Analysis
-
max time kernel
112s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
29/08/2024, 13:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f6cff7c8044f299315696c314a69d80N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
9f6cff7c8044f299315696c314a69d80N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
9f6cff7c8044f299315696c314a69d80N.exe
-
Size
108KB
-
MD5
9f6cff7c8044f299315696c314a69d80
-
SHA1
c8c4506355ce6cacaa3a958e860aa61877255b0b
-
SHA256
87e969113a982f8790162b56506f6cfbd8af312d4d07c547e9fb7c142bc8c022
-
SHA512
a335387b63c0ca2470bafc909cdad1bcbb76467a2c659a1c3d347ea3d850359a54e199d8e0ce6bfba1cbe452a7a0229dc99bfb33cd5f67e4575e43ea177ad7c4
-
SSDEEP
3072:ddSVDB7GSDMhaP+2BJG+NGCwK3DZyG1PGwwc5nTJI46gs1EyFcFmKcUsvKwF:dwKSDMbUDx1Pri1EKUs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clinfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhopgkin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdlclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kghoan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjfhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajapoqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfgiabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ileoknhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpeafo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jllakpdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nahfkigd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplmflde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edpoeoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdgefn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gplebjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ileoknhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihcfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbijcgbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljjqbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfipm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhcnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhniebne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmlnjcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcnhmdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qifpqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afecna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddliklgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabfjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpmifoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Defljp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkhnmfle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eclfhgaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iagaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbncof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngaig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdmhfpkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqbifhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qbmhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkcebg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biiiempl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdcdfmqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jnbkodci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdqifajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojkib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpgglifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iaddid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idemkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkebkjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eplmflde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiaknmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdmbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjojphb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebofcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlcbfnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ileoknhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imkeneja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oemhjlha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfcjiodd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglfndaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epipql32.exe -
Executes dropped EXE 64 IoCs
pid Process 2768 Mlgdhcmb.exe 2716 Nacmpj32.exe 3032 Ndbile32.exe 3008 Ndbile32.exe 2952 Nhnemdbf.exe 2684 Nogmin32.exe 2148 Npiiafpa.exe 1504 Nhpabdqd.exe 2052 Nknnnoph.exe 2080 Nmmjjk32.exe 2968 Nahfkigd.exe 2884 Ngencpel.exe 880 Nickoldp.exe 1064 Npnclf32.exe 1940 Ncloha32.exe 1984 Nejkdm32.exe 1216 Nifgekbm.exe 2120 Nldcagaq.exe 2136 Npppaejj.exe 632 Ogjhnp32.exe 1792 Oemhjlha.exe 1816 Oihdjk32.exe 1036 Olgpff32.exe 2200 Oaciom32.exe 1212 Oikapk32.exe 2864 Ohmalgeb.exe 2944 Oklmhcdf.exe 2592 Oeaael32.exe 2084 Oddbqhkf.exe 2424 Ohpnag32.exe 1128 Onmfin32.exe 2740 Oecnkk32.exe 2940 Ohbjgg32.exe 2140 Okqgcb32.exe 2972 Oajopl32.exe 1972 Ohdglfoj.exe 2552 Oggghc32.exe 1296 Ojfcdo32.exe 1616 Onapdmma.exe 1092 Pdkhag32.exe 788 Pcnhmdli.exe 1804 Pjhpin32.exe 2172 Pncljmko.exe 1964 Pqbifhjb.exe 972 Pdndggcl.exe 2324 Pcqebd32.exe 2708 Pfoanp32.exe 3016 Pnfipm32.exe 1048 Pogegeoj.exe 2036 Pccahc32.exe 2828 Pqgbah32.exe 2176 Poibmdmh.exe 2632 Pbhoip32.exe 2256 Pfcjiodd.exe 384 Pmmcfi32.exe 2960 Pkpcbecl.exe 1612 Pffgonbb.exe 488 Pdigkk32.exe 3028 Qmpplh32.exe 2068 Qonlhd32.exe 1648 Qnalcqpm.exe 284 Qbmhdp32.exe 2732 Qekdpkgj.exe 2984 Qifpqi32.exe -
Loads dropped DLL 64 IoCs
pid Process 2400 9f6cff7c8044f299315696c314a69d80N.exe 2400 9f6cff7c8044f299315696c314a69d80N.exe 2768 Mlgdhcmb.exe 2768 Mlgdhcmb.exe 2716 Nacmpj32.exe 2716 Nacmpj32.exe 3032 Ndbile32.exe 3032 Ndbile32.exe 3008 Ndbile32.exe 3008 Ndbile32.exe 2952 Nhnemdbf.exe 2952 Nhnemdbf.exe 2684 Nogmin32.exe 2684 Nogmin32.exe 2148 Npiiafpa.exe 2148 Npiiafpa.exe 1504 Nhpabdqd.exe 1504 Nhpabdqd.exe 2052 Nknnnoph.exe 2052 Nknnnoph.exe 2080 Nmmjjk32.exe 2080 Nmmjjk32.exe 2968 Nahfkigd.exe 2968 Nahfkigd.exe 2884 Ngencpel.exe 2884 Ngencpel.exe 880 Nickoldp.exe 880 Nickoldp.exe 1064 Npnclf32.exe 1064 Npnclf32.exe 1940 Ncloha32.exe 1940 Ncloha32.exe 1984 Nejkdm32.exe 1984 Nejkdm32.exe 1216 Nifgekbm.exe 1216 Nifgekbm.exe 2120 Nldcagaq.exe 2120 Nldcagaq.exe 2136 Npppaejj.exe 2136 Npppaejj.exe 632 Ogjhnp32.exe 632 Ogjhnp32.exe 1792 Oemhjlha.exe 1792 Oemhjlha.exe 1816 Oihdjk32.exe 1816 Oihdjk32.exe 1036 Olgpff32.exe 1036 Olgpff32.exe 2200 Oaciom32.exe 2200 Oaciom32.exe 1212 Oikapk32.exe 1212 Oikapk32.exe 2864 Ohmalgeb.exe 2864 Ohmalgeb.exe 2944 Oklmhcdf.exe 2944 Oklmhcdf.exe 2592 Oeaael32.exe 2592 Oeaael32.exe 2084 Oddbqhkf.exe 2084 Oddbqhkf.exe 2424 Ohpnag32.exe 2424 Ohpnag32.exe 1128 Onmfin32.exe 1128 Onmfin32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ogjhnp32.exe Npppaejj.exe File created C:\Windows\SysWOW64\Dblangpk.dll Jghcbjll.exe File created C:\Windows\SysWOW64\Jdeadmlb.dll Lcffgnnc.exe File opened for modification C:\Windows\SysWOW64\Nhakecld.exe Ninjjf32.exe File created C:\Windows\SysWOW64\Nedeohin.dll Dammoahg.exe File created C:\Windows\SysWOW64\Mbnmpd32.dll Gplebjbk.exe File opened for modification C:\Windows\SysWOW64\Kdnlpaln.exe Kqcqpc32.exe File opened for modification C:\Windows\SysWOW64\Lijepc32.exe Lenioenj.exe File created C:\Windows\SysWOW64\Bnobnc32.dll Ffkncf32.exe File opened for modification C:\Windows\SysWOW64\Giejkp32.exe Geinjapb.exe File created C:\Windows\SysWOW64\Ejccaofe.dll Jidbifmb.exe File created C:\Windows\SysWOW64\Dfddnb32.dll Khglkqfj.exe File created C:\Windows\SysWOW64\Kjihci32.exe Kkfhglen.exe File opened for modification C:\Windows\SysWOW64\Nogmin32.exe Nhnemdbf.exe File created C:\Windows\SysWOW64\Olgpff32.exe Oihdjk32.exe File opened for modification C:\Windows\SysWOW64\Oeaael32.exe Oklmhcdf.exe File created C:\Windows\SysWOW64\Ldchnbji.dll Dkmghe32.exe File created C:\Windows\SysWOW64\Fcoolj32.exe Fpcblkje.exe File opened for modification C:\Windows\SysWOW64\Hpjeknfi.exe Hagepa32.exe File created C:\Windows\SysWOW64\Hjdlgkfb.dll Ohmalgeb.exe File created C:\Windows\SysWOW64\Hdhllcnb.dll Kkckblgq.exe File created C:\Windows\SysWOW64\Hipdajoc.dll Nilndfgl.exe File created C:\Windows\SysWOW64\Pihjghlh.dll Ninjjf32.exe File opened for modification C:\Windows\SysWOW64\Qkelme32.exe Qifpqi32.exe File created C:\Windows\SysWOW64\Echlmh32.exe Edelakoq.exe File created C:\Windows\SysWOW64\Bbiboe32.dll Ebofcd32.exe File created C:\Windows\SysWOW64\Jeoolq32.dll Fkldgi32.exe File opened for modification C:\Windows\SysWOW64\Lqjfpbmm.exe Lmnkpc32.exe File opened for modification C:\Windows\SysWOW64\Dlbaljhn.exe Dhgelk32.exe File created C:\Windows\SysWOW64\Ogihnoda.dll Fjfjcdln.exe File created C:\Windows\SysWOW64\Noplll32.dll Ncloha32.exe File created C:\Windows\SysWOW64\Cooddbfh.exe Ckchcc32.exe File created C:\Windows\SysWOW64\Oaecdo32.dll Oacbdg32.exe File opened for modification C:\Windows\SysWOW64\Capmemci.exe Cmdaeo32.exe File created C:\Windows\SysWOW64\Kmnechcf.dll Egchmfnd.exe File created C:\Windows\SysWOW64\Lkjlbg32.dll Kdgfpbaf.exe File created C:\Windows\SysWOW64\Lpcmlnnp.exe Lkhalo32.exe File created C:\Windows\SysWOW64\Hlcbfnjk.exe Hmpbja32.exe File created C:\Windows\SysWOW64\Jnlnid32.dll Kfbemi32.exe File opened for modification C:\Windows\SysWOW64\Onmfin32.exe Ohpnag32.exe File created C:\Windows\SysWOW64\Ddliklgk.exe Deiipp32.exe File created C:\Windows\SysWOW64\Fohphgce.exe Fkldgi32.exe File created C:\Windows\SysWOW64\Fkihmn32.dll Gipqpplq.exe File opened for modification C:\Windows\SysWOW64\Iaddid32.exe Ibadnhmb.exe File created C:\Windows\SysWOW64\Naheae32.dll Koogbk32.exe File opened for modification C:\Windows\SysWOW64\Iiipeb32.exe Iencdc32.exe File created C:\Windows\SysWOW64\Kopnjkfp.dll Qekdpkgj.exe File created C:\Windows\SysWOW64\Ejlgciom.dll Hlecmkel.exe File opened for modification C:\Windows\SysWOW64\Hibidc32.exe Hjoiiffo.exe File created C:\Windows\SysWOW64\Kkckblgq.exe Kghoan32.exe File created C:\Windows\SysWOW64\Fgqhgjbb.exe Fhngkm32.exe File created C:\Windows\SysWOW64\Mjgqcj32.exe Mfkebkjk.exe File created C:\Windows\SysWOW64\Abldccka.exe Apnhggln.exe File created C:\Windows\SysWOW64\Hfodmhbk.exe Hhlcal32.exe File opened for modification C:\Windows\SysWOW64\Cpidai32.exe Chblqlcj.exe File created C:\Windows\SysWOW64\Hplbamdf.exe Hlqfqo32.exe File opened for modification C:\Windows\SysWOW64\Idgjqook.exe Iplnpq32.exe File created C:\Windows\SysWOW64\Bbcjca32.exe Bnhncclq.exe File created C:\Windows\SysWOW64\Kekjepjd.dll Dgalhgpg.exe File opened for modification C:\Windows\SysWOW64\Ioaobjin.exe Hpoofm32.exe File created C:\Windows\SysWOW64\Jdpcdjii.dll Ajjinaco.exe File opened for modification C:\Windows\SysWOW64\Gbmoceol.exe Gnabcf32.exe File opened for modification C:\Windows\SysWOW64\Iencdc32.exe Iabhdefo.exe File created C:\Windows\SysWOW64\Enlhahnp.dll Chblqlcj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5740 5560 WerFault.exe 564 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkhag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afecna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmnkpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgqcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckloge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhpca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnjaibm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnoiocfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iofhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibadnhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcdkbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfihml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naionh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikfklni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpengf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplmflde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gindjqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kccian32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcmlnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhfdqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmalgeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohbjgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camqpnel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdcdfmqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihqilnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qonlhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfodmhbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojnglco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclqme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpcblkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlqfqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmpnjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncloha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcchgini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbppdfmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loocanbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikgda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geinjapb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkeneja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejkdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemhjlha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbhoip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekdpkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfjiali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfhglen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbajme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfogneop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ninjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlapaapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpkob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabhdefo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnfmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poibmdmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifpqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giejkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadhjaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhagiem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaikfkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkpcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaqbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileoknhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieppjclf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fohphgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghenamai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encbem32.dll" Hpjeknfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgahboge.dll" Gegaeabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Folqfbjh.dll" Hipmoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodkcd32.dll" Pqgbah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioaobjin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jempcgad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkfdfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chilje32.dll" Pqbifhjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfmjoqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jjkiie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ifhgcgjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmnkpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmmfl32.dll" Bfmjoqoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gipqpplq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbheif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aafnpkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jfbinf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nokcbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Niqgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bepjjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakahn32.dll" Hhopgkin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcmgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbdbml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aidpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnkap32.dll" Fjhgidjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnmihgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljakp32.dll" Lchclmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbqhkfi.dll" Mganfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lelljepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afhpca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnhncclq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgjkmijh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhakecld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bclqme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcjpbbk.dll" Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcejbh32.dll" Fjaqhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bemmenhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blgeahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgmggec.dll" Kfdfdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlapaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onobqhia.dll" Okqgcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgobcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjffbhnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hibidc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbppdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkjkcfjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieppjclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnechcf.dll" Egchmfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhlidkdc.dll" Kheofahm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfihml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igcjgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noplll32.dll" Ncloha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aempha32.dll" Clinfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldlipnke.dll" Fdehpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbdlnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbdcjgi.dll" Gnmihgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glcfgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnflnfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iiipeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nljjqbfp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2768 2400 9f6cff7c8044f299315696c314a69d80N.exe 30 PID 2400 wrote to memory of 2768 2400 9f6cff7c8044f299315696c314a69d80N.exe 30 PID 2400 wrote to memory of 2768 2400 9f6cff7c8044f299315696c314a69d80N.exe 30 PID 2400 wrote to memory of 2768 2400 9f6cff7c8044f299315696c314a69d80N.exe 30 PID 2768 wrote to memory of 2716 2768 Mlgdhcmb.exe 31 PID 2768 wrote to memory of 2716 2768 Mlgdhcmb.exe 31 PID 2768 wrote to memory of 2716 2768 Mlgdhcmb.exe 31 PID 2768 wrote to memory of 2716 2768 Mlgdhcmb.exe 31 PID 2716 wrote to memory of 3032 2716 Nacmpj32.exe 32 PID 2716 wrote to memory of 3032 2716 Nacmpj32.exe 32 PID 2716 wrote to memory of 3032 2716 Nacmpj32.exe 32 PID 2716 wrote to memory of 3032 2716 Nacmpj32.exe 32 PID 3032 wrote to memory of 3008 3032 Ndbile32.exe 33 PID 3032 wrote to memory of 3008 3032 Ndbile32.exe 33 PID 3032 wrote to memory of 3008 3032 Ndbile32.exe 33 PID 3032 wrote to memory of 3008 3032 Ndbile32.exe 33 PID 3008 wrote to memory of 2952 3008 Ndbile32.exe 34 PID 3008 wrote to memory of 2952 3008 Ndbile32.exe 34 PID 3008 wrote to memory of 2952 3008 Ndbile32.exe 34 PID 3008 wrote to memory of 2952 3008 Ndbile32.exe 34 PID 2952 wrote to memory of 2684 2952 Nhnemdbf.exe 35 PID 2952 wrote to memory of 2684 2952 Nhnemdbf.exe 35 PID 2952 wrote to memory of 2684 2952 Nhnemdbf.exe 35 PID 2952 wrote to memory of 2684 2952 Nhnemdbf.exe 35 PID 2684 wrote to memory of 2148 2684 Nogmin32.exe 36 PID 2684 wrote to memory of 2148 2684 Nogmin32.exe 36 PID 2684 wrote to memory of 2148 2684 Nogmin32.exe 36 PID 2684 wrote to memory of 2148 2684 Nogmin32.exe 36 PID 2148 wrote to memory of 1504 2148 Npiiafpa.exe 37 PID 2148 wrote to memory of 1504 2148 Npiiafpa.exe 37 PID 2148 wrote to memory of 1504 2148 Npiiafpa.exe 37 PID 2148 wrote to memory of 1504 2148 Npiiafpa.exe 37 PID 1504 wrote to memory of 2052 1504 Nhpabdqd.exe 38 PID 1504 wrote to memory of 2052 1504 Nhpabdqd.exe 38 PID 1504 wrote to memory of 2052 1504 Nhpabdqd.exe 38 PID 1504 wrote to memory of 2052 1504 Nhpabdqd.exe 38 PID 2052 wrote to memory of 2080 2052 Nknnnoph.exe 39 PID 2052 wrote to memory of 2080 2052 Nknnnoph.exe 39 PID 2052 wrote to memory of 2080 2052 Nknnnoph.exe 39 PID 2052 wrote to memory of 2080 2052 Nknnnoph.exe 39 PID 2080 wrote to memory of 2968 2080 Nmmjjk32.exe 40 PID 2080 wrote to memory of 2968 2080 Nmmjjk32.exe 40 PID 2080 wrote to memory of 2968 2080 Nmmjjk32.exe 40 PID 2080 wrote to memory of 2968 2080 Nmmjjk32.exe 40 PID 2968 wrote to memory of 2884 2968 Nahfkigd.exe 41 PID 2968 wrote to memory of 2884 2968 Nahfkigd.exe 41 PID 2968 wrote to memory of 2884 2968 Nahfkigd.exe 41 PID 2968 wrote to memory of 2884 2968 Nahfkigd.exe 41 PID 2884 wrote to memory of 880 2884 Ngencpel.exe 42 PID 2884 wrote to memory of 880 2884 Ngencpel.exe 42 PID 2884 wrote to memory of 880 2884 Ngencpel.exe 42 PID 2884 wrote to memory of 880 2884 Ngencpel.exe 42 PID 880 wrote to memory of 1064 880 Nickoldp.exe 43 PID 880 wrote to memory of 1064 880 Nickoldp.exe 43 PID 880 wrote to memory of 1064 880 Nickoldp.exe 43 PID 880 wrote to memory of 1064 880 Nickoldp.exe 43 PID 1064 wrote to memory of 1940 1064 Npnclf32.exe 44 PID 1064 wrote to memory of 1940 1064 Npnclf32.exe 44 PID 1064 wrote to memory of 1940 1064 Npnclf32.exe 44 PID 1064 wrote to memory of 1940 1064 Npnclf32.exe 44 PID 1940 wrote to memory of 1984 1940 Ncloha32.exe 45 PID 1940 wrote to memory of 1984 1940 Ncloha32.exe 45 PID 1940 wrote to memory of 1984 1940 Ncloha32.exe 45 PID 1940 wrote to memory of 1984 1940 Ncloha32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f6cff7c8044f299315696c314a69d80N.exe"C:\Users\Admin\AppData\Local\Temp\9f6cff7c8044f299315696c314a69d80N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Mlgdhcmb.exeC:\Windows\system32\Mlgdhcmb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Nacmpj32.exeC:\Windows\system32\Nacmpj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Nhnemdbf.exeC:\Windows\system32\Nhnemdbf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Npiiafpa.exeC:\Windows\system32\Npiiafpa.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Nhpabdqd.exeC:\Windows\system32\Nhpabdqd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Nknnnoph.exeC:\Windows\system32\Nknnnoph.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Nmmjjk32.exeC:\Windows\system32\Nmmjjk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Nahfkigd.exeC:\Windows\system32\Nahfkigd.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ngencpel.exeC:\Windows\system32\Ngencpel.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Nickoldp.exeC:\Windows\system32\Nickoldp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Npnclf32.exeC:\Windows\system32\Npnclf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Ncloha32.exeC:\Windows\system32\Ncloha32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Nejkdm32.exeC:\Windows\system32\Nejkdm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Nifgekbm.exeC:\Windows\system32\Nifgekbm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Nldcagaq.exeC:\Windows\system32\Nldcagaq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Npppaejj.exeC:\Windows\system32\Npppaejj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Ogjhnp32.exeC:\Windows\system32\Ogjhnp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Oemhjlha.exeC:\Windows\system32\Oemhjlha.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Oihdjk32.exeC:\Windows\system32\Oihdjk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Olgpff32.exeC:\Windows\system32\Olgpff32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Oaciom32.exeC:\Windows\system32\Oaciom32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Oikapk32.exeC:\Windows\system32\Oikapk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Ohmalgeb.exeC:\Windows\system32\Ohmalgeb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Oddbqhkf.exeC:\Windows\system32\Oddbqhkf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Ohpnag32.exeC:\Windows\system32\Ohpnag32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Onmfin32.exeC:\Windows\system32\Onmfin32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Oecnkk32.exeC:\Windows\system32\Oecnkk32.exe33⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Okqgcb32.exeC:\Windows\system32\Okqgcb32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe36⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ohdglfoj.exeC:\Windows\system32\Ohdglfoj.exe37⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Oggghc32.exeC:\Windows\system32\Oggghc32.exe38⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ojfcdo32.exeC:\Windows\system32\Ojfcdo32.exe39⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Onapdmma.exeC:\Windows\system32\Onapdmma.exe40⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Pdkhag32.exeC:\Windows\system32\Pdkhag32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1092 -
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Pjhpin32.exeC:\Windows\system32\Pjhpin32.exe43⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Pncljmko.exeC:\Windows\system32\Pncljmko.exe44⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Pqbifhjb.exeC:\Windows\system32\Pqbifhjb.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Pdndggcl.exeC:\Windows\system32\Pdndggcl.exe46⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Pcqebd32.exeC:\Windows\system32\Pcqebd32.exe47⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Pfoanp32.exeC:\Windows\system32\Pfoanp32.exe48⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Pogegeoj.exeC:\Windows\system32\Pogegeoj.exe50⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Pccahc32.exeC:\Windows\system32\Pccahc32.exe51⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Pbhoip32.exeC:\Windows\system32\Pbhoip32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Pfcjiodd.exeC:\Windows\system32\Pfcjiodd.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe56⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Pkpcbecl.exeC:\Windows\system32\Pkpcbecl.exe57⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe58⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Pdigkk32.exeC:\Windows\system32\Pdigkk32.exe59⤵
- Executes dropped EXE
PID:488 -
C:\Windows\SysWOW64\Qmpplh32.exeC:\Windows\system32\Qmpplh32.exe60⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Qonlhd32.exeC:\Windows\system32\Qonlhd32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Qnalcqpm.exeC:\Windows\system32\Qnalcqpm.exe62⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Qekdpkgj.exeC:\Windows\system32\Qekdpkgj.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Qifpqi32.exeC:\Windows\system32\Qifpqi32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Qkelme32.exeC:\Windows\system32\Qkelme32.exe66⤵PID:2964
-
C:\Windows\SysWOW64\Qnciiq32.exeC:\Windows\system32\Qnciiq32.exe67⤵PID:1952
-
C:\Windows\SysWOW64\Qbodjofc.exeC:\Windows\system32\Qbodjofc.exe68⤵PID:2824
-
C:\Windows\SysWOW64\Qqbeel32.exeC:\Windows\system32\Qqbeel32.exe69⤵PID:604
-
C:\Windows\SysWOW64\Aemafjeg.exeC:\Windows\system32\Aemafjeg.exe70⤵PID:2264
-
C:\Windows\SysWOW64\Aiimfi32.exeC:\Windows\system32\Aiimfi32.exe71⤵PID:1960
-
C:\Windows\SysWOW64\Akgibd32.exeC:\Windows\system32\Akgibd32.exe72⤵PID:2300
-
C:\Windows\SysWOW64\Ajjinaco.exeC:\Windows\system32\Ajjinaco.exe73⤵
- Drops file in System32 directory
PID:1364 -
C:\Windows\SysWOW64\Abaaoodq.exeC:\Windows\system32\Abaaoodq.exe74⤵PID:1764
-
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe75⤵PID:1812
-
C:\Windows\SysWOW64\Agnjge32.exeC:\Windows\system32\Agnjge32.exe76⤵PID:1132
-
C:\Windows\SysWOW64\Akjfhdka.exeC:\Windows\system32\Akjfhdka.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:412 -
C:\Windows\SysWOW64\Anhbdpje.exeC:\Windows\system32\Anhbdpje.exe78⤵PID:1924
-
C:\Windows\SysWOW64\Amkbpm32.exeC:\Windows\system32\Amkbpm32.exe79⤵PID:900
-
C:\Windows\SysWOW64\Aafnpkii.exeC:\Windows\system32\Aafnpkii.exe80⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Acejlfhl.exeC:\Windows\system32\Acejlfhl.exe81⤵PID:3068
-
C:\Windows\SysWOW64\Afcghbgp.exeC:\Windows\system32\Afcghbgp.exe82⤵PID:1676
-
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Ammoel32.exeC:\Windows\system32\Ammoel32.exe84⤵PID:1716
-
C:\Windows\SysWOW64\Aaikfkgf.exeC:\Windows\system32\Aaikfkgf.exe85⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Acggbffj.exeC:\Windows\system32\Acggbffj.exe86⤵PID:2436
-
C:\Windows\SysWOW64\Afecna32.exeC:\Windows\system32\Afecna32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2504 -
C:\Windows\SysWOW64\Aidpjm32.exeC:\Windows\system32\Aidpjm32.exe89⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Aakhkj32.exeC:\Windows\system32\Aakhkj32.exe90⤵PID:2800
-
C:\Windows\SysWOW64\Apnhggln.exeC:\Windows\system32\Apnhggln.exe91⤵
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Abldccka.exeC:\Windows\system32\Abldccka.exe92⤵PID:2372
-
C:\Windows\SysWOW64\Afhpca32.exeC:\Windows\system32\Afhpca32.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Aiflpm32.exeC:\Windows\system32\Aiflpm32.exe94⤵PID:2028
-
C:\Windows\SysWOW64\Ambhpljg.exeC:\Windows\system32\Ambhpljg.exe95⤵PID:472
-
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe96⤵PID:2880
-
C:\Windows\SysWOW64\Bclqme32.exeC:\Windows\system32\Bclqme32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Bboahbio.exeC:\Windows\system32\Bboahbio.exe98⤵PID:1032
-
C:\Windows\SysWOW64\Bemmenhb.exeC:\Windows\system32\Bemmenhb.exe99⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Biiiempl.exeC:\Windows\system32\Biiiempl.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:848 -
C:\Windows\SysWOW64\Bmdefk32.exeC:\Windows\system32\Bmdefk32.exe101⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Blgeahoo.exeC:\Windows\system32\Blgeahoo.exe102⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Bpbabf32.exeC:\Windows\system32\Bpbabf32.exe103⤵PID:2356
-
C:\Windows\SysWOW64\Bneancnc.exeC:\Windows\system32\Bneancnc.exe104⤵PID:2304
-
C:\Windows\SysWOW64\Bfmjoqoe.exeC:\Windows\system32\Bfmjoqoe.exe105⤵
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe106⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Bikfklni.exeC:\Windows\system32\Bikfklni.exe107⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Bpengf32.exeC:\Windows\system32\Bpengf32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Bbcjca32.exeC:\Windows\system32\Bbcjca32.exe110⤵PID:1300
-
C:\Windows\SysWOW64\Bebfpm32.exeC:\Windows\system32\Bebfpm32.exe111⤵PID:2648
-
C:\Windows\SysWOW64\Bimbql32.exeC:\Windows\system32\Bimbql32.exe112⤵PID:2260
-
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe113⤵PID:2848
-
C:\Windows\SysWOW64\Bjoohdbd.exeC:\Windows\system32\Bjoohdbd.exe114⤵PID:2412
-
C:\Windows\SysWOW64\Bojkib32.exeC:\Windows\system32\Bojkib32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1492 -
C:\Windows\SysWOW64\Bbfgiabg.exeC:\Windows\system32\Bbfgiabg.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:336 -
C:\Windows\SysWOW64\Bedcembk.exeC:\Windows\system32\Bedcembk.exe117⤵PID:2248
-
C:\Windows\SysWOW64\Bdgcaj32.exeC:\Windows\system32\Bdgcaj32.exe118⤵PID:2712
-
C:\Windows\SysWOW64\Blnkbg32.exeC:\Windows\system32\Blnkbg32.exe119⤵PID:2888
-
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe120⤵PID:3052
-
C:\Windows\SysWOW64\Bmohjooe.exeC:\Windows\system32\Bmohjooe.exe121⤵PID:2464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-