Analysis

max time kernel: 115s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-08-2024 02:53
Static task: static1

Behavioral task: behavioral1
Sample: f1e5934d939a25bb0455cb5dbb419df0N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: f1e5934d939a25bb0455cb5dbb419df0N.exe
Resource: win10v2004-20240802-en
General

Target: f1e5934d939a25bb0455cb5dbb419df0N.exe
Size: 55KB
MD5: f1e5934d939a25bb0455cb5dbb419df0
SHA1: 0155729db14d5d7c9baa7465e6a812f0c7869dcd
SHA256: 987f4ceee861125dfbaf5d289396c2bdf31a066c0f0838dfd62373c9a80d347b
SHA512: fdceca38a9dbd91df6f4223861c3af2edc2c5264f10e33be8a78c8aa9480bfa2b5a6b5a3493a0cd155c190b230e10f9558eb9dd3ce7a35e1497bba5c5d51361f
SSDEEP: 768:5ZKvgkEqDt8bztpaFbmkS02bxr5Tqx9mPKPh7JVA6jKWAJZ/1H5fXdnh:5ZugvzzaJFlurTWMstQWer
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)

pid   pid_target   Process        procid_target
1960  8700         WerFault.exe   394
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1560 wrote to memory of 2932 1560 f1e5934d939a25bb0455cb5dbb419df0N.exe 91
PID 1560 wrote to memory of 2932 1560 f1e5934d939a25bb0455cb5dbb419df0N.exe 91
PID 1560 wrote to memory of 2932 1560 f1e5934d939a25bb0455cb5dbb419df0N.exe 91
PID 2932 wrote to memory of 924 2932 Neepopej.exe 92
PID 2932 wrote to memory of 924 2932 Neepopej.exe 92
PID 2932 wrote to memory of 924 2932 Neepopej.exe 92
PID 924 wrote to memory of 1740 924 Nlohkj32.exe 93
PID 924 wrote to memory of 1740 924 Nlohkj32.exe 93
PID 924 wrote to memory of 1740 924 Nlohkj32.exe 93
PID 1740 wrote to memory of 3644 1740 Nfdlhb32.exe 94
PID 1740 wrote to memory of 3644 1740 Nfdlhb32.exe 94
PID 1740 wrote to memory of 3644 1740 Nfdlhb32.exe 94
PID 3644 wrote to memory of 3024 3644 Nmndem32.exe 95
PID 3644 wrote to memory of 3024 3644 Nmndem32.exe 95
PID 3644 wrote to memory of 3024 3644 Nmndem32.exe 95
PID 3024 wrote to memory of 5056 3024 Nnpamejg.exe 96
PID 3024 wrote to memory of 5056 3024 Nnpamejg.exe 96
PID 3024 wrote to memory of 5056 3024 Nnpamejg.exe 96
PID 5056 wrote to memory of 4952 5056 Nffinbjj.exe 98
PID 5056 wrote to memory of 4952 5056 Nffinbjj.exe 98
PID 5056 wrote to memory of 4952 5056 Nffinbjj.exe 98
PID 4952 wrote to memory of 1016 4952 Nlcafiha.exe 99
PID 4952 wrote to memory of 1016 4952 Nlcafiha.exe 99
PID 4952 wrote to memory of 1016 4952 Nlcafiha.exe 99
PID 1016 wrote to memory of 1588 1016 Onbnbdge.exe 100
PID 1016 wrote to memory of 1588 1016 Onbnbdge.exe 100
PID 1016 wrote to memory of 1588 1016 Onbnbdge.exe 100
PID 1588 wrote to memory of 4592 1588 Ofiecbhg.exe 102
PID 1588 wrote to memory of 4592 1588 Ofiecbhg.exe 102
PID 1588 wrote to memory of 4592 1588 Ofiecbhg.exe 102
PID 4592 wrote to memory of 1316 4592 Olfnli32.exe 103
PID 4592 wrote to memory of 1316 4592 Olfnli32.exe 103
PID 4592 wrote to memory of 1316 4592 Olfnli32.exe 103
PID 1316 wrote to memory of 1912 1316 Obpfhcnk.exe 104
PID 1316 wrote to memory of 1912 1316 Obpfhcnk.exe 104
PID 1316 wrote to memory of 1912 1316 Obpfhcnk.exe 104
PID 1912 wrote to memory of 3100 1912 Oijnem32.exe 105
PID 1912 wrote to memory of 3100 1912 Oijnem32.exe 105
PID 1912 wrote to memory of 3100 1912 Oijnem32.exe 105
PID 3100 wrote to memory of 3916 3100 Olhkah32.exe 107
PID 3100 wrote to memory of 3916 3100 Olhkah32.exe 107
PID 3100 wrote to memory of 3916 3100 Olhkah32.exe 107
PID 3916 wrote to memory of 1852 3916 Oilkkm32.exe 108
PID 3916 wrote to memory of 1852 3916 Oilkkm32.exe 108
PID 3916 wrote to memory of 1852 3916 Oilkkm32.exe 108
PID 1852 wrote to memory of 1248 1852 Omggkklo.exe 109
PID 1852 wrote to memory of 1248 1852 Omggkklo.exe 109
PID 1852 wrote to memory of 1248 1852 Omggkklo.exe 109
PID 1248 wrote to memory of 3336 1248 Obdpcb32.exe 110
PID 1248 wrote to memory of 3336 1248 Obdpcb32.exe 110
PID 1248 wrote to memory of 3336 1248 Obdpcb32.exe 110
PID 3336 wrote to memory of 5080 3336 Oinhplac.exe 111
PID 3336 wrote to memory of 5080 3336 Oinhplac.exe 111
PID 3336 wrote to memory of 5080 3336 Oinhplac.exe 111
PID 5080 wrote to memory of 2276 5080 Omjdak32.exe 112
PID 5080 wrote to memory of 2276 5080 Omjdak32.exe 112
PID 5080 wrote to memory of 2276 5080 Omjdak32.exe 112
PID 2276 wrote to memory of 2920 2276 Ophpmf32.exe 113
PID 2276 wrote to memory of 2920 2276 Ophpmf32.exe 113
PID 2276 wrote to memory of 2920 2276 Ophpmf32.exe 113
PID 2920 wrote to memory of 3020 2920 Oiqdflop.exe 114
PID 2920 wrote to memory of 3020 2920 Oiqdflop.exe 114
PID 2920 wrote to memory of 3020 2920 Oiqdflop.exe 114
PID 3020 wrote to memory of 1972 3020 Ppkmbffm.exe 115
Processes
C:\Users\Admin\AppData\Local\Temp\f1e5934d939a25bb0455cb5dbb419df0N.exe (depth 1, PID 1560), command line: "C:\Users\Admin\AppData\Local\Temp\f1e5934d939a25bb0455cb5dbb419df0N.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Neepopej.exe (depth 2, PID 2932), command line: C:\Windows\system32\Neepopej.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nlohkj32.exe (depth 3, PID 924), command line: C:\Windows\system32\Nlohkj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nfdlhb32.exe (depth 4, PID 1740), command line: C:\Windows\system32\Nfdlhb32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nmndem32.exe (depth 5, PID 3644), command line: C:\Windows\system32\Nmndem32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nnpamejg.exe (depth 6, PID 3024), command line: C:\Windows\system32\Nnpamejg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nffinbjj.exe (depth 7, PID 5056), command line: C:\Windows\system32\Nffinbjj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nlcafiha.exe (depth 8, PID 4952), command line: C:\Windows\system32\Nlcafiha.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Onbnbdge.exe (depth 9, PID 1016), command line: C:\Windows\system32\Onbnbdge.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ofiecbhg.exe (depth 10, PID 1588), command line: C:\Windows\system32\Ofiecbhg.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Olfnli32.exe (depth 11, PID 4592), command line: C:\Windows\system32\Olfnli32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Obpfhcnk.exe (depth 12, PID 1316), command line: C:\Windows\system32\Obpfhcnk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oijnem32.exe (depth 13, PID 1912), command line: C:\Windows\system32\Oijnem32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Olhkah32.exe (depth 14, PID 3100), command line: C:\Windows\system32\Olhkah32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oilkkm32.exe (depth 15, PID 3916), command line: C:\Windows\system32\Oilkkm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Omggkklo.exe (depth 16, PID 1852), command line: C:\Windows\system32\Omggkklo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Obdpcb32.exe (depth 17, PID 1248), command line: C:\Windows\system32\Obdpcb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oinhplac.exe (depth 18, PID 3336), command line: C:\Windows\system32\Oinhplac.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Omjdak32.exe (depth 19, PID 5080), command line: C:\Windows\system32\Omjdak32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ophpmf32.exe (depth 20, PID 2276), command line: C:\Windows\system32\Ophpmf32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oiqdflop.exe (depth 21, PID 2920), command line: C:\Windows\system32\Oiqdflop.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ppkmbffm.exe (depth 22, PID 3020), command line: C:\Windows\system32\Ppkmbffm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ponmnc32.exe (depth 23, PID 1972), command line: C:\Windows\system32\Ponmnc32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pmomljef.exe (depth 24, PID 984), command line: C:\Windows\system32\Pmomljef.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ppmihfdj.exe (depth 25, PID 880), command line: C:\Windows\system32\Ppmihfdj.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pfgaep32.exe (depth 26, PID 4544), command line: C:\Windows\system32\Pfgaep32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Pienak32.exe (depth 27, PID 2444), command line: C:\Windows\system32\Pienak32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ppofnebg.exe (depth 28, PID 4476), command line: C:\Windows\system32\Ppofnebg.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pbnbja32.exe (depth 29, PID 2796), command line: C:\Windows\system32\Pbnbja32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pelofl32.exe (depth 30, PID 408), command line: C:\Windows\system32\Pelofl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Ppacce32.exe (depth 31, PID 1716), command line: C:\Windows\system32\Ppacce32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Pflkpoha.exe (depth 32, PID 1692), command line: C:\Windows\system32\Pflkpoha.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pmecmi32.exe (depth 33, PID 1584), command line: C:\Windows\system32\Pmecmi32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pogpdaem.exe (depth 34, PID 4508), command line: C:\Windows\system32\Pogpdaem.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Pbblep32.exe (depth 35, PID 2036), command line: C:\Windows\system32\Pbblep32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Peahalmj.exe (depth 36, PID 4224), command line: C:\Windows\system32\Peahalmj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Pmhpbiml.exe (depth 37, PID 4984), command line: C:\Windows\system32\Pmhpbiml.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Qpflndlp.exe (depth 38, PID 1976), command line: C:\Windows\system32\Qpflndlp.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Qbehjplc.exe (depth 39, PID 3504), command line: C:\Windows\system32\Qbehjplc.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Qioagj32.exe (depth 40, PID 3544), command line: C:\Windows\system32\Qioagj32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Qlmmce32.exe (depth 41, PID 1964), command line: C:\Windows\system32\Qlmmce32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Qolipa32.exe (depth 42, PID 3996), command line: C:\Windows\system32\Qolipa32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Qfbaqnbj.exe (depth 43, PID 3896), command line: C:\Windows\system32\Qfbaqnbj.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Qianmjam.exe (depth 44, PID 4716), command line: C:\Windows\system32\Qianmjam.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Apkfid32.exe (depth 45, PID 2180), command line: C:\Windows\system32\Apkfid32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Abibeo32.exe (depth 46, PID 2660), command line: C:\Windows\system32\Abibeo32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Aicjbiok.exe (depth 47, PID 2088), command line: C:\Windows\system32\Aicjbiok.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Albfoeno.exe (depth 48, PID 4816), command line: C:\Windows\system32\Albfoeno.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Abloko32.exe (depth 49, PID 3032), command line: C:\Windows\system32\Abloko32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Aggklnnd.exe (depth 50, PID 3436), command line: C:\Windows\system32\Aggklnnd.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Aejkgj32.exe (depth 51, PID 2232), command line: C:\Windows\system32\Aejkgj32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Amachhea.exe (depth 52, PID 3528), command line: C:\Windows\system32\Amachhea.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Aobopp32.exe (depth 53, PID 3144), command line: C:\Windows\system32\Aobopp32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Agjgam32.exe (depth 54, PID 4220), command line: C:\Windows\system32\Agjgam32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Aihcmi32.exe (depth 55, PID 3596), command line: C:\Windows\system32\Aihcmi32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Alfpjd32.exe (depth 56, PID 1116), command line: C:\Windows\system32\Alfpjd32.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Agldgm32.exe (depth 57, PID 2316), command line: C:\Windows\system32\Agldgm32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Amflcg32.exe (depth 58, PID 1068), command line: C:\Windows\system32\Amflcg32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Apdhpb32.exe (depth 59, PID 1936), command line: C:\Windows\system32\Apdhpb32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Aogikogj.exe (depth 60, PID 848), command line: C:\Windows\system32\Aogikogj.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Aimmhhgp.exe (depth 61, PID 2964), command line: C:\Windows\system32\Aimmhhgp.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Blkidcfd.exe (depth 62, PID 4536), command line: C:\Windows\system32\Blkidcfd.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bceaan32.exe (depth 63, PID 3864), command line: C:\Windows\system32\Bceaan32.exe
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Biojnhem.exe (depth 64, PID 4072), command line: C:\Windows\system32\Biojnhem.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Blnfjc32.exe (depth 65, PID 5128), command line: C:\Windows\system32\Blnfjc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Bolbfo32.exe (depth 66, PID 5168), command line: C:\Windows\system32\Bolbfo32.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Bgcjgl32.exe (depth 67, PID 5208), command line: C:\Windows\system32\Bgcjgl32.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Blpbpc32.exe (depth 68, PID 5248), command line: C:\Windows\system32\Blpbpc32.exe
C:\Windows\SysWOW64\Bonoln32.exe (depth 69, PID 5288), command line: C:\Windows\system32\Bonoln32.exe
- Modifies registry class
C:\Windows\SysWOW64\Bcjklmik.exe (depth 70, PID 5328), command line: C:\Windows\system32\Bcjklmik.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Bidcig32.exe (depth 71, PID 5372), command line: C:\Windows\system32\Bidcig32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Blboeb32.exe (depth 72, PID 5424), command line: C:\Windows\system32\Blboeb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Boqlanop.exe (depth 73, PID 5464), command line: C:\Windows\system32\Boqlanop.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bekdnh32.exe (depth 74, PID 5516), command line: C:\Windows\system32\Bekdnh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Bldlkbni.exe (depth 75, PID 5560), command line: C:\Windows\system32\Bldlkbni.exe
C:\Windows\SysWOW64\Bochgnmm.exe (depth 76, PID 5600), command line: C:\Windows\system32\Bochgnmm.exe
- Modifies registry class
C:\Windows\SysWOW64\Cjhmdfmc.exe (depth 77, PID 5640), command line: C:\Windows\system32\Cjhmdfmc.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Clgiqblf.exe (depth 78, PID 5680), command line: C:\Windows\system32\Clgiqblf.exe
- Modifies registry class
C:\Windows\SysWOW64\Coeemmkj.exe (depth 79, PID 5716), command line: C:\Windows\system32\Coeemmkj.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Cfomigbg.exe (depth 80, PID 5760), command line: C:\Windows\system32\Cfomigbg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Cliefa32.exe (depth 81, PID 5804), command line: C:\Windows\system32\Cliefa32.exe
C:\Windows\SysWOW64\Cgojcj32.exe (depth 82, PID 5848), command line: C:\Windows\system32\Cgojcj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Cnibpdaf.exe (depth 83, PID 5908), command line: C:\Windows\system32\Cnibpdaf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Cojohm32.exe (depth 84, PID 5960), command line: C:\Windows\system32\Cojohm32.exe
C:\Windows\SysWOW64\Cfdgdg32.exe (depth 85, PID 6024), command line: C:\Windows\system32\Cfdgdg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Cjpbeefk.exe (depth 86, PID 6068), command line: C:\Windows\system32\Cjpbeefk.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Clnoaafo.exe (depth 87, PID 6112), command line: C:\Windows\system32\Clnoaafo.exe
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Cjbojedh.exe (depth 88, PID 5152), command line: C:\Windows\system32\Cjbojedh.exe
C:\Windows\SysWOW64\Dfippfjl.exe (depth 89, PID 5220), command line: C:\Windows\system32\Dfippfjl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dnphqcko.exe (depth 90, PID 5296), command line: C:\Windows\system32\Dnphqcko.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Dqndmojb.exe (depth 91, PID 5356), command line: C:\Windows\system32\Dqndmojb.exe
C:\Windows\SysWOW64\Dcmqijif.exe (depth 92, PID 5456), command line: C:\Windows\system32\Dcmqijif.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Dfkmefhj.exe (depth 93, PID 5556), command line: C:\Windows\system32\Dfkmefhj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Dnbefcil.exe (depth 94, PID 5628), command line: C:\Windows\system32\Dnbefcil.exe
C:\Windows\SysWOW64\Dgjioi32.exe (depth 95, PID 5692), command line: C:\Windows\system32\Dgjioi32.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Djiekdnp.exe (depth 96, PID 5792), command line: C:\Windows\system32\Djiekdnp.exe
- Modifies registry class
C:\Windows\SysWOW64\Dmgbgpnd.exe (depth 97, PID 5876), command line: C:\Windows\system32\Dmgbgpnd.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Dqcnhn32.exe (depth 98, PID 5952), command line: C:\Windows\system32\Dqcnhn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Dcajdj32.exe (depth 99, PID 6044), command line: C:\Windows\system32\Dcajdj32.exe
C:\Windows\SysWOW64\Dngnab32.exe (depth 100, PID 6100), command line: C:\Windows\system32\Dngnab32.exe
- Modifies registry class
C:\Windows\SysWOW64\Dohkikke.exe (depth 101, PID 5216), command line: C:\Windows\system32\Dohkikke.exe
- Modifies registry class
C:\Windows\SysWOW64\Dfbcfe32.exe (depth 102, PID 5324), command line: C:\Windows\system32\Dfbcfe32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dnikgbbd.exe (depth 103, PID 5380), command line: C:\Windows\system32\Dnikgbbd.exe
- Modifies registry class
C:\Windows\SysWOW64\Dqggcnbg.exe (depth 104, PID 5612), command line: C:\Windows\system32\Dqggcnbg.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dcfcoiak.exe (depth 105, PID 5740), command line: C:\Windows\system32\Dcfcoiak.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Enkhlbqa.exe (depth 106, PID 5860), command line: C:\Windows\system32\Enkhlbqa.exe
C:\Windows\SysWOW64\Eqjdhmpe.exe (depth 107, PID 6076), command line: C:\Windows\system32\Eqjdhmpe.exe
C:\Windows\SysWOW64\Echpdioi.exe (depth 108, PID 5176), command line: C:\Windows\system32\Echpdioi.exe
C:\Windows\SysWOW64\Efgladnl.exe (depth 109, PID 5412), command line: C:\Windows\system32\Efgladnl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
C:\Windows\SysWOW64\Ejbhac32.exe (depth 110, PID 5800), command line: C:\Windows\system32\Ejbhac32.exe
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Emqdnnei.exe (depth 111, PID 5160), command line: C:\Windows\system32\Emqdnnei.exe
C:\Windows\SysWOW64\Eooajjdm.exe (depth 112, PID 5392), command line: C:\Windows\system32\Eooajjdm.exe
- Modifies registry class
C:\Windows\SysWOW64\Egfikgeo.exe (depth 113, PID 6056), command line: C:\Windows\system32\Egfikgeo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ejdegbdc.exe (depth 114, PID 6084), command line: C:\Windows\system32\Ejdegbdc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Emcacncf.exe (depth 115, PID 6184), command line: C:\Windows\system32\Emcacncf.exe
C:\Windows\SysWOW64\Eqomcm32.exe (depth 116, PID 6244), command line: C:\Windows\system32\Eqomcm32.exe
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Eoanoibj.exe (depth 117, PID 6288), command line: C:\Windows\system32\Eoanoibj.exe
C:\Windows\SysWOW64\Eghepgcl.exe (depth 118, PID 6328), command line: C:\Windows\system32\Eghepgcl.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Ejgblbbp.exe (depth 119, PID 6372), command line: C:\Windows\system32\Ejgblbbp.exe
C:\Windows\SysWOW64\Enbnma32.exe (depth 120, PID 6416), command line: C:\Windows\system32\Enbnma32.exe
- Modifies registry class
C:\Windows\SysWOW64\Eqajiljm.exe (depth 121, PID 6460), command line: C:\Windows\system32\Eqajiljm.exe
- Modifies registry class
C:\Windows\SysWOW64\Ecofehiq.exe (depth 122, PID 6508), command line: C:\Windows\system32\Ecofehiq.exe
- System Location Discovery: System Language Discovery