Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 02:13
Static task: static1

Behavioral task: behavioral1
Sample: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe
Resource: win10v2004-20240508-en
General
Target: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe
Size: 163KB
MD5: a5d676bf2333c24096aa7e658bc73390
SHA1: 062a3fe5ac692602566b2628e2eeb42c20aec3cc
SHA256: b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23
SHA512: 403a1dea6f949589d82c0a9fce25abf849c8d4e966c9d3bcd307573c102c6f275a31388549a5251b95e0a05984759039ea0800a2bd22f484e5702eb228ac0680
SSDEEP: 1536:P3O0RZViAazzxymcrT8UbYlEmlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:BVVGERYlEmltOrWKDBr+yJb
Malware Config
Extracted: gozi
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Detects executables built or packed with MPress PE compressor (64 IoCs)
UPX dump on OEP (original entry point) (64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
WerFault.exe (pid 11004) handled a crash of target process Dmllipeg.exe (pid 10976)
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elikfp32.dll" Gmlhii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllifblf.dll" Jfaedkdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmppcbjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakaql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijfboafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojalgcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmoeoidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfqlnm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe"C:\Users\Admin\AppData\Local\Temp\b02d1fbeeb25bd0def829f0c2a26e3e33cec5d2a42c95e13f0fee3e85e64ca23.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\Hihicplj.exeC:\Windows\system32\Hihicplj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Hcnnaikp.exeC:\Windows\system32\Hcnnaikp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Hpgkkioa.exeC:\Windows\system32\Hpgkkioa.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Hbeghene.exeC:\Windows\system32\Hbeghene.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hpihai32.exeC:\Windows\system32\Hpihai32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Hmmhjm32.exeC:\Windows\system32\Hmmhjm32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Iffmccbi.exeC:\Windows\system32\Iffmccbi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Iakaql32.exeC:\Windows\system32\Iakaql32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Ibmmhdhm.exeC:\Windows\system32\Ibmmhdhm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Iiffen32.exeC:\Windows\system32\Iiffen32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Iannfk32.exeC:\Windows\system32\Iannfk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ijfboafl.exeC:\Windows\system32\Ijfboafl.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Ifmcdblq.exeC:\Windows\system32\Ifmcdblq.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Imgkql32.exeC:\Windows\system32\Imgkql32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Jpgdbg32.exeC:\Windows\system32\Jpgdbg32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4940 -
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe24⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe25⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Jjpeepnb.exeC:\Windows\system32\Jjpeepnb.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Jjbako32.exeC:\Windows\system32\Jjbako32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Jaljgidl.exeC:\Windows\system32\Jaljgidl.exe31⤵
- Executes dropped EXE
PID:4464 -
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Jigollag.exeC:\Windows\system32\Jigollag.exe33⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe34⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe35⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Jkfkfohj.exeC:\Windows\system32\Jkfkfohj.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:4060 -
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe37⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Kmegbjgn.exeC:\Windows\system32\Kmegbjgn.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe39⤵
- Executes dropped EXE
PID:4900 -
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3492 -
C:\Windows\SysWOW64\Kkihknfg.exeC:\Windows\system32\Kkihknfg.exe41⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Kmgdgjek.exeC:\Windows\system32\Kmgdgjek.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Kpepcedo.exeC:\Windows\system32\Kpepcedo.exe43⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Kbdmpqcb.exeC:\Windows\system32\Kbdmpqcb.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe45⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe46⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Kphmie32.exeC:\Windows\system32\Kphmie32.exe47⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe48⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe49⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe50⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Kpjjod32.exeC:\Windows\system32\Kpjjod32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Kgdbkohf.exeC:\Windows\system32\Kgdbkohf.exe52⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Kibnhjgj.exeC:\Windows\system32\Kibnhjgj.exe53⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Kdhbec32.exeC:\Windows\system32\Kdhbec32.exe55⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Kkbkamnl.exeC:\Windows\system32\Kkbkamnl.exe56⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Lalcng32.exeC:\Windows\system32\Lalcng32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe58⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe59⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Lgikfn32.exeC:\Windows\system32\Lgikfn32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe62⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3852 -
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe64⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe65⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe66⤵
- Modifies registry class
PID:4064 -
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe67⤵
- Drops file in System32 directory
PID:3196 -
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe68⤵
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe69⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Laciofpa.exeC:\Windows\system32\Laciofpa.exe70⤵PID:1256
-
C:\Windows\SysWOW64\Lgpagm32.exeC:\Windows\system32\Lgpagm32.exe71⤵PID:4996
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe73⤵PID:4412
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:876 -
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe75⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe76⤵PID:3388
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe77⤵
- Modifies registry class
PID:3232 -
C:\Windows\SysWOW64\Mgghhlhq.exeC:\Windows\system32\Mgghhlhq.exe78⤵PID:2828
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe79⤵PID:2728
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe80⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Mncmjfmk.exeC:\Windows\system32\Mncmjfmk.exe81⤵PID:4008
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe82⤵PID:2224
-
C:\Windows\SysWOW64\Mgnnhk32.exeC:\Windows\system32\Mgnnhk32.exe83⤵PID:4964
-
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe84⤵PID:4564
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe86⤵PID:4608
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe87⤵
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe88⤵
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3168 -
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe90⤵
- Drops file in System32 directory
PID:3148 -
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe91⤵
- Modifies registry class
PID:524 -
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe92⤵PID:5132
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe93⤵PID:5176
-
C:\Windows\SysWOW64\Ogogoi32.exeC:\Windows\system32\Ogogoi32.exe94⤵
- Drops file in System32 directory
PID:5220 -
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe95⤵PID:5264
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe96⤵
- Drops file in System32 directory
PID:5308 -
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe97⤵PID:5352
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe98⤵PID:5384
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe99⤵
- Modifies registry class
PID:5432 -
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe100⤵PID:5476
-
C:\Windows\SysWOW64\Ocgdji32.exeC:\Windows\system32\Ocgdji32.exe101⤵PID:5524
-
C:\Windows\SysWOW64\Okolkg32.exeC:\Windows\system32\Okolkg32.exe102⤵
- Drops file in System32 directory
PID:5568 -
C:\Windows\SysWOW64\Ojalgcnd.exeC:\Windows\system32\Ojalgcnd.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:5608 -
C:\Windows\SysWOW64\Obidhaog.exeC:\Windows\system32\Obidhaog.exe104⤵PID:5652
-
C:\Windows\SysWOW64\Oqkdcn32.exeC:\Windows\system32\Oqkdcn32.exe105⤵PID:5692
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe106⤵PID:5736
-
C:\Windows\SysWOW64\Pnpemb32.exeC:\Windows\system32\Pnpemb32.exe107⤵PID:5780
-
C:\Windows\SysWOW64\Pqnaim32.exeC:\Windows\system32\Pqnaim32.exe108⤵PID:5824
-
C:\Windows\SysWOW64\Pghieg32.exeC:\Windows\system32\Pghieg32.exe109⤵PID:5896
-
C:\Windows\SysWOW64\Pbmncp32.exeC:\Windows\system32\Pbmncp32.exe110⤵PID:5956
-
C:\Windows\SysWOW64\Pgjfkg32.exeC:\Windows\system32\Pgjfkg32.exe111⤵PID:5992
-
C:\Windows\SysWOW64\Pabkdmpi.exeC:\Windows\system32\Pabkdmpi.exe112⤵PID:6040
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6084 -
C:\Windows\SysWOW64\Pgopffec.exeC:\Windows\system32\Pgopffec.exe114⤵PID:6128
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe115⤵PID:5144
-
C:\Windows\SysWOW64\Pbddcoei.exeC:\Windows\system32\Pbddcoei.exe116⤵PID:5228
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe117⤵
- Modifies registry class
PID:5404 -
C:\Windows\SysWOW64\Qgallfcq.exeC:\Windows\system32\Qgallfcq.exe118⤵
- Drops file in System32 directory
PID:5500 -
C:\Windows\SysWOW64\Qjpiha32.exeC:\Windows\system32\Qjpiha32.exe119⤵PID:5576
-
C:\Windows\SysWOW64\Qchmagie.exeC:\Windows\system32\Qchmagie.exe120⤵
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe121⤵
- Drops file in System32 directory
PID:5720 -
C:\Windows\SysWOW64\Qjbena32.exeC:\Windows\system32\Qjbena32.exe122⤵PID:5788
-
C:\Windows\SysWOW64\Qbimoo32.exeC:\Windows\system32\Qbimoo32.exe123⤵PID:5872
-
C:\Windows\SysWOW64\Qalnjkgo.exeC:\Windows\system32\Qalnjkgo.exe124⤵PID:5948
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe125⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6024 -
C:\Windows\SysWOW64\Ajdbcano.exeC:\Windows\system32\Ajdbcano.exe126⤵
- Drops file in System32 directory
- Modifies registry class
PID:6092 -
C:\Windows\SysWOW64\Anpncp32.exeC:\Windows\system32\Anpncp32.exe127⤵PID:5152
-
C:\Windows\SysWOW64\Abkjdnoa.exeC:\Windows\system32\Abkjdnoa.exe128⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5216 -
C:\Windows\SysWOW64\Aejfpjne.exeC:\Windows\system32\Aejfpjne.exe129⤵PID:5320
-
C:\Windows\SysWOW64\Ahhblemi.exeC:\Windows\system32\Ahhblemi.exe130⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe131⤵PID:5468
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe132⤵
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe133⤵PID:5680
-
C:\Windows\SysWOW64\Aelcfilb.exeC:\Windows\system32\Aelcfilb.exe134⤵PID:5852
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe135⤵PID:6016
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe136⤵PID:6120
-
C:\Windows\SysWOW64\Ajiknpjj.exeC:\Windows\system32\Ajiknpjj.exe137⤵
- Drops file in System32 directory
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Andgoobc.exeC:\Windows\system32\Andgoobc.exe138⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5420 -
C:\Windows\SysWOW64\Aacckjaf.exeC:\Windows\system32\Aacckjaf.exe139⤵PID:5184
-
C:\Windows\SysWOW64\Adapgfqj.exeC:\Windows\system32\Adapgfqj.exe140⤵PID:5836
-
C:\Windows\SysWOW64\Ahmlgd32.exeC:\Windows\system32\Ahmlgd32.exe141⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6076 -
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe142⤵PID:5292
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe143⤵PID:5484
-
C:\Windows\SysWOW64\Abbpem32.exeC:\Windows\system32\Abbpem32.exe144⤵PID:5904
-
C:\Windows\SysWOW64\Aealah32.exeC:\Windows\system32\Aealah32.exe145⤵PID:5512
-
C:\Windows\SysWOW64\Adcmmeog.exeC:\Windows\system32\Adcmmeog.exe146⤵PID:5832
-
C:\Windows\SysWOW64\Alkdnboj.exeC:\Windows\system32\Alkdnboj.exe147⤵PID:6184
-
C:\Windows\SysWOW64\Abemjmgg.exeC:\Windows\system32\Abemjmgg.exe148⤵PID:6228
-
C:\Windows\SysWOW64\Becifhfj.exeC:\Windows\system32\Becifhfj.exe149⤵PID:6296
-
C:\Windows\SysWOW64\Bhaebcen.exeC:\Windows\system32\Bhaebcen.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6348 -
C:\Windows\SysWOW64\Blmacb32.exeC:\Windows\system32\Blmacb32.exe151⤵PID:6424
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe152⤵
- Modifies registry class
PID:6464 -
C:\Windows\SysWOW64\Bbgipldd.exeC:\Windows\system32\Bbgipldd.exe153⤵PID:6508
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe154⤵PID:6548
-
C:\Windows\SysWOW64\Bdhfhe32.exeC:\Windows\system32\Bdhfhe32.exe155⤵
- Drops file in System32 directory
- Modifies registry class
PID:6584 -
C:\Windows\SysWOW64\Bjbndobo.exeC:\Windows\system32\Bjbndobo.exe156⤵
- Drops file in System32 directory
PID:6748 -
C:\Windows\SysWOW64\Bnnjen32.exeC:\Windows\system32\Bnnjen32.exe157⤵PID:6788
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe158⤵PID:6832
-
C:\Windows\SysWOW64\Bdkcmdhp.exeC:\Windows\system32\Bdkcmdhp.exe159⤵
- Drops file in System32 directory
PID:6876 -
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe160⤵PID:6916
-
C:\Windows\SysWOW64\Bjdkjo32.exeC:\Windows\system32\Bjdkjo32.exe161⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6972 -
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe162⤵
- Drops file in System32 directory
PID:7016 -
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe163⤵PID:7052
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe164⤵PID:7092
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe165⤵PID:7128
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe166⤵
- Modifies registry class
PID:7164 -
C:\Windows\SysWOW64\Bemlmgnp.exeC:\Windows\system32\Bemlmgnp.exe167⤵
- Drops file in System32 directory
PID:6224 -
C:\Windows\SysWOW64\Bhkhibmc.exeC:\Windows\system32\Bhkhibmc.exe168⤵PID:6288
-
C:\Windows\SysWOW64\Bkidenlg.exeC:\Windows\system32\Bkidenlg.exe169⤵
- Modifies registry class
PID:6380 -
C:\Windows\SysWOW64\Cacmah32.exeC:\Windows\system32\Cacmah32.exe170⤵PID:6472
-
C:\Windows\SysWOW64\Cdainc32.exeC:\Windows\system32\Cdainc32.exe171⤵
- Drops file in System32 directory
PID:6540 -
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe172⤵PID:6612
-
C:\Windows\SysWOW64\Cklaknjd.exeC:\Windows\system32\Cklaknjd.exe173⤵
- Drops file in System32 directory
PID:6664 -
C:\Windows\SysWOW64\Cbcilkjg.exeC:\Windows\system32\Cbcilkjg.exe174⤵PID:6568
-
C:\Windows\SysWOW64\Ceaehfjj.exeC:\Windows\system32\Ceaehfjj.exe175⤵PID:6732
-
C:\Windows\SysWOW64\Chpada32.exeC:\Windows\system32\Chpada32.exe176⤵PID:6784
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe177⤵PID:6864
-
C:\Windows\SysWOW64\Cbefaj32.exeC:\Windows\system32\Cbefaj32.exe178⤵
- Drops file in System32 directory
PID:6932 -
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe179⤵PID:7000
-
C:\Windows\SysWOW64\Cecbmf32.exeC:\Windows\system32\Cecbmf32.exe180⤵PID:7072
-
C:\Windows\SysWOW64\Clnjjpod.exeC:\Windows\system32\Clnjjpod.exe181⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7136
- C:\Windows\SysWOW64\Cbgbgj32.exe C:\Windows\system32\Cbgbgj32.exe 182⤵
  - Modifies registry class
  PID:6216
- C:\Windows\SysWOW64\Cajcbgml.exe C:\Windows\system32\Cajcbgml.exe 183⤵
  PID:6340
- C:\Windows\SysWOW64\Cdiooblp.exe C:\Windows\system32\Cdiooblp.exe 184⤵
  PID:6536
- C:\Windows\SysWOW64\Clpgpp32.exe C:\Windows\system32\Clpgpp32.exe 185⤵
  PID:6608
- C:\Windows\SysWOW64\Cbjoljdo.exe C:\Windows\system32\Cbjoljdo.exe 186⤵
  PID:6700
- C:\Windows\SysWOW64\Cdkldb32.exe C:\Windows\system32\Cdkldb32.exe 187⤵
  PID:6768
- C:\Windows\SysWOW64\Clbceo32.exe C:\Windows\system32\Clbceo32.exe 188⤵
  PID:6928
- C:\Windows\SysWOW64\Ckedalaj.exe C:\Windows\system32\Ckedalaj.exe 189⤵
  PID:7060
- C:\Windows\SysWOW64\Doqpak32.exe C:\Windows\system32\Doqpak32.exe 190⤵
  PID:7116
- C:\Windows\SysWOW64\Dekhneap.exe C:\Windows\system32\Dekhneap.exe 191⤵
  - Drops file in System32 directory
  PID:5492
- C:\Windows\SysWOW64\Dkgqfl32.exe C:\Windows\system32\Dkgqfl32.exe 192⤵
  - Modifies registry class
  PID:6604
- C:\Windows\SysWOW64\Dboigi32.exe C:\Windows\system32\Dboigi32.exe 193⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:6712
- C:\Windows\SysWOW64\Demecd32.exe C:\Windows\system32\Demecd32.exe 194⤵
  - Modifies registry class
  PID:6872
- C:\Windows\SysWOW64\Dhkapp32.exe C:\Windows\system32\Dhkapp32.exe 195⤵
  PID:7088
- C:\Windows\SysWOW64\Dkjmlk32.exe C:\Windows\system32\Dkjmlk32.exe 196⤵
  PID:6360
- C:\Windows\SysWOW64\Dbaemi32.exe C:\Windows\system32\Dbaemi32.exe 197⤵
  PID:6688
- C:\Windows\SysWOW64\Deoaid32.exe C:\Windows\system32\Deoaid32.exe 198⤵
  PID:7008
- C:\Windows\SysWOW64\Ddbbeade.exe C:\Windows\system32\Ddbbeade.exe 199⤵
  PID:6496
- C:\Windows\SysWOW64\Dlijfneg.exe C:\Windows\system32\Dlijfneg.exe 200⤵
  - Drops file in System32 directory
  PID:6956
- C:\Windows\SysWOW64\Dohfbj32.exe C:\Windows\system32\Dohfbj32.exe 201⤵
  PID:6844
- C:\Windows\SysWOW64\Dafbne32.exe C:\Windows\system32\Dafbne32.exe 202⤵
  PID:7172
- C:\Windows\SysWOW64\Dddojq32.exe C:\Windows\system32\Dddojq32.exe 203⤵
  - Modifies registry class
  PID:7216
- C:\Windows\SysWOW64\Dhpjkojk.exe C:\Windows\system32\Dhpjkojk.exe 204⤵
  PID:7260
- C:\Windows\SysWOW64\Dkoggkjo.exe C:\Windows\system32\Dkoggkjo.exe 205⤵
  PID:7308
- C:\Windows\SysWOW64\Dojcgi32.exe C:\Windows\system32\Dojcgi32.exe 206⤵
  PID:7344
- C:\Windows\SysWOW64\Dahode32.exe C:\Windows\system32\Dahode32.exe 207⤵
  PID:7380
- C:\Windows\SysWOW64\Ddgkpp32.exe C:\Windows\system32\Ddgkpp32.exe 208⤵
  PID:7416
- C:\Windows\SysWOW64\Dlncan32.exe C:\Windows\system32\Dlncan32.exe 209⤵
  PID:7456
- C:\Windows\SysWOW64\Ekacmjgl.exe C:\Windows\system32\Ekacmjgl.exe 210⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:7496
- C:\Windows\SysWOW64\Echknh32.exe C:\Windows\system32\Echknh32.exe 211⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7536
- C:\Windows\SysWOW64\Eaklidoi.exe C:\Windows\system32\Eaklidoi.exe 212⤵
  PID:7576
- C:\Windows\SysWOW64\Edihepnm.exe C:\Windows\system32\Edihepnm.exe 213⤵
  PID:7612
- C:\Windows\SysWOW64\Ehedfo32.exe C:\Windows\system32\Ehedfo32.exe 214⤵
  PID:7648
- C:\Windows\SysWOW64\Elppfmoo.exe C:\Windows\system32\Elppfmoo.exe 215⤵
  PID:7684
- C:\Windows\SysWOW64\Ekcpbj32.exe C:\Windows\system32\Ekcpbj32.exe 216⤵
  - Drops file in System32 directory
  PID:7724
- C:\Windows\SysWOW64\Ecjhcg32.exe C:\Windows\system32\Ecjhcg32.exe 217⤵
  PID:7760
- C:\Windows\SysWOW64\Eeidoc32.exe C:\Windows\system32\Eeidoc32.exe 218⤵
  - Modifies registry class
  PID:7800
- C:\Windows\SysWOW64\Ehgqln32.exe C:\Windows\system32\Ehgqln32.exe 219⤵
  PID:7836
- C:\Windows\SysWOW64\Elbmlmml.exe C:\Windows\system32\Elbmlmml.exe 220⤵
  PID:7876
- C:\Windows\SysWOW64\Eoaihhlp.exe C:\Windows\system32\Eoaihhlp.exe 221⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:7920
- C:\Windows\SysWOW64\Ecmeig32.exe C:\Windows\system32\Ecmeig32.exe 222⤵
  PID:7964
- C:\Windows\SysWOW64\Eapedd32.exe C:\Windows\system32\Eapedd32.exe 223⤵
  - Modifies registry class
  PID:8004
- C:\Windows\SysWOW64\Ehimanbq.exe C:\Windows\system32\Ehimanbq.exe 224⤵
  - Drops file in System32 directory
  PID:8044
- C:\Windows\SysWOW64\Eleiam32.exe C:\Windows\system32\Eleiam32.exe 225⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:8092
- C:\Windows\SysWOW64\Ekhjmiad.exe C:\Windows\system32\Ekhjmiad.exe 226⤵
  PID:8148
- C:\Windows\SysWOW64\Ecoangbg.exe C:\Windows\system32\Ecoangbg.exe 227⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:8188
- C:\Windows\SysWOW64\Eabbjc32.exe C:\Windows\system32\Eabbjc32.exe 228⤵
  PID:7224
- C:\Windows\SysWOW64\Edpnfo32.exe C:\Windows\system32\Edpnfo32.exe 229⤵
  PID:7300
- C:\Windows\SysWOW64\Elgfgl32.exe C:\Windows\system32\Elgfgl32.exe 230⤵
  - Modifies registry class
  PID:7368
- C:\Windows\SysWOW64\Ekjfcipa.exe C:\Windows\system32\Ekjfcipa.exe 231⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7424
- C:\Windows\SysWOW64\Eofbch32.exe C:\Windows\system32\Eofbch32.exe 232⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:7488
- C:\Windows\SysWOW64\Eadopc32.exe C:\Windows\system32\Eadopc32.exe 233⤵
  PID:7552
- C:\Windows\SysWOW64\Eepjpb32.exe C:\Windows\system32\Eepjpb32.exe 234⤵
  PID:7632
- C:\Windows\SysWOW64\Ehnglm32.exe C:\Windows\system32\Ehnglm32.exe 235⤵
  - Drops file in System32 directory
  PID:7692
- C:\Windows\SysWOW64\Fljcmlfd.exe C:\Windows\system32\Fljcmlfd.exe 236⤵
  PID:7748
- C:\Windows\SysWOW64\Fohoigfh.exe C:\Windows\system32\Fohoigfh.exe 237⤵
  PID:7824
- C:\Windows\SysWOW64\Fcckif32.exe C:\Windows\system32\Fcckif32.exe 238⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:5752
- C:\Windows\SysWOW64\Fafkecel.exe C:\Windows\system32\Fafkecel.exe 239⤵
  PID:7884
- C:\Windows\SysWOW64\Fkopnh32.exe C:\Windows\system32\Fkopnh32.exe 240⤵
  PID:7948
- C:\Windows\SysWOW64\Fojlngce.exe C:\Windows\system32\Fojlngce.exe 241⤵
  - Modifies registry class
  PID:8012
- C:\Windows\SysWOW64\Faihkbci.exe C:\Windows\system32\Faihkbci.exe 242⤵
  PID:8080