Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 22:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe
-
Size
56KB
-
MD5
e5bb49b59907f3c4e32baa8a89db4ae0
-
SHA1
8cfa669c163f2e3b5be9b9adb520e89953078578
-
SHA256
d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246
-
SHA512
17dbd91e7e430b3b8809144db031d7687ed61d7969688cf77b980814d7c608d381dbd1527679523c6a96964990b8449fd42cc7f64e3a68cac75241429a598d0b
-
SSDEEP
768:+G21bvYVgabvEYMNdI11kXfsWcOglyVgmApauzq0oCZEYhP5/1H5+Xdnhg:+r1bvRNdo1kVcwgmAYyhPbyW
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfdhojb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkljdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkomjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgfjhcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinqgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcopdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdjjag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdgfelo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmdafpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pldebkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfokinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceebklai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkifhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdhjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapklimq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkhaqpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqdiga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjaeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfccei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elqaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kghpoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqnqofm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eclbcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acekjjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajgbkbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imokehhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooclji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmfad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baigca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdlkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhemhpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkibcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkmhnjlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinklffl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmand32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeded32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgjaeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aakjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akqpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlgfnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmhnjlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocmim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabkom32.exe -
Executes dropped EXE 64 IoCs
pid Process 2660 Mlpneh32.exe 2884 Mclcijfd.exe 2716 Mmdgbp32.exe 2276 Mpbdnk32.exe 2736 Mmfdhojb.exe 2632 Mbcmpfhi.exe 2964 Mmhamoho.exe 1712 Mdbiji32.exe 324 Nmkncofl.exe 1720 Noljjglk.exe 1844 Nhdocl32.exe 1420 Nbjcqe32.exe 2616 Nlbgikia.exe 292 Neklbppb.exe 2920 Nledoj32.exe 3024 Nmfqgbmm.exe 2468 Noemqe32.exe 1224 Nmhmlbkk.exe 1680 Ogqaehak.exe 2256 Oionacqo.exe 896 Opifnm32.exe 3016 Ogcnkgoh.exe 2940 Opkccm32.exe 1484 Ogekpg32.exe 2204 Ooqpdj32.exe 2788 Oghhfg32.exe 2436 Oldpnn32.exe 2600 Ooclji32.exe 2580 Oihqgbhd.exe 1536 Olgmcmgh.exe 1692 Padeldeo.exe 2020 Pdbahpec.exe 1824 Plijimee.exe 2328 Pkljdj32.exe 1192 Pnjfae32.exe 1248 Peanbblf.exe 1612 Pgckjk32.exe 1620 Pojbkh32.exe 1832 Pahogc32.exe 1540 Pdgkco32.exe 968 Pgegok32.exe 836 Pjcckf32.exe 1896 Pakllc32.exe 904 Pdihiook.exe 352 Pggdejno.exe 1432 Pnalad32.exe 1508 Pdldnomh.exe 2544 Qgjqjjll.exe 2784 Qndigd32.exe 2844 Qmgibqjc.exe 2588 Qoeeolig.exe 2628 Qfonkfqd.exe 848 Qjkjle32.exe 1856 Qmifhq32.exe 1624 Qogbdl32.exe 764 Abfnpg32.exe 804 Ajmfad32.exe 2472 Amkbnp32.exe 584 Akncimmh.exe 2440 Acekjjmk.exe 2392 Afdgfelo.exe 1468 Aibcba32.exe 680 Akqpom32.exe 1412 Anolkh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2512 d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe 2512 d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe 2660 Mlpneh32.exe 2660 Mlpneh32.exe 2884 Mclcijfd.exe 2884 Mclcijfd.exe 2716 Mmdgbp32.exe 2716 Mmdgbp32.exe 2276 Mpbdnk32.exe 2276 Mpbdnk32.exe 2736 Mmfdhojb.exe 2736 Mmfdhojb.exe 2632 Mbcmpfhi.exe 2632 Mbcmpfhi.exe 2964 Mmhamoho.exe 2964 Mmhamoho.exe 1712 Mdbiji32.exe 1712 Mdbiji32.exe 324 Nmkncofl.exe 324 Nmkncofl.exe 1720 Noljjglk.exe 1720 Noljjglk.exe 1844 Nhdocl32.exe 1844 Nhdocl32.exe 1420 Nbjcqe32.exe 1420 Nbjcqe32.exe 2616 Nlbgikia.exe 2616 Nlbgikia.exe 292 Neklbppb.exe 292 Neklbppb.exe 2920 Nledoj32.exe 2920 Nledoj32.exe 3024 Nmfqgbmm.exe 3024 Nmfqgbmm.exe 2468 Noemqe32.exe 2468 Noemqe32.exe 1224 Nmhmlbkk.exe 1224 Nmhmlbkk.exe 1680 Ogqaehak.exe 1680 Ogqaehak.exe 2256 Oionacqo.exe 2256 Oionacqo.exe 896 Opifnm32.exe 896 Opifnm32.exe 3016 Ogcnkgoh.exe 3016 Ogcnkgoh.exe 2940 Opkccm32.exe 2940 Opkccm32.exe 1484 Ogekpg32.exe 1484 Ogekpg32.exe 2204 Ooqpdj32.exe 2204 Ooqpdj32.exe 2788 Oghhfg32.exe 2788 Oghhfg32.exe 2436 Oldpnn32.exe 2436 Oldpnn32.exe 2600 Ooclji32.exe 2600 Ooclji32.exe 2580 Oihqgbhd.exe 2580 Oihqgbhd.exe 1536 Olgmcmgh.exe 1536 Olgmcmgh.exe 1692 Padeldeo.exe 1692 Padeldeo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bleeioil.exe Bigimdjh.exe File created C:\Windows\SysWOW64\Dafmqb32.exe Dogpdg32.exe File created C:\Windows\SysWOW64\Codfplej.dll Jikeeh32.exe File created C:\Windows\SysWOW64\Ajfgpl32.dll Deollamj.exe File created C:\Windows\SysWOW64\Gomhii32.dll Mbcmpfhi.exe File created C:\Windows\SysWOW64\Gmfhfajb.dll Oionacqo.exe File created C:\Windows\SysWOW64\Ikekpn32.dll Olgmcmgh.exe File created C:\Windows\SysWOW64\Fmcjhdbc.exe Ffibkj32.exe File created C:\Windows\SysWOW64\Kmkejc32.dll Hjipenda.exe File opened for modification C:\Windows\SysWOW64\Lqncaj32.exe Lnpgeopa.exe File created C:\Windows\SysWOW64\Bchqdi32.dll Bnldjekl.exe File created C:\Windows\SysWOW64\Opqoge32.exe Ohiffh32.exe File opened for modification C:\Windows\SysWOW64\Ogekpg32.exe Opkccm32.exe File opened for modification C:\Windows\SysWOW64\Bjallg32.exe Bcgdom32.exe File created C:\Windows\SysWOW64\Clmfcd32.dll Cdgpnqpo.exe File opened for modification C:\Windows\SysWOW64\Iegjqk32.exe Ifdjeoep.exe File created C:\Windows\SysWOW64\Bbbpenco.exe Bnfddp32.exe File created C:\Windows\SysWOW64\Apofpf32.dll Peanbblf.exe File created C:\Windows\SysWOW64\Jkdgkc32.dll Ajjfkh32.exe File created C:\Windows\SysWOW64\Ciifbchf.exe Bfkifhib.exe File opened for modification C:\Windows\SysWOW64\Jehlkhig.exe Jbjpom32.exe File created C:\Windows\SysWOW64\Aippal32.dll Gjpqpl32.exe File created C:\Windows\SysWOW64\Mlhnifmq.exe Meoell32.exe File opened for modification C:\Windows\SysWOW64\Agdmdg32.exe Adfqgl32.exe File created C:\Windows\SysWOW64\Eclbcj32.exe Edibhmml.exe File opened for modification C:\Windows\SysWOW64\Pplaki32.exe Pmmeon32.exe File created C:\Windows\SysWOW64\Mmpife32.dll Knnkpobc.exe File opened for modification C:\Windows\SysWOW64\Lbnpkmfg.exe Lnbdko32.exe File created C:\Windows\SysWOW64\Ihpfgalh.exe Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Mfokinhf.exe Mqbbagjo.exe File created C:\Windows\SysWOW64\Fljiqocb.dll Mjkgjl32.exe File created C:\Windows\SysWOW64\Ghfcobil.dll Oiffkkbk.exe File created C:\Windows\SysWOW64\Alqnah32.exe Ahebaiac.exe File opened for modification C:\Windows\SysWOW64\Pkljdj32.exe Plijimee.exe File created C:\Windows\SysWOW64\Dgnjacmq.dll Anolkh32.exe File created C:\Windows\SysWOW64\Fdfeim32.dll Epbfmd32.exe File opened for modification C:\Windows\SysWOW64\Akabgebj.exe Ajpepm32.exe File created C:\Windows\SysWOW64\Dnoldn32.dll Lbnpkmfg.exe File opened for modification C:\Windows\SysWOW64\Nmlgfnal.exe Mjnjjbbh.exe File opened for modification C:\Windows\SysWOW64\Hidcef32.exe Hfegij32.exe File opened for modification C:\Windows\SysWOW64\Iamdkfnc.exe Ioohokoo.exe File created C:\Windows\SysWOW64\Lkgngb32.exe Lhiakf32.exe File created C:\Windows\SysWOW64\Qlfgce32.dll Nfahomfd.exe File created C:\Windows\SysWOW64\Bgllgedi.exe Bhjlli32.exe File created C:\Windows\SysWOW64\Cjgoje32.exe Bflbigdb.exe File created C:\Windows\SysWOW64\Dgdfdnfj.dll Gbohehoj.exe File created C:\Windows\SysWOW64\Hidcef32.exe Hfegij32.exe File created C:\Windows\SysWOW64\Khielcfh.exe Kekiphge.exe File created C:\Windows\SysWOW64\Kcnfobob.dll Lohccp32.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Cnmfdb32.exe File created C:\Windows\SysWOW64\Epbpbnan.exe Ehkhaqpk.exe File created C:\Windows\SysWOW64\Oionacqo.exe Ogqaehak.exe File created C:\Windows\SysWOW64\Aoohekal.exe Aggpdnpj.exe File created C:\Windows\SysWOW64\Jdaqmg32.exe Jenpajfb.exe File opened for modification C:\Windows\SysWOW64\Jdhgnf32.exe Jnnnalph.exe File created C:\Windows\SysWOW64\Heapkela.dll Lmjnak32.exe File opened for modification C:\Windows\SysWOW64\Anjlebjc.exe Akkoig32.exe File created C:\Windows\SysWOW64\Bkkpkade.dll Edibhmml.exe File created C:\Windows\SysWOW64\Jhebgh32.dll Klbdgb32.exe File opened for modification C:\Windows\SysWOW64\Kaajei32.exe Kocmim32.exe File created C:\Windows\SysWOW64\Akhfoldn.exe Acqnnndl.exe File created C:\Windows\SysWOW64\Kfeoelgo.dll Bfkifhib.exe File opened for modification C:\Windows\SysWOW64\Eclbcj32.exe Edibhmml.exe File created C:\Windows\SysWOW64\Eknmhk32.exe Elkmmodo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7728 7448 WerFault.exe 818 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peanbblf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjglkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdkoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbhdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgabdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjaeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpabcbdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiecgjba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffljlpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcnkgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofgii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeladm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgjmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neknki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opifnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affdle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcacc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilofhffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niedqnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palepb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepjha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeckfndj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeeeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagienkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpneh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfidjbdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopahjll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnaooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldkmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocmim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpbdnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidphq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmifk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcomce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpgjepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peedka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amkbnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakqgeoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgbhbgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjpbign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meoell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmpibam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padeldeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmbfggdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbaken32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcikef32.dll" Mejlalji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgaebe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpebakpc.dll" Cfhiplmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdlkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmjlhfof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiekpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbfagca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Befmfpbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpcckck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbhhdnlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peanbblf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dljkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndkhngdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfamefoo.dll" Fchijone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaemgpd.dll" Foccjood.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnpkflne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpmbfbgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diibmpdj.dll" Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpbdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjjmbgi.dll" Padeldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jenpajfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqbhp32.dll" Odhhgkib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bibpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inhanl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgabdlfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jodhdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Golbnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmfqgbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acekjjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fchijone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idcacc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpdod32.dll" Hapklimq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njemfifg.dll" Bpjkiogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll" Qppkfhlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opifnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eihgfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkbgckgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaccbmie.dll" Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igogan32.dll" Nlfmbibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpcoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgbbce32.dll" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpodcba.dll" Dchmkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enkpahon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnkion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohafell.dll" Gbjojh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2512 wrote to memory of 2660 2512 d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe 30 PID 2512 wrote to memory of 2660 2512 d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe 30 PID 2512 wrote to memory of 2660 2512 d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe 30 PID 2512 wrote to memory of 2660 2512 d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe 30 PID 2660 wrote to memory of 2884 2660 Mlpneh32.exe 31 PID 2660 wrote to memory of 2884 2660 Mlpneh32.exe 31 PID 2660 wrote to memory of 2884 2660 Mlpneh32.exe 31 PID 2660 wrote to memory of 2884 2660 Mlpneh32.exe 31 PID 2884 wrote to memory of 2716 2884 Mclcijfd.exe 32 PID 2884 wrote to memory of 2716 2884 Mclcijfd.exe 32 PID 2884 wrote to memory of 2716 2884 Mclcijfd.exe 32 PID 2884 wrote to memory of 2716 2884 Mclcijfd.exe 32 PID 2716 wrote to memory of 2276 2716 Mmdgbp32.exe 33 PID 2716 wrote to memory of 2276 2716 Mmdgbp32.exe 33 PID 2716 wrote to memory of 2276 2716 Mmdgbp32.exe 33 PID 2716 wrote to memory of 2276 2716 Mmdgbp32.exe 33 PID 2276 wrote to memory of 2736 2276 Mpbdnk32.exe 34 PID 2276 wrote to memory of 2736 2276 Mpbdnk32.exe 34 PID 2276 wrote to memory of 2736 2276 Mpbdnk32.exe 34 PID 2276 wrote to memory of 2736 2276 Mpbdnk32.exe 34 PID 2736 wrote to memory of 2632 2736 Mmfdhojb.exe 35 PID 2736 wrote to memory of 2632 2736 Mmfdhojb.exe 35 PID 2736 wrote to memory of 2632 2736 Mmfdhojb.exe 35 PID 2736 wrote to memory of 2632 2736 Mmfdhojb.exe 35 PID 2632 wrote to memory of 2964 2632 Mbcmpfhi.exe 36 PID 2632 wrote to memory of 2964 2632 Mbcmpfhi.exe 36 PID 2632 wrote to memory of 2964 2632 Mbcmpfhi.exe 36 PID 2632 wrote to memory of 2964 2632 Mbcmpfhi.exe 36 PID 2964 wrote to memory of 1712 2964 Mmhamoho.exe 37 PID 2964 wrote to memory of 1712 2964 Mmhamoho.exe 37 PID 2964 wrote to memory of 1712 2964 Mmhamoho.exe 37 PID 2964 wrote to memory of 1712 2964 Mmhamoho.exe 37 PID 1712 wrote to memory of 324 1712 Mdbiji32.exe 38 PID 1712 wrote to memory of 324 1712 Mdbiji32.exe 38 PID 1712 wrote to memory of 324 1712 Mdbiji32.exe 38 PID 1712 wrote to memory of 324 1712 Mdbiji32.exe 38 PID 324 wrote to memory of 1720 324 Nmkncofl.exe 39 PID 324 wrote to memory of 1720 324 Nmkncofl.exe 39 PID 324 wrote to memory of 1720 324 Nmkncofl.exe 39 PID 324 wrote to memory of 1720 324 Nmkncofl.exe 39 PID 1720 wrote to memory of 1844 1720 Noljjglk.exe 40 PID 1720 wrote to memory of 1844 1720 Noljjglk.exe 40 PID 1720 wrote to memory of 1844 1720 Noljjglk.exe 40 PID 1720 wrote to memory of 1844 1720 Noljjglk.exe 40 PID 1844 wrote to memory of 1420 1844 Nhdocl32.exe 41 PID 1844 wrote to memory of 1420 1844 Nhdocl32.exe 41 PID 1844 wrote to memory of 1420 1844 Nhdocl32.exe 41 PID 1844 wrote to memory of 1420 1844 Nhdocl32.exe 41 PID 1420 wrote to memory of 2616 1420 Nbjcqe32.exe 42 PID 1420 wrote to memory of 2616 1420 Nbjcqe32.exe 42 PID 1420 wrote to memory of 2616 1420 Nbjcqe32.exe 42 PID 1420 wrote to memory of 2616 1420 Nbjcqe32.exe 42 PID 2616 wrote to memory of 292 2616 Nlbgikia.exe 43 PID 2616 wrote to memory of 292 2616 Nlbgikia.exe 43 PID 2616 wrote to memory of 292 2616 Nlbgikia.exe 43 PID 2616 wrote to memory of 292 2616 Nlbgikia.exe 43 PID 292 wrote to memory of 2920 292 Neklbppb.exe 44 PID 292 wrote to memory of 2920 292 Neklbppb.exe 44 PID 292 wrote to memory of 2920 292 Neklbppb.exe 44 PID 292 wrote to memory of 2920 292 Neklbppb.exe 44 PID 2920 wrote to memory of 3024 2920 Nledoj32.exe 45 PID 2920 wrote to memory of 3024 2920 Nledoj32.exe 45 PID 2920 wrote to memory of 3024 2920 Nledoj32.exe 45 PID 2920 wrote to memory of 3024 2920 Nledoj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe"C:\Users\Admin\AppData\Local\Temp\d9d4ba6515117a872a36f162f3a3304e016641d58803a4e1806a0e2b0462b246N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Nmkncofl.exeC:\Windows\system32\Nmkncofl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1536 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe33⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe36⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe38⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe39⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe40⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe41⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe42⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe43⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe45⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe46⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe47⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe48⤵PID:2996
-
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe49⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe50⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe51⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe52⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe53⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe55⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe56⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe57⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe58⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe61⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe64⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe68⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe69⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe70⤵PID:2840
-
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe72⤵PID:2768
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe73⤵PID:2620
-
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe74⤵PID:1388
-
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe75⤵PID:2828
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe76⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe77⤵PID:2672
-
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe78⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe79⤵PID:1732
-
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe81⤵PID:2556
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe82⤵PID:2300
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe83⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe84⤵PID:2956
-
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe86⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe88⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe89⤵PID:1152
-
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe90⤵PID:1104
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe91⤵PID:1016
-
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe92⤵PID:1900
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe93⤵PID:2216
-
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe94⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe95⤵PID:1172
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe98⤵PID:2284
-
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe99⤵PID:2508
-
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe100⤵PID:2684
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe101⤵PID:3060
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe102⤵PID:2752
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe103⤵PID:1948
-
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe104⤵PID:1716
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe105⤵PID:1564
-
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe106⤵PID:2116
-
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe107⤵PID:2124
-
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe108⤵PID:2444
-
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe109⤵PID:908
-
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe110⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe111⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe112⤵PID:3004
-
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe113⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe114⤵PID:2700
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe115⤵
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe116⤵PID:2120
-
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe117⤵PID:1952
-
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe118⤵PID:712
-
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe119⤵PID:916
-
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe120⤵PID:2924
-
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe121⤵PID:920
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-