Analysis
-
max time kernel
36s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
03-08-2024 21:33
Static task
static1
Behavioral task
behavioral1
Sample
d75917f21a4d7d390656e6dd745d9f50N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
d75917f21a4d7d390656e6dd745d9f50N.exe
Resource
win10v2004-20240802-en
General
-
Target
d75917f21a4d7d390656e6dd745d9f50N.exe
-
Size
163KB
-
MD5
d75917f21a4d7d390656e6dd745d9f50
-
SHA1
130c3c494d77187d6e270dfb390e886f0a131756
-
SHA256
495ddd75f521d47500372fb8283229fd13590743bf58b7c1c0fc5a104cc21116
-
SHA512
e5d9b0de39d2d20562998b3b669d50ef5227636f802eca3a9adbe067675d7ce536f1df3a11777d8db46a988cc39c8398914e351b528fc40d06e682cbc0b42d33
-
SSDEEP
1536:PxA6PND932kx94uBpEtNEjWkFanohUHMmlProNVU4qNVUrk/9QbfBr+7GwKrPAsf:ZrgQ31hUHMmltOrWKDBr+yJb
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Oeobfgak.exePihlhagn.exeMkqbhf32.exeOjdlkp32.exeBgagnjbi.exeGinefe32.exeIfndph32.exeOjgado32.exeImgija32.exeJabajc32.exeMmgkoe32.exeAioppl32.exeGbigao32.exeJpajdi32.exeCcileljk.exeDpbenpqh.exeEkeiel32.exeGegbpe32.exeModano32.exeKjdiigbm.exeLaenqg32.exed75917f21a4d7d390656e6dd745d9f50N.exeAfeold32.exeDpmlcpdm.exeNpngng32.exeCgfqii32.exeFhfbmn32.exeGcfioj32.exeMhaobd32.exeNfcoel32.exeMjeholco.exeLnipgp32.exeBfcnfh32.exeDfegjknm.exeMkelcenm.exeAefhpc32.exeBfkakbpp.exeBocfch32.exeFgnfpm32.exeDkolblkk.exeFkbadifn.exeIjbjpg32.exeFfeoid32.exeFplknh32.exeJehbfjia.exeBbflkcao.exeHefibg32.exeLkepdbkb.exeFbbcdh32.exeNkphmc32.exeKmjfae32.exeIhooog32.exeLfedlb32.exeCmmcae32.exeDjcpqidc.exeKiamql32.exePfjiod32.exeJfnaok32.exeNcpjnahm.exeAbgeiaaf.exeDjoinbpm.exeHadece32.exeLlainlje.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeobfgak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihlhagn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqbhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdlkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgagnjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifndph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgado32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgija32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabajc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmgkoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aioppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbigao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpajdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccileljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpbenpqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekeiel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegbpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjdiigbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" d75917f21a4d7d390656e6dd745d9f50N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afeold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpmlcpdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npngng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcfioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhaobd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfcoel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeholco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnipgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcnfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfegjknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkelcenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aefhpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkakbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bocfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgnfpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkolblkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkbadifn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijbjpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffeoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgkoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fplknh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehbfjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbflkcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hefibg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkepdbkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkphmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjfae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihooog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfedlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcpqidc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfjiod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfnaok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpjnahm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abgeiaaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djoinbpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llainlje.exe -
Executes dropped EXE 64 IoCs
Processes:
Fgcgebhd.exeFplknh32.exeFnplgl32.exeFdjddf32.exeFkdlaplh.exeFqqdigko.exeGbigao32.exeGielchpp.exeHkfeec32.exeHjmolp32.exeHajdniep.exeIbmmkaik.exeIlfadg32.exeIhooog32.exeIagchmjn.exeImndmnob.exeJmpqbnmp.exeJpajdi32.exeJmejmm32.exeJoicje32.exeKphpdhdh.exeKnbjgq32.exeKdlbckee.exeKkigfdjo.exeLnipgp32.exeLfedlb32.exeLlainlje.exeLhhjcmpj.exeLodoefed.exeMbehgabe.exeMjpmkdpp.exeMjbiac32.exeMgfjjh32.exeNijcgp32.exeNicfnn32.exeOejgbonl.exeOhkpdj32.exeOdaqikaa.exeOddmokoo.exeOmlahqeo.exeOegflcbj.exePhhonn32.exePihlhagn.exePdamhocm.exePknakhig.exePdffcn32.exeQggoeilh.exeQlcgmpkp.exeAcnpjj32.exeAlfdcp32.exeAenileon.exeAfqeaemk.exeAoijjjcl.exeAdfbbabc.exeAfeold32.exeBoncej32.exeBhfhnofg.exeBncpffdn.exeBgkeol32.exeBdoeipjh.exeBgnaekil.exeBoifinfg.exeBfcnfh32.exeBqhbcqmj.exepid process 2224 Fgcgebhd.exe 2816 Fplknh32.exe 2776 Fnplgl32.exe 2788 Fdjddf32.exe 2824 Fkdlaplh.exe 2660 Fqqdigko.exe 2652 Gbigao32.exe 2264 Gielchpp.exe 1060 Hkfeec32.exe 1148 Hjmolp32.exe 1100 Hajdniep.exe 3040 Ibmmkaik.exe 1944 Ilfadg32.exe 956 Ihooog32.exe 3000 Iagchmjn.exe 2332 Imndmnob.exe 808 Jmpqbnmp.exe 2028 Jpajdi32.exe 2608 Jmejmm32.exe 520 Joicje32.exe 1020 Kphpdhdh.exe 2976 Knbjgq32.exe 752 Kdlbckee.exe 2316 Kkigfdjo.exe 868 Lnipgp32.exe 2560 Lfedlb32.exe 2240 Llainlje.exe 2912 Lhhjcmpj.exe 2764 Lodoefed.exe 2916 Mbehgabe.exe 2904 Mjpmkdpp.exe 2796 Mjbiac32.exe 2752 Mgfjjh32.exe 2484 Nijcgp32.exe 1692 Nicfnn32.exe 1764 Oejgbonl.exe 1152 Ohkpdj32.exe 2924 Odaqikaa.exe 2728 Oddmokoo.exe 1180 Omlahqeo.exe 3012 Oegflcbj.exe 1584 Phhonn32.exe 2000 Pihlhagn.exe 1640 Pdamhocm.exe 1788 Pknakhig.exe 1712 Pdffcn32.exe 2604 Qggoeilh.exe 948 Qlcgmpkp.exe 2112 Acnpjj32.exe 1968 Alfdcp32.exe 3036 Aenileon.exe 2968 Afqeaemk.exe 2772 Aoijjjcl.exe 2872 Adfbbabc.exe 2896 Afeold32.exe 1312 Boncej32.exe 2680 Bhfhnofg.exe 2684 Bncpffdn.exe 2708 Bgkeol32.exe 832 Bdoeipjh.exe 1724 Bgnaekil.exe 1776 Boifinfg.exe 1064 Bfcnfh32.exe 2308 Bqhbcqmj.exe -
Loads dropped DLL 64 IoCs
Processes:
d75917f21a4d7d390656e6dd745d9f50N.exeFgcgebhd.exeFplknh32.exeFnplgl32.exeFdjddf32.exeFkdlaplh.exeFqqdigko.exeGbigao32.exeGielchpp.exeHkfeec32.exeHjmolp32.exeHajdniep.exeIbmmkaik.exeIlfadg32.exeIhooog32.exeIagchmjn.exeImndmnob.exeJmpqbnmp.exeJpajdi32.exeJmejmm32.exeJoicje32.exeKphpdhdh.exeKnbjgq32.exeKdlbckee.exeKkigfdjo.exeLnipgp32.exeLfedlb32.exeLlainlje.exeLhhjcmpj.exeLodoefed.exeMbehgabe.exeMjpmkdpp.exepid process 2488 d75917f21a4d7d390656e6dd745d9f50N.exe 2488 d75917f21a4d7d390656e6dd745d9f50N.exe 2224 Fgcgebhd.exe 2224 Fgcgebhd.exe 2816 Fplknh32.exe 2816 Fplknh32.exe 2776 Fnplgl32.exe 2776 Fnplgl32.exe 2788 Fdjddf32.exe 2788 Fdjddf32.exe 2824 Fkdlaplh.exe 2824 Fkdlaplh.exe 2660 Fqqdigko.exe 2660 Fqqdigko.exe 2652 Gbigao32.exe 2652 Gbigao32.exe 2264 Gielchpp.exe 2264 Gielchpp.exe 1060 Hkfeec32.exe 1060 Hkfeec32.exe 1148 Hjmolp32.exe 1148 Hjmolp32.exe 1100 Hajdniep.exe 1100 Hajdniep.exe 3040 Ibmmkaik.exe 3040 Ibmmkaik.exe 1944 Ilfadg32.exe 1944 Ilfadg32.exe 956 Ihooog32.exe 956 Ihooog32.exe 3000 Iagchmjn.exe 3000 Iagchmjn.exe 2332 Imndmnob.exe 2332 Imndmnob.exe 808 Jmpqbnmp.exe 808 Jmpqbnmp.exe 2028 Jpajdi32.exe 2028 Jpajdi32.exe 2608 Jmejmm32.exe 2608 Jmejmm32.exe 520 Joicje32.exe 520 Joicje32.exe 1020 Kphpdhdh.exe 1020 Kphpdhdh.exe 2976 Knbjgq32.exe 2976 Knbjgq32.exe 752 Kdlbckee.exe 752 Kdlbckee.exe 2316 Kkigfdjo.exe 2316 Kkigfdjo.exe 868 Lnipgp32.exe 868 Lnipgp32.exe 2560 Lfedlb32.exe 2560 Lfedlb32.exe 2240 Llainlje.exe 2240 Llainlje.exe 2912 Lhhjcmpj.exe 2912 Lhhjcmpj.exe 2764 Lodoefed.exe 2764 Lodoefed.exe 2916 Mbehgabe.exe 2916 Mbehgabe.exe 2904 Mjpmkdpp.exe 2904 Mjpmkdpp.exe -
Drops file in System32 directory 64 IoCs
Processes:
Djkodg32.exeDiklpn32.exeEimien32.exeGhlell32.exeIlfadg32.exeKphpdhdh.exeQggoeilh.exeLaknfmgd.exeIfoncgpc.exeElnonp32.exeKbgnil32.exeKfnmnojj.exeLgdcom32.exeJmejmm32.exeJafilj32.exeAioppl32.exeFmmjpoci.exeHekhid32.exeBnjipn32.exeFkbadifn.exeBoifinfg.exeDjcpqidc.exeDpbenpqh.exeLgejidgn.exed75917f21a4d7d390656e6dd745d9f50N.exeJpajdi32.exeHfmbfkhf.exeEdfqclni.exeMlhbgc32.exeAlicahno.exeJnfbcg32.exeNicfnn32.exeNjaoeq32.exeNcpjnahm.exeEnokidgl.exeLkepdbkb.exePinnfonh.exeCkilmfke.exeIgeggkoq.exeLodoefed.exePdamhocm.exeQlcgmpkp.exeEhiiop32.exeIggdmkmn.exeLnipgp32.exeDlfbck32.exeEbhjdc32.exeKjopnh32.exePejejkhl.exeOmlahqeo.exeJehbfjia.exeIionacad.exeMjeholco.exeKlgbfo32.exeCacegd32.exeAefhpc32.exeLhmjha32.exeObilip32.exeFdefgimi.exeJabajc32.exeBbflkcao.exeNqdjge32.exeCdpdpl32.exeHccbnhla.exedescription ioc process File created C:\Windows\SysWOW64\Hpipeaaf.dll Djkodg32.exe File created C:\Windows\SysWOW64\Dcppmg32.exe Diklpn32.exe File created C:\Windows\SysWOW64\Hnfdjdpm.dll Eimien32.exe File created C:\Windows\SysWOW64\Gepeep32.exe Ghlell32.exe File opened for modification C:\Windows\SysWOW64\Ihooog32.exe Ilfadg32.exe File created C:\Windows\SysWOW64\Knbjgq32.exe Kphpdhdh.exe File created C:\Windows\SysWOW64\Qlcgmpkp.exe Qggoeilh.exe File opened for modification C:\Windows\SysWOW64\Lhegcg32.exe Laknfmgd.exe File created C:\Windows\SysWOW64\Hchhlj32.dll Ifoncgpc.exe File created C:\Windows\SysWOW64\Hlgonj32.dll Elnonp32.exe File created C:\Windows\SysWOW64\Khdgabih.exe Kbgnil32.exe File opened for modification C:\Windows\SysWOW64\Kmgekh32.exe Kfnmnojj.exe File opened for modification C:\Windows\SysWOW64\Lophcpam.exe Lgdcom32.exe File created C:\Windows\SysWOW64\Joicje32.exe Jmejmm32.exe File created C:\Windows\SysWOW64\Opgmqq32.dll Jafilj32.exe File opened for modification C:\Windows\SysWOW64\Abgeiaaf.exe Aioppl32.exe File created C:\Windows\SysWOW64\Akinoefk.dll Fmmjpoci.exe File opened for modification C:\Windows\SysWOW64\Hgjdcghp.exe Hekhid32.exe File created C:\Windows\SysWOW64\Cfemdp32.exe Bnjipn32.exe File created C:\Windows\SysWOW64\Jfffhk32.dll Fkbadifn.exe File created C:\Windows\SysWOW64\Defppd32.dll Boifinfg.exe File opened for modification C:\Windows\SysWOW64\Dckdio32.exe Djcpqidc.exe File created C:\Windows\SysWOW64\Acloba32.dll Dpbenpqh.exe File opened for modification C:\Windows\SysWOW64\Laknfmgd.exe Lgejidgn.exe File created C:\Windows\SysWOW64\Fgcgebhd.exe d75917f21a4d7d390656e6dd745d9f50N.exe File opened for modification C:\Windows\SysWOW64\Jmejmm32.exe Jpajdi32.exe File created C:\Windows\SysWOW64\Hedllgjk.exe Hfmbfkhf.exe File created C:\Windows\SysWOW64\Gngcgmgi.dll Edfqclni.exe File created C:\Windows\SysWOW64\Mhobldaf.exe Mlhbgc32.exe File created C:\Windows\SysWOW64\Alkpgh32.exe Alicahno.exe File created C:\Windows\SysWOW64\Jccjln32.exe Jnfbcg32.exe File opened for modification C:\Windows\SysWOW64\Oejgbonl.exe Nicfnn32.exe File created C:\Windows\SysWOW64\Npngng32.exe Njaoeq32.exe File opened for modification C:\Windows\SysWOW64\Nqdjge32.exe Ncpjnahm.exe File created C:\Windows\SysWOW64\Nokabf32.dll Enokidgl.exe File opened for modification C:\Windows\SysWOW64\Mnfhfmhc.exe Lkepdbkb.exe File created C:\Windows\SysWOW64\Iggkphll.dll Pinnfonh.exe File created C:\Windows\SysWOW64\Jfkldo32.dll Ckilmfke.exe File opened for modification C:\Windows\SysWOW64\Iggdmkmn.exe Igeggkoq.exe File opened for modification C:\Windows\SysWOW64\Mbehgabe.exe Lodoefed.exe File opened for modification C:\Windows\SysWOW64\Pknakhig.exe Pdamhocm.exe File opened for modification C:\Windows\SysWOW64\Acnpjj32.exe Qlcgmpkp.exe File opened for modification C:\Windows\SysWOW64\Eaangfjf.exe Ehiiop32.exe File created C:\Windows\SysWOW64\Phgppddg.dll Iggdmkmn.exe File created C:\Windows\SysWOW64\Aadlgk32.dll Lnipgp32.exe File created C:\Windows\SysWOW64\Hgcojpej.dll Dlfbck32.exe File created C:\Windows\SysWOW64\Dmhocf32.dll Ebhjdc32.exe File opened for modification C:\Windows\SysWOW64\Kjdiigbm.exe Kjopnh32.exe File created C:\Windows\SysWOW64\Cinelbbc.dll Pejejkhl.exe File created C:\Windows\SysWOW64\Donklh32.dll Omlahqeo.exe File opened for modification C:\Windows\SysWOW64\Jblbpnhk.exe Jehbfjia.exe File created C:\Windows\SysWOW64\Jajbfeop.exe Iionacad.exe File created C:\Windows\SysWOW64\Aahqpjlb.dll Mjeholco.exe File created C:\Windows\SysWOW64\Dopnodpc.dll Klgbfo32.exe File opened for modification C:\Windows\SysWOW64\Cjljpjjk.exe Cacegd32.exe File opened for modification C:\Windows\SysWOW64\Bcjhig32.exe Aefhpc32.exe File created C:\Windows\SysWOW64\Laenqg32.exe Lhmjha32.exe File created C:\Windows\SysWOW64\Plbaafak.exe Obilip32.exe File opened for modification C:\Windows\SysWOW64\Fmmjpoci.exe Fdefgimi.exe File opened for modification C:\Windows\SysWOW64\Jnfbcg32.exe Jabajc32.exe File opened for modification C:\Windows\SysWOW64\Ckopch32.exe Bbflkcao.exe File created C:\Windows\SysWOW64\Nbegonmd.exe Nqdjge32.exe File created C:\Windows\SysWOW64\Ghdjffln.dll Cdpdpl32.exe File opened for modification C:\Windows\SysWOW64\Hllffmbb.exe Hccbnhla.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Kclmbm32.exeMmgkoe32.exeDpbenpqh.exeJjlqpp32.exeMjeholco.exeNfcoel32.exeHfdkoc32.exeBqhbcqmj.exeKfenjq32.exeBbflkcao.exeEffidg32.exePinnfonh.exeKdmdlc32.exeLkolmk32.exeMgfjjh32.exeOhkpdj32.exePdamhocm.exeQlcgmpkp.exeMfamko32.exeHkidclbb.exeMbehgabe.exePhhonn32.exeEajhgg32.exeKemgqm32.exeGegbpe32.exeAamekk32.exeAfjncabj.exeAioppl32.exeFqqdigko.exeDpmlcpdm.exeOllncgjq.exeDghjmlnm.exeBnjipn32.exeKjdiigbm.exeFhfbmn32.exeHkfeec32.exeIbmmkaik.exeAenileon.exeCkopch32.exeIagchmjn.exeCmapna32.exeMhobldaf.exePmmppm32.exeMlcekgbb.exeBkgchckl.exeHajdniep.exeEmailhfb.exeFcegdnna.exeHefibg32.exeEhiiop32.exeMdigakic.exeOjdlkp32.exeFjjeid32.exeKbgnil32.exeEbhjdc32.exeMdnffpif.exeMjpmkdpp.exeFolhio32.exeLhegcg32.exeCofohkgi.exeGkfkoi32.exeKalkjh32.exeNbegonmd.exeFfeoid32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgkoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlqpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjeholco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdkoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqhbcqmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfenjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbflkcao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmdlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkolmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfjjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkpdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdamhocm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlcgmpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfamko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkidclbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbehgabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhonn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemgqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjncabj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aioppl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqqdigko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmlcpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollncgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghjmlnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnjipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdiigbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibmmkaik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aenileon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckopch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iagchmjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmapna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhobldaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlcekgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgchckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajdniep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emailhfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcegdnna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehiiop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdlkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgnil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhjdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdnffpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpmkdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folhio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhegcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofohkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkfkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbegonmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffeoid32.exe -
Modifies registry class 64 IoCs
Processes:
Fkbadifn.exeIfoncgpc.exeIceiibef.exeLafekm32.exeOpqdcgib.exeBfkakbpp.exeDnpedghl.exeEibikc32.exeLepfoe32.exeKnbjgq32.exeOddmokoo.exeBbflkcao.exePlbaafak.exeElnonp32.exeJblbpnhk.exeIgeggkoq.exePhhonn32.exeDckdio32.exeEhiiop32.exeFmnakege.exeBfcnfh32.exeLaenqg32.exePppihdha.exeHefibg32.exeOjnhdn32.exeKdlbckee.exeKfenjq32.exeGlongpao.exeOjgado32.exeGielchpp.exeHajdniep.exeLfedlb32.exeBgnaekil.exeFdefgimi.exeMnfhfmhc.exeKlgbfo32.exeJmpqbnmp.exeOegflcbj.exeCgfqii32.exeMlcekgbb.exeDqiakm32.exeKclmbm32.exeMjeholco.exeGnocdb32.exeIbmmkaik.exeJpajdi32.exeQggoeilh.exeIiodliep.exeHnecjgch.exeLpodmb32.exeJigmeagl.exeEphhmn32.exeQhdabemb.exeNicfnn32.exeCacegd32.exeKoelibnh.exeLkepdbkb.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkbadifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifoncgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goqeoiki.dll" Iceiibef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lafekm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbfhefe.dll" Opqdcgib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkakbpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnpedghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiajmgka.dll" Eibikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lepfoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knbjgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddmokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbflkcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbaafak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnonp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jblbpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbhic32.dll" Igeggkoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekohm32.dll" Dckdio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehiiop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqdcgib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmnakege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonapd32.dll" Oddmokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfcnfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cndcgd32.dll" Laenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnknedk.dll" Pppihdha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfhmqhk.dll" Hefibg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojnhdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdlbckee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hefibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkbglmp.dll" Kfenjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glongpao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgado32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lepfoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gielchpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajdniep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfedlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgnaekil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdefgimi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfenjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnfhfmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klgbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmpqbnmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oegflcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhejkik.dll" Cgfqii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlcekgbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqiakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kclmbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjeholco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnocdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmmkaik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpajdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbpoboge.dll" Qggoeilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiodliep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpodmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jigmeagl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephhmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmlank32.dll" Qhdabemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngobfm32.dll" Lfedlb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nicfnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacegd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koelibnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkepdbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhoqqojp.dll" Lkepdbkb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d75917f21a4d7d390656e6dd745d9f50N.exeFgcgebhd.exeFplknh32.exeFnplgl32.exeFdjddf32.exeFkdlaplh.exeFqqdigko.exeGbigao32.exeGielchpp.exeHkfeec32.exeHjmolp32.exeHajdniep.exeIbmmkaik.exeIlfadg32.exeIhooog32.exeIagchmjn.exedescription pid process target process PID 2488 wrote to memory of 2224 2488 d75917f21a4d7d390656e6dd745d9f50N.exe Fgcgebhd.exe PID 2488 wrote to memory of 2224 2488 d75917f21a4d7d390656e6dd745d9f50N.exe Fgcgebhd.exe PID 2488 wrote to memory of 2224 2488 d75917f21a4d7d390656e6dd745d9f50N.exe Fgcgebhd.exe PID 2488 wrote to memory of 2224 2488 d75917f21a4d7d390656e6dd745d9f50N.exe Fgcgebhd.exe PID 2224 wrote to memory of 2816 2224 Fgcgebhd.exe Fplknh32.exe PID 2224 wrote to memory of 2816 2224 Fgcgebhd.exe Fplknh32.exe PID 2224 wrote to memory of 2816 2224 Fgcgebhd.exe Fplknh32.exe PID 2224 wrote to memory of 2816 2224 Fgcgebhd.exe Fplknh32.exe PID 2816 wrote to memory of 2776 2816 Fplknh32.exe Fnplgl32.exe PID 2816 wrote to memory of 2776 2816 Fplknh32.exe Fnplgl32.exe PID 2816 wrote to memory of 2776 2816 Fplknh32.exe Fnplgl32.exe PID 2816 wrote to memory of 2776 2816 Fplknh32.exe Fnplgl32.exe PID 2776 wrote to memory of 2788 2776 Fnplgl32.exe Fdjddf32.exe PID 2776 wrote to memory of 2788 2776 Fnplgl32.exe Fdjddf32.exe PID 2776 wrote to memory of 2788 2776 Fnplgl32.exe Fdjddf32.exe PID 2776 wrote to memory of 2788 2776 Fnplgl32.exe Fdjddf32.exe PID 2788 wrote to memory of 2824 2788 Fdjddf32.exe Fkdlaplh.exe PID 2788 wrote to memory of 2824 2788 Fdjddf32.exe Fkdlaplh.exe PID 2788 wrote to memory of 2824 2788 Fdjddf32.exe Fkdlaplh.exe PID 2788 wrote to memory of 2824 2788 Fdjddf32.exe Fkdlaplh.exe PID 2824 wrote to memory of 2660 2824 Fkdlaplh.exe Fqqdigko.exe PID 2824 wrote to memory of 2660 2824 Fkdlaplh.exe Fqqdigko.exe PID 2824 wrote to memory of 2660 2824 Fkdlaplh.exe Fqqdigko.exe PID 2824 wrote to memory of 2660 2824 Fkdlaplh.exe Fqqdigko.exe PID 2660 wrote to memory of 2652 2660 Fqqdigko.exe Gbigao32.exe PID 2660 wrote to memory of 2652 2660 Fqqdigko.exe Gbigao32.exe PID 2660 wrote to memory of 2652 2660 Fqqdigko.exe Gbigao32.exe PID 2660 wrote to memory of 2652 2660 Fqqdigko.exe Gbigao32.exe PID 2652 wrote to memory of 2264 2652 Gbigao32.exe Gielchpp.exe PID 2652 wrote to memory of 2264 2652 Gbigao32.exe Gielchpp.exe PID 2652 wrote to memory of 2264 2652 Gbigao32.exe Gielchpp.exe PID 2652 wrote to memory of 2264 2652 Gbigao32.exe Gielchpp.exe PID 2264 wrote to memory of 1060 2264 Gielchpp.exe Hkfeec32.exe PID 2264 wrote to memory of 1060 2264 Gielchpp.exe Hkfeec32.exe PID 2264 wrote to memory of 1060 2264 Gielchpp.exe Hkfeec32.exe PID 2264 wrote to memory of 1060 2264 Gielchpp.exe Hkfeec32.exe PID 1060 wrote to memory of 1148 1060 Hkfeec32.exe Hjmolp32.exe PID 1060 wrote to memory of 1148 1060 Hkfeec32.exe Hjmolp32.exe PID 1060 wrote to memory of 1148 1060 Hkfeec32.exe Hjmolp32.exe PID 1060 wrote to memory of 1148 1060 Hkfeec32.exe Hjmolp32.exe PID 1148 wrote to memory of 1100 1148 Hjmolp32.exe Hajdniep.exe PID 1148 wrote to memory of 1100 1148 Hjmolp32.exe Hajdniep.exe PID 1148 wrote to memory of 1100 1148 Hjmolp32.exe Hajdniep.exe PID 1148 wrote to memory of 1100 1148 Hjmolp32.exe Hajdniep.exe PID 1100 wrote to memory of 3040 1100 Hajdniep.exe Ibmmkaik.exe PID 1100 wrote to memory of 3040 1100 Hajdniep.exe Ibmmkaik.exe PID 1100 wrote to memory of 3040 1100 Hajdniep.exe Ibmmkaik.exe PID 1100 wrote to memory of 3040 1100 Hajdniep.exe Ibmmkaik.exe PID 3040 wrote to memory of 1944 3040 Ibmmkaik.exe Ilfadg32.exe PID 3040 wrote to memory of 1944 3040 Ibmmkaik.exe Ilfadg32.exe PID 3040 wrote to memory of 1944 3040 Ibmmkaik.exe Ilfadg32.exe PID 3040 wrote to memory of 1944 3040 Ibmmkaik.exe Ilfadg32.exe PID 1944 wrote to memory of 956 1944 Ilfadg32.exe Ihooog32.exe PID 1944 wrote to memory of 956 1944 Ilfadg32.exe Ihooog32.exe PID 1944 wrote to memory of 956 1944 Ilfadg32.exe Ihooog32.exe PID 1944 wrote to memory of 956 1944 Ilfadg32.exe Ihooog32.exe PID 956 wrote to memory of 3000 956 Ihooog32.exe Iagchmjn.exe PID 956 wrote to memory of 3000 956 Ihooog32.exe Iagchmjn.exe PID 956 wrote to memory of 3000 956 Ihooog32.exe Iagchmjn.exe PID 956 wrote to memory of 3000 956 Ihooog32.exe Iagchmjn.exe PID 3000 wrote to memory of 2332 3000 Iagchmjn.exe Imndmnob.exe PID 3000 wrote to memory of 2332 3000 Iagchmjn.exe Imndmnob.exe PID 3000 wrote to memory of 2332 3000 Iagchmjn.exe Imndmnob.exe PID 3000 wrote to memory of 2332 3000 Iagchmjn.exe Imndmnob.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d75917f21a4d7d390656e6dd745d9f50N.exe"C:\Users\Admin\AppData\Local\Temp\d75917f21a4d7d390656e6dd745d9f50N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Fplknh32.exeC:\Windows\system32\Fplknh32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Fnplgl32.exeC:\Windows\system32\Fnplgl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Fdjddf32.exeC:\Windows\system32\Fdjddf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Fqqdigko.exeC:\Windows\system32\Fqqdigko.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Gbigao32.exeC:\Windows\system32\Gbigao32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Hkfeec32.exeC:\Windows\system32\Hkfeec32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\Hjmolp32.exeC:\Windows\system32\Hjmolp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Hajdniep.exeC:\Windows\system32\Hajdniep.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ihooog32.exeC:\Windows\system32\Ihooog32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Iagchmjn.exeC:\Windows\system32\Iagchmjn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Imndmnob.exeC:\Windows\system32\Imndmnob.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Jmpqbnmp.exeC:\Windows\system32\Jmpqbnmp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Jmejmm32.exeC:\Windows\system32\Jmejmm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:520 -
C:\Windows\SysWOW64\Kphpdhdh.exeC:\Windows\system32\Kphpdhdh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Kdlbckee.exeC:\Windows\system32\Kdlbckee.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Lodoefed.exeC:\Windows\system32\Lodoefed.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe33⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe35⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe37⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe39⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Omlahqeo.exeC:\Windows\system32\Omlahqeo.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Oegflcbj.exeC:\Windows\system32\Oegflcbj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe46⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe47⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Qlcgmpkp.exeC:\Windows\system32\Qlcgmpkp.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe50⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe51⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe53⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Aoijjjcl.exeC:\Windows\system32\Aoijjjcl.exe54⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Adfbbabc.exeC:\Windows\system32\Adfbbabc.exe55⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe57⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe58⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Bncpffdn.exeC:\Windows\system32\Bncpffdn.exe59⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe60⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Bdoeipjh.exeC:\Windows\system32\Bdoeipjh.exe61⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Bfcnfh32.exeC:\Windows\system32\Bfcnfh32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Bqhbcqmj.exeC:\Windows\system32\Bqhbcqmj.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\Cfekkgla.exeC:\Windows\system32\Cfekkgla.exe66⤵PID:2284
-
C:\Windows\SysWOW64\Cmocha32.exeC:\Windows\system32\Cmocha32.exe67⤵PID:2464
-
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe70⤵PID:1732
-
C:\Windows\SysWOW64\Ckgmon32.exeC:\Windows\system32\Ckgmon32.exe71⤵PID:1596
-
C:\Windows\SysWOW64\Cacegd32.exeC:\Windows\system32\Cacegd32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Cjljpjjk.exeC:\Windows\system32\Cjljpjjk.exe73⤵PID:860
-
C:\Windows\SysWOW64\Cgpjin32.exeC:\Windows\system32\Cgpjin32.exe74⤵PID:2724
-
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Dpmlcpdm.exeC:\Windows\system32\Dpmlcpdm.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Djcpqidc.exeC:\Windows\system32\Djcpqidc.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Dckdio32.exeC:\Windows\system32\Dckdio32.exe79⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Dijjgegh.exeC:\Windows\system32\Dijjgegh.exe81⤵PID:2920
-
C:\Windows\SysWOW64\Dbcnpk32.exeC:\Windows\system32\Dbcnpk32.exe82⤵PID:2964
-
C:\Windows\SysWOW64\Eojoelcm.exeC:\Windows\system32\Eojoelcm.exe83⤵PID:2068
-
C:\Windows\SysWOW64\Elnonp32.exeC:\Windows\system32\Elnonp32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Eajhgg32.exeC:\Windows\system32\Eajhgg32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe86⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Eehqme32.exeC:\Windows\system32\Eehqme32.exe87⤵PID:1192
-
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Ehiiop32.exeC:\Windows\system32\Ehiiop32.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Eaangfjf.exeC:\Windows\system32\Eaangfjf.exe90⤵PID:2304
-
C:\Windows\SysWOW64\Fgnfpm32.exeC:\Windows\system32\Fgnfpm32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Fimclh32.exeC:\Windows\system32\Fimclh32.exe92⤵PID:2860
-
C:\Windows\SysWOW64\Fcegdnna.exeC:\Windows\system32\Fcegdnna.exe93⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Flmlmc32.exeC:\Windows\system32\Flmlmc32.exe94⤵PID:1104
-
C:\Windows\SysWOW64\Folhio32.exeC:\Windows\system32\Folhio32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\Fgcpkldh.exeC:\Windows\system32\Fgcpkldh.exe96⤵PID:2088
-
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe97⤵PID:1048
-
C:\Windows\SysWOW64\Ficilgai.exeC:\Windows\system32\Ficilgai.exe98⤵PID:2476
-
C:\Windows\SysWOW64\Fkeedo32.exeC:\Windows\system32\Fkeedo32.exe99⤵PID:2432
-
C:\Windows\SysWOW64\Gcimop32.exeC:\Windows\system32\Gcimop32.exe100⤵PID:1752
-
C:\Windows\SysWOW64\Hfjfpkji.exeC:\Windows\system32\Hfjfpkji.exe101⤵PID:568
-
C:\Windows\SysWOW64\Hfmbfkhf.exeC:\Windows\system32\Hfmbfkhf.exe102⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Hedllgjk.exeC:\Windows\system32\Hedllgjk.exe103⤵PID:2368
-
C:\Windows\SysWOW64\Hnlqemal.exeC:\Windows\system32\Hnlqemal.exe104⤵PID:2864
-
C:\Windows\SysWOW64\Hefibg32.exeC:\Windows\system32\Hefibg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Iamjghnm.exeC:\Windows\system32\Iamjghnm.exe106⤵PID:2888
-
C:\Windows\SysWOW64\Iclfccmq.exeC:\Windows\system32\Iclfccmq.exe107⤵PID:1956
-
C:\Windows\SysWOW64\Imdjlida.exeC:\Windows\system32\Imdjlida.exe108⤵PID:2528
-
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe109⤵PID:2992
-
C:\Windows\SysWOW64\Imidgh32.exeC:\Windows\system32\Imidgh32.exe110⤵PID:2944
-
C:\Windows\SysWOW64\Iiodliep.exeC:\Windows\system32\Iiodliep.exe111⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Iceiibef.exeC:\Windows\system32\Iceiibef.exe112⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Jlpmndba.exeC:\Windows\system32\Jlpmndba.exe113⤵PID:1740
-
C:\Windows\SysWOW64\Jehbfjia.exeC:\Windows\system32\Jehbfjia.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe115⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe116⤵PID:1616
-
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe117⤵PID:1656
-
C:\Windows\SysWOW64\Jadlgjjq.exeC:\Windows\system32\Jadlgjjq.exe118⤵PID:1676
-
C:\Windows\SysWOW64\Jjlqpp32.exeC:\Windows\system32\Jjlqpp32.exe119⤵
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Jafilj32.exeC:\Windows\system32\Jafilj32.exe120⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Kiamql32.exeC:\Windows\system32\Kiamql32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2940 -
C:\Windows\SysWOW64\Kfenjq32.exeC:\Windows\system32\Kfenjq32.exe122⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Klbfbg32.exeC:\Windows\system32\Klbfbg32.exe123⤵PID:1428
-
C:\Windows\SysWOW64\Kghkppbp.exeC:\Windows\system32\Kghkppbp.exe124⤵PID:736
-
C:\Windows\SysWOW64\Kppohf32.exeC:\Windows\system32\Kppohf32.exe125⤵PID:2524
-
C:\Windows\SysWOW64\Kemgqm32.exeC:\Windows\system32\Kemgqm32.exe126⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Koelibnh.exeC:\Windows\system32\Koelibnh.exe127⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Kikpgk32.exeC:\Windows\system32\Kikpgk32.exe128⤵PID:2544
-
C:\Windows\SysWOW64\Lafekm32.exeC:\Windows\system32\Lafekm32.exe129⤵
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Lojeda32.exeC:\Windows\system32\Lojeda32.exe130⤵PID:2272
-
C:\Windows\SysWOW64\Lgejidgn.exeC:\Windows\system32\Lgejidgn.exe131⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Laknfmgd.exeC:\Windows\system32\Laknfmgd.exe132⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe133⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Lamkllea.exeC:\Windows\system32\Lamkllea.exe134⤵PID:2748
-
C:\Windows\SysWOW64\Lkepdbkb.exeC:\Windows\system32\Lkepdbkb.exe135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Mnfhfmhc.exeC:\Windows\system32\Mnfhfmhc.exe136⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Mpeebhhf.exeC:\Windows\system32\Mpeebhhf.exe137⤵PID:2348
-
C:\Windows\SysWOW64\Mfamko32.exeC:\Windows\system32\Mfamko32.exe138⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Mfdjpo32.exeC:\Windows\system32\Mfdjpo32.exe139⤵PID:2532
-
C:\Windows\SysWOW64\Mkqbhf32.exeC:\Windows\system32\Mkqbhf32.exe140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1620 -
C:\Windows\SysWOW64\Mdigakic.exeC:\Windows\system32\Mdigakic.exe141⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Mnakjaoc.exeC:\Windows\system32\Mnakjaoc.exe142⤵PID:396
-
C:\Windows\SysWOW64\Mkelcenm.exeC:\Windows\system32\Mkelcenm.exe143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884 -
C:\Windows\SysWOW64\Nglmifca.exeC:\Windows\system32\Nglmifca.exe144⤵PID:2756
-
C:\Windows\SysWOW64\Nkjeod32.exeC:\Windows\system32\Nkjeod32.exe145⤵PID:1108
-
C:\Windows\SysWOW64\Ndbjgjqh.exeC:\Windows\system32\Ndbjgjqh.exe146⤵PID:2032
-
C:\Windows\SysWOW64\Nnknqpgi.exeC:\Windows\system32\Nnknqpgi.exe147⤵PID:2280
-
C:\Windows\SysWOW64\Njaoeq32.exeC:\Windows\system32\Njaoeq32.exe148⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Npngng32.exeC:\Windows\system32\Npngng32.exe149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Ojdlkp32.exeC:\Windows\system32\Ojdlkp32.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Opqdcgib.exeC:\Windows\system32\Opqdcgib.exe151⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe152⤵PID:2580
-
C:\Windows\SysWOW64\Oikeal32.exeC:\Windows\system32\Oikeal32.exe153⤵PID:2704
-
C:\Windows\SysWOW64\Onhnjclg.exeC:\Windows\system32\Onhnjclg.exe154⤵PID:2688
-
C:\Windows\SysWOW64\Ollncgjq.exeC:\Windows\system32\Ollncgjq.exe155⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Oaiglnih.exeC:\Windows\system32\Oaiglnih.exe156⤵PID:2808
-
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe157⤵PID:1612
-
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe158⤵PID:1808
-
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Pdnihiad.exeC:\Windows\system32\Pdnihiad.exe160⤵PID:1568
-
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe161⤵PID:1492
-
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe162⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe163⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Bcjhig32.exeC:\Windows\system32\Bcjhig32.exe164⤵PID:1908
-
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe165⤵PID:1440
-
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe166⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Bocfch32.exeC:\Windows\system32\Bocfch32.exe167⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1552 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe168⤵PID:904
-
C:\Windows\SysWOW64\Bnicddki.exeC:\Windows\system32\Bnicddki.exe169⤵PID:2780
-
C:\Windows\SysWOW64\Bgagnjbi.exeC:\Windows\system32\Bgagnjbi.exe170⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1388 -
C:\Windows\SysWOW64\Bbflkcao.exeC:\Windows\system32\Bbflkcao.exe171⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Ckopch32.exeC:\Windows\system32\Ckopch32.exe172⤵
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe173⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Cmbiap32.exeC:\Windows\system32\Cmbiap32.exe174⤵PID:1168
-
C:\Windows\SysWOW64\Cjfjjd32.exeC:\Windows\system32\Cjfjjd32.exe175⤵PID:1508
-
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe176⤵PID:1572
-
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe177⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Cmjoaofc.exeC:\Windows\system32\Cmjoaofc.exe178⤵PID:2832
-
C:\Windows\SysWOW64\Dfbdje32.exeC:\Windows\system32\Dfbdje32.exe179⤵PID:1704
-
C:\Windows\SysWOW64\Dkolblkk.exeC:\Windows\system32\Dkolblkk.exe180⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe181⤵PID:1328
-
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe182⤵
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe183⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Dbmnjenb.exeC:\Windows\system32\Dbmnjenb.exe184⤵PID:2208
-
C:\Windows\SysWOW64\Dlfbck32.exeC:\Windows\system32\Dlfbck32.exe185⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe186⤵PID:3008
-
C:\Windows\SysWOW64\Djkodg32.exeC:\Windows\system32\Djkodg32.exe187⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Ephhmn32.exeC:\Windows\system32\Ephhmn32.exe188⤵
- Modifies registry class
PID:3084 -
C:\Windows\SysWOW64\Eiplecnc.exeC:\Windows\system32\Eiplecnc.exe189⤵PID:3128
-
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe190⤵
- Drops file in System32 directory
PID:3168 -
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe191⤵
- Modifies registry class
PID:3208 -
C:\Windows\SysWOW64\Effidg32.exeC:\Windows\system32\Effidg32.exe192⤵
- System Location Discovery: System Language Discovery
PID:3248 -
C:\Windows\SysWOW64\Eigbfb32.exeC:\Windows\system32\Eigbfb32.exe193⤵PID:3288
-
C:\Windows\SysWOW64\Ebpgoh32.exeC:\Windows\system32\Ebpgoh32.exe194⤵PID:3328
-
C:\Windows\SysWOW64\Fhlogo32.exeC:\Windows\system32\Fhlogo32.exe195⤵PID:3368
-
C:\Windows\SysWOW64\Fbbcdh32.exeC:\Windows\system32\Fbbcdh32.exe196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3408 -
C:\Windows\SysWOW64\Fillabde.exeC:\Windows\system32\Fillabde.exe197⤵PID:3448
-
C:\Windows\SysWOW64\Foidii32.exeC:\Windows\system32\Foidii32.exe198⤵PID:3488
-
C:\Windows\SysWOW64\Fhaibnim.exeC:\Windows\system32\Fhaibnim.exe199⤵PID:3528
-
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe200⤵
- Modifies registry class
PID:3568 -
C:\Windows\SysWOW64\Fkbadifn.exeC:\Windows\system32\Fkbadifn.exe201⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3648 -
C:\Windows\SysWOW64\Fmbkfd32.exeC:\Windows\system32\Fmbkfd32.exe203⤵PID:3688
-
C:\Windows\SysWOW64\Gkfkoi32.exeC:\Windows\system32\Gkfkoi32.exe204⤵
- System Location Discovery: System Language Discovery
PID:3728 -
C:\Windows\SysWOW64\Gcapckod.exeC:\Windows\system32\Gcapckod.exe205⤵PID:3772
-
C:\Windows\SysWOW64\Gpfpmonn.exeC:\Windows\system32\Gpfpmonn.exe206⤵PID:3812
-
C:\Windows\SysWOW64\Ginefe32.exeC:\Windows\system32\Ginefe32.exe207⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3852 -
C:\Windows\SysWOW64\Gcfioj32.exeC:\Windows\system32\Gcfioj32.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3892 -
C:\Windows\SysWOW64\Glongpao.exeC:\Windows\system32\Glongpao.exe209⤵
- Modifies registry class
PID:3932 -
C:\Windows\SysWOW64\Gegbpe32.exeC:\Windows\system32\Gegbpe32.exe210⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\Hopgikop.exeC:\Windows\system32\Hopgikop.exe211⤵PID:4012
-
C:\Windows\SysWOW64\Hnecjgch.exeC:\Windows\system32\Hnecjgch.exe212⤵
- Modifies registry class
PID:4052 -
C:\Windows\SysWOW64\Hkidclbb.exeC:\Windows\system32\Hkidclbb.exe213⤵
- System Location Discovery: System Language Discovery
PID:4092 -
C:\Windows\SysWOW64\Hqemlbqi.exeC:\Windows\system32\Hqemlbqi.exe214⤵PID:3156
-
C:\Windows\SysWOW64\Hcfenn32.exeC:\Windows\system32\Hcfenn32.exe215⤵PID:3224
-
C:\Windows\SysWOW64\Hmojfcdk.exeC:\Windows\system32\Hmojfcdk.exe216⤵PID:3284
-
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3324 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe218⤵PID:3376
-
C:\Windows\SysWOW64\Imccab32.exeC:\Windows\system32\Imccab32.exe219⤵PID:3436
-
C:\Windows\SysWOW64\Ibplji32.exeC:\Windows\system32\Ibplji32.exe220⤵PID:3476
-
C:\Windows\SysWOW64\Imepgbnc.exeC:\Windows\system32\Imepgbnc.exe221⤵PID:3500
-
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe222⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3588 -
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe223⤵PID:3624
-
C:\Windows\SysWOW64\Iionacad.exeC:\Windows\system32\Iionacad.exe224⤵
- Drops file in System32 directory
PID:3680 -
C:\Windows\SysWOW64\Jajbfeop.exeC:\Windows\system32\Jajbfeop.exe225⤵PID:3724
-
C:\Windows\SysWOW64\Jjbgok32.exeC:\Windows\system32\Jjbgok32.exe226⤵PID:3780
-
C:\Windows\SysWOW64\Jpdibapb.exeC:\Windows\system32\Jpdibapb.exe227⤵PID:3784
-
C:\Windows\SysWOW64\Jfnaok32.exeC:\Windows\system32\Jfnaok32.exe228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3884 -
C:\Windows\SysWOW64\Jlkigbef.exeC:\Windows\system32\Jlkigbef.exe229⤵PID:3928
-
C:\Windows\SysWOW64\Jbdadl32.exeC:\Windows\system32\Jbdadl32.exe230⤵PID:3988
-
C:\Windows\SysWOW64\Kmjfae32.exeC:\Windows\system32\Kmjfae32.exe231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4028 -
C:\Windows\SysWOW64\Kbgnil32.exeC:\Windows\system32\Kbgnil32.exe232⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4076 -
C:\Windows\SysWOW64\Khdgabih.exeC:\Windows\system32\Khdgabih.exe233⤵PID:3096
-
C:\Windows\SysWOW64\Kalkjh32.exeC:\Windows\system32\Kalkjh32.exe234⤵
- System Location Discovery: System Language Discovery
PID:3184 -
C:\Windows\SysWOW64\Kblhdkgk.exeC:\Windows\system32\Kblhdkgk.exe235⤵PID:3192
-
C:\Windows\SysWOW64\Kdmdlc32.exeC:\Windows\system32\Kdmdlc32.exe236⤵
- System Location Discovery: System Language Discovery
PID:3244 -
C:\Windows\SysWOW64\Kaaeegkc.exeC:\Windows\system32\Kaaeegkc.exe237⤵PID:3352
-
C:\Windows\SysWOW64\Kfnmnojj.exeC:\Windows\system32\Kfnmnojj.exe238⤵
- Drops file in System32 directory
PID:3428 -
C:\Windows\SysWOW64\Kmgekh32.exeC:\Windows\system32\Kmgekh32.exe239⤵PID:3468
-
C:\Windows\SysWOW64\Lhmjha32.exeC:\Windows\system32\Lhmjha32.exe240⤵
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Laenqg32.exeC:\Windows\system32\Laenqg32.exe241⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Lgbfin32.exeC:\Windows\system32\Lgbfin32.exe242⤵PID:3664