Analysis
-
max time kernel
139s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
05/06/2024, 18:22
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe
-
Size
350KB
-
MD5
dfd9c1185316371b65f0593553001e89
-
SHA1
ded12aa75af6ab1751053572db2a0e2eebfee270
-
SHA256
07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6
-
SHA512
eb438e2fafe9d237d095f5bd8eb7f81b1640da9bdf3c41d5d05773b4dd4f530ef2d6f439f88d048a9cd175f09d28d236bc33bc324954aac219158b83620b92cb
-
SSDEEP
6144://hjk0ZJKtX3HVpaopOpHVILifyeYVDcfflXpX6LRifyeYVDc:/p40IHAHyefyeYCdXpXZfyeY
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhfipcid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblogakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfpgmdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmjedoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oclilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoepcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafidiio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dolnad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhljdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgmcqkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljddpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbgbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiihdlpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpqpjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbpmapf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdjkogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghfbqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkofpgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illgimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lndohedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apoooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqmcpahh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhndldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egafleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqbddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlngpjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhehek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdnepk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjldghjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biojif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonoflae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmjfdejp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meccii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjpeifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heihnoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odlojanh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmefooki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgmapfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombapedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anojbobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efaibbij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gffoldhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileiplhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnffgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkmlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofdklgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjqccigf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhkcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjaonpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjfdhbld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmjbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okfgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeqabgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgjqo32.exe -
UPX dump on OEP (original entry point) 64 IoCs
resource yara_rule behavioral1/files/0x000d000000012262-5.dat UPX behavioral1/files/0x0008000000015ff4-19.dat UPX behavioral1/files/0x0007000000016255-31.dat UPX behavioral1/files/0x00070000000164a9-46.dat UPX behavioral1/files/0x0008000000016d65-60.dat UPX behavioral1/files/0x0006000000016d71-73.dat UPX behavioral1/files/0x0006000000016dde-87.dat UPX behavioral1/files/0x0006000000016eb9-101.dat UPX behavioral1/files/0x0036000000015d7f-118.dat UPX behavioral1/files/0x0006000000017486-129.dat UPX behavioral1/files/0x0006000000018663-149.dat UPX behavioral1/files/0x001100000001867a-156.dat UPX behavioral1/files/0x00050000000186e6-170.dat UPX behavioral1/files/0x00050000000186ff-183.dat UPX behavioral1/files/0x000500000001873f-203.dat UPX behavioral1/files/0x000500000001878d-211.dat UPX behavioral1/files/0x0005000000019228-226.dat UPX behavioral1/files/0x000500000001925d-238.dat UPX behavioral1/files/0x0005000000019275-245.dat UPX behavioral1/files/0x0005000000019283-256.dat UPX behavioral1/files/0x0005000000019381-265.dat UPX behavioral1/files/0x00050000000193a5-276.dat UPX behavioral1/files/0x0005000000019433-286.dat UPX behavioral1/files/0x0005000000019457-296.dat UPX behavioral1/files/0x0005000000019491-307.dat UPX behavioral1/files/0x00050000000194b8-317.dat UPX behavioral1/files/0x00050000000194ef-326.dat UPX behavioral1/files/0x0005000000019507-337.dat UPX behavioral1/files/0x000500000001957d-347.dat UPX behavioral1/memory/2972-345-0x0000000000400000-0x0000000000459000-memory.dmp UPX behavioral1/files/0x00050000000195e3-358.dat UPX behavioral1/files/0x000500000001961c-367.dat UPX behavioral1/files/0x0005000000019622-387.dat UPX behavioral1/files/0x000500000001961f-377.dat UPX behavioral1/files/0x0005000000019626-399.dat UPX behavioral1/files/0x0005000000019638-407.dat UPX behavioral1/files/0x00050000000196bd-418.dat UPX behavioral1/files/0x00050000000199b8-429.dat UPX behavioral1/memory/2896-437-0x0000000000400000-0x0000000000459000-memory.dmp UPX behavioral1/files/0x0005000000019c54-439.dat UPX behavioral1/files/0x0005000000019c71-450.dat UPX behavioral1/files/0x0005000000019d60-460.dat UPX behavioral1/files/0x0005000000019dd5-469.dat UPX behavioral1/files/0x0005000000019fd8-479.dat UPX behavioral1/files/0x000500000001a09c-490.dat UPX behavioral1/files/0x000500000001a320-500.dat UPX behavioral1/files/0x000500000001a43c-510.dat UPX behavioral1/files/0x000500000001a440-520.dat UPX behavioral1/files/0x000500000001a44b-529.dat UPX behavioral1/files/0x000500000001a4a9-541.dat UPX behavioral1/files/0x000500000001a4b1-550.dat UPX behavioral1/files/0x000500000001a4c7-560.dat UPX behavioral1/files/0x000500000001a4cf-569.dat UPX behavioral1/files/0x000500000001a4d3-578.dat UPX behavioral1/files/0x000500000001a4d7-586.dat UPX behavioral1/files/0x000500000001a4db-595.dat UPX behavioral1/files/0x000500000001a4df-603.dat UPX behavioral1/files/0x000500000001a4e3-611.dat UPX behavioral1/files/0x000500000001a4e7-619.dat UPX behavioral1/files/0x000500000001a4eb-627.dat UPX behavioral1/files/0x000500000001a4ef-635.dat UPX behavioral1/files/0x000500000001a4f3-643.dat UPX behavioral1/files/0x000500000001a4f8-651.dat UPX behavioral1/files/0x000500000001a4fc-662.dat UPX -
Executes dropped EXE 64 IoCs
pid Process 1264 Fdoclk32.exe 2004 Fmjejphb.exe 2764 Fbgmbg32.exe 2988 Ghfbqn32.exe 2580 Ghhofmql.exe 2572 Ghkllmoi.exe 2076 Gkkemh32.exe 2956 Hknach32.exe 1596 Hicodd32.exe 1612 Hiekid32.exe 2852 Hobcak32.exe 1312 Hodpgjha.exe 2064 Idceea32.exe 2536 Iokfhi32.exe 1720 Iqmcpahh.exe 1484 Incpoe32.exe 2516 Icpigm32.exe 1136 Jgnamk32.exe 1748 Jjlnif32.exe 1544 Jbgbni32.exe 1252 Jiakjb32.exe 928 Jokcgmee.exe 3028 Jicgpb32.exe 2108 Jonplmcb.exe 2144 Jkdpanhg.exe 2264 Kjjmbj32.exe 1592 Kneicieh.exe 2972 Kkijmm32.exe 2704 Kmjfdejp.exe 2708 Kcdnao32.exe 2796 Kpkofpgq.exe 2668 Kjqccigf.exe 2604 Kcihlong.exe 2328 Lemaif32.exe 2940 Llfifq32.exe 2008 Lflmci32.exe 2896 Lafndg32.exe 2800 Llkbap32.exe 1268 Ldfgebbe.exe 1448 Monhhk32.exe 316 Mamddf32.exe 2060 Mhgmapfi.exe 1040 Mbpnanch.exe 1632 Mpdnkb32.exe 1860 Meagci32.exe 1092 Meccii32.exe 1156 Miooigfo.exe 960 Nolhan32.exe 1060 Ncjqhmkm.exe 1968 Nhfipcid.exe 1964 Nncahjgl.exe 1988 Ndmjedoi.exe 2448 Nocnbmoo.exe 856 Nhkbkc32.exe 2468 Nnhkcj32.exe 2768 Npfgpe32.exe 2712 Ngpolo32.exe 2688 Olmhdf32.exe 2692 Ofelmloo.exe 2556 Oqkqkdne.exe 2628 Ocimgp32.exe 2724 Ofhick32.exe 2080 Ombapedi.exe 2860 Oclilp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2408 07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe 2408 07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe 1264 Fdoclk32.exe 1264 Fdoclk32.exe 2004 Fmjejphb.exe 2004 Fmjejphb.exe 2764 Fbgmbg32.exe 2764 Fbgmbg32.exe 2988 Ghfbqn32.exe 2988 Ghfbqn32.exe 2580 Ghhofmql.exe 2580 Ghhofmql.exe 2572 Ghkllmoi.exe 2572 Ghkllmoi.exe 2076 Gkkemh32.exe 2076 Gkkemh32.exe 2956 Hknach32.exe 2956 Hknach32.exe 1596 Hicodd32.exe 1596 Hicodd32.exe 1612 Hiekid32.exe 1612 Hiekid32.exe 2852 Hobcak32.exe 2852 Hobcak32.exe 1312 Hodpgjha.exe 1312 Hodpgjha.exe 2064 Idceea32.exe 2064 Idceea32.exe 2536 Iokfhi32.exe 2536 Iokfhi32.exe 1720 Iqmcpahh.exe 1720 Iqmcpahh.exe 1484 Incpoe32.exe 1484 Incpoe32.exe 2516 Icpigm32.exe 2516 Icpigm32.exe 1136 Jgnamk32.exe 1136 Jgnamk32.exe 1748 Jjlnif32.exe 1748 Jjlnif32.exe 1544 Jbgbni32.exe 1544 Jbgbni32.exe 1252 Jiakjb32.exe 1252 Jiakjb32.exe 928 Jokcgmee.exe 928 Jokcgmee.exe 3028 Jicgpb32.exe 3028 Jicgpb32.exe 2108 Jonplmcb.exe 2108 Jonplmcb.exe 2144 Jkdpanhg.exe 2144 Jkdpanhg.exe 2264 Kjjmbj32.exe 2264 Kjjmbj32.exe 1592 Kneicieh.exe 1592 Kneicieh.exe 2972 Kkijmm32.exe 2972 Kkijmm32.exe 2704 Kmjfdejp.exe 2704 Kmjfdejp.exe 2708 Kcdnao32.exe 2708 Kcdnao32.exe 2796 Kpkofpgq.exe 2796 Kpkofpgq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Ndmjedoi.exe File created C:\Windows\SysWOW64\Qmaqpohl.dll Gifhnpea.exe File created C:\Windows\SysWOW64\Idcokkak.exe Illgimph.exe File created C:\Windows\SysWOW64\Mhdffl32.dll Jcjdpj32.exe File created C:\Windows\SysWOW64\Knpemf32.exe Kgemplap.exe File opened for modification C:\Windows\SysWOW64\Nljddpfe.exe Nilhhdga.exe File created C:\Windows\SysWOW64\Bfekgp32.dll Fmjejphb.exe File created C:\Windows\SysWOW64\Djmicm32.exe Dogefd32.exe File opened for modification C:\Windows\SysWOW64\Ehgppi32.exe Edkcojga.exe File opened for modification C:\Windows\SysWOW64\Fljafg32.exe Fhneehek.exe File opened for modification C:\Windows\SysWOW64\Gfobbc32.exe Gohjaf32.exe File created C:\Windows\SysWOW64\Pckoam32.exe Pkdgpo32.exe File created C:\Windows\SysWOW64\Aincgi32.dll Cilibi32.exe File opened for modification C:\Windows\SysWOW64\Pjadmnic.exe Pgbhabjp.exe File opened for modification C:\Windows\SysWOW64\Ocfigjlp.exe Ollajp32.exe File created C:\Windows\SysWOW64\Qhiphb32.dll Qijdocfj.exe File created C:\Windows\SysWOW64\Mdkjlm32.dll Nolhan32.exe File created C:\Windows\SysWOW64\Lfnjef32.dll Endhhp32.exe File created C:\Windows\SysWOW64\Hapicp32.exe Hgjefg32.exe File created C:\Windows\SysWOW64\Icmegf32.exe Ihgainbg.exe File created C:\Windows\SysWOW64\Oappcfmb.exe Okfgfl32.exe File created C:\Windows\SysWOW64\Pgeefbhm.exe Pqkmjh32.exe File opened for modification C:\Windows\SysWOW64\Edpmjj32.exe Enfenplo.exe File created C:\Windows\SysWOW64\Mdnfbe32.dll Kneicieh.exe File created C:\Windows\SysWOW64\Llgodg32.dll Ombapedi.exe File created C:\Windows\SysWOW64\Flehkhai.exe Fbmcbbki.exe File created C:\Windows\SysWOW64\Mkhofjoj.exe Mbmjah32.exe File opened for modification C:\Windows\SysWOW64\Ocdmaj32.exe Nljddpfe.exe File created C:\Windows\SysWOW64\Aeqabgoj.exe Acpdko32.exe File created C:\Windows\SysWOW64\Monhhk32.exe Ldfgebbe.exe File opened for modification C:\Windows\SysWOW64\Djmicm32.exe Dogefd32.exe File created C:\Windows\SysWOW64\Fjongcbl.exe Febfomdd.exe File created C:\Windows\SysWOW64\Kpjhkjde.exe Kgcpjmcb.exe File opened for modification C:\Windows\SysWOW64\Qflhbhgg.exe Poapfn32.exe File created C:\Windows\SysWOW64\Bmhideol.exe Aeqabgoj.exe File created C:\Windows\SysWOW64\Cdbdjhmp.exe Ccahbp32.exe File opened for modification C:\Windows\SysWOW64\Edkcojga.exe Dookgcij.exe File opened for modification C:\Windows\SysWOW64\Leljop32.exe Lnbbbffj.exe File opened for modification C:\Windows\SysWOW64\Ffklhqao.exe Flehkhai.exe File created C:\Windows\SysWOW64\Okfgfl32.exe Ogkkfmml.exe File opened for modification C:\Windows\SysWOW64\Gfjhgdck.exe Gpqpjj32.exe File created C:\Windows\SysWOW64\Pnjdhmdo.exe Pgplkb32.exe File created C:\Windows\SysWOW64\Acmmle32.dll Aefeijle.exe File created C:\Windows\SysWOW64\Hjphijco.dll Abphal32.exe File created C:\Windows\SysWOW64\Dfffnn32.exe Dolnad32.exe File created C:\Windows\SysWOW64\Edkcojga.exe Dookgcij.exe File created C:\Windows\SysWOW64\Mieeibkn.exe Mbkmlh32.exe File created C:\Windows\SysWOW64\Mamddf32.exe Monhhk32.exe File opened for modification C:\Windows\SysWOW64\Ombapedi.exe Ofhick32.exe File opened for modification C:\Windows\SysWOW64\Qimhoi32.exe Qpecfc32.exe File created C:\Windows\SysWOW64\Kohkfj32.exe Kincipnk.exe File created C:\Windows\SysWOW64\Ncjqhmkm.exe Nolhan32.exe File created C:\Windows\SysWOW64\Lchkpi32.dll Ekhhadmk.exe File created C:\Windows\SysWOW64\Ocdmaj32.exe Nljddpfe.exe File created C:\Windows\SysWOW64\Kijbioba.dll Dpbheh32.exe File created C:\Windows\SysWOW64\Acahnedo.dll Ngpolo32.exe File created C:\Windows\SysWOW64\Pbhmnkjf.exe Pjadmnic.exe File created C:\Windows\SysWOW64\Pmdjdh32.exe Pjenhm32.exe File created C:\Windows\SysWOW64\Apmabnaj.dll Pcnbablo.exe File created C:\Windows\SysWOW64\Lelpgepb.dll Aaobdjof.exe File opened for modification C:\Windows\SysWOW64\Aadloj32.exe Aoepcn32.exe File opened for modification C:\Windows\SysWOW64\Bblogakg.exe Boqbfb32.exe File created C:\Windows\SysWOW64\Gemaaoaf.dll Kkijmm32.exe File created C:\Windows\SysWOW64\Eqmbdn32.dll Lemaif32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4940 4920 WerFault.exe 388 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndohedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" Bfkpqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haloha32.dll" Bifgdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igonafba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajbggjfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhfdohg.dll" Fmpkjkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibijie32.dll" Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gffoldhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knpemf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhigphio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekhhadmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfdhnai.dll" Jqgoiokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll" Lgmcqkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkbalifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnaga32.dll" Ollajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll" Bdeeqehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giaekk32.dll" Biamilfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll" Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioaoic.dll" Qimhoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfoagoic.dll" Jfknbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daekko32.dll" Oopfakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" Pkdgpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbgnak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdbdjhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nanbpedg.dll" Cnkicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilgioe.dll" Labkdack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll" Ncbplk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmihhelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll" Pfbelipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlilc32.dll" Llfifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbelgood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opiehf32.dll" Ckoilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglpbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dogefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbmjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqehhb32.dll" Mamddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edpmjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Behgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmmle32.dll" Aefeijle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dookgcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll" Eqbddk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfjhgdck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqlhdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflmci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjbaocl.dll" Meccii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedeic32.dll" Icmegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll" Jmbiipml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lndohedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdifkpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnkpm32.dll" Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objbcm32.dll" Pbhmnkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjldghjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pokieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkdik32.dll" Ckccgane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Incpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgeefbhm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2408 wrote to memory of 1264 2408 07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe 28 PID 2408 wrote to memory of 1264 2408 07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe 28 PID 2408 wrote to memory of 1264 2408 07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe 28 PID 2408 wrote to memory of 1264 2408 07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe 28 PID 1264 wrote to memory of 2004 1264 Fdoclk32.exe 29 PID 1264 wrote to memory of 2004 1264 Fdoclk32.exe 29 PID 1264 wrote to memory of 2004 1264 Fdoclk32.exe 29 PID 1264 wrote to memory of 2004 1264 Fdoclk32.exe 29 PID 2004 wrote to memory of 2764 2004 Fmjejphb.exe 30 PID 2004 wrote to memory of 2764 2004 Fmjejphb.exe 30 PID 2004 wrote to memory of 2764 2004 Fmjejphb.exe 30 PID 2004 wrote to memory of 2764 2004 Fmjejphb.exe 30 PID 2764 wrote to memory of 2988 2764 Fbgmbg32.exe 31 PID 2764 wrote to memory of 2988 2764 Fbgmbg32.exe 31 PID 2764 wrote to memory of 2988 2764 Fbgmbg32.exe 31 PID 2764 wrote to memory of 2988 2764 Fbgmbg32.exe 31 PID 2988 wrote to memory of 2580 2988 Ghfbqn32.exe 32 PID 2988 wrote to memory of 2580 2988 Ghfbqn32.exe 32 PID 2988 wrote to memory of 2580 2988 Ghfbqn32.exe 32 PID 2988 wrote to memory of 2580 2988 Ghfbqn32.exe 32 PID 2580 wrote to memory of 2572 2580 Ghhofmql.exe 33 PID 2580 wrote to memory of 2572 2580 Ghhofmql.exe 33 PID 2580 wrote to memory of 2572 2580 Ghhofmql.exe 33 PID 2580 wrote to memory of 2572 2580 Ghhofmql.exe 33 PID 2572 wrote to memory of 2076 2572 Ghkllmoi.exe 34 PID 2572 wrote to memory of 2076 2572 Ghkllmoi.exe 34 PID 2572 wrote to memory of 2076 2572 Ghkllmoi.exe 34 PID 2572 wrote to memory of 2076 2572 Ghkllmoi.exe 34 PID 2076 wrote to memory of 2956 2076 Gkkemh32.exe 35 PID 2076 wrote to memory of 2956 2076 Gkkemh32.exe 35 PID 2076 wrote to memory of 2956 2076 Gkkemh32.exe 35 PID 2076 wrote to memory of 2956 2076 Gkkemh32.exe 35 PID 2956 wrote to memory of 1596 2956 Hknach32.exe 36 PID 2956 wrote to memory of 1596 2956 Hknach32.exe 36 PID 2956 wrote to memory of 1596 2956 Hknach32.exe 36 PID 2956 wrote to memory of 1596 2956 Hknach32.exe 36 PID 1596 wrote to memory of 1612 1596 Hicodd32.exe 37 PID 1596 wrote to memory of 1612 1596 Hicodd32.exe 37 PID 1596 wrote to memory of 1612 1596 Hicodd32.exe 37 PID 1596 wrote to memory of 1612 1596 Hicodd32.exe 37 PID 1612 wrote to memory of 2852 1612 Hiekid32.exe 38 PID 1612 wrote to memory of 2852 1612 Hiekid32.exe 38 PID 1612 wrote to memory of 2852 1612 Hiekid32.exe 38 PID 1612 wrote to memory of 2852 1612 Hiekid32.exe 38 PID 2852 wrote to memory of 1312 2852 Hobcak32.exe 39 PID 2852 wrote to memory of 1312 2852 Hobcak32.exe 39 PID 2852 wrote to memory of 1312 2852 Hobcak32.exe 39 PID 2852 wrote to memory of 1312 2852 Hobcak32.exe 39 PID 1312 wrote to memory of 2064 1312 Hodpgjha.exe 40 PID 1312 wrote to memory of 2064 1312 Hodpgjha.exe 40 PID 1312 wrote to memory of 2064 1312 Hodpgjha.exe 40 PID 1312 wrote to memory of 2064 1312 Hodpgjha.exe 40 PID 2064 wrote to memory of 2536 2064 Idceea32.exe 41 PID 2064 wrote to memory of 2536 2064 Idceea32.exe 41 PID 2064 wrote to memory of 2536 2064 Idceea32.exe 41 PID 2064 wrote to memory of 2536 2064 Idceea32.exe 41 PID 2536 wrote to memory of 1720 2536 Iokfhi32.exe 42 PID 2536 wrote to memory of 1720 2536 Iokfhi32.exe 42 PID 2536 wrote to memory of 1720 2536 Iokfhi32.exe 42 PID 2536 wrote to memory of 1720 2536 Iokfhi32.exe 42 PID 1720 wrote to memory of 1484 1720 Iqmcpahh.exe 43 PID 1720 wrote to memory of 1484 1720 Iqmcpahh.exe 43 PID 1720 wrote to memory of 1484 1720 Iqmcpahh.exe 43 PID 1720 wrote to memory of 1484 1720 Iqmcpahh.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe"C:\Users\Admin\AppData\Local\Temp\07079119ef5e28d242d181f8de964af9a1503f3458b3f4369ebdf56063bc5dd6.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Fdoclk32.exeC:\Windows\system32\Fdoclk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Fmjejphb.exeC:\Windows\system32\Fmjejphb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Fbgmbg32.exeC:\Windows\system32\Fbgmbg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Ghfbqn32.exeC:\Windows\system32\Ghfbqn32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ghkllmoi.exeC:\Windows\system32\Ghkllmoi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Hknach32.exeC:\Windows\system32\Hknach32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Hicodd32.exeC:\Windows\system32\Hicodd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Hiekid32.exeC:\Windows\system32\Hiekid32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Hodpgjha.exeC:\Windows\system32\Hodpgjha.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Iokfhi32.exeC:\Windows\system32\Iokfhi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Iqmcpahh.exeC:\Windows\system32\Iqmcpahh.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Incpoe32.exeC:\Windows\system32\Incpoe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Jjlnif32.exeC:\Windows\system32\Jjlnif32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Jbgbni32.exeC:\Windows\system32\Jbgbni32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Jokcgmee.exeC:\Windows\system32\Jokcgmee.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Jonplmcb.exeC:\Windows\system32\Jonplmcb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Kkijmm32.exeC:\Windows\system32\Kkijmm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Kmjfdejp.exeC:\Windows\system32\Kmjfdejp.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Kcdnao32.exeC:\Windows\system32\Kcdnao32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Kpkofpgq.exeC:\Windows\system32\Kpkofpgq.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Kjqccigf.exeC:\Windows\system32\Kjqccigf.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Kcihlong.exeC:\Windows\system32\Kcihlong.exe34⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Lemaif32.exeC:\Windows\system32\Lemaif32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Llfifq32.exeC:\Windows\system32\Llfifq32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Lflmci32.exeC:\Windows\system32\Lflmci32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Lafndg32.exeC:\Windows\system32\Lafndg32.exe38⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Llkbap32.exeC:\Windows\system32\Llkbap32.exe39⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Ldfgebbe.exeC:\Windows\system32\Ldfgebbe.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Monhhk32.exeC:\Windows\system32\Monhhk32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Mamddf32.exeC:\Windows\system32\Mamddf32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Mhgmapfi.exeC:\Windows\system32\Mhgmapfi.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Mbpnanch.exeC:\Windows\system32\Mbpnanch.exe44⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Mpdnkb32.exeC:\Windows\system32\Mpdnkb32.exe45⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Meagci32.exeC:\Windows\system32\Meagci32.exe46⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Meccii32.exeC:\Windows\system32\Meccii32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Miooigfo.exeC:\Windows\system32\Miooigfo.exe48⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Nolhan32.exeC:\Windows\system32\Nolhan32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Ncjqhmkm.exeC:\Windows\system32\Ncjqhmkm.exe50⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Nhfipcid.exeC:\Windows\system32\Nhfipcid.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Nncahjgl.exeC:\Windows\system32\Nncahjgl.exe52⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ndmjedoi.exeC:\Windows\system32\Ndmjedoi.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Nocnbmoo.exeC:\Windows\system32\Nocnbmoo.exe54⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Nhkbkc32.exeC:\Windows\system32\Nhkbkc32.exe55⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Nnhkcj32.exeC:\Windows\system32\Nnhkcj32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Npfgpe32.exeC:\Windows\system32\Npfgpe32.exe57⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Ngpolo32.exeC:\Windows\system32\Ngpolo32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Olmhdf32.exeC:\Windows\system32\Olmhdf32.exe59⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ofelmloo.exeC:\Windows\system32\Ofelmloo.exe60⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Oqkqkdne.exeC:\Windows\system32\Oqkqkdne.exe61⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Ocimgp32.exeC:\Windows\system32\Ocimgp32.exe62⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Ofhick32.exeC:\Windows\system32\Ofhick32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Ombapedi.exeC:\Windows\system32\Ombapedi.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Oclilp32.exeC:\Windows\system32\Oclilp32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ojfaijcc.exeC:\Windows\system32\Ojfaijcc.exe66⤵PID:532
-
C:\Windows\SysWOW64\Omdneebf.exeC:\Windows\system32\Omdneebf.exe67⤵PID:2736
-
C:\Windows\SysWOW64\Oobjaqaj.exeC:\Windows\system32\Oobjaqaj.exe68⤵PID:1240
-
C:\Windows\SysWOW64\Obafnlpn.exeC:\Windows\system32\Obafnlpn.exe69⤵PID:3012
-
C:\Windows\SysWOW64\Omfkke32.exeC:\Windows\system32\Omfkke32.exe70⤵PID:1108
-
C:\Windows\SysWOW64\Pfoocjfd.exeC:\Windows\system32\Pfoocjfd.exe71⤵PID:2512
-
C:\Windows\SysWOW64\Pgplkb32.exeC:\Windows\system32\Pgplkb32.exe72⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Pnjdhmdo.exeC:\Windows\system32\Pnjdhmdo.exe73⤵PID:820
-
C:\Windows\SysWOW64\Pgbhabjp.exeC:\Windows\system32\Pgbhabjp.exe74⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Pjadmnic.exeC:\Windows\system32\Pjadmnic.exe75⤵
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Pbhmnkjf.exeC:\Windows\system32\Pbhmnkjf.exe76⤵
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Pqkmjh32.exeC:\Windows\system32\Pqkmjh32.exe77⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Pgeefbhm.exeC:\Windows\system32\Pgeefbhm.exe78⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Pjcabmga.exeC:\Windows\system32\Pjcabmga.exe79⤵PID:2784
-
C:\Windows\SysWOW64\Pjenhm32.exeC:\Windows\system32\Pjenhm32.exe80⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Pmdjdh32.exeC:\Windows\system32\Pmdjdh32.exe81⤵PID:2460
-
C:\Windows\SysWOW64\Pcnbablo.exeC:\Windows\system32\Pcnbablo.exe82⤵
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Pjhknm32.exeC:\Windows\system32\Pjhknm32.exe83⤵PID:1288
-
C:\Windows\SysWOW64\Qabcjgkh.exeC:\Windows\system32\Qabcjgkh.exe84⤵PID:796
-
C:\Windows\SysWOW64\Qpecfc32.exeC:\Windows\system32\Qpecfc32.exe85⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Qimhoi32.exeC:\Windows\system32\Qimhoi32.exe86⤵
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Qlkdkd32.exeC:\Windows\system32\Qlkdkd32.exe87⤵PID:848
-
C:\Windows\SysWOW64\Qbelgood.exeC:\Windows\system32\Qbelgood.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Amkpegnj.exeC:\Windows\system32\Amkpegnj.exe89⤵PID:704
-
C:\Windows\SysWOW64\Anlmmp32.exeC:\Windows\system32\Anlmmp32.exe90⤵PID:2540
-
C:\Windows\SysWOW64\Aefeijle.exeC:\Windows\system32\Aefeijle.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Alpmfdcb.exeC:\Windows\system32\Alpmfdcb.exe92⤵PID:2040
-
C:\Windows\SysWOW64\Anojbobe.exeC:\Windows\system32\Anojbobe.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Aamfnkai.exeC:\Windows\system32\Aamfnkai.exe94⤵PID:2472
-
C:\Windows\SysWOW64\Ahgnke32.exeC:\Windows\system32\Ahgnke32.exe95⤵PID:2832
-
C:\Windows\SysWOW64\Anafhopc.exeC:\Windows\system32\Anafhopc.exe96⤵PID:2716
-
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe97⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Adnopfoj.exeC:\Windows\system32\Adnopfoj.exe98⤵PID:2340
-
C:\Windows\SysWOW64\Ajhgmpfg.exeC:\Windows\system32\Ajhgmpfg.exe99⤵PID:2900
-
C:\Windows\SysWOW64\Amfcikek.exeC:\Windows\system32\Amfcikek.exe100⤵PID:264
-
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe101⤵PID:2740
-
C:\Windows\SysWOW64\Aoepcn32.exeC:\Windows\system32\Aoepcn32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Aadloj32.exeC:\Windows\system32\Aadloj32.exe103⤵PID:2920
-
C:\Windows\SysWOW64\Bhndldcn.exeC:\Windows\system32\Bhndldcn.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Bafidiio.exeC:\Windows\system32\Bafidiio.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Bdeeqehb.exeC:\Windows\system32\Bdeeqehb.exe106⤵
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe107⤵
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Bpleef32.exeC:\Windows\system32\Bpleef32.exe108⤵PID:1636
-
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe109⤵PID:2636
-
C:\Windows\SysWOW64\Bidjnkdg.exeC:\Windows\system32\Bidjnkdg.exe110⤵PID:2456
-
C:\Windows\SysWOW64\Boqbfb32.exeC:\Windows\system32\Boqbfb32.exe111⤵
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Bifgdk32.exeC:\Windows\system32\Bifgdk32.exe113⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Bhigphio.exeC:\Windows\system32\Bhigphio.exe114⤵
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Baakhm32.exeC:\Windows\system32\Baakhm32.exe115⤵PID:2748
-
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe116⤵PID:2964
-
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe117⤵
- Drops file in System32 directory
PID:1668 -
C:\Windows\SysWOW64\Cdbdjhmp.exeC:\Windows\system32\Cdbdjhmp.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Cohigamf.exeC:\Windows\system32\Cohigamf.exe119⤵PID:2888
-
C:\Windows\SysWOW64\Cnkicn32.exeC:\Windows\system32\Cnkicn32.exe120⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Cddaphkn.exeC:\Windows\system32\Cddaphkn.exe121⤵PID:1728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-