Analysis
-
max time kernel
24s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05-03-2024 19:15
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe
-
Size
430KB
-
MD5
d9c59ec2ac39b090ae098a5398a9d204
-
SHA1
7fd7b7e395ed123afa6491a1b6cff5df58dd1971
-
SHA256
343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484
-
SHA512
86b6b22aec38674d5714296b9020c7807dca3d05fb7a96bea8cfe402f2b510ccbc36f4bac0f3a893eb19a32f25154bc6f10e4b3758f054186e6992c0bf6d1811
-
SSDEEP
3072:P+7RRSq1vYqBVrVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFD0AlWsnzj:PmRS8vY0rRs+HLlD0rN2ZwVht740Psz
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnopldgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dljkcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegcbjkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflkaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpcikdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjnla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgncfcaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmifhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjoofhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjifhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqemdbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odebolpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjkjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlndnacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkpegi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgpkpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdgbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjnla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mioabp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afajafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diphbfdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhneehek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkkjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqamje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blaopqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdmihpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bepjha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohigamf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphhenhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpnmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgbeoibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npgihn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkpegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhohda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblifo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfhil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljmlbfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdhpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqjfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfikmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehakigbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gblifo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gligjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbgpkpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpcikdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abjebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpjgifpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecfldoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padeldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edlfhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknoaoaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghiaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghiaof32.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x000d0000000133a4-5.dat UPX behavioral1/files/0x002b000000015c5b-21.dat UPX behavioral1/files/0x0009000000015db7-33.dat UPX behavioral1/files/0x000700000001680a-51.dat UPX behavioral1/files/0x000700000001680a-50.dat UPX behavioral1/files/0x000700000001680a-48.dat UPX behavioral1/files/0x000700000001680a-55.dat UPX behavioral1/files/0x000700000001680a-54.dat UPX behavioral1/files/0x0010000000015c7a-69.dat UPX behavioral1/files/0x0006000000018aec-79.dat UPX behavioral1/files/0x0006000000018b36-92.dat UPX behavioral1/files/0x0006000000018b46-101.dat UPX behavioral1/files/0x0006000000018b6f-113.dat UPX behavioral1/files/0x0006000000018b9c-128.dat UPX behavioral1/files/0x0006000000018d07-137.dat UPX behavioral1/files/0x0005000000019302-149.dat UPX behavioral1/files/0x000500000001933d-167.dat UPX behavioral1/files/0x000400000001939a-180.dat UPX behavioral1/files/0x00040000000193b3-185.dat UPX behavioral1/files/0x0004000000019413-204.dat UPX behavioral1/files/0x000400000001944a-210.dat UPX behavioral1/files/0x0004000000019454-218.dat UPX behavioral1/files/0x000400000001946a-226.dat UPX behavioral1/files/0x0004000000019472-234.dat UPX behavioral1/files/0x0004000000019487-242.dat UPX behavioral1/files/0x00040000000194d1-250.dat UPX behavioral1/files/0x00040000000194d9-258.dat UPX behavioral1/files/0x00040000000194e0-266.dat UPX behavioral1/files/0x00050000000194ed-274.dat UPX behavioral1/files/0x00050000000194f1-282.dat UPX behavioral1/files/0x00050000000194f5-290.dat UPX behavioral1/files/0x0005000000019527-298.dat UPX behavioral1/files/0x000500000001952b-306.dat UPX behavioral1/files/0x0005000000019555-314.dat UPX behavioral1/files/0x0005000000019581-322.dat UPX behavioral1/files/0x00050000000199ae-330.dat UPX behavioral1/files/0x00050000000199b2-338.dat UPX behavioral1/files/0x0005000000019c05-346.dat UPX behavioral1/files/0x0005000000019c11-354.dat UPX behavioral1/files/0x0005000000019e39-357.dat UPX behavioral1/files/0x0005000000019fc6-370.dat UPX behavioral1/files/0x000500000001a013-378.dat UPX behavioral1/files/0x000500000001a2d2-386.dat UPX behavioral1/files/0x000500000001a3bc-396.dat UPX behavioral1/files/0x000500000001a3be-402.dat UPX behavioral1/files/0x000500000001a3df-410.dat UPX behavioral1/files/0x000500000001a40c-418.dat UPX behavioral1/files/0x000500000001a41b-426.dat UPX behavioral1/files/0x000500000001a430-434.dat UPX behavioral1/files/0x000500000001a434-437.dat UPX behavioral1/files/0x000500000001a438-450.dat UPX behavioral1/files/0x000500000001a43c-458.dat UPX behavioral1/files/0x000500000001a440-466.dat UPX behavioral1/files/0x000500000001a443-474.dat UPX behavioral1/files/0x000500000001a446-482.dat UPX behavioral1/files/0x000500000001a449-490.dat UPX behavioral1/files/0x000500000001a44c-498.dat UPX behavioral1/files/0x000500000001a450-501.dat UPX behavioral1/files/0x000500000001a454-514.dat UPX behavioral1/files/0x000500000001a458-522.dat UPX behavioral1/files/0x000500000001a45c-530.dat UPX behavioral1/files/0x000500000001a460-538.dat UPX behavioral1/files/0x000500000001a464-546.dat UPX behavioral1/files/0x000500000001a468-554.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 2776 Qimhoi32.exe 2632 Alnqqd32.exe 2064 Abjebn32.exe 2580 Bjlqhoba.exe 2456 Bbjbaa32.exe 2340 Bpnbkeld.exe 2736 Cohigamf.exe 2848 Cnaocmmi.exe 1812 Dndlim32.exe 1976 Dbhnhp32.exe 1972 Dookgcij.exe 1032 Ejmebq32.exe 1540 Emnndlod.exe 1532 Fekpnn32.exe 2028 Fhneehek.exe 1688 Gnmgmbhb.exe 3028 Gfjhgdck.exe 1872 Gljnej32.exe 1068 Hlljjjnm.exe 1192 Hedocp32.exe 2320 Hhgdkjol.exe 1384 Hiknhbcg.exe 1388 Hdqbekcm.exe 1104 Illgimph.exe 2344 Inkccpgk.exe 1552 Igchlf32.exe 1940 Ijdqna32.exe 1728 Iapebchh.exe 332 Jabbhcfe.exe 2816 Jkjfah32.exe 2264 Jchhkjhn.exe 1604 Jjbpgd32.exe 2544 Jmbiipml.exe 2540 Kiijnq32.exe 2788 Kbbngf32.exe 2440 Kjifhc32.exe 2408 Kofopj32.exe 2092 Kbfhbeek.exe 2392 Kicmdo32.exe 2396 Kjdilgpc.exe 2748 Ljffag32.exe 812 Lcojjmea.exe 776 Ljibgg32.exe 344 Lgmcqkkh.exe 2204 Lphhenhc.exe 436 Ljmlbfhi.exe 1592 Lpjdjmfp.exe 1640 Libicbma.exe 864 Mooaljkh.exe 1264 Moanaiie.exe 2044 Modkfi32.exe 2236 Mkklljmg.exe 2004 Mdcpdp32.exe 3068 Moidahcn.exe 1444 Mpjqiq32.exe 1860 Nkpegi32.exe 784 Ngfflj32.exe 1080 Niebhf32.exe 1096 Nekbmgcn.exe 1724 Npagjpcd.exe 2244 Nenobfak.exe 2224 Npccpo32.exe 908 Nhohda32.exe 2268 Oohqqlei.exe -
Loads dropped DLL 64 IoCs
pid Process 2212 343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe 2212 343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe 2776 Qimhoi32.exe 2776 Qimhoi32.exe 2632 Alnqqd32.exe 2632 Alnqqd32.exe 2064 Abjebn32.exe 2064 Abjebn32.exe 2580 Bjlqhoba.exe 2580 Bjlqhoba.exe 2456 Bbjbaa32.exe 2456 Bbjbaa32.exe 2340 Bpnbkeld.exe 2340 Bpnbkeld.exe 2736 Cohigamf.exe 2736 Cohigamf.exe 2848 Cnaocmmi.exe 2848 Cnaocmmi.exe 1812 Dndlim32.exe 1812 Dndlim32.exe 1976 Dbhnhp32.exe 1976 Dbhnhp32.exe 1972 Dookgcij.exe 1972 Dookgcij.exe 1032 Ejmebq32.exe 1032 Ejmebq32.exe 1540 Emnndlod.exe 1540 Emnndlod.exe 1532 Fekpnn32.exe 1532 Fekpnn32.exe 2028 Fhneehek.exe 2028 Fhneehek.exe 1688 Gnmgmbhb.exe 1688 Gnmgmbhb.exe 3028 Gfjhgdck.exe 3028 Gfjhgdck.exe 1872 Gljnej32.exe 1872 Gljnej32.exe 1068 Hlljjjnm.exe 1068 Hlljjjnm.exe 1192 Hedocp32.exe 1192 Hedocp32.exe 2320 Hhgdkjol.exe 2320 Hhgdkjol.exe 1384 Hiknhbcg.exe 1384 Hiknhbcg.exe 1388 Hdqbekcm.exe 1388 Hdqbekcm.exe 1104 Illgimph.exe 1104 Illgimph.exe 2344 Inkccpgk.exe 2344 Inkccpgk.exe 1552 Igchlf32.exe 1552 Igchlf32.exe 1940 Ijdqna32.exe 1940 Ijdqna32.exe 1728 Iapebchh.exe 1728 Iapebchh.exe 332 Jabbhcfe.exe 332 Jabbhcfe.exe 2816 Jkjfah32.exe 2816 Jkjfah32.exe 2264 Jchhkjhn.exe 2264 Jchhkjhn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mkklljmg.exe Modkfi32.exe File opened for modification C:\Windows\SysWOW64\Npccpo32.exe Nenobfak.exe File created C:\Windows\SysWOW64\Dknoaoaj.exe Deojci32.exe File opened for modification C:\Windows\SysWOW64\Fgnokb32.exe Fmhjni32.exe File created C:\Windows\SysWOW64\Jcgapdeb.exe Jlmicj32.exe File created C:\Windows\SysWOW64\Kjdilgpc.exe Kicmdo32.exe File opened for modification C:\Windows\SysWOW64\Pkdgpo32.exe Pjbjhgde.exe File created C:\Windows\SysWOW64\Pboepn32.dll Fdhlnhhc.exe File created C:\Windows\SysWOW64\Oedcmfgb.dll Kdpcikdi.exe File created C:\Windows\SysWOW64\Pfmnoc32.dll Mamgmofp.exe File opened for modification C:\Windows\SysWOW64\Okojkf32.exe Odebolpe.exe File created C:\Windows\SysWOW64\Comdkipe.exe Caidaeak.exe File opened for modification C:\Windows\SysWOW64\Ckcepj32.exe Comdkipe.exe File created C:\Windows\SysWOW64\Ibebkc32.dll Kicmdo32.exe File created C:\Windows\SysWOW64\Fdilgioe.dll Ljibgg32.exe File created C:\Windows\SysWOW64\Nledoj32.exe Nblpfepo.exe File created C:\Windows\SysWOW64\Degiggjm.exe Dlndnacm.exe File created C:\Windows\SysWOW64\Fjngcolf.dll Lphhenhc.exe File opened for modification C:\Windows\SysWOW64\Npagjpcd.exe Nekbmgcn.exe File opened for modification C:\Windows\SysWOW64\Bilmcf32.exe Acpdko32.exe File created C:\Windows\SysWOW64\Blaopqpo.exe Bbikgk32.exe File created C:\Windows\SysWOW64\Ckkpbj32.dll Dknoaoaj.exe File created C:\Windows\SysWOW64\Kkidapal.dll Nemhhpmp.exe File created C:\Windows\SysWOW64\Efdhpjok.exe Ecfldoph.exe File created C:\Windows\SysWOW64\Jjlcbpdk.dll 343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe File created C:\Windows\SysWOW64\Fgnokb32.exe Fmhjni32.exe File created C:\Windows\SysWOW64\Padeldeo.exe Olgmcmgh.exe File created C:\Windows\SysWOW64\Ieeeljdp.dll Acqnnndl.exe File created C:\Windows\SysWOW64\Ckolek32.exe Cbdgqimc.exe File created C:\Windows\SysWOW64\Hdqbekcm.exe Hiknhbcg.exe File created C:\Windows\SysWOW64\Hflkaq32.exe Hfjnla32.exe File opened for modification C:\Windows\SysWOW64\Aollokco.exe Afajafoa.exe File opened for modification C:\Windows\SysWOW64\Bplhnoej.exe Bjoofhgc.exe File created C:\Windows\SysWOW64\Njekpl32.dll Fjdnlhco.exe File created C:\Windows\SysWOW64\Fkhgip32.exe Ffkoai32.exe File created C:\Windows\SysWOW64\Idhlad32.dll Cklfll32.exe File opened for modification C:\Windows\SysWOW64\Cckdlnjg.exe Cegcbjkn.exe File created C:\Windows\SysWOW64\Eoigpa32.exe Edccch32.exe File created C:\Windows\SysWOW64\Binlfn32.dll Gblifo32.exe File created C:\Windows\SysWOW64\Jmiiak32.dll Gbnflo32.exe File opened for modification C:\Windows\SysWOW64\Eolmip32.exe Enkpahon.exe File created C:\Windows\SysWOW64\Odebolpe.exe Ogqaehak.exe File created C:\Windows\SysWOW64\Cohigamf.exe Bpnbkeld.exe File created C:\Windows\SysWOW64\Padajbnl.dll Kofopj32.exe File opened for modification C:\Windows\SysWOW64\Lgmcqkkh.exe Ljibgg32.exe File opened for modification C:\Windows\SysWOW64\Lphhenhc.exe Lgmcqkkh.exe File opened for modification C:\Windows\SysWOW64\Jfhjbobc.exe Jblnaq32.exe File created C:\Windows\SysWOW64\Aollokco.exe Afajafoa.exe File opened for modification C:\Windows\SysWOW64\Diphbfdi.exe Dgoopkgh.exe File opened for modification C:\Windows\SysWOW64\Alnqqd32.exe Qimhoi32.exe File created C:\Windows\SysWOW64\Kbbngf32.exe Kiijnq32.exe File created C:\Windows\SysWOW64\Oaajloig.dll Modkfi32.exe File created C:\Windows\SysWOW64\Ieagbm32.exe Ilicig32.exe File created C:\Windows\SysWOW64\Ikekpn32.dll Olgmcmgh.exe File created C:\Windows\SysWOW64\Cbdgqimc.exe Cjmopkla.exe File opened for modification C:\Windows\SysWOW64\Mooaljkh.exe Libicbma.exe File opened for modification C:\Windows\SysWOW64\Moidahcn.exe Mdcpdp32.exe File created C:\Windows\SysWOW64\Mgofmajn.dll Ehakigbo.exe File created C:\Windows\SysWOW64\Ffnbaojm.exe Fqomci32.exe File created C:\Windows\SysWOW64\Hnmaip32.dll Hflkaq32.exe File created C:\Windows\SysWOW64\Acqnnndl.exe Aboaff32.exe File created C:\Windows\SysWOW64\Mjapln32.dll Hedocp32.exe File created C:\Windows\SysWOW64\Onkkja32.dll Ihdmihpn.exe File opened for modification C:\Windows\SysWOW64\Lgpiij32.exe Lnhdqdnd.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okoafmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hicqmmfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdakgdi.dll" Nledoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Illgimph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkpegi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npccpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiokbjgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kddmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjfkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapebchh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll" Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll" Nkpegi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkidlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhajdblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgepiehf.dll" Abfnpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acqnnndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecfldoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqamje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgkjgicl.dll" Hfjnla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdgiqf32.dll" Pnopldgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abfnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbehjo32.dll" Bplhnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nekbmgcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dobdqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgfhjcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enghee32.dll" Lopkjhko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bplhnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll" Cnaocmmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjdilgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnndane.dll" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kobkpdfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mamgmofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anignn32.dll" Npgihn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegbkc32.dll" Hhgdkjol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqdgapkm.dll" Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cckdlnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lobgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okppejbk.dll" Mioabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biliep32.dll" Ckcepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll" Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdnqlnqc.dll" Cckdlnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnopldgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmbbdq32.dll" Fekpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjbjhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll" Bhdgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phploedo.dll" Kobkpdfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Konndhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fffefjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbnb32.dll" Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjapln32.dll" Hedocp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll" Lpjdjmfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll" Pjpnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbikgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flaehkpo.dll" Lnhdqdnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpcfqoam.dll" Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mooaljkh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2776 2212 343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe 28 PID 2212 wrote to memory of 2776 2212 343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe 28 PID 2212 wrote to memory of 2776 2212 343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe 28 PID 2212 wrote to memory of 2776 2212 343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe 28 PID 2776 wrote to memory of 2632 2776 Qimhoi32.exe 29 PID 2776 wrote to memory of 2632 2776 Qimhoi32.exe 29 PID 2776 wrote to memory of 2632 2776 Qimhoi32.exe 29 PID 2776 wrote to memory of 2632 2776 Qimhoi32.exe 29 PID 2632 wrote to memory of 2064 2632 Alnqqd32.exe 30 PID 2632 wrote to memory of 2064 2632 Alnqqd32.exe 30 PID 2632 wrote to memory of 2064 2632 Alnqqd32.exe 30 PID 2632 wrote to memory of 2064 2632 Alnqqd32.exe 30 PID 2064 wrote to memory of 2580 2064 Abjebn32.exe 31 PID 2064 wrote to memory of 2580 2064 Abjebn32.exe 31 PID 2064 wrote to memory of 2580 2064 Abjebn32.exe 31 PID 2064 wrote to memory of 2580 2064 Abjebn32.exe 31 PID 2580 wrote to memory of 2456 2580 Bjlqhoba.exe 32 PID 2580 wrote to memory of 2456 2580 Bjlqhoba.exe 32 PID 2580 wrote to memory of 2456 2580 Bjlqhoba.exe 32 PID 2580 wrote to memory of 2456 2580 Bjlqhoba.exe 32 PID 2456 wrote to memory of 2340 2456 Bbjbaa32.exe 33 PID 2456 wrote to memory of 2340 2456 Bbjbaa32.exe 33 PID 2456 wrote to memory of 2340 2456 Bbjbaa32.exe 33 PID 2456 wrote to memory of 2340 2456 Bbjbaa32.exe 33 PID 2340 wrote to memory of 2736 2340 Bpnbkeld.exe 34 PID 2340 wrote to memory of 2736 2340 Bpnbkeld.exe 34 PID 2340 wrote to memory of 2736 2340 Bpnbkeld.exe 34 PID 2340 wrote to memory of 2736 2340 Bpnbkeld.exe 34 PID 2736 wrote to memory of 2848 2736 Cohigamf.exe 35 PID 2736 wrote to memory of 2848 2736 Cohigamf.exe 35 PID 2736 wrote to memory of 2848 2736 Cohigamf.exe 35 PID 2736 wrote to memory of 2848 2736 Cohigamf.exe 35 PID 2848 wrote to memory of 1812 2848 Cnaocmmi.exe 36 PID 2848 wrote to memory of 1812 2848 Cnaocmmi.exe 36 PID 2848 wrote to memory of 1812 2848 Cnaocmmi.exe 36 PID 2848 wrote to memory of 1812 2848 Cnaocmmi.exe 36 PID 1812 wrote to memory of 1976 1812 Dndlim32.exe 37 PID 1812 wrote to memory of 1976 1812 Dndlim32.exe 37 PID 1812 wrote to memory of 1976 1812 Dndlim32.exe 37 PID 1812 wrote to memory of 1976 1812 Dndlim32.exe 37 PID 1976 wrote to memory of 1972 1976 Dbhnhp32.exe 38 PID 1976 wrote to memory of 1972 1976 Dbhnhp32.exe 38 PID 1976 wrote to memory of 1972 1976 Dbhnhp32.exe 38 PID 1976 wrote to memory of 1972 1976 Dbhnhp32.exe 38 PID 1972 wrote to memory of 1032 1972 Dookgcij.exe 39 PID 1972 wrote to memory of 1032 1972 Dookgcij.exe 39 PID 1972 wrote to memory of 1032 1972 Dookgcij.exe 39 PID 1972 wrote to memory of 1032 1972 Dookgcij.exe 39 PID 1032 wrote to memory of 1540 1032 Ejmebq32.exe 40 PID 1032 wrote to memory of 1540 1032 Ejmebq32.exe 40 PID 1032 wrote to memory of 1540 1032 Ejmebq32.exe 40 PID 1032 wrote to memory of 1540 1032 Ejmebq32.exe 40 PID 1540 wrote to memory of 1532 1540 Emnndlod.exe 41 PID 1540 wrote to memory of 1532 1540 Emnndlod.exe 41 PID 1540 wrote to memory of 1532 1540 Emnndlod.exe 41 PID 1540 wrote to memory of 1532 1540 Emnndlod.exe 41 PID 1532 wrote to memory of 2028 1532 Fekpnn32.exe 42 PID 1532 wrote to memory of 2028 1532 Fekpnn32.exe 42 PID 1532 wrote to memory of 2028 1532 Fekpnn32.exe 42 PID 1532 wrote to memory of 2028 1532 Fekpnn32.exe 42 PID 2028 wrote to memory of 1688 2028 Fhneehek.exe 43 PID 2028 wrote to memory of 1688 2028 Fhneehek.exe 43 PID 2028 wrote to memory of 1688 2028 Fhneehek.exe 43 PID 2028 wrote to memory of 1688 2028 Fhneehek.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe"C:\Users\Admin\AppData\Local\Temp\343fccd769319a772eafc6ab99b0f24a84127d086cbf4ce29a08014542d66484.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Alnqqd32.exeC:\Windows\system32\Alnqqd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Cnaocmmi.exeC:\Windows\system32\Cnaocmmi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Dndlim32.exeC:\Windows\system32\Dndlim32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Dookgcij.exeC:\Windows\system32\Dookgcij.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Emnndlod.exeC:\Windows\system32\Emnndlod.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Gnmgmbhb.exeC:\Windows\system32\Gnmgmbhb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Gfjhgdck.exeC:\Windows\system32\Gfjhgdck.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Hedocp32.exeC:\Windows\system32\Hedocp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Illgimph.exeC:\Windows\system32\Illgimph.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Inkccpgk.exeC:\Windows\system32\Inkccpgk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Jabbhcfe.exeC:\Windows\system32\Jabbhcfe.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe33⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe34⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Kbbngf32.exeC:\Windows\system32\Kbbngf32.exe36⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Kofopj32.exeC:\Windows\system32\Kofopj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe42⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe43⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Ljibgg32.exeC:\Windows\system32\Ljibgg32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Ljmlbfhi.exeC:\Windows\system32\Ljmlbfhi.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe51⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe53⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe55⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe58⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Niebhf32.exeC:\Windows\system32\Niebhf32.exe59⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe61⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Nenobfak.exeC:\Windows\system32\Nenobfak.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe65⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe66⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe67⤵PID:2564
-
C:\Windows\SysWOW64\Okanklik.exeC:\Windows\system32\Okanklik.exe68⤵PID:2572
-
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe69⤵PID:2956
-
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe70⤵PID:2588
-
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe71⤵PID:2468
-
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe72⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe74⤵PID:1924
-
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe75⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe78⤵PID:568
-
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1124 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe80⤵PID:1228
-
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe81⤵
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe82⤵PID:2360
-
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe83⤵PID:1832
-
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe84⤵PID:1528
-
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe85⤵
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe86⤵PID:1556
-
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392 -
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe88⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe89⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:896 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe92⤵PID:2304
-
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe93⤵PID:2624
-
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe94⤵PID:2792
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Cegcbjkn.exeC:\Windows\system32\Cegcbjkn.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe98⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe99⤵
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe100⤵PID:1768
-
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe101⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe104⤵PID:1776
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe105⤵PID:2104
-
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe106⤵PID:2820
-
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Edccch32.exeC:\Windows\system32\Edccch32.exe108⤵
- Drops file in System32 directory
PID:1200 -
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe109⤵PID:1348
-
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe111⤵PID:2176
-
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe112⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe113⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe114⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe115⤵PID:2628
-
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe116⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe117⤵PID:2412
-
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe118⤵
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe120⤵PID:2768
-
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe121⤵PID:1984
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-