Analysis
-
max time kernel
119s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
24/07/2024, 03:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
44815c66de5391dd91fecf4b12b789c0N.exe
Resource
win7-20240705-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
44815c66de5391dd91fecf4b12b789c0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
44815c66de5391dd91fecf4b12b789c0N.exe
-
Size
163KB
-
MD5
44815c66de5391dd91fecf4b12b789c0
-
SHA1
f9093c592d7f6070d13d91a66f54d04a34656122
-
SHA256
45325cce22e233483dcd908eb03a46903def87ee765e24d215694102b7227b32
-
SHA512
289bcf4cefaa6536e45d7c2045ea6f052103f07400fa53aecd20f407fcad0754fd6e6a846b388ab0de6972021ce36f191664073145cc8055aad31c1b3b7d5cff
-
SSDEEP
1536:P3bWxuKEXi++Oor8i6Pk2lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:/b+oXi++Oor8i6PpltOrWKDBr+yJb
Malware Config
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojecajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pleofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alihaioe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcldhnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folfoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmeen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecbhdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdiogq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbjeinje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgjodmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necogkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clmdmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfliim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhafhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpkflne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkibcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafmqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofkha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcghof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldllgiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aebmjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goplilpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqklqhpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdfhhhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkchmo32.exe -
Executes dropped EXE 64 IoCs
pid Process 1772 Hbfepmmn.exe 2576 Hipmmg32.exe 2764 Hloiib32.exe 2920 Hnmeen32.exe 2316 Hjdfjo32.exe 2852 Hhhgcc32.exe 2628 Hjfcpo32.exe 3060 Hhjcic32.exe 1132 Hfmddp32.exe 784 Ipehmebh.exe 2836 Ijklknbn.exe 440 Iphecepe.exe 1836 Ifampo32.exe 1596 Ipjahd32.exe 1364 Iegjqk32.exe 2296 Ioooiack.exe 1016 Ifffkncm.exe 3016 Ihhcbf32.exe 1632 Ibmgpoia.exe 852 Iigpli32.exe 1444 Jkhldafl.exe 2588 Jdaqmg32.exe 892 Jofejpmc.exe 3024 Jaeafklf.exe 2416 Jgaiobjn.exe 2192 Joiappkp.exe 2308 Jagnlkjd.exe 1980 Jhafhe32.exe 2904 Jnnnalph.exe 2988 Jplkmgol.exe 2972 Jckgicnp.exe 2908 Jnpkflne.exe 2748 Jpogbgmi.exe 2256 Kdjccf32.exe 2804 Kghpoa32.exe 2612 Klehgh32.exe 552 Kjihalag.exe 2856 Kcamjb32.exe 1600 Kfpifm32.exe 1728 Kohnoc32.exe 2540 Kfbfkmeh.exe 2096 Khabghdl.exe 1704 Kkoncdcp.exe 1372 Khcomhbi.exe 1096 Kgfoie32.exe 1392 Lnpgeopa.exe 1608 Lqncaj32.exe 2984 Lhelbh32.exe 1832 Lbnpkmfg.exe 1828 Ldllgiek.exe 1976 Lkfddc32.exe 1272 Ljieppcb.exe 2776 Lmgalkcf.exe 2736 Lfpeeqig.exe 2660 Lngnfnji.exe 2796 Lohjnf32.exe 2624 Lgoboc32.exe 3064 Ljnnko32.exe 2664 Lmljgj32.exe 2684 Lokgcf32.exe 2864 Lcfbdd32.exe 1336 Mfdopp32.exe 2280 Mmogmjmn.exe 2164 Mkaghg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2400 44815c66de5391dd91fecf4b12b789c0N.exe 2400 44815c66de5391dd91fecf4b12b789c0N.exe 1772 Hbfepmmn.exe 1772 Hbfepmmn.exe 2576 Hipmmg32.exe 2576 Hipmmg32.exe 2764 Hloiib32.exe 2764 Hloiib32.exe 2920 Hnmeen32.exe 2920 Hnmeen32.exe 2316 Hjdfjo32.exe 2316 Hjdfjo32.exe 2852 Hhhgcc32.exe 2852 Hhhgcc32.exe 2628 Hjfcpo32.exe 2628 Hjfcpo32.exe 3060 Hhjcic32.exe 3060 Hhjcic32.exe 1132 Hfmddp32.exe 1132 Hfmddp32.exe 784 Ipehmebh.exe 784 Ipehmebh.exe 2836 Ijklknbn.exe 2836 Ijklknbn.exe 440 Iphecepe.exe 440 Iphecepe.exe 1836 Ifampo32.exe 1836 Ifampo32.exe 1596 Ipjahd32.exe 1596 Ipjahd32.exe 1364 Iegjqk32.exe 1364 Iegjqk32.exe 2296 Ioooiack.exe 2296 Ioooiack.exe 1016 Ifffkncm.exe 1016 Ifffkncm.exe 3016 Ihhcbf32.exe 3016 Ihhcbf32.exe 1632 Ibmgpoia.exe 1632 Ibmgpoia.exe 852 Iigpli32.exe 852 Iigpli32.exe 1444 Jkhldafl.exe 1444 Jkhldafl.exe 2588 Jdaqmg32.exe 2588 Jdaqmg32.exe 892 Jofejpmc.exe 892 Jofejpmc.exe 3024 Jaeafklf.exe 3024 Jaeafklf.exe 2416 Jgaiobjn.exe 2416 Jgaiobjn.exe 2192 Joiappkp.exe 2192 Joiappkp.exe 2308 Jagnlkjd.exe 2308 Jagnlkjd.exe 1980 Jhafhe32.exe 1980 Jhafhe32.exe 2904 Jnnnalph.exe 2904 Jnnnalph.exe 2988 Jplkmgol.exe 2988 Jplkmgol.exe 2972 Jckgicnp.exe 2972 Jckgicnp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hefhqhka.dll Nfkapb32.exe File created C:\Windows\SysWOW64\Emclhigi.dll Phhjblpa.exe File opened for modification C:\Windows\SysWOW64\Amohfo32.exe Anlhkbhq.exe File created C:\Windows\SysWOW64\Ljddjj32.exe Lfhhjklc.exe File created C:\Windows\SysWOW64\Bhjlli32.exe Aqbdkk32.exe File created C:\Windows\SysWOW64\Hbocphim.dll Cjonncab.exe File created C:\Windows\SysWOW64\Idbfpfoc.dll Ipjahd32.exe File opened for modification C:\Windows\SysWOW64\Bkmhnjlh.exe Biolanld.exe File created C:\Windows\SysWOW64\Hemqpf32.exe Hfjpdjjo.exe File created C:\Windows\SysWOW64\Lonpma32.exe Klpdaf32.exe File created C:\Windows\SysWOW64\Odgamdef.exe Olpilg32.exe File created C:\Windows\SysWOW64\Lkjjma32.exe Llgjaeoj.exe File created C:\Windows\SysWOW64\Aqcifjof.dll Pdgmlhha.exe File opened for modification C:\Windows\SysWOW64\Mgmahg32.exe Macilmnk.exe File created C:\Windows\SysWOW64\Mbbfep32.exe Mngjeamd.exe File opened for modification C:\Windows\SysWOW64\Nmlgfnal.exe Mjnjjbbh.exe File created C:\Windows\SysWOW64\Efpolbgp.dll Npdfhhhe.exe File created C:\Windows\SysWOW64\Djgompkk.dll Eklqcl32.exe File created C:\Windows\SysWOW64\Anloijlk.dll Lokgcf32.exe File opened for modification C:\Windows\SysWOW64\Nfidjbdg.exe Nbniid32.exe File opened for modification C:\Windows\SysWOW64\Pmmeon32.exe Pojecajj.exe File opened for modification C:\Windows\SysWOW64\Qdncmgbj.exe Qlgkki32.exe File opened for modification C:\Windows\SysWOW64\Bchfhfeh.exe Boljgg32.exe File created C:\Windows\SysWOW64\Kjihalag.exe Klehgh32.exe File opened for modification C:\Windows\SysWOW64\Kjihalag.exe Klehgh32.exe File created C:\Windows\SysWOW64\Bbgqjdce.exe Boidnh32.exe File created C:\Windows\SysWOW64\Jojfgkfk.dll Gkpfmnlb.exe File created C:\Windows\SysWOW64\Aaimopli.exe Apgagg32.exe File opened for modification C:\Windows\SysWOW64\Mggabaea.exe Mdiefffn.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Lngnfnji.exe Lfpeeqig.exe File created C:\Windows\SysWOW64\Eeaiio32.dll Lmljgj32.exe File created C:\Windows\SysWOW64\Ccgibpac.dll Lcfbdd32.exe File created C:\Windows\SysWOW64\Klpdaf32.exe Kjahej32.exe File created C:\Windows\SysWOW64\Dombicdm.dll Opnbbe32.exe File opened for modification C:\Windows\SysWOW64\Afgmodel.exe Agdmdg32.exe File opened for modification C:\Windows\SysWOW64\Eklqcl32.exe Elipgofb.exe File created C:\Windows\SysWOW64\Fgdnnl32.exe Fhbnbpjc.exe File created C:\Windows\SysWOW64\Gfnafi32.dll Aoagccfn.exe File created C:\Windows\SysWOW64\Fcnkhmdp.exe Fdkklp32.exe File created C:\Windows\SysWOW64\Mdeobp32.dll Ffodjh32.exe File created C:\Windows\SysWOW64\Gbdcic32.dll Hakkgc32.exe File created C:\Windows\SysWOW64\Omppei32.dll Lnpgeopa.exe File created C:\Windows\SysWOW64\Cplpppdf.dll Mfdopp32.exe File created C:\Windows\SysWOW64\Mpamde32.exe Mgjebg32.exe File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Bqlfaj32.exe Bieopm32.exe File created C:\Windows\SysWOW64\Aficjnpm.exe Anbkipok.exe File created C:\Windows\SysWOW64\Cnmfdb32.exe Clojhf32.exe File created C:\Windows\SysWOW64\Dnoldn32.dll Lbnpkmfg.exe File created C:\Windows\SysWOW64\Ngjhpb32.dll Dknajh32.exe File created C:\Windows\SysWOW64\Odlhoigp.dll Odgamdef.exe File opened for modification C:\Windows\SysWOW64\Pkjphcff.exe Phlclgfc.exe File opened for modification C:\Windows\SysWOW64\Aoojnc32.exe Alqnah32.exe File created C:\Windows\SysWOW64\Lbnpkmfg.exe Lhelbh32.exe File created C:\Windows\SysWOW64\Iennnogo.dll Palepb32.exe File created C:\Windows\SysWOW64\Egikjh32.exe Eobchk32.exe File created C:\Windows\SysWOW64\Majdmi32.dll Jlnklcej.exe File created C:\Windows\SysWOW64\Ijppackl.dll Clmdmm32.exe File created C:\Windows\SysWOW64\Eihgfd32.exe Eelkeeah.exe File created C:\Windows\SysWOW64\Qgmpibam.exe Qdncmgbj.exe File opened for modification C:\Windows\SysWOW64\Khcomhbi.exe Kkoncdcp.exe File created C:\Windows\SysWOW64\Liolokfg.dll Omefkplm.exe File created C:\Windows\SysWOW64\Lbnooiab.dll Hmkeke32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6760 6740 WerFault.exe 675 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doecog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioooiack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhafhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkibcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflfjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcldhnkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alihaioe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deollamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmbfbgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafnopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allefimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbpnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqahqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbeded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfokinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdenafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkhdddo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgaiobjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmpblnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkloq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biolanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmedlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkhmdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfcpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbepdhgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfgcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjokokha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcmap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baojapfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfkfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqnoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcghof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfeepelg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hneeilgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khghgchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfdnihk.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbhbdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgcmbcih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeqncja.dll" Hebnlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeikk32.dll" Mpgobc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndmecgba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emagacdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Accqnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnbnpkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmejllia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnmapnj.dll" Mfokinhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpifj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfhkhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhelbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojfgkfk.dll" Gkpfmnlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnfobob.dll" Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohagbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackmih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afjjed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll" Cjonncab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcppidk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihglhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmkhf32.dll" Mqnifg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ookpodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobgihgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkigoimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiioe32.dll" Edibhmml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleajenp.dll" Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejobie32.dll" Cpkmcldj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iliebpfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhamo32.dll" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdclnelo.dll" Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" Obhdcanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olebgfao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdgmlhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgibpac.dll" Lcfbdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acfdnihk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afdiondb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmogmjmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcbabpcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll" Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahqmla32.dll" Kohnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdjpd32.dll" Qgmfchei.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2400 wrote to memory of 1772 2400 44815c66de5391dd91fecf4b12b789c0N.exe 30 PID 2400 wrote to memory of 1772 2400 44815c66de5391dd91fecf4b12b789c0N.exe 30 PID 2400 wrote to memory of 1772 2400 44815c66de5391dd91fecf4b12b789c0N.exe 30 PID 2400 wrote to memory of 1772 2400 44815c66de5391dd91fecf4b12b789c0N.exe 30 PID 1772 wrote to memory of 2576 1772 Hbfepmmn.exe 31 PID 1772 wrote to memory of 2576 1772 Hbfepmmn.exe 31 PID 1772 wrote to memory of 2576 1772 Hbfepmmn.exe 31 PID 1772 wrote to memory of 2576 1772 Hbfepmmn.exe 31 PID 2576 wrote to memory of 2764 2576 Hipmmg32.exe 32 PID 2576 wrote to memory of 2764 2576 Hipmmg32.exe 32 PID 2576 wrote to memory of 2764 2576 Hipmmg32.exe 32 PID 2576 wrote to memory of 2764 2576 Hipmmg32.exe 32 PID 2764 wrote to memory of 2920 2764 Hloiib32.exe 33 PID 2764 wrote to memory of 2920 2764 Hloiib32.exe 33 PID 2764 wrote to memory of 2920 2764 Hloiib32.exe 33 PID 2764 wrote to memory of 2920 2764 Hloiib32.exe 33 PID 2920 wrote to memory of 2316 2920 Hnmeen32.exe 34 PID 2920 wrote to memory of 2316 2920 Hnmeen32.exe 34 PID 2920 wrote to memory of 2316 2920 Hnmeen32.exe 34 PID 2920 wrote to memory of 2316 2920 Hnmeen32.exe 34 PID 2316 wrote to memory of 2852 2316 Hjdfjo32.exe 35 PID 2316 wrote to memory of 2852 2316 Hjdfjo32.exe 35 PID 2316 wrote to memory of 2852 2316 Hjdfjo32.exe 35 PID 2316 wrote to memory of 2852 2316 Hjdfjo32.exe 35 PID 2852 wrote to memory of 2628 2852 Hhhgcc32.exe 36 PID 2852 wrote to memory of 2628 2852 Hhhgcc32.exe 36 PID 2852 wrote to memory of 2628 2852 Hhhgcc32.exe 36 PID 2852 wrote to memory of 2628 2852 Hhhgcc32.exe 36 PID 2628 wrote to memory of 3060 2628 Hjfcpo32.exe 37 PID 2628 wrote to memory of 3060 2628 Hjfcpo32.exe 37 PID 2628 wrote to memory of 3060 2628 Hjfcpo32.exe 37 PID 2628 wrote to memory of 3060 2628 Hjfcpo32.exe 37 PID 3060 wrote to memory of 1132 3060 Hhjcic32.exe 38 PID 3060 wrote to memory of 1132 3060 Hhjcic32.exe 38 PID 3060 wrote to memory of 1132 3060 Hhjcic32.exe 38 PID 3060 wrote to memory of 1132 3060 Hhjcic32.exe 38 PID 1132 wrote to memory of 784 1132 Hfmddp32.exe 39 PID 1132 wrote to memory of 784 1132 Hfmddp32.exe 39 PID 1132 wrote to memory of 784 1132 Hfmddp32.exe 39 PID 1132 wrote to memory of 784 1132 Hfmddp32.exe 39 PID 784 wrote to memory of 2836 784 Ipehmebh.exe 40 PID 784 wrote to memory of 2836 784 Ipehmebh.exe 40 PID 784 wrote to memory of 2836 784 Ipehmebh.exe 40 PID 784 wrote to memory of 2836 784 Ipehmebh.exe 40 PID 2836 wrote to memory of 440 2836 Ijklknbn.exe 41 PID 2836 wrote to memory of 440 2836 Ijklknbn.exe 41 PID 2836 wrote to memory of 440 2836 Ijklknbn.exe 41 PID 2836 wrote to memory of 440 2836 Ijklknbn.exe 41 PID 440 wrote to memory of 1836 440 Iphecepe.exe 42 PID 440 wrote to memory of 1836 440 Iphecepe.exe 42 PID 440 wrote to memory of 1836 440 Iphecepe.exe 42 PID 440 wrote to memory of 1836 440 Iphecepe.exe 42 PID 1836 wrote to memory of 1596 1836 Ifampo32.exe 43 PID 1836 wrote to memory of 1596 1836 Ifampo32.exe 43 PID 1836 wrote to memory of 1596 1836 Ifampo32.exe 43 PID 1836 wrote to memory of 1596 1836 Ifampo32.exe 43 PID 1596 wrote to memory of 1364 1596 Ipjahd32.exe 44 PID 1596 wrote to memory of 1364 1596 Ipjahd32.exe 44 PID 1596 wrote to memory of 1364 1596 Ipjahd32.exe 44 PID 1596 wrote to memory of 1364 1596 Ipjahd32.exe 44 PID 1364 wrote to memory of 2296 1364 Iegjqk32.exe 45 PID 1364 wrote to memory of 2296 1364 Iegjqk32.exe 45 PID 1364 wrote to memory of 2296 1364 Iegjqk32.exe 45 PID 1364 wrote to memory of 2296 1364 Iegjqk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\44815c66de5391dd91fecf4b12b789c0N.exe"C:\Users\Admin\AppData\Local\Temp\44815c66de5391dd91fecf4b12b789c0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe34⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe35⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe36⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe38⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe39⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe40⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe42⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe43⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe45⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe46⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe48⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe52⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe53⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe55⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe57⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe58⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe59⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe60⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe66⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe68⤵PID:1988
-
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe69⤵PID:1876
-
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe70⤵PID:1296
-
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe71⤵PID:1680
-
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe72⤵PID:1616
-
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe73⤵PID:2080
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe74⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe75⤵PID:2784
-
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe76⤵PID:2636
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe77⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe78⤵PID:2840
-
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe79⤵PID:1824
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe80⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe81⤵PID:1940
-
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe82⤵PID:2108
-
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe83⤵PID:1156
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe84⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe85⤵PID:2216
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe87⤵PID:2600
-
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe88⤵PID:2900
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe89⤵PID:2732
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe90⤵PID:2948
-
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe91⤵PID:2104
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe92⤵PID:2032
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe93⤵PID:1692
-
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe94⤵PID:2340
-
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe95⤵PID:1796
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe96⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe97⤵PID:492
-
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe98⤵PID:544
-
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe99⤵PID:1864
-
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe100⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe101⤵
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe103⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe105⤵PID:2676
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe106⤵PID:576
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe107⤵PID:1668
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe108⤵PID:2040
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe109⤵
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe110⤵PID:1516
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe111⤵
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1344 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe113⤵PID:1652
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe114⤵PID:2504
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe115⤵PID:1512
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe116⤵PID:1932
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe117⤵PID:2644
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe118⤵PID:680
-
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe119⤵
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe120⤵PID:2772
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe121⤵PID:1484
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-