Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 07:04

Static task: static1
Behavioral task: behavioral1
  Sample: de0799f65d8c71aa65bd92d1487edbe0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: de0799f65d8c71aa65bd92d1487edbe0N.exe
  Resource: win10v2004-20240802-en

General
Target: de0799f65d8c71aa65bd92d1487edbe0N.exe
Size: 49KB
MD5: de0799f65d8c71aa65bd92d1487edbe0
SHA1: 7ccb9d0d10fa70bf695d5930bf1c312890cc9b73
SHA256: c0e8aded819f2e0dd1950de33180819f3877e1fe3d030ac86ff4bdae0858d820
SHA512: d98592c465cc2eddcd70ef4e6d5af2209a4aab3d4047f02867fc544207a574d1aca457f5cbb2f62e858c8f55e3fba764ad74031671d3b7d92dc30e039f8b51ae
SSDEEP: 768:EnMNAWL80vzBU6g1+1pDLpxlRVP1lLi+59I27+SKVKSs2e1r/1H56L2Xdnh:EwnL80v9v19lH1lLiaX+0fbH
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad maps value names to CLSIDs that Explorer instantiates when the shell starts; the CLSID's InProcServer32 registration (see "Modifies registry class" below) is what turns that entry into a DLL load. The WOW6432Node paths show the 32-bit sample writing through the registry redirector on the x64 VM. Every row touches the same key, in one of two forms:
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Key created by (34 processes): Hamblh32.exe, Ifcnjn32.exe, Johbmill.exe, Fqecdleg.exe, Fgdele32.exe, Khhmfn32.exe, Oeclpn32.exe, Idgncbfc.exe, Doadhl32.exe, Dmjomoka.exe, Gnecin32.exe, Ngkopfgj.exe, Nfbocc32.exe, Aihcmi32.exe, Olfnli32.exe, Hdnkncnn.exe, Dfkmefhj.exe, Jdqajq32.exe, Blkidcfd.exe, Cgafijgg.exe, Cnkoed32.exe, Mbgpfp32.exe, Neiboi32.exe, Oelfoo32.exe, Pbiioafq.exe, Qpflndlp.exe, Jagnidkp.exe, Ejbhac32.exe, Mqojml32.exe, Alfpjd32.exe, Dfpfpe32.exe, Kgofmj32.exe, Djiekdnp.exe, Ipbhdbhb.exe
Value "Web Event Logger" set by (30 processes): Jagnidkp.exe, Emeninad.exe, Fnqjnoni.exe, Ihegjp32.exe, Hfaaen32.exe, Ffpogcfa.exe, Jpgboa32.exe, Noljgboa.exe, Bpphka32.exe, Cglmnk32.exe, Qolipa32.exe, Aobopp32.exe, Cgojcj32.exe, Eqajiljm.exe, Qbehjplc.exe, Colkmleb.exe, Fckfafoc.exe, Kaekjb32.exe, Okgdgb32.exe, Blpbpc32.exe, Dmjomoka.exe, Iodiaj32.exe, Cnkoed32.exe, Dndalc32.exe, Ejbhac32.exe, Bojeaoeg.exe, Mqojml32.exe, Npmqah32.exe, Emnhho32.exe, Qfbaqnbj.exe
Executes dropped EXE (64 IoCs)
pid | Process
3652 | Nfbocc32.exe
2216 | Niplon32.exe
1364 | Npjdlhep.exe
3700 | Nbiphddc.exe
3544 | Negldocg.exe
5056 | Nmndem32.exe
1100 | Npmqah32.exe
2444 | Nffinbjj.exe
4068 | Npomgh32.exe
3788 | Obmicc32.exe
800 | Oelfoo32.exe
4716 | Olfnli32.exe
2252 | Ondjhd32.exe
3756 | Oenbenmo.exe
2660 | Olhkah32.exe
2044 | Ofnooa32.exe
2572 | Omggkklo.exe
1816 | Opfcgg32.exe
3144 | Oeclpn32.exe
1776 | Omjdak32.exe
4448 | Ophpmf32.exe
4604 | Obglib32.exe
1744 | Omlqfk32.exe
1620 | Ponmnc32.exe
668 | Pbiioafq.exe
3312 | Plangg32.exe
3148 | Popjdb32.exe
4276 | Pfgaep32.exe
4856 | Pldjmg32.exe
2504 | Ppofnebg.exe
3096 | Pfinjpjd.exe
2092 | Pmcggj32.exe
3540 | Podcobgp.exe
3180 | Pflkpoha.exe
2276 | Pmecmi32.exe
3728 | Ppdpie32.exe
3720 | Pogpdaem.exe
1740 | Pfnheo32.exe
5004 | Pildaj32.exe
4708 | Qpflndlp.exe
4284 | Qbehjplc.exe
2716 | Qfpdko32.exe
2684 | Qioagj32.exe
3516 | Qolipa32.exe
2868 | Qfbaqnbj.exe
3092 | Qmmimh32.exe
3076 | Aonfeqoe.exe
1328 | Afenfnpg.exe
1588 | Aicjbiok.exe
1200 | Apmboc32.exe
2856 | Abloko32.exe
1572 | Aifghi32.exe
2024 | Aldcdd32.exe
1256 | Aobopp32.exe
4976 | Abnkqoci.exe
1932 | Aihcmi32.exe
4796 | Alfpjd32.exe
2272 | Agldgm32.exe
3368 | Aijpch32.exe
5096 | Apdhpb32.exe
5144 | Acceln32.exe
5184 | Aeaahi32.exe
5224 | Blkidcfd.exe
5264 | Bojeaoeg.exe
Drops file in System32 directory (64 IoCs)
Every drop lands in C:\Windows\SysWOW64 under an eight-letter pseudo-random name (.exe for the next stage, .dll for the COM server registered below), so a listing of that directory sorted by creation time is the quickest host-side check.
description | ioc | Process
File created | C:\Windows\SysWOW64\Oboonm32.exe | Onccnnbf.exe
File created | C:\Windows\SysWOW64\Ofnooa32.exe | Olhkah32.exe
File opened for modification | C:\Windows\SysWOW64\Qfbaqnbj.exe | Qolipa32.exe
File created | C:\Windows\SysWOW64\Oqfolcqi.dll | Gcgemddf.exe
File opened for modification | C:\Windows\SysWOW64\Hfaaen32.exe | Hpgihdbp.exe
File created | C:\Windows\SysWOW64\Jqccgj32.dll | Hjlmemae.exe
File created | C:\Windows\SysWOW64\Ikccfl32.exe | Ihegjp32.exe
File created | C:\Windows\SysWOW64\Pildaj32.exe | Pfnheo32.exe
File created | C:\Windows\SysWOW64\Nmaifgmi.dll | Bcodgl32.exe
File created | C:\Windows\SysWOW64\Cchgnk32.exe | Colkmleb.exe
File created | C:\Windows\SysWOW64\Afddkm32.dll | Dndalc32.exe
File opened for modification | C:\Windows\SysWOW64\Npomgh32.exe | Nffinbjj.exe
File opened for modification | C:\Windows\SysWOW64\Ppofnebg.exe | Pldjmg32.exe
File created | C:\Windows\SysWOW64\Fckfafoc.exe | Fgdele32.exe
File opened for modification | C:\Windows\SysWOW64\Hohifk32.exe | Hjlmemae.exe
File opened for modification | C:\Windows\SysWOW64\Hpgihdbp.exe | Hadilg32.exe
File opened for modification | C:\Windows\SysWOW64\Jdggkp32.exe | Jokobi32.exe
File created | C:\Windows\SysWOW64\Negldocg.exe | Nbiphddc.exe
File created | C:\Windows\SysWOW64\Djiekdnp.exe | Dcomojgc.exe
File created | C:\Windows\SysWOW64\Nendebog.dll | Ffblmb32.exe
File created | C:\Windows\SysWOW64\Abnkqoci.exe | Aobopp32.exe
File created | C:\Windows\SysWOW64\Dhlnjnon.dll | Fmoaolii.exe
File opened for modification | C:\Windows\SysWOW64\Kaggpbmm.exe | Kdcgfn32.exe
File created | C:\Windows\SysWOW64\Gcgemddf.exe | Gmmmpj32.exe
File created | C:\Windows\SysWOW64\Jdggkp32.exe | Jokobi32.exe
File created | C:\Windows\SysWOW64\Lqcjankm.exe | Laqjfa32.exe
File opened for modification | C:\Windows\SysWOW64\Djiekdnp.exe | Dcomojgc.exe
File created | C:\Windows\SysWOW64\Hnofpm32.exe | Hfgnop32.exe
File created | C:\Windows\SysWOW64\Npomgh32.exe | Nffinbjj.exe
File opened for modification | C:\Windows\SysWOW64\Laqjfa32.exe | Lkfbigme.exe
File created | C:\Windows\SysWOW64\Mmhngebm.dll | Ngkopfgj.exe
File opened for modification | C:\Windows\SysWOW64\Gmmmpj32.exe | Gcdigefi.exe
File created | C:\Windows\SysWOW64\Pohiljad.dll | Jadacemb.exe
File created | C:\Windows\SysWOW64\Jdqajq32.exe | Iodiaj32.exe
File created | C:\Windows\SysWOW64\Egfeia32.dll | Lnpejc32.exe
File opened for modification | C:\Windows\SysWOW64\Ggiogdej.exe | Faofjjnm.exe
File created | C:\Windows\SysWOW64\Jfpioqla.dll | Hnelplla.exe
File opened for modification | C:\Windows\SysWOW64\Mgdiog32.exe | Mbgpfp32.exe
File opened for modification | C:\Windows\SysWOW64\Dcmqijif.exe | Doadhl32.exe
File created | C:\Windows\SysWOW64\Aniipj32.dll | Ffpogcfa.exe
File created | C:\Windows\SysWOW64\Hdnkncnn.exe | Haooahoj.exe
File created | C:\Windows\SysWOW64\Bopfochn.dll | Ifekpneg.exe
File opened for modification | C:\Windows\SysWOW64\Mkkkdf32.exe | Lgmbnhcj.exe
File created | C:\Windows\SysWOW64\Lqoeim32.dll | Jgcgakig.exe
File created | C:\Windows\SysWOW64\Aifghi32.exe | Abloko32.exe
File opened for modification | C:\Windows\SysWOW64\Coeemmkj.exe | Cndhee32.exe
File created | C:\Windows\SysWOW64\Njhkomij.dll | Fgdele32.exe
File opened for modification | C:\Windows\SysWOW64\Nfbocc32.exe | de0799f65d8c71aa65bd92d1487edbe0N.exe
File created | C:\Windows\SysWOW64\Hniiqp32.dll | Omlqfk32.exe
File created | C:\Windows\SysWOW64\Bidcig32.exe | Behgihho.exe
File created | C:\Windows\SysWOW64\Cnkoed32.exe | Cgafijgg.exe
File opened for modification | C:\Windows\SysWOW64\Kaekjb32.exe | Kgofmj32.exe
File opened for modification | C:\Windows\SysWOW64\Okgdgb32.exe | Oiigkg32.exe
File opened for modification | C:\Windows\SysWOW64\Emcacncf.exe | Enpaga32.exe
File opened for modification | C:\Windows\SysWOW64\Ngeafdoo.exe | Nedidian.exe
File created | C:\Windows\SysWOW64\Pflkpoha.exe | Podcobgp.exe
File created | C:\Windows\SysWOW64\Ifdejf32.dll | Cnmkkd32.exe
File created | C:\Windows\SysWOW64\Nppalian.dll | Dcajdj32.exe
File created | C:\Windows\SysWOW64\Pbaonemd.dll | Hadilg32.exe
File created | C:\Windows\SysWOW64\Egdleg32.exe | Echpdioi.exe
File opened for modification | C:\Windows\SysWOW64\Gfeaipcj.exe | Gcgemddf.exe
File created | C:\Windows\SysWOW64\Qbehjplc.exe | Qpflndlp.exe
File created | C:\Windows\SysWOW64\Qioagj32.exe | Qfpdko32.exe
File created | C:\Windows\SysWOW64\Ejbhac32.exe | Egdleg32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
9136 | 8968 | WerFault.exe | 364
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. On its own this is weak evidence: the key is read by the ordinary locale APIs, so plenty of benign software trips the same signature; what makes it meaningful here is that the readers are the sample's own dropped executables rather than an installed application.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by (64 processes): Pflkpoha.exe, Qfbaqnbj.exe, Ihpnoaqo.exe, Kodahgao.exe, Aicjbiok.exe, Fgdele32.exe, Mgdiog32.exe, Obglib32.exe, Eooajjdm.exe, Hfgnop32.exe, Bcgngmkn.exe, Dcmqijif.exe, Dcomojgc.exe, Lkbhng32.exe, Lnpejc32.exe, Ppofnebg.exe, Fjennp32.exe, Hjlmemae.exe, Bmkfof32.exe, Dqndmojb.exe, Efdpkdpo.exe, Jhlmjo32.exe, Khhmfn32.exe, Cnfejeci.exe, Dnikgbbd.exe, Dcfcoiak.exe, Lgmbnhcj.exe, Ogikad32.exe, Abnkqoci.exe, Bghcbkpa.exe, Bpphka32.exe, Ifcnjn32.exe, Neiboi32.exe, Fpkpehjp.exe, Fciikf32.exe, Hpnfbejj.exe, Haooahoj.exe, Hfaaen32.exe, Jadacemb.exe, Pogpdaem.exe, Bgqnblfj.exe, Fnqjnoni.exe, Gjldno32.exe, Gmmmpj32.exe, Hamblh32.exe, Oiigkg32.exe, Hpgihdbp.exe, Emnhho32.exe, Fqecdleg.exe, Kgofmj32.exe, Bojeaoeg.exe, Dnphqcko.exe, Fgfbae32.exe, Iombakfi.exe, Omjdak32.exe, Coeemmkj.exe, Ipbhdbhb.exe, Londofjd.exe, Blnfjc32.exe, Lhclbl32.exe, Mkpepeek.exe, Mdhihk32.exe, Omlqfk32.exe, Cnmkkd32.exe
Modifies registry class (64 IoCs)
These rows are the other half of the autorun entry above: the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, is registered as an in-process COM server, and successive dropped processes keep re-pointing its default value at a freshly named DLL under C:\Windows\SysWow64. Every row is under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, in one of three forms:
Key created by (21 processes): Eooajjdm.exe, Hjlmemae.exe, Iojfkk32.exe, Jhlmjo32.exe, Ofnooa32.exe, Acceln32.exe, Pogpdaem.exe, Dngnab32.exe, Igjdkm32.exe, Mdhihk32.exe, Obglib32.exe, Doadhl32.exe, Hfaaen32.exe, Iombakfi.exe, Dnikgbbd.exe, Nbiphddc.exe, Nmndem32.exe, Gmfgpkca.exe, Echpdioi.exe, Mkkkdf32.exe, Faofjjnm.exe
Set value (str) InProcServer32\ThreadingModel = "Apartment" by (31 processes): Efiifd32.exe, Nffinbjj.exe, Dfippfjl.exe, Olhkah32.exe, Cgafijgg.exe, Dfpfpe32.exe, Fqecdleg.exe, Hnofpm32.exe, Mkkkdf32.exe, Efdpkdpo.exe, Gfeaipcj.exe, Fqhpjk32.exe, Hohifk32.exe, Londofjd.exe, Ldjmgm32.exe, Qfbaqnbj.exe, Oekoeh32.exe, Aijpch32.exe, Bidcig32.exe, Dfkmefhj.exe, Hpgihdbp.exe, Jhlmjo32.exe, Pldjmg32.exe, Ecofehiq.exe, Hpnfbejj.exe, Pogpdaem.exe, Qpflndlp.exe, Qfpdko32.exe, Ifcnjn32.exe, Lqanlnmp.exe, Pfgaep32.exe
Set value (str) InProcServer32\ (default) = DLL path, by process (12 rows, paths in the sandbox's escaped form):
  "C:\\Windows\\SysWow64\\Cahdffcj.dll" | Fjennp32.exe
  "C:\\Windows\\SysWow64\\Cadjng32.dll" | Aonfeqoe.exe
  "C:\\Windows\\SysWow64\\Nhnhqqgj.dll" | Bgqnblfj.exe
  "C:\\Windows\\SysWow64\\Ghomci32.dll" | Aihcmi32.exe
  "C:\\Windows\\SysWow64\\Ndebofkk.dll" | Cgafijgg.exe
  "C:\\Windows\\SysWow64\\Klkmnijg.dll" | Ondjhd32.exe
  "C:\\Windows\\SysWow64\\Ajlmjdcf.dll" | Dngnab32.exe
  "C:\\Windows\\SysWow64\\Bddglh32.dll" | Fgfbae32.exe
  "C:\\Windows\\SysWow64\\Dmamdnlp.dll" | Jkapgjpm.exe
  "C:\\Windows\\SysWow64\\Cmpajgpb.dll" | Hpgihdbp.exe
  "C:\\Windows\\SysWow64\\Fhkcmm32.dll" | Negldocg.exe
  "C:\\Windows\\SysWow64\\Apcbhq32.dll" | Blpbpc32.exe
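The autorun and registry-class tables above only become a persistence story once they are joined on the CLSID: the SSODL value name points at the CLSID, and the CLSID's InProcServer32 default value names the DLL that Explorer will load. The script below is an added example, not part of the sandbox report or of the sample's code; it parses the report's flattened "description ioc Process" rows and rebuilds that chain. SAMPLE_ROWS is a constructed excerpt of rows copied from the tables above (kept in the sandbox's own backslash-escaped form), and the function names are mine.

```python
"""Rebuild the SSODL -> CLSID -> DLL persistence chain from sandbox rows.

Added example; not part of the report. Parses the flattened
"description ioc Process" rows and joins them on the CLSID.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the report's autorun, registry-class
# and file-drop tables, in the sandbox's escaped string form.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hamblh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagnidkp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emeninad.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eooajjdm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efiifd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cahdffcj.dll" Fjennp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadjng32.dll" Aonfeqoe.exe
File created C:\Windows\SysWOW64\Oboonm32.exe Onccnnbf.exe
File opened for modification C:\Windows\SysWOW64\Nfbocc32.exe de0799f65d8c71aa65bd92d1487edbe0N.exe
"""

# A row is: <description> <ioc, may contain spaces> <writing process>.exe
ROW_RE = re.compile(
    r"^(?P<desc>Key created|Key opened|Set value \(str\)|File created|File opened for modification)"
    r"\s+(?P<ioc>.*?)\s+(?P<proc>\S+\.exe)$"
)
# SSODL value: <name> = "{CLSID}"
SSODL_RE = re.compile(
    r'ShellServiceObjectDelayLoad\\(?P<name>[^=\\]+?)\s*=\s*"(?P<clsid>\{[0-9A-Fa-f-]+\})"'
)
# Any write under CLSID\{...}\InProcServer32
CLSID_RE = re.compile(r"CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32")
# The InProcServer32 default value (path of the DLL to load)
INPROC_DEFAULT_RE = re.compile(r'InProcServer32\\\s*=\s*"(?P<path>[^"]+)"')


def parse_rows(text):
    """Split each flattened row into (description, ioc, writing process)."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def build_persistence_chain(rows):
    """Group SSODL value names, DLL paths and writing processes by CLSID."""
    chain = defaultdict(lambda: {"ssodl_names": set(), "dlls": set(), "writers": set()})
    for r in rows:
        ioc = r["ioc"]
        m = SSODL_RE.search(ioc)
        if m:
            entry = chain[m["clsid"].upper()]
            entry["ssodl_names"].add(m["name"].strip())
            entry["writers"].add(r["proc"])
            continue
        m = CLSID_RE.search(ioc)
        if m:
            entry = chain[m["clsid"].upper()]
            entry["writers"].add(r["proc"])
            d = INPROC_DEFAULT_RE.search(ioc)
            if d:
                # the sandbox doubles backslashes inside string values; undo that
                entry["dlls"].add(d["path"].replace("\\\\", "\\"))
    return dict(chain)


def dropped_files(rows):
    """Paths written under System32/SysWOW64, sorted for diffing against a host."""
    return sorted({r["ioc"] for r in rows if r["desc"].startswith("File")})


def load_paths(chain):
    """One line per (SSODL name, CLSID, DLL): what Explorer would end up loading."""
    out = []
    for clsid, entry in sorted(chain.items()):
        for name in sorted(entry["ssodl_names"]):
            for dll in sorted(entry["dlls"]):
                out.append(f"explorer.exe -> SSODL '{name}' -> {clsid} -> {dll}")
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    chain = build_persistence_chain(rows)
    for line in load_paths(chain):
        print(line)
    print("dropped:", *dropped_files(rows), sep="\n  ")
```

Feed it the full tables rather than the excerpt and the `dlls` set grows to every DLL the chain registered, which is the list to sweep for on a host; the same join can be done live by reading HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and the matching CLSID under HKLM\SOFTWARE\Classes\WOW6432Node\CLSID.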
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\de0799f65d8c71aa65bd92d1487edbe0N.exe"C:\Users\Admin\AppData\Local\Temp\de0799f65d8c71aa65bd92d1487edbe0N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Nfbocc32.exeC:\Windows\system32\Nfbocc32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Niplon32.exeC:\Windows\system32\Niplon32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Npjdlhep.exeC:\Windows\system32\Npjdlhep.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Nbiphddc.exeC:\Windows\system32\Nbiphddc.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Negldocg.exeC:\Windows\system32\Negldocg.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Nmndem32.exeC:\Windows\system32\Nmndem32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Npmqah32.exeC:\Windows\system32\Npmqah32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Nffinbjj.exeC:\Windows\system32\Nffinbjj.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Npomgh32.exeC:\Windows\system32\Npomgh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Obmicc32.exeC:\Windows\system32\Obmicc32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\Oelfoo32.exeC:\Windows\system32\Oelfoo32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Olfnli32.exeC:\Windows\system32\Olfnli32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Ondjhd32.exeC:\Windows\system32\Ondjhd32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Oenbenmo.exeC:\Windows\system32\Oenbenmo.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Olhkah32.exeC:\Windows\system32\Olhkah32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ofnooa32.exeC:\Windows\system32\Ofnooa32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Omggkklo.exeC:\Windows\system32\Omggkklo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Opfcgg32.exeC:\Windows\system32\Opfcgg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Oeclpn32.exeC:\Windows\system32\Oeclpn32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
C:\Windows\SysWOW64\Omjdak32.exeC:\Windows\system32\Omjdak32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Ophpmf32.exeC:\Windows\system32\Ophpmf32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Obglib32.exeC:\Windows\system32\Obglib32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4604 -
C:\Windows\SysWOW64\Omlqfk32.exeC:\Windows\system32\Omlqfk32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Ponmnc32.exeC:\Windows\system32\Ponmnc32.exe25⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Pbiioafq.exeC:\Windows\system32\Pbiioafq.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Plangg32.exeC:\Windows\system32\Plangg32.exe27⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Popjdb32.exeC:\Windows\system32\Popjdb32.exe28⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Pfgaep32.exeC:\Windows\system32\Pfgaep32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4276 -
C:\Windows\SysWOW64\Pldjmg32.exeC:\Windows\system32\Pldjmg32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Ppofnebg.exeC:\Windows\system32\Ppofnebg.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Pfinjpjd.exeC:\Windows\system32\Pfinjpjd.exe32⤵
- Executes dropped EXE
PID:3096 -
C:\Windows\SysWOW64\Pmcggj32.exeC:\Windows\system32\Pmcggj32.exe33⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Podcobgp.exeC:\Windows\system32\Podcobgp.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3540 -
C:\Windows\SysWOW64\Pflkpoha.exeC:\Windows\system32\Pflkpoha.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3180 -
C:\Windows\SysWOW64\Pmecmi32.exeC:\Windows\system32\Pmecmi32.exe36⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ppdpie32.exeC:\Windows\system32\Ppdpie32.exe37⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Pogpdaem.exeC:\Windows\system32\Pogpdaem.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3720 -
C:\Windows\SysWOW64\Pfnheo32.exeC:\Windows\system32\Pfnheo32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Pildaj32.exeC:\Windows\system32\Pildaj32.exe40⤵
- Executes dropped EXE
PID:5004 -
C:\Windows\SysWOW64\Qpflndlp.exeC:\Windows\system32\Qpflndlp.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4708 -
C:\Windows\SysWOW64\Qbehjplc.exeC:\Windows\system32\Qbehjplc.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4284 -
C:\Windows\SysWOW64\Qfpdko32.exeC:\Windows\system32\Qfpdko32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Qioagj32.exeC:\Windows\system32\Qioagj32.exe44⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Qolipa32.exeC:\Windows\system32\Qolipa32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3516 -
C:\Windows\SysWOW64\Qfbaqnbj.exeC:\Windows\system32\Qfbaqnbj.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Qmmimh32.exeC:\Windows\system32\Qmmimh32.exe47⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Aonfeqoe.exeC:\Windows\system32\Aonfeqoe.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:3076 -
C:\Windows\SysWOW64\Afenfnpg.exeC:\Windows\system32\Afenfnpg.exe49⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Aicjbiok.exeC:\Windows\system32\Aicjbiok.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Apmboc32.exeC:\Windows\system32\Apmboc32.exe51⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Abloko32.exeC:\Windows\system32\Abloko32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Aifghi32.exeC:\Windows\system32\Aifghi32.exe53⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Aldcdd32.exeC:\Windows\system32\Aldcdd32.exe54⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Aobopp32.exeC:\Windows\system32\Aobopp32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Abnkqoci.exeC:\Windows\system32\Abnkqoci.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4976 -
C:\Windows\SysWOW64\Aihcmi32.exeC:\Windows\system32\Aihcmi32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Alfpjd32.exeC:\Windows\system32\Alfpjd32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Agldgm32.exeC:\Windows\system32\Agldgm32.exe59⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Aijpch32.exeC:\Windows\system32\Aijpch32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3368 -
C:\Windows\SysWOW64\Apdhpb32.exeC:\Windows\system32\Apdhpb32.exe61⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Acceln32.exeC:\Windows\system32\Acceln32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Aeaahi32.exeC:\Windows\system32\Aeaahi32.exe63⤵
- Executes dropped EXE
PID:5184 -
C:\Windows\SysWOW64\Blkidcfd.exeC:\Windows\system32\Blkidcfd.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5224 -
C:\Windows\SysWOW64\Bojeaoeg.exeC:\Windows\system32\Bojeaoeg.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\Bgqnblfj.exeC:\Windows\system32\Bgqnblfj.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Bmkfof32.exeC:\Windows\system32\Bmkfof32.exe67⤵
- System Location Discovery: System Language Discovery
PID:5344 -
C:\Windows\SysWOW64\Blnfjc32.exeC:\Windows\system32\Blnfjc32.exe68⤵
- System Location Discovery: System Language Discovery
PID:5384 -
C:\Windows\SysWOW64\Bcgngmkn.exeC:\Windows\system32\Bcgngmkn.exe69⤵
- System Location Discovery: System Language Discovery
PID:5424 -
C:\Windows\SysWOW64\Befjcija.exeC:\Windows\system32\Befjcija.exe70⤵PID:5464
-
C:\Windows\SysWOW64\Blpbpc32.exeC:\Windows\system32\Blpbpc32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5504 -
C:\Windows\SysWOW64\Bonoln32.exeC:\Windows\system32\Bonoln32.exe72⤵PID:5544
-
C:\Windows\SysWOW64\Behgihho.exeC:\Windows\system32\Behgihho.exe73⤵
- Drops file in System32 directory
PID:5584 -
C:\Windows\SysWOW64\Bidcig32.exeC:\Windows\system32\Bidcig32.exe74⤵
- Modifies registry class
PID:5640 -
C:\Windows\SysWOW64\Boqlanop.exeC:\Windows\system32\Boqlanop.exe75⤵PID:5680
-
C:\Windows\SysWOW64\Bghcbkpa.exeC:\Windows\system32\Bghcbkpa.exe76⤵
- System Location Discovery: System Language Discovery
PID:5720 -
C:\Windows\SysWOW64\Bnaloe32.exeC:\Windows\system32\Bnaloe32.exe77⤵PID:5760
-
C:\Windows\SysWOW64\Bpphka32.exeC:\Windows\system32\Bpphka32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5800 -
C:\Windows\SysWOW64\Bcodgl32.exeC:\Windows\system32\Bcodgl32.exe79⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Bemqdh32.exeC:\Windows\system32\Bemqdh32.exe80⤵PID:5880
-
C:\Windows\SysWOW64\Cndhee32.exeC:\Windows\system32\Cndhee32.exe81⤵
- Drops file in System32 directory
PID:5924 -
C:\Windows\SysWOW64\Coeemmkj.exeC:\Windows\system32\Coeemmkj.exe82⤵
- System Location Discovery: System Language Discovery
PID:5964 -
C:\Windows\SysWOW64\Cglmnk32.exeC:\Windows\system32\Cglmnk32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6008 -
C:\Windows\SysWOW64\Cnfejeci.exeC:\Windows\system32\Cnfejeci.exe84⤵
- System Location Discovery: System Language Discovery
PID:6052 -
C:\Windows\SysWOW64\Cpeafpbm.exeC:\Windows\system32\Cpeafpbm.exe85⤵PID:6096
-
C:\Windows\SysWOW64\Cgojcj32.exeC:\Windows\system32\Cgojcj32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6140 -
C:\Windows\SysWOW64\Ccejhkon.exeC:\Windows\system32\Ccejhkon.exe87⤵PID:5212
-
C:\Windows\SysWOW64\Cgafijgg.exeC:\Windows\system32\Cgafijgg.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Cnkoed32.exeC:\Windows\system32\Cnkoed32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5412 -
C:\Windows\SysWOW64\Clnoaafo.exeC:\Windows\system32\Clnoaafo.exe90⤵PID:5500
-
C:\Windows\SysWOW64\Colkmleb.exeC:\Windows\system32\Colkmleb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5560 -
C:\Windows\SysWOW64\Cchgnk32.exeC:\Windows\system32\Cchgnk32.exe92⤵PID:5648
-
C:\Windows\SysWOW64\Cffcjf32.exeC:\Windows\system32\Cffcjf32.exe93⤵PID:5716
-
C:\Windows\SysWOW64\Cnmkkd32.exeC:\Windows\system32\Cnmkkd32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Dfippfjl.exeC:\Windows\system32\Dfippfjl.exe95⤵
- Modifies registry class
PID:5848 -
C:\Windows\SysWOW64\Dnphqcko.exeC:\Windows\system32\Dnphqcko.exe96⤵
- System Location Discovery: System Language Discovery
PID:5920 -
C:\Windows\SysWOW64\Dqndmojb.exeC:\Windows\system32\Dqndmojb.exe97⤵
- System Location Discovery: System Language Discovery
PID:5992 -
C:\Windows\SysWOW64\Doadhl32.exeC:\Windows\system32\Doadhl32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6044 -
C:\Windows\SysWOW64\Dcmqijif.exeC:\Windows\system32\Dcmqijif.exe99⤵
- System Location Discovery: System Language Discovery
PID:6128 -
C:\Windows\SysWOW64\Dfkmefhj.exeC:\Windows\system32\Dfkmefhj.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5232 -
C:\Windows\SysWOW64\Dleeap32.exeC:\Windows\system32\Dleeap32.exe101⤵PID:5396
-
C:\Windows\SysWOW64\Dcomojgc.exeC:\Windows\system32\Dcomojgc.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5512 -
C:\Windows\SysWOW64\Djiekdnp.exeC:\Windows\system32\Djiekdnp.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5608 -
C:\Windows\SysWOW64\Dndalc32.exeC:\Windows\system32\Dndalc32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5728 -
C:\Windows\SysWOW64\Dofnckmg.exeC:\Windows\system32\Dofnckmg.exe105⤵PID:5836
-
C:\Windows\SysWOW64\Dcajdj32.exeC:\Windows\system32\Dcajdj32.exe106⤵
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Dfpfpe32.exeC:\Windows\system32\Dfpfpe32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6084 -
C:\Windows\SysWOW64\Dngnab32.exeC:\Windows\system32\Dngnab32.exe108⤵
- Modifies registry class
PID:5176 -
C:\Windows\SysWOW64\Dmjomoka.exeC:\Windows\system32\Dmjomoka.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5420 -
C:\Windows\SysWOW64\Dccgii32.exeC:\Windows\system32\Dccgii32.exe110⤵PID:5580
-
C:\Windows\SysWOW64\Dfbcfe32.exeC:\Windows\system32\Dfbcfe32.exe111⤵PID:5768
-
C:\Windows\SysWOW64\Dnikgbbd.exeC:\Windows\system32\Dnikgbbd.exe112⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5916 -
C:\Windows\SysWOW64\Dojgoj32.exeC:\Windows\system32\Dojgoj32.exe113⤵PID:5172
-
C:\Windows\SysWOW64\Dcfcoiak.exeC:\Windows\system32\Dcfcoiak.exe114⤵
- System Location Discovery: System Language Discovery
PID:5492 -
C:\Windows\SysWOW64\Efdpkdpo.exeC:\Windows\system32\Efdpkdpo.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Ejpllc32.exeC:\Windows\system32\Ejpllc32.exe116⤵PID:6004
-
C:\Windows\SysWOW64\Emnhho32.exeC:\Windows\system32\Emnhho32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5392 -
C:\Windows\SysWOW64\Eqjdhmpe.exeC:\Windows\system32\Eqjdhmpe.exe118⤵PID:6068
-
C:\Windows\SysWOW64\Echpdioi.exeC:\Windows\system32\Echpdioi.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\Egdleg32.exeC:\Windows\system32\Egdleg32.exe120⤵
- Drops file in System32 directory
PID:5912 -
C:\Windows\SysWOW64\Ejbhac32.exeC:\Windows\system32\Ejbhac32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6184 -
C:\Windows\SysWOW64\Emqdnnei.exeC:\Windows\system32\Emqdnnei.exe122⤵PID:6256
-