Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 12:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2fafdbf92895bd70636abf7a2398eca0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
2fafdbf92895bd70636abf7a2398eca0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
2fafdbf92895bd70636abf7a2398eca0N.exe
-
Size
285KB
-
MD5
2fafdbf92895bd70636abf7a2398eca0
-
SHA1
209c0945e7bfb59fc341b8aac6bf46a53e6cd450
-
SHA256
bd1e1a7366f36d9ab513abaf71e6f14af36453023a29670ae35f698c9841d847
-
SHA512
4ea160884b40257ea3ca14fbd7a07e1667b8a6fb8ab51f29d2cfa84b53ecf5759da1e36660ea7969ae79a220125b3286426c334bb663466fb3ff9719004e0adc
-
SSDEEP
3072:LscueEqsieQKVcbMloVRr3uMg0kAqSxYiJ2QM4GKch:Lsos5QKQIoi7tWa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhmhhmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bmnnkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbajkiof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkejcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Enfgfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gildahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phpjnnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idcacc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dahifbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kncaojfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phhjblpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qinjgbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kghpoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnldjekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omcifpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfpdkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgigil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdgfelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaijak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cehfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmqpam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kffldlne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgqcjlhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcbabpcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqonbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeindm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eheecbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfkapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eijdkcgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kghpoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Klehgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njdqka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecfldoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Noemqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kadfkhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihfap32.exe -
Executes dropped EXE 64 IoCs
pid Process 2516 Meffhnal.exe 2164 Mmakmp32.exe 2892 Mfjoeeeh.exe 2744 Mpbdnk32.exe 2844 Mjhhld32.exe 2808 Mpdqdkie.exe 2244 Mjjdacik.exe 1880 Mpgmijgc.exe 1084 Mfaefd32.exe 1980 Noljjglk.exe 2424 Nfcbldmm.exe 2712 Noogpfjh.exe 1996 Nehomq32.exe 2708 Noacef32.exe 780 Ndnlnm32.exe 1764 Nmfqgbmm.exe 1124 Nemhhpmp.exe 1932 Noemqe32.exe 608 Nmhmlbkk.exe 788 Npgihn32.exe 2436 Ogqaehak.exe 916 Omkjbb32.exe 2440 Opifnm32.exe 2384 Odebolpe.exe 2520 Okojkf32.exe 2296 Odgodl32.exe 2916 Ocjophem.exe 2736 Olbchn32.exe 2112 Opnpimdf.exe 1684 Oifdbb32.exe 2732 Oldpnn32.exe 3064 Opplolac.exe 1112 Oaaifdhb.exe 2832 Poeipifl.exe 1720 Padeldeo.exe 2024 Phnnho32.exe 1228 Pohfehdi.exe 2580 Pafbadcm.exe 568 Peanbblf.exe 2596 Phpjnnki.exe 440 Pahogc32.exe 1276 Pdgkco32.exe 2124 Pkacpihj.exe 1520 Pqnlhpfb.exe 1644 Pclhdl32.exe 1340 Pggdejno.exe 1272 Pjfpafmb.exe 2968 Pnalad32.exe 2248 Pqphnp32.exe 2992 Pcnejk32.exe 2880 Qfmafg32.exe 2780 Qjhmfekp.exe 2624 Qmgibqjc.exe 1608 Qglmpi32.exe 1048 Qjkjle32.exe 2860 Qinjgbpg.exe 692 Qogbdl32.exe 1948 Accnekon.exe 820 Ajmfad32.exe 3008 Aipfmane.exe 2352 Akncimmh.exe 1592 Acekjjmk.exe 1924 Afdgfelo.exe 2076 Aeggbbci.exe -
Loads dropped DLL 64 IoCs
pid Process 2696 2fafdbf92895bd70636abf7a2398eca0N.exe 2696 2fafdbf92895bd70636abf7a2398eca0N.exe 2516 Meffhnal.exe 2516 Meffhnal.exe 2164 Mmakmp32.exe 2164 Mmakmp32.exe 2892 Mfjoeeeh.exe 2892 Mfjoeeeh.exe 2744 Mpbdnk32.exe 2744 Mpbdnk32.exe 2844 Mjhhld32.exe 2844 Mjhhld32.exe 2808 Mpdqdkie.exe 2808 Mpdqdkie.exe 2244 Mjjdacik.exe 2244 Mjjdacik.exe 1880 Mpgmijgc.exe 1880 Mpgmijgc.exe 1084 Mfaefd32.exe 1084 Mfaefd32.exe 1980 Noljjglk.exe 1980 Noljjglk.exe 2424 Nfcbldmm.exe 2424 Nfcbldmm.exe 2712 Noogpfjh.exe 2712 Noogpfjh.exe 1996 Nehomq32.exe 1996 Nehomq32.exe 2708 Noacef32.exe 2708 Noacef32.exe 780 Ndnlnm32.exe 780 Ndnlnm32.exe 1764 Nmfqgbmm.exe 1764 Nmfqgbmm.exe 1124 Nemhhpmp.exe 1124 Nemhhpmp.exe 1932 Noemqe32.exe 1932 Noemqe32.exe 608 Nmhmlbkk.exe 608 Nmhmlbkk.exe 788 Npgihn32.exe 788 Npgihn32.exe 2436 Ogqaehak.exe 2436 Ogqaehak.exe 916 Omkjbb32.exe 916 Omkjbb32.exe 2440 Opifnm32.exe 2440 Opifnm32.exe 2384 Odebolpe.exe 2384 Odebolpe.exe 2520 Okojkf32.exe 2520 Okojkf32.exe 2296 Odgodl32.exe 2296 Odgodl32.exe 2916 Ocjophem.exe 2916 Ocjophem.exe 2736 Olbchn32.exe 2736 Olbchn32.exe 2112 Opnpimdf.exe 2112 Opnpimdf.exe 1684 Oifdbb32.exe 1684 Oifdbb32.exe 2732 Oldpnn32.exe 2732 Oldpnn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iimfld32.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Pnjofo32.exe Pecgea32.exe File created C:\Windows\SysWOW64\Cdbhodcb.dll Hhcmhdke.exe File created C:\Windows\SysWOW64\Jepmgj32.exe Jniefm32.exe File opened for modification C:\Windows\SysWOW64\Mccbmh32.exe Meabakda.exe File created C:\Windows\SysWOW64\Pdaemiaj.dll Cfpldf32.exe File created C:\Windows\SysWOW64\Ihnijmcj.dll Lonpma32.exe File created C:\Windows\SysWOW64\Pgddfe32.dll Lnhgim32.exe File created C:\Windows\SysWOW64\Pghaaidm.dll Oibmpl32.exe File opened for modification C:\Windows\SysWOW64\Acqnnndl.exe Aababceh.exe File created C:\Windows\SysWOW64\Fheabelm.exe Fgcejm32.exe File created C:\Windows\SysWOW64\Pomhcg32.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Fcbecl32.exe Fogibnha.exe File opened for modification C:\Windows\SysWOW64\Pjfpafmb.exe Pggdejno.exe File opened for modification C:\Windows\SysWOW64\Lcdfnehp.exe Lqejbiim.exe File created C:\Windows\SysWOW64\Mpopnejo.exe Mkddnf32.exe File opened for modification C:\Windows\SysWOW64\Clbnhmjo.exe Cehfkb32.exe File created C:\Windows\SysWOW64\Dbncjf32.exe Dldkmlhl.exe File opened for modification C:\Windows\SysWOW64\Nhlgmd32.exe Nenkqi32.exe File created C:\Windows\SysWOW64\Andgop32.exe Aoagccfn.exe File opened for modification C:\Windows\SysWOW64\Bnhoag32.exe Bfagpiam.exe File created C:\Windows\SysWOW64\Aqonbm32.exe Aihfap32.exe File created C:\Windows\SysWOW64\Bmpcfg32.dll Aihfap32.exe File opened for modification C:\Windows\SysWOW64\Dicnkdnf.exe Dgeaoinb.exe File created C:\Windows\SysWOW64\Iplfej32.dll Hemqpf32.exe File created C:\Windows\SysWOW64\Kgbioq32.dll Mcqombic.exe File created C:\Windows\SysWOW64\Nlqmmd32.exe Nibqqh32.exe File created C:\Windows\SysWOW64\Oemgplgo.exe Oococb32.exe File opened for modification C:\Windows\SysWOW64\Pclhdl32.exe Pqnlhpfb.exe File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe Cileqlmg.exe File opened for modification C:\Windows\SysWOW64\Bqijljfd.exe Bmnnkl32.exe File created C:\Windows\SysWOW64\Nbhbjgmd.dll Aigmnqgm.exe File opened for modification C:\Windows\SysWOW64\Cbajkiof.exe Clgbno32.exe File created C:\Windows\SysWOW64\Koddccaa.exe Klehgh32.exe File opened for modification C:\Windows\SysWOW64\Dhmhhmlm.exe Ddblgn32.exe File created C:\Windows\SysWOW64\Pkacpihj.exe Pdgkco32.exe File opened for modification C:\Windows\SysWOW64\Eeielfhk.exe Eamilh32.exe File opened for modification C:\Windows\SysWOW64\Oeehln32.exe Oajlkojn.exe File opened for modification C:\Windows\SysWOW64\Bammlq32.exe Bjbeofpp.exe File created C:\Windows\SysWOW64\Eklqcl32.exe Elipgofb.exe File created C:\Windows\SysWOW64\Iimfld32.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Ajnfie32.dll Elldgehk.exe File created C:\Windows\SysWOW64\Lfhhjklc.exe Lgehno32.exe File opened for modification C:\Windows\SysWOW64\Nbmaon32.exe Nnafnopi.exe File created C:\Windows\SysWOW64\Olbfagca.exe Ompefj32.exe File created C:\Windows\SysWOW64\Hapklimq.exe Hnbopmnm.exe File created C:\Windows\SysWOW64\Knakol32.dll Melifl32.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Aciqcifh.exe File created C:\Windows\SysWOW64\Nefpcolp.dll Qglmpi32.exe File opened for modification C:\Windows\SysWOW64\Qinjgbpg.exe Qjkjle32.exe File opened for modification C:\Windows\SysWOW64\Ajmfad32.exe Accnekon.exe File opened for modification C:\Windows\SysWOW64\Iiecgjba.exe Ibkkjp32.exe File created C:\Windows\SysWOW64\Ckboie32.dll Qqfkln32.exe File opened for modification C:\Windows\SysWOW64\Bckjhl32.exe Bammlq32.exe File created C:\Windows\SysWOW64\Clbnhmjo.exe Cehfkb32.exe File opened for modification C:\Windows\SysWOW64\Elkmmodo.exe Eddeladm.exe File opened for modification C:\Windows\SysWOW64\Ndnlnm32.exe Noacef32.exe File created C:\Windows\SysWOW64\Gcbabpcf.exe Gqdefddb.exe File opened for modification C:\Windows\SysWOW64\Illbhp32.exe Iimfld32.exe File created C:\Windows\SysWOW64\Klcdfdcb.dll Mnaiol32.exe File opened for modification C:\Windows\SysWOW64\Obhdcanc.exe Odedge32.exe File created C:\Windows\SysWOW64\Iennnogo.dll Pegqpacp.exe File opened for modification C:\Windows\SysWOW64\Imleli32.exe Iipiljgf.exe File created C:\Windows\SysWOW64\Pmmnhb32.dll Pcbncfjd.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\system32†Eanenbmi.¾ll Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmedlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elqaca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfncpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaaifdhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkifhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaaeepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghpoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbabpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfldoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caidaeak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjdmjgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goplilpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlkik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbpgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqcjlhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomgjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfidjbdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnalad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpdai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfnopfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkhhjei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plgolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pclhdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmcielb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkpfmnlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domqjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepmgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnpimdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihhcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdgfelo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfkln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabhah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnldjekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jondnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akqpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijclol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekfndmfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpbjnpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padeldeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookpodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caaggpdh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bkmhnjlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cfkloq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pafbadcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfeoelgo.dll" Bfkifhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbpdeogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anjlebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qifmdk32.dll" Pahogc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmglajcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikpibof.dll" Biaign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agjobffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbonei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcaiiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibejjo32.dll" Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfeeehni.dll" Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhniklfm.dll" Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ciifbchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fkjdopeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qhmcmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmakmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjknmf32.dll" Bfagpiam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Enlidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll" Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mejlalji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngnjmjh.dll" Eaeipfei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plgolf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qjkjle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foehfmaf.dll" Pomhcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iplnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Obmnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cinafkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pecgea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fkpjnkig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkllaj32.dll" Bpnddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmpn32.dll" Jlelhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Neqnqofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojbapc32.dll" Pclhdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komnbg32.dll" Lmjnak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bkmhnjlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gqdefddb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oaghki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cmpdgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehlenfjb.dll" Hfmddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkdffe.dll" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkjaa32.dll" Aqonbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkenb32.dll" Oajlkojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajeeeblb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mpebmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohbak32.dll" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpjpn32.dll" Aapemc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2696 wrote to memory of 2516 2696 2fafdbf92895bd70636abf7a2398eca0N.exe 30 PID 2696 wrote to memory of 2516 2696 2fafdbf92895bd70636abf7a2398eca0N.exe 30 PID 2696 wrote to memory of 2516 2696 2fafdbf92895bd70636abf7a2398eca0N.exe 30 PID 2696 wrote to memory of 2516 2696 2fafdbf92895bd70636abf7a2398eca0N.exe 30 PID 2516 wrote to memory of 2164 2516 Meffhnal.exe 31 PID 2516 wrote to memory of 2164 2516 Meffhnal.exe 31 PID 2516 wrote to memory of 2164 2516 Meffhnal.exe 31 PID 2516 wrote to memory of 2164 2516 Meffhnal.exe 31 PID 2164 wrote to memory of 2892 2164 Mmakmp32.exe 32 PID 2164 wrote to memory of 2892 2164 Mmakmp32.exe 32 PID 2164 wrote to memory of 2892 2164 Mmakmp32.exe 32 PID 2164 wrote to memory of 2892 2164 Mmakmp32.exe 32 PID 2892 wrote to memory of 2744 2892 Mfjoeeeh.exe 33 PID 2892 wrote to memory of 2744 2892 Mfjoeeeh.exe 33 PID 2892 wrote to memory of 2744 2892 Mfjoeeeh.exe 33 PID 2892 wrote to memory of 2744 2892 Mfjoeeeh.exe 33 PID 2744 wrote to memory of 2844 2744 Mpbdnk32.exe 34 PID 2744 wrote to memory of 2844 2744 Mpbdnk32.exe 34 PID 2744 wrote to memory of 2844 2744 Mpbdnk32.exe 34 PID 2744 wrote to memory of 2844 2744 Mpbdnk32.exe 34 PID 2844 wrote to memory of 2808 2844 Mjhhld32.exe 35 PID 2844 wrote to memory of 2808 2844 Mjhhld32.exe 35 PID 2844 wrote to memory of 2808 2844 Mjhhld32.exe 35 PID 2844 wrote to memory of 2808 2844 Mjhhld32.exe 35 PID 2808 wrote to memory of 2244 2808 Mpdqdkie.exe 36 PID 2808 wrote to memory of 2244 2808 Mpdqdkie.exe 36 PID 2808 wrote to memory of 2244 2808 Mpdqdkie.exe 36 PID 2808 wrote to memory of 2244 2808 Mpdqdkie.exe 36 PID 2244 wrote to memory of 1880 2244 Mjjdacik.exe 37 PID 2244 wrote to memory of 1880 2244 Mjjdacik.exe 37 PID 2244 wrote to memory of 1880 2244 Mjjdacik.exe 37 PID 2244 wrote to memory of 1880 2244 Mjjdacik.exe 37 PID 1880 wrote to memory of 1084 1880 Mpgmijgc.exe 38 PID 1880 wrote to memory of 1084 1880 Mpgmijgc.exe 38 PID 1880 wrote to memory of 1084 1880 Mpgmijgc.exe 38 PID 1880 wrote to memory of 1084 1880 Mpgmijgc.exe 38 PID 1084 wrote to memory of 1980 1084 Mfaefd32.exe 39 PID 1084 wrote to memory of 1980 1084 Mfaefd32.exe 39 PID 1084 wrote to memory of 1980 1084 Mfaefd32.exe 39 PID 1084 wrote to memory of 1980 1084 Mfaefd32.exe 39 PID 1980 wrote to memory of 2424 1980 Noljjglk.exe 40 PID 1980 wrote to memory of 2424 1980 Noljjglk.exe 40 PID 1980 wrote to memory of 2424 1980 Noljjglk.exe 40 PID 1980 wrote to memory of 2424 1980 Noljjglk.exe 40 PID 2424 wrote to memory of 2712 2424 Nfcbldmm.exe 41 PID 2424 wrote to memory of 2712 2424 Nfcbldmm.exe 41 PID 2424 wrote to memory of 2712 2424 Nfcbldmm.exe 41 PID 2424 wrote to memory of 2712 2424 Nfcbldmm.exe 41 PID 2712 wrote to memory of 1996 2712 Noogpfjh.exe 42 PID 2712 wrote to memory of 1996 2712 Noogpfjh.exe 42 PID 2712 wrote to memory of 1996 2712 Noogpfjh.exe 42 PID 2712 wrote to memory of 1996 2712 Noogpfjh.exe 42 PID 1996 wrote to memory of 2708 1996 Nehomq32.exe 43 PID 1996 wrote to memory of 2708 1996 Nehomq32.exe 43 PID 1996 wrote to memory of 2708 1996 Nehomq32.exe 43 PID 1996 wrote to memory of 2708 1996 Nehomq32.exe 43 PID 2708 wrote to memory of 780 2708 Noacef32.exe 44 PID 2708 wrote to memory of 780 2708 Noacef32.exe 44 PID 2708 wrote to memory of 780 2708 Noacef32.exe 44 PID 2708 wrote to memory of 780 2708 Noacef32.exe 44 PID 780 wrote to memory of 1764 780 Ndnlnm32.exe 45 PID 780 wrote to memory of 1764 780 Ndnlnm32.exe 45 PID 780 wrote to memory of 1764 780 Ndnlnm32.exe 45 PID 780 wrote to memory of 1764 780 Ndnlnm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fafdbf92895bd70636abf7a2398eca0N.exe"C:\Users\Admin\AppData\Local\Temp\2fafdbf92895bd70636abf7a2398eca0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:788 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe33⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1112 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe35⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe37⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe38⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe40⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe44⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe48⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe50⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe51⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe52⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe53⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe54⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe58⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe60⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe61⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe62⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe63⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe65⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe66⤵
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe67⤵PID:1028
-
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe68⤵PID:2920
-
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe69⤵PID:2772
-
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe70⤵PID:2812
-
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe71⤵PID:2256
-
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe72⤵PID:672
-
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe73⤵
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe74⤵
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe75⤵
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe76⤵PID:2956
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe77⤵PID:760
-
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe78⤵PID:1496
-
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe80⤵PID:1504
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe81⤵PID:920
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe82⤵PID:2716
-
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe84⤵PID:2928
-
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe85⤵PID:2784
-
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe86⤵PID:1256
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe87⤵PID:1668
-
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe88⤵PID:1648
-
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe89⤵PID:1280
-
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe90⤵PID:1600
-
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe91⤵
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe92⤵PID:2232
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe93⤵PID:2120
-
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe94⤵PID:1652
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe95⤵PID:2252
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe97⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe99⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe100⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe102⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe103⤵PID:2072
-
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe104⤵PID:2800
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe105⤵PID:1836
-
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe106⤵PID:1568
-
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe107⤵PID:2776
-
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe108⤵PID:2068
-
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe109⤵PID:2676
-
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe110⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe111⤵PID:1912
-
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe112⤵PID:2212
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe113⤵PID:996
-
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe114⤵
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe115⤵PID:1536
-
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe116⤵PID:1672
-
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe117⤵PID:2828
-
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe118⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe119⤵PID:2620
-
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe120⤵PID:2364
-
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe121⤵PID:2680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-