C:\Windows\system32\Aplpai32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[111] PID 1756: C:\Windows\SysWOW64\Adhlaggp.exe (command line: C:\Windows\system32\Adhlaggp.exe)
[112] PID 1996: C:\Windows\SysWOW64\Affhncfc.exe (command line: C:\Windows\system32\Affhncfc.exe)
[113] PID 2204: C:\Windows\SysWOW64\Ajbdna32.exe (command line: C:\Windows\system32\Ajbdna32.exe)
[114] PID 1336: C:\Windows\SysWOW64\Ampqjm32.exe (command line: C:\Windows\system32\Ampqjm32.exe)
- Drops file in System32 directory
[115] PID 1264: C:\Windows\SysWOW64\Aalmklfi.exe (command line: C:\Windows\system32\Aalmklfi.exe)
[116] PID 2136: C:\Windows\SysWOW64\Apomfh32.exe (command line: C:\Windows\system32\Apomfh32.exe)
[117] PID 2384: C:\Windows\SysWOW64\Abmibdlh.exe (command line: C:\Windows\system32\Abmibdlh.exe)
- Drops file in System32 directory
[118] PID 2388: C:\Windows\SysWOW64\Ajdadamj.exe (command line: C:\Windows\system32\Ajdadamj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[119] PID 1544: C:\Windows\SysWOW64\Aigaon32.exe (command line: C:\Windows\system32\Aigaon32.exe)
[120] PID 2496: C:\Windows\SysWOW64\Alenki32.exe (command line: C:\Windows\system32\Alenki32.exe)
[121] PID 1536: C:\Windows\SysWOW64\Admemg32.exe (command line: C:\Windows\system32\Admemg32.exe)
[122] PID 2172: C:\Windows\SysWOW64\Afkbib32.exe (command line: C:\Windows\system32\Afkbib32.exe)
[123] PID 2680: C:\Windows\SysWOW64\Aenbdoii.exe (command line: C:\Windows\system32\Aenbdoii.exe)
- Drops file in System32 directory
[124] PID 2488: C:\Windows\SysWOW64\Amejeljk.exe (command line: C:\Windows\system32\Amejeljk.exe)
[125] PID 2724: C:\Windows\SysWOW64\Alhjai32.exe (command line: C:\Windows\system32\Alhjai32.exe)
[126] PID 1956: C:\Windows\SysWOW64\Aoffmd32.exe (command line: C:\Windows\system32\Aoffmd32.exe)
[127] PID 2648: C:\Windows\SysWOW64\Abbbnchb.exe (command line: C:\Windows\system32\Abbbnchb.exe)
- Drops file in System32 directory
- Modifies registry class
[128] PID 552: C:\Windows\SysWOW64\Aepojo32.exe (command line: C:\Windows\system32\Aepojo32.exe)
[129] PID 2632: C:\Windows\SysWOW64\Ailkjmpo.exe (command line: C:\Windows\system32\Ailkjmpo.exe)
[130] PID 2788: C:\Windows\SysWOW64\Aljgfioc.exe (command line: C:\Windows\system32\Aljgfioc.exe)
[131] PID 2864: C:\Windows\SysWOW64\Bpfcgg32.exe (command line: C:\Windows\system32\Bpfcgg32.exe)
[132] PID 1512: C:\Windows\SysWOW64\Bbdocc32.exe (command line: C:\Windows\system32\Bbdocc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[133] PID 1248: C:\Windows\SysWOW64\Bagpopmj.exe (command line: C:\Windows\system32\Bagpopmj.exe)
- Drops file in System32 directory
[134] PID 1280: C:\Windows\SysWOW64\Bebkpn32.exe (command line: C:\Windows\system32\Bebkpn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[135] PID 2540: C:\Windows\SysWOW64\Bingpmnl.exe (command line: C:\Windows\system32\Bingpmnl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[136] PID 2704: C:\Windows\SysWOW64\Blmdlhmp.exe (command line: C:\Windows\system32\Blmdlhmp.exe)
- Drops file in System32 directory
[137] PID 2912: C:\Windows\SysWOW64\Bkodhe32.exe (command line: C:\Windows\system32\Bkodhe32.exe)
[138] PID 1988: C:\Windows\SysWOW64\Bbflib32.exe (command line: C:\Windows\system32\Bbflib32.exe)
[139] PID 2392: C:\Windows\SysWOW64\Beehencq.exe (command line: C:\Windows\system32\Beehencq.exe)
[140] PID 280: C:\Windows\SysWOW64\Bdhhqk32.exe (command line: C:\Windows\system32\Bdhhqk32.exe)
[141] PID 3016: C:\Windows\SysWOW64\Bhcdaibd.exe (command line: C:\Windows\system32\Bhcdaibd.exe)
[142] PID 2988: C:\Windows\SysWOW64\Bkaqmeah.exe (command line: C:\Windows\system32\Bkaqmeah.exe)
[143] PID 2932: C:\Windows\SysWOW64\Bnpmipql.exe (command line: C:\Windows\system32\Bnpmipql.exe)
- Drops file in System32 directory
[144] PID 1252: C:\Windows\SysWOW64\Begeknan.exe (command line: C:\Windows\system32\Begeknan.exe)
[145] PID 2748: C:\Windows\SysWOW64\Bdjefj32.exe (command line: C:\Windows\system32\Bdjefj32.exe)
[146] PID 2412: C:\Windows\SysWOW64\Bghabf32.exe (command line: C:\Windows\system32\Bghabf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[147] PID 2008: C:\Windows\SysWOW64\Bkdmcdoe.exe (command line: C:\Windows\system32\Bkdmcdoe.exe)
[148] PID 664: C:\Windows\SysWOW64\Bnbjopoi.exe (command line: C:\Windows\system32\Bnbjopoi.exe)
[149] PID 2456: C:\Windows\SysWOW64\Bpafkknm.exe (command line: C:\Windows\system32\Bpafkknm.exe)
[150] PID 2260: C:\Windows\SysWOW64\Bdlblj32.exe (command line: C:\Windows\system32\Bdlblj32.exe)
- Drops file in System32 directory
[151] PID 1216: C:\Windows\SysWOW64\Bhhnli32.exe (command line: C:\Windows\system32\Bhhnli32.exe)
[152] PID 1292: C:\Windows\SysWOW64\Bpcbqk32.exe (command line: C:\Windows\system32\Bpcbqk32.exe)
[153] PID 2804: C:\Windows\SysWOW64\Bdooajdc.exe (command line: C:\Windows\system32\Bdooajdc.exe)
[154] PID 2612: C:\Windows\SysWOW64\Cgmkmecg.exe (command line: C:\Windows\system32\Cgmkmecg.exe)
[155] PID 2188: C:\Windows\SysWOW64\Ckignd32.exe (command line: C:\Windows\system32\Ckignd32.exe)
[156] PID 1744: C:\Windows\SysWOW64\Cngcjo32.exe (command line: C:\Windows\system32\Cngcjo32.exe)
[157] PID 1976: C:\Windows\SysWOW64\Cljcelan.exe (command line: C:\Windows\system32\Cljcelan.exe)
[158] PID 2200: C:\Windows\SysWOW64\Cpeofk32.exe (command line: C:\Windows\system32\Cpeofk32.exe)
[159] PID 772: C:\Windows\SysWOW64\Cdakgibq.exe (command line: C:\Windows\system32\Cdakgibq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[160] PID 2996: C:\Windows\SysWOW64\Cgpgce32.exe (command line: C:\Windows\system32\Cgpgce32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[161] PID 2548: C:\Windows\SysWOW64\Cfbhnaho.exe (command line: C:\Windows\system32\Cfbhnaho.exe)
[162] PID 2740: C:\Windows\SysWOW64\Cnippoha.exe (command line: C:\Windows\system32\Cnippoha.exe)
[163] PID 2768: C:\Windows\SysWOW64\Cllpkl32.exe (command line: C:\Windows\system32\Cllpkl32.exe)
[164] PID 1520: C:\Windows\SysWOW64\Coklgg32.exe (command line: C:\Windows\system32\Coklgg32.exe)
- Drops file in System32 directory
[165] PID 2856: C:\Windows\SysWOW64\Cgbdhd32.exe (command line: C:\Windows\system32\Cgbdhd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[166] PID 2688: C:\Windows\SysWOW64\Cfeddafl.exe (command line: C:\Windows\system32\Cfeddafl.exe)
[167] PID 1660: C:\Windows\SysWOW64\Chcqpmep.exe (command line: C:\Windows\system32\Chcqpmep.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[168] PID 1736: C:\Windows\SysWOW64\Clomqk32.exe (command line: C:\Windows\system32\Clomqk32.exe)
[169] PID 1944: C:\Windows\SysWOW64\Cpjiajeb.exe (command line: C:\Windows\system32\Cpjiajeb.exe)
- Modifies registry class
[170] PID 2160: C:\Windows\SysWOW64\Cciemedf.exe (command line: C:\Windows\system32\Cciemedf.exe)
[171] PID 2736: C:\Windows\SysWOW64\Cbkeib32.exe (command line: C:\Windows\system32\Cbkeib32.exe)
[172] PID 2940: C:\Windows\SysWOW64\Cjbmjplb.exe (command line: C:\Windows\system32\Cjbmjplb.exe)
[173] PID 320: C:\Windows\SysWOW64\Chemfl32.exe (command line: C:\Windows\system32\Chemfl32.exe)
[174] PID 3032: C:\Windows\SysWOW64\Ckdjbh32.exe (command line: C:\Windows\system32\Ckdjbh32.exe)
[175] PID 2908: C:\Windows\SysWOW64\Copfbfjj.exe (command line: C:\Windows\system32\Copfbfjj.exe)
- Drops file in System32 directory
[176] PID 1616: C:\Windows\SysWOW64\Cbnbobin.exe (command line: C:\Windows\system32\Cbnbobin.exe)
[177] PID 1752: C:\Windows\SysWOW64\Cfinoq32.exe (command line: C:\Windows\system32\Cfinoq32.exe)
- Drops file in System32 directory
[178] PID 1684: C:\Windows\SysWOW64\Chhjkl32.exe (command line: C:\Windows\system32\Chhjkl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[179] PID 1356: C:\Windows\SysWOW64\Clcflkic.exe (command line: C:\Windows\system32\Clcflkic.exe)
[180] PID 1900: C:\Windows\SysWOW64\Ckffgg32.exe (command line: C:\Windows\system32\Ckffgg32.exe)
[181] PID 1928: C:\Windows\SysWOW64\Cobbhfhg.exe (command line: C:\Windows\system32\Cobbhfhg.exe)
[182] PID 588: C:\Windows\SysWOW64\Dbpodagk.exe (command line: C:\Windows\system32\Dbpodagk.exe)
[183] PID 2300: C:\Windows\SysWOW64\Dflkdp32.exe (command line: C:\Windows\system32\Dflkdp32.exe)
[184] PID 2656: C:\Windows\SysWOW64\Dhjgal32.exe (command line: C:\Windows\system32\Dhjgal32.exe)
[185] PID 2336: C:\Windows\SysWOW64\Dgmglh32.exe (command line: C:\Windows\system32\Dgmglh32.exe)
[186] PID 2848: C:\Windows\SysWOW64\Dodonf32.exe (command line: C:\Windows\system32\Dodonf32.exe)
- Modifies registry class
[187] PID 3080: C:\Windows\SysWOW64\Dngoibmo.exe (command line: C:\Windows\system32\Dngoibmo.exe)
[188] PID 3120: C:\Windows\SysWOW64\Dqelenlc.exe (command line: C:\Windows\system32\Dqelenlc.exe)
[189] PID 3160: C:\Windows\SysWOW64\Ddagfm32.exe (command line: C:\Windows\system32\Ddagfm32.exe)
[190] PID 3200: C:\Windows\SysWOW64\Dgodbh32.exe (command line: C:\Windows\system32\Dgodbh32.exe)
[191] PID 3228: C:\Windows\SysWOW64\Dgodbh32.exe (command line: C:\Windows\system32\Dgodbh32.exe)
[192] PID 3252: C:\Windows\SysWOW64\Djnpnc32.exe (command line: C:\Windows\system32\Djnpnc32.exe)
[193] PID 3292: C:\Windows\SysWOW64\Dnilobkm.exe (command line: C:\Windows\system32\Dnilobkm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[194] PID 3332: C:\Windows\SysWOW64\Dqhhknjp.exe (command line: C:\Windows\system32\Dqhhknjp.exe)
[195] PID 3372: C:\Windows\SysWOW64\Ddcdkl32.exe (command line: C:\Windows\system32\Ddcdkl32.exe)
[196] PID 3412: C:\Windows\SysWOW64\Dgaqgh32.exe (command line: C:\Windows\system32\Dgaqgh32.exe)
[197] PID 3452: C:\Windows\SysWOW64\Dkmmhf32.exe (command line: C:\Windows\system32\Dkmmhf32.exe)
[198] PID 3496: C:\Windows\SysWOW64\Dnlidb32.exe (command line: C:\Windows\system32\Dnlidb32.exe)
[199] PID 3536: C:\Windows\SysWOW64\Dmoipopd.exe (command line: C:\Windows\system32\Dmoipopd.exe)
- Drops file in System32 directory
[200] PID 3576: C:\Windows\SysWOW64\Ddeaalpg.exe (command line: C:\Windows\system32\Ddeaalpg.exe)
[201] PID 3616: C:\Windows\SysWOW64\Dchali32.exe (command line: C:\Windows\system32\Dchali32.exe)
[202] PID 3656: C:\Windows\SysWOW64\Dfgmhd32.exe (command line: C:\Windows\system32\Dfgmhd32.exe)
[203] PID 3696: C:\Windows\SysWOW64\Djbiicon.exe (command line: C:\Windows\system32\Djbiicon.exe)
[204] PID 3736: C:\Windows\SysWOW64\Dmafennb.exe (command line: C:\Windows\system32\Dmafennb.exe)
[205] PID 3768: C:\Windows\SysWOW64\Dmafennb.exe (command line: C:\Windows\system32\Dmafennb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[206] PID 3792: C:\Windows\SysWOW64\Dcknbh32.exe (command line: C:\Windows\system32\Dcknbh32.exe)
- Modifies registry class
[207] PID 3832: C:\Windows\SysWOW64\Dgfjbgmh.exe (command line: C:\Windows\system32\Dgfjbgmh.exe)
[208] PID 3872: C:\Windows\SysWOW64\Dfijnd32.exe (command line: C:\Windows\system32\Dfijnd32.exe)
[209] PID 3912: C:\Windows\SysWOW64\Eihfjo32.exe (command line: C:\Windows\system32\Eihfjo32.exe)
[210] PID 3952: C:\Windows\SysWOW64\Eqonkmdh.exe (command line: C:\Windows\system32\Eqonkmdh.exe)
[211] PID 3992: C:\Windows\SysWOW64\Epaogi32.exe (command line: C:\Windows\system32\Epaogi32.exe)
[212] PID 4032: C:\Windows\SysWOW64\Ebpkce32.exe (command line: C:\Windows\system32\Ebpkce32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[213] PID 4072: C:\Windows\SysWOW64\Eflgccbp.exe (command line: C:\Windows\system32\Eflgccbp.exe)
[214] PID 2968: C:\Windows\SysWOW64\Ejgcdb32.exe (command line: C:\Windows\system32\Ejgcdb32.exe)
[215] PID 3128: C:\Windows\SysWOW64\Emeopn32.exe (command line: C:\Windows\system32\Emeopn32.exe)
[216] PID 3180: C:\Windows\SysWOW64\Epdkli32.exe (command line: C:\Windows\system32\Epdkli32.exe)
- Modifies registry class
[217] PID 3224: C:\Windows\SysWOW64\Ecpgmhai.exe (command line: C:\Windows\system32\Ecpgmhai.exe)
[218] PID 3280: C:\Windows\SysWOW64\Ebbgid32.exe (command line: C:\Windows\system32\Ebbgid32.exe)
- Modifies registry class
[219] PID 3328: C:\Windows\SysWOW64\Eeqdep32.exe (command line: C:\Windows\system32\Eeqdep32.exe)
- Drops file in System32 directory
[220] PID 3388: C:\Windows\SysWOW64\Eilpeooq.exe (command line: C:\Windows\system32\Eilpeooq.exe)
[221] PID 3428: C:\Windows\SysWOW64\Emhlfmgj.exe (command line: C:\Windows\system32\Emhlfmgj.exe)
[222] PID 3480: C:\Windows\SysWOW64\Epfhbign.exe (command line: C:\Windows\system32\Epfhbign.exe)
[223] PID 3532: C:\Windows\SysWOW64\Enihne32.exe (command line: C:\Windows\system32\Enihne32.exe)
[224] PID 3588: C:\Windows\SysWOW64\Efppoc32.exe (command line: C:\Windows\system32\Efppoc32.exe)
[225] PID 3596: C:\Windows\SysWOW64\Eecqjpee.exe (command line: C:\Windows\system32\Eecqjpee.exe)
[226] PID 3684: C:\Windows\SysWOW64\Egamfkdh.exe (command line: C:\Windows\system32\Egamfkdh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
[227] PID 3676: C:\Windows\SysWOW64\Elmigj32.exe (command line: C:\Windows\system32\Elmigj32.exe)
[228] PID 3784: C:\Windows\SysWOW64\Enkece32.exe (command line: C:\Windows\system32\Enkece32.exe)
[229] PID 3848: C:\Windows\SysWOW64\Ebgacddo.exe (command line: C:\Windows\system32\Ebgacddo.exe)
[230] PID 3888: C:\Windows\SysWOW64\Eeempocb.exe (command line: C:\Windows\system32\Eeempocb.exe)
- Modifies registry class
[231] PID 3940: C:\Windows\SysWOW64\Eiaiqn32.exe (command line: C:\Windows\system32\Eiaiqn32.exe)
[232] PID 3984: C:\Windows\SysWOW64\Egdilkbf.exe (command line: C:\Windows\system32\Egdilkbf.exe)
[233] PID 4044: C:\Windows\SysWOW64\Ejbfhfaj.exe (command line: C:\Windows\system32\Ejbfhfaj.exe)
[234] PID 4052: C:\Windows\SysWOW64\Ennaieib.exe (command line: C:\Windows\system32\Ennaieib.exe)
[235] PID 3112: C:\Windows\SysWOW64\Ebinic32.exe (command line: C:\Windows\system32\Ebinic32.exe)
[236] PID 3176: C:\Windows\SysWOW64\Fehjeo32.exe (command line: C:\Windows\system32\Fehjeo32.exe)
[237] PID 3248: C:\Windows\SysWOW64\Fckjalhj.exe (command line: C:\Windows\system32\Fckjalhj.exe)
[238] PID 3244: C:\Windows\SysWOW64\Flabbihl.exe (command line: C:\Windows\system32\Flabbihl.exe)
[239] PID 3368: C:\Windows\SysWOW64\Flabbihl.exe (command line: C:\Windows\system32\Flabbihl.exe)
C:\Windows\SysWOW64\Flabbihl.exeC:\Windows\system32\Flabbihl.exe239⤵PID:3368
-
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe240⤵PID:3352
-
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3460 -
C:\Windows\SysWOW64\Faokjpfd.exeC:\Windows\system32\Faokjpfd.exe242⤵
- Drops file in System32 directory
PID:3508