Analysis
-
max time kernel
113s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2024, 11:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe
-
Size
832KB
-
MD5
d2741db0d7ce54dcb2818614bf390820
-
SHA1
9ef915272b93d97f97acdf93d78c0c648b014a55
-
SHA256
8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067e
-
SHA512
321b2b9880fe235c6f3a8fa365852201b08880f3a8482ff57154dae7ed4fa5d452e971f69b46b7491cee7d2de80685faa2cdd724586c7957562137c682b23b3e
-
SSDEEP
12288:VrSIkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLRi:VrhgsaDZgQjGkwlksH
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gccmaack.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginenk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migcpneb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nieoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lglcag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhceh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dendok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oookgbpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phpbffnp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoconenj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbhgjoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngklppei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohobebig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folkjnbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljjicl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbjlgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iooimi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddqbbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnoacp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mopeofjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbpdgap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najjmjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkgejncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfqjhmhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eimelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqagkjne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Janpnfee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eifffoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fempbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqdodo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpedgghj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonlimkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbnmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfpqap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifcnjpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgcooaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhffijdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjebpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ononmo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fempbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmfhjhdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdmeqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lennpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geklckkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcfcmnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciqmjkno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iabodcnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjnihnmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbalaoda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Belemd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfemdcba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agiahlkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aklciimh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcjgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibfbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmmcgbnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beaecjab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcooaah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjknakhq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmppneal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfkpiled.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnbmqjjo.exe -
Executes dropped EXE 64 IoCs
pid Process 4884 Akihcfid.exe 1048 Acppddig.exe 4796 Aidomjaf.exe 2996 Bmagch32.exe 3448 Bbalaoda.exe 4300 Beaecjab.exe 992 Bcbeqaia.exe 1424 Clpgkcdj.exe 1992 Cdjlap32.exe 3884 Cboibm32.exe 888 Ddqbbo32.exe 3980 Dedkogqm.exe 3252 Dpllbp32.exe 4372 Ddjehneg.exe 4036 Egknji32.exe 2824 Emgblc32.exe 4460 Emioab32.exe 2748 Elolco32.exe 4856 Eibmlc32.exe 5076 Fpoaom32.exe 2804 Ffnglc32.exe 4248 Gjnlha32.exe 2220 Gqkajk32.exe 5108 Gnoacp32.exe 3868 Gdhjpjjd.exe 4328 Gqagkjne.exe 116 Hqddqj32.exe 600 Hcbpme32.exe 2636 Hfefdpfe.exe 4996 Hjcojo32.exe 4928 Iqpclh32.exe 4208 Ifoijonj.exe 4776 Imnjbhaa.exe 2816 Jgcooaah.exe 3220 Jakchf32.exe 3516 Jjdgal32.exe 780 Janpnfee.exe 2108 Jjfdfl32.exe 2428 Jelhcd32.exe 2844 Jjhalkjc.exe 3064 Jeneidji.exe 4940 Jjknakhq.exe 436 Jepbodhg.exe 3996 Kjmjgk32.exe 660 Kagbdenk.exe 4148 Kjpgmj32.exe 2084 Kdhlepkl.exe 4952 Kmppneal.exe 1900 Khfdlnab.exe 836 Kdmeqo32.exe 3468 Kjfmminc.exe 2088 Ldoafodd.exe 4272 Lennpb32.exe 3488 Ljkghi32.exe 4104 Laeoec32.exe 392 Ljncnhhk.exe 2764 Lechkaga.exe 1956 Lkppchfi.exe 4988 Lajhpbme.exe 4344 Lfgahikm.exe 3512 Malefbkc.exe 2448 Mopeofjl.exe 4360 Mdmngm32.exe 3668 Maaoaa32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cfedmfqd.exe Clpppmqn.exe File opened for modification C:\Windows\SysWOW64\Ehkcgkdj.exe Eoconenj.exe File opened for modification C:\Windows\SysWOW64\Fbjcplhj.exe Fkbkoo32.exe File created C:\Windows\SysWOW64\Bqdlmo32.exe Bkhceh32.exe File created C:\Windows\SysWOW64\Pmhaae32.dll Giddddad.exe File created C:\Windows\SysWOW64\Nacmahgc.dll Onjebpml.exe File created C:\Windows\SysWOW64\Madfepmc.dll Eojeodga.exe File created C:\Windows\SysWOW64\Jkchehih.dll Fbhnec32.exe File created C:\Windows\SysWOW64\Jckeokan.exe Jqmicpbj.exe File created C:\Windows\SysWOW64\Emioab32.exe Emgblc32.exe File created C:\Windows\SysWOW64\Nlpnapfn.dll Gchflq32.exe File created C:\Windows\SysWOW64\Geklckkd.exe Ghgljg32.exe File opened for modification C:\Windows\SysWOW64\Ononmo32.exe Oahnhncc.exe File opened for modification C:\Windows\SysWOW64\Bbpolb32.exe Bjhgke32.exe File created C:\Windows\SysWOW64\Bnicai32.exe Bngfli32.exe File created C:\Windows\SysWOW64\Nnjdkikf.dll Cnebmgjj.exe File opened for modification C:\Windows\SysWOW64\Dlpigk32.exe Dfcqod32.exe File opened for modification C:\Windows\SysWOW64\Kjipmoai.exe Kcphpdil.exe File created C:\Windows\SysWOW64\Kofheeoq.exe Kjipmoai.exe File created C:\Windows\SysWOW64\Mogdhape.dll Lihpdj32.exe File created C:\Windows\SysWOW64\Cifmoa32.exe Cicqja32.exe File created C:\Windows\SysWOW64\Dabmnd32.dll Ciqmjkno.exe File opened for modification C:\Windows\SysWOW64\Ilcjgm32.exe Icjengld.exe File opened for modification C:\Windows\SysWOW64\Phfhfa32.exe Onqdhh32.exe File opened for modification C:\Windows\SysWOW64\Icjengld.exe Iooimi32.exe File created C:\Windows\SysWOW64\Lfqjhmhk.exe Ljjicl32.exe File created C:\Windows\SysWOW64\Blcgdmeb.dll Dfcqod32.exe File created C:\Windows\SysWOW64\Fblpflfg.exe Fhflhcfa.exe File opened for modification C:\Windows\SysWOW64\Jloibkhh.exe Jokiig32.exe File created C:\Windows\SysWOW64\Jelhcd32.exe Jjfdfl32.exe File created C:\Windows\SysWOW64\Lfgahikm.exe Lajhpbme.exe File created C:\Windows\SysWOW64\Malefbkc.exe Lfgahikm.exe File created C:\Windows\SysWOW64\Cnebmgjj.exe Cihjeq32.exe File created C:\Windows\SysWOW64\Okleqm32.dll Eelpqi32.exe File created C:\Windows\SysWOW64\Kfpqap32.exe Kofheeoq.exe File opened for modification C:\Windows\SysWOW64\Bmagch32.exe Aidomjaf.exe File created C:\Windows\SysWOW64\Jahadh32.dll Qomghp32.exe File created C:\Windows\SysWOW64\Eeackh32.dll Aoapcood.exe File created C:\Windows\SysWOW64\Joobdfei.exe Jhejgl32.exe File created C:\Windows\SysWOW64\Dfcqod32.exe Decdeama.exe File created C:\Windows\SysWOW64\Fbhnec32.exe Eipilmgh.exe File created C:\Windows\SysWOW64\Icpecm32.exe Ihjafd32.exe File created C:\Windows\SysWOW64\Apqddgbj.dll Nhffijdm.exe File created C:\Windows\SysWOW64\Gchflq32.exe Gipbck32.exe File opened for modification C:\Windows\SysWOW64\Pnfdnnbo.exe Pfkpiled.exe File opened for modification C:\Windows\SysWOW64\Qomghp32.exe Phbolflm.exe File created C:\Windows\SysWOW64\Dlpigk32.exe Dfcqod32.exe File created C:\Windows\SysWOW64\Ndhqmknd.dll Cihjeq32.exe File created C:\Windows\SysWOW64\Conpjg32.dll Giboijgb.exe File created C:\Windows\SysWOW64\Fpffjn32.dll Naqqmieo.exe File created C:\Windows\SysWOW64\Phpklp32.exe Pnjgog32.exe File created C:\Windows\SysWOW64\Cejjdlap.exe Cgejkh32.exe File opened for modification C:\Windows\SysWOW64\Dedkogqm.exe Ddqbbo32.exe File created C:\Windows\SysWOW64\Gefpidln.dll Necqbo32.exe File created C:\Windows\SysWOW64\Cicqja32.exe Cfedmfqd.exe File created C:\Windows\SysWOW64\Qfkoaf32.dll Kiomnk32.exe File opened for modification C:\Windows\SysWOW64\Mffjnc32.exe Laiafl32.exe File created C:\Windows\SysWOW64\Dlkiaece.exe Dilmeida.exe File created C:\Windows\SysWOW64\Maehlqch.exe Mgpcohcb.exe File opened for modification C:\Windows\SysWOW64\Anncek32.exe Akogio32.exe File created C:\Windows\SysWOW64\Dhpdkm32.exe Dbckcf32.exe File created C:\Windows\SysWOW64\Fkgejncb.exe Fblpflfg.exe File created C:\Windows\SysWOW64\Kpbljo32.dll Iooimi32.exe File created C:\Windows\SysWOW64\Jchaoe32.exe Jloibkhh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10152 9292 WerFault.exe 477 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelhcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necqbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhffijdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlpgibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcmfchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmmmnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlobmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnihnmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkcgkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhddgofo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmeqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladhkmno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebkid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjipmoai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maehlqch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbckcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpeaeedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elfhmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpooanf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefedcmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcjgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkpipaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhefhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nieoal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpdkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmmcgbnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipffmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejglcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Engaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joobdfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcaqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddqbbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqkajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqpclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lechkaga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhicoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnicai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flekihpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miipencp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngklppei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkghqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkofofbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohobebig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgblc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffnglc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhjpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakchf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakjnnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibfbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malnklgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emioab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoijonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oahnhncc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didjqoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igieoleg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdmdlie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohjgpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdlgmgdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaijand.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jelhcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aocafeff.dll" Ngklppei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiomnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqddqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkgejncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfpqap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljncnhhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnlpgibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjopgh32.dll" Ikmpcicg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgagjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiaogfai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgpp32.dll" Ilcjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inicjl32.dll" Jakchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhefhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigmon32.dll" Mbjgcnll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiopdhnf.dll" Belemd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Decdeama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kppbejka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbiabq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jchaoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmkpipaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkbkoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnndl32.dll" Kmppneal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Laeoec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjqdafmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmfodn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgaqphgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdagbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcommoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjjaci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glngep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ilcjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpiidi32.dll" Aidomjaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okeklcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnoefagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgmnooom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgbhfhcl.dll" Hjlaoioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igalei32.dll" Ajaqjfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joobdfei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kofheeoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foeeml32.dll" Gqkajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcagf32.dll" Kifjip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjipmoai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhdicjfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oakjnnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgjbjed.dll" Dlmegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkeakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jakchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mopeofjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnmjomlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fcaqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hohjgpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqmicpbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogmiepcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hchihhng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaoemei.dll" Ljffccjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabmnd32.dll" Ciqmjkno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icmbcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmldpop.dll" Jokiig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgeik32.dll" Kgemahmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node 8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qgehml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eelpqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khfdlnab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3944 wrote to memory of 4884 3944 8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe 89 PID 3944 wrote to memory of 4884 3944 8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe 89 PID 3944 wrote to memory of 4884 3944 8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe 89 PID 4884 wrote to memory of 1048 4884 Akihcfid.exe 90 PID 4884 wrote to memory of 1048 4884 Akihcfid.exe 90 PID 4884 wrote to memory of 1048 4884 Akihcfid.exe 90 PID 1048 wrote to memory of 4796 1048 Acppddig.exe 91 PID 1048 wrote to memory of 4796 1048 Acppddig.exe 91 PID 1048 wrote to memory of 4796 1048 Acppddig.exe 91 PID 4796 wrote to memory of 2996 4796 Aidomjaf.exe 92 PID 4796 wrote to memory of 2996 4796 Aidomjaf.exe 92 PID 4796 wrote to memory of 2996 4796 Aidomjaf.exe 92 PID 2996 wrote to memory of 3448 2996 Bmagch32.exe 93 PID 2996 wrote to memory of 3448 2996 Bmagch32.exe 93 PID 2996 wrote to memory of 3448 2996 Bmagch32.exe 93 PID 3448 wrote to memory of 4300 3448 Bbalaoda.exe 94 PID 3448 wrote to memory of 4300 3448 Bbalaoda.exe 94 PID 3448 wrote to memory of 4300 3448 Bbalaoda.exe 94 PID 4300 wrote to memory of 992 4300 Beaecjab.exe 95 PID 4300 wrote to memory of 992 4300 Beaecjab.exe 95 PID 4300 wrote to memory of 992 4300 Beaecjab.exe 95 PID 992 wrote to memory of 1424 992 Bcbeqaia.exe 96 PID 992 wrote to memory of 1424 992 Bcbeqaia.exe 96 PID 992 wrote to memory of 1424 992 Bcbeqaia.exe 96 PID 1424 wrote to memory of 1992 1424 Clpgkcdj.exe 97 PID 1424 wrote to memory of 1992 1424 Clpgkcdj.exe 97 PID 1424 wrote to memory of 1992 1424 Clpgkcdj.exe 97 PID 1992 wrote to memory of 3884 1992 Cdjlap32.exe 98 PID 1992 wrote to memory of 3884 1992 Cdjlap32.exe 98 PID 1992 wrote to memory of 3884 1992 Cdjlap32.exe 98 PID 3884 wrote to memory of 888 3884 Cboibm32.exe 99 PID 3884 wrote to memory of 888 3884 Cboibm32.exe 99 PID 3884 wrote to memory of 888 3884 Cboibm32.exe 99 PID 888 wrote to memory of 3980 888 Ddqbbo32.exe 100 PID 888 wrote to memory of 3980 888 Ddqbbo32.exe 100 PID 888 wrote to memory of 3980 888 Ddqbbo32.exe 100 PID 3980 wrote to memory of 3252 3980 Dedkogqm.exe 101 PID 3980 wrote to memory of 3252 3980 Dedkogqm.exe 101 PID 3980 wrote to memory of 3252 3980 Dedkogqm.exe 101 PID 3252 wrote to memory of 4372 3252 Dpllbp32.exe 102 PID 3252 wrote to memory of 4372 3252 Dpllbp32.exe 102 PID 3252 wrote to memory of 4372 3252 Dpllbp32.exe 102 PID 4372 wrote to memory of 4036 4372 Ddjehneg.exe 103 PID 4372 wrote to memory of 4036 4372 Ddjehneg.exe 103 PID 4372 wrote to memory of 4036 4372 Ddjehneg.exe 103 PID 4036 wrote to memory of 2824 4036 Egknji32.exe 104 PID 4036 wrote to memory of 2824 4036 Egknji32.exe 104 PID 4036 wrote to memory of 2824 4036 Egknji32.exe 104 PID 2824 wrote to memory of 4460 2824 Emgblc32.exe 105 PID 2824 wrote to memory of 4460 2824 Emgblc32.exe 105 PID 2824 wrote to memory of 4460 2824 Emgblc32.exe 105 PID 4460 wrote to memory of 2748 4460 Emioab32.exe 106 PID 4460 wrote to memory of 2748 4460 Emioab32.exe 106 PID 4460 wrote to memory of 2748 4460 Emioab32.exe 106 PID 2748 wrote to memory of 4856 2748 Elolco32.exe 107 PID 2748 wrote to memory of 4856 2748 Elolco32.exe 107 PID 2748 wrote to memory of 4856 2748 Elolco32.exe 107 PID 4856 wrote to memory of 5076 4856 Eibmlc32.exe 108 PID 4856 wrote to memory of 5076 4856 Eibmlc32.exe 108 PID 4856 wrote to memory of 5076 4856 Eibmlc32.exe 108 PID 5076 wrote to memory of 2804 5076 Fpoaom32.exe 109 PID 5076 wrote to memory of 2804 5076 Fpoaom32.exe 109 PID 5076 wrote to memory of 2804 5076 Fpoaom32.exe 109 PID 2804 wrote to memory of 4248 2804 Ffnglc32.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe"C:\Users\Admin\AppData\Local\Temp\8679446f58f98f332e85932a7de5d3ea08bdbb0ca4bc63381128babb74af067eN.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\Clpgkcdj.exeC:\Windows\system32\Clpgkcdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Egknji32.exeC:\Windows\system32\Egknji32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Emioab32.exeC:\Windows\system32\Emioab32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460 -
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe23⤵
- Executes dropped EXE
PID:4248 -
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Gnoacp32.exeC:\Windows\system32\Gnoacp32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5108 -
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Windows\SysWOW64\Gqagkjne.exeC:\Windows\system32\Gqagkjne.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:116 -
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe29⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Hfefdpfe.exeC:\Windows\system32\Hfefdpfe.exe30⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Hjcojo32.exeC:\Windows\system32\Hjcojo32.exe31⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4928 -
C:\Windows\SysWOW64\Ifoijonj.exeC:\Windows\system32\Ifoijonj.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4208 -
C:\Windows\SysWOW64\Imnjbhaa.exeC:\Windows\system32\Imnjbhaa.exe34⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Jgcooaah.exeC:\Windows\system32\Jgcooaah.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Jjdgal32.exeC:\Windows\system32\Jjdgal32.exe37⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Janpnfee.exeC:\Windows\system32\Janpnfee.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Jjfdfl32.exeC:\Windows\system32\Jjfdfl32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Jelhcd32.exeC:\Windows\system32\Jelhcd32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Jjhalkjc.exeC:\Windows\system32\Jjhalkjc.exe41⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Jeneidji.exeC:\Windows\system32\Jeneidji.exe42⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Jjknakhq.exeC:\Windows\system32\Jjknakhq.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Jepbodhg.exeC:\Windows\system32\Jepbodhg.exe44⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Kjmjgk32.exeC:\Windows\system32\Kjmjgk32.exe45⤵
- Executes dropped EXE
PID:3996 -
C:\Windows\SysWOW64\Kagbdenk.exeC:\Windows\system32\Kagbdenk.exe46⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Kjpgmj32.exeC:\Windows\system32\Kjpgmj32.exe47⤵
- Executes dropped EXE
PID:4148 -
C:\Windows\SysWOW64\Kdhlepkl.exeC:\Windows\system32\Kdhlepkl.exe48⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Kmppneal.exeC:\Windows\system32\Kmppneal.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4952 -
C:\Windows\SysWOW64\Khfdlnab.exeC:\Windows\system32\Khfdlnab.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Kdmeqo32.exeC:\Windows\system32\Kdmeqo32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Kjfmminc.exeC:\Windows\system32\Kjfmminc.exe52⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Ldoafodd.exeC:\Windows\system32\Ldoafodd.exe53⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Lennpb32.exeC:\Windows\system32\Lennpb32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Ljkghi32.exeC:\Windows\system32\Ljkghi32.exe55⤵
- Executes dropped EXE
PID:3488 -
C:\Windows\SysWOW64\Laeoec32.exeC:\Windows\system32\Laeoec32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:4104 -
C:\Windows\SysWOW64\Ljncnhhk.exeC:\Windows\system32\Ljncnhhk.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:392 -
C:\Windows\SysWOW64\Lechkaga.exeC:\Windows\system32\Lechkaga.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Lkppchfi.exeC:\Windows\system32\Lkppchfi.exe59⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Lajhpbme.exeC:\Windows\system32\Lajhpbme.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4988 -
C:\Windows\SysWOW64\Lfgahikm.exeC:\Windows\system32\Lfgahikm.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4344 -
C:\Windows\SysWOW64\Malefbkc.exeC:\Windows\system32\Malefbkc.exe62⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Mopeofjl.exeC:\Windows\system32\Mopeofjl.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Mdmngm32.exeC:\Windows\system32\Mdmngm32.exe64⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Maaoaa32.exeC:\Windows\system32\Maaoaa32.exe65⤵
- Executes dropped EXE
PID:3668 -
C:\Windows\SysWOW64\Moeoje32.exeC:\Windows\system32\Moeoje32.exe66⤵PID:3452
-
C:\Windows\SysWOW64\Mdagbl32.exeC:\Windows\system32\Mdagbl32.exe67⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Mgpcohcb.exeC:\Windows\system32\Mgpcohcb.exe68⤵
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Maehlqch.exeC:\Windows\system32\Maehlqch.exe69⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Mgbpdgap.exeC:\Windows\system32\Mgbpdgap.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3656 -
C:\Windows\SysWOW64\Necqbo32.exeC:\Windows\system32\Necqbo32.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3388 -
C:\Windows\SysWOW64\Nnoefagj.exeC:\Windows\system32\Nnoefagj.exe72⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe73⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Namnmp32.exeC:\Windows\system32\Namnmp32.exe74⤵PID:1444
-
C:\Windows\SysWOW64\Nhffijdm.exeC:\Windows\system32\Nhffijdm.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Nhicoi32.exeC:\Windows\system32\Nhicoi32.exe76⤵
- System Location Discovery: System Language Discovery
PID:3420 -
C:\Windows\SysWOW64\Nockkcjg.exeC:\Windows\system32\Nockkcjg.exe77⤵PID:4312
-
C:\Windows\SysWOW64\Ndpcdjho.exeC:\Windows\system32\Ndpcdjho.exe78⤵PID:4112
-
C:\Windows\SysWOW64\Oeopnmoa.exeC:\Windows\system32\Oeopnmoa.exe79⤵PID:3024
-
C:\Windows\SysWOW64\Onjebpml.exeC:\Windows\system32\Onjebpml.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3280 -
C:\Windows\SysWOW64\Oeamcmmo.exeC:\Windows\system32\Oeamcmmo.exe81⤵PID:5148
-
C:\Windows\SysWOW64\Oahnhncc.exeC:\Windows\system32\Oahnhncc.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5192 -
C:\Windows\SysWOW64\Ononmo32.exeC:\Windows\system32\Ononmo32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236 -
C:\Windows\SysWOW64\Oakjnnap.exeC:\Windows\system32\Oakjnnap.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Oookgbpj.exeC:\Windows\system32\Oookgbpj.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5324 -
C:\Windows\SysWOW64\Okeklcen.exeC:\Windows\system32\Okeklcen.exe86⤵
- Modifies registry class
PID:5368 -
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe88⤵PID:5468
-
C:\Windows\SysWOW64\Phlikg32.exeC:\Windows\system32\Phlikg32.exe89⤵PID:5524
-
C:\Windows\SysWOW64\Pbdmdlie.exeC:\Windows\system32\Pbdmdlie.exe90⤵
- System Location Discovery: System Language Discovery
PID:5568 -
C:\Windows\SysWOW64\Phneqf32.exeC:\Windows\system32\Phneqf32.exe91⤵PID:5612
-
C:\Windows\SysWOW64\Pnknim32.exeC:\Windows\system32\Pnknim32.exe92⤵PID:5656
-
C:\Windows\SysWOW64\Phpbffnp.exeC:\Windows\system32\Phpbffnp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5700 -
C:\Windows\SysWOW64\Pnmjomlg.exeC:\Windows\system32\Pnmjomlg.exe94⤵
- Modifies registry class
PID:5744 -
C:\Windows\SysWOW64\Phbolflm.exeC:\Windows\system32\Phbolflm.exe95⤵
- Drops file in System32 directory
PID:5788 -
C:\Windows\SysWOW64\Qomghp32.exeC:\Windows\system32\Qomghp32.exe96⤵
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Qghlmbae.exeC:\Windows\system32\Qghlmbae.exe97⤵PID:5876
-
C:\Windows\SysWOW64\Qbmpjkqk.exeC:\Windows\system32\Qbmpjkqk.exe98⤵PID:5924
-
C:\Windows\SysWOW64\Aoapcood.exeC:\Windows\system32\Aoapcood.exe99⤵
- Drops file in System32 directory
PID:5968 -
C:\Windows\SysWOW64\Agmehamp.exeC:\Windows\system32\Agmehamp.exe100⤵PID:6016
-
C:\Windows\SysWOW64\Abbiej32.exeC:\Windows\system32\Abbiej32.exe101⤵PID:6060
-
C:\Windows\SysWOW64\Adqeaf32.exeC:\Windows\system32\Adqeaf32.exe102⤵PID:6100
-
C:\Windows\SysWOW64\Abdfkj32.exeC:\Windows\system32\Abdfkj32.exe103⤵PID:2732
-
C:\Windows\SysWOW64\Agaoca32.exeC:\Windows\system32\Agaoca32.exe104⤵PID:5188
-
C:\Windows\SysWOW64\Akogio32.exeC:\Windows\system32\Akogio32.exe105⤵
- Drops file in System32 directory
PID:5268 -
C:\Windows\SysWOW64\Anncek32.exeC:\Windows\system32\Anncek32.exe106⤵PID:5336
-
C:\Windows\SysWOW64\Aeglbeea.exeC:\Windows\system32\Aeglbeea.exe107⤵PID:5420
-
C:\Windows\SysWOW64\Bomppneg.exeC:\Windows\system32\Bomppneg.exe108⤵PID:5484
-
C:\Windows\SysWOW64\Bejhhd32.exeC:\Windows\system32\Bejhhd32.exe109⤵
- System Location Discovery: System Language Discovery
PID:5556 -
C:\Windows\SysWOW64\Bnbmqjjo.exeC:\Windows\system32\Bnbmqjjo.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5644 -
C:\Windows\SysWOW64\Belemd32.exeC:\Windows\system32\Belemd32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5716 -
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe112⤵PID:5776
-
C:\Windows\SysWOW64\Beobcdoi.exeC:\Windows\system32\Beobcdoi.exe113⤵PID:5828
-
C:\Windows\SysWOW64\Bgmnooom.exeC:\Windows\system32\Bgmnooom.exe114⤵
- Modifies registry class
PID:5884 -
C:\Windows\SysWOW64\Bngfli32.exeC:\Windows\system32\Bngfli32.exe115⤵
- Drops file in System32 directory
PID:5964 -
C:\Windows\SysWOW64\Bnicai32.exeC:\Windows\system32\Bnicai32.exe116⤵
- System Location Discovery: System Language Discovery
PID:6012 -
C:\Windows\SysWOW64\Cgagjo32.exeC:\Windows\system32\Cgagjo32.exe117⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Cnlpgibd.exeC:\Windows\system32\Cnlpgibd.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6116 -
C:\Windows\SysWOW64\Clpppmqn.exeC:\Windows\system32\Clpppmqn.exe119⤵
- Drops file in System32 directory
PID:5508 -
C:\Windows\SysWOW64\Cfedmfqd.exeC:\Windows\system32\Cfedmfqd.exe120⤵
- Drops file in System32 directory
PID:5232 -
C:\Windows\SysWOW64\Cicqja32.exeC:\Windows\system32\Cicqja32.exe121⤵
- Drops file in System32 directory
PID:5356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-