Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03-08-2024 11:23
Static task
static1
Behavioral task
behavioral1
Sample
8f12f3041a88e821f79c1cde50053220N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
8f12f3041a88e821f79c1cde50053220N.exe
Resource
win10v2004-20240802-en
General
-
Target
8f12f3041a88e821f79c1cde50053220N.exe
-
Size
163KB
-
MD5
8f12f3041a88e821f79c1cde50053220
-
SHA1
99627b9152f7106f4de08df258a4559cf869364c
-
SHA256
ad480dc74535a0a5bbdf0439002ac3adf443d4e99c933a74d37bb17d425c08cc
-
SHA512
5252e1184c4e8cd706b6b8c1dcea6d96bf23ebf9d266d8658407aaed1afbcc85071f4606c8ef89801e76a6f262715b1ce48a2958cd4a075ecff38f20f28192da
-
SSDEEP
3072:ENLkmsM4M+KelV8/lDKtltOrWKDBr+yJb:q2VlqlGtLOf
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Dhiomn32.exeFpoolael.exeKdnild32.exeNpjlhcmd.exeMnbpjb32.exeCbiiog32.exeIppdgc32.exePhnpagdp.exePplaki32.exeQcachc32.exeIhpfgalh.exeLddlkg32.exeNhjjgd32.exeBmbgfkje.exeOagoep32.exeElfcbo32.exeHebnlb32.exeDhmhhmlm.exeDkqnoh32.exeHmkeke32.exeKdklfe32.exeOfadnq32.exePidfdofi.exeEdfbaabj.exeHmkeke32.exePhlclgfc.exeCmfkfa32.exeCehfkb32.exeEijdkcgn.exeEklqcl32.exeHbaaik32.exeNibqqh32.exeDemofaol.exeHmalldcn.exeLldmleam.exeBjkhdacm.exeBckjhl32.exeHcgjmo32.exeIeajkfmd.exePgcmbcih.exeAckmih32.exeFolfoj32.exeGkglnm32.exeLkjjma32.exeBjbndpmd.exeCpfmmf32.exeFdmhbplb.exeMkndhabp.exeBgaebe32.exeGolbnm32.exeJpgjgboe.exeOhiffh32.exeAciqcifh.exeNlefhcnc.exeOmnipjni.exeIliebpfc.exeLkgngb32.exeOemgplgo.exeBbbgod32.exeDdblgn32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpoolael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjlhcmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnbpjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbiiog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippdgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcachc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpfgalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddlkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhjjgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elfcbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebnlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmhhmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqnoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdklfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofadnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidfdofi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edfbaabj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfkfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijdkcgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eklqcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbaaik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nibqqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldmleam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckjhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgjmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgcmbcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgjgboe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aciqcifh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omnipjni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliebpfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemgplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ippdgc32.exe -
Executes dropped EXE 64 IoCs
Processes:
Mnbpjb32.exeMfihkoal.exeMihdgkpp.exeMgjebg32.exeMacilmnk.exeMgmahg32.exeMjkndb32.exeMhonngce.exeNmlgfnal.exeNfdkoc32.exeNmnclmoj.exeNhdhif32.exeNjbdea32.exeNiedqnen.exeNbniid32.exeNpaich32.exeNbpeoc32.exeNlhjhi32.exeNoffdd32.exeOlkfmi32.exeOpfbngfb.exeOagoep32.exeOokpodkj.exeOeehln32.exeOkbpde32.exeOhfqmi32.exeOgiaif32.exeOpaebkmc.exeOhhmcinf.exeOkgjodmi.exePpcbgkka.exePdonhj32.exePkifdd32.exePpfomk32.exePdakniag.exePecgea32.exePphkbj32.exePoklngnf.exePiqpkpml.exePciddedl.exePjcmap32.exePhfmllbd.exePejmfqan.exePhhjblpa.exeQobbofgn.exeQfljkp32.exeQkibcg32.exeQackpado.exeQdaglmcb.exeAgpcihcf.exeAnjlebjc.exeAbegfa32.exeAgbpnh32.exeAjqljc32.exeAmohfo32.exeAciqcifh.exeAjcipc32.exeAnneqafn.exeAckmih32.exeAggiigmn.exeAjeeeblb.exeAmcbankf.exeAqonbm32.exeAcnjnh32.exepid process 2500 Mnbpjb32.exe 2816 Mfihkoal.exe 2736 Mihdgkpp.exe 2772 Mgjebg32.exe 2744 Macilmnk.exe 2792 Mgmahg32.exe 2668 Mjkndb32.exe 2412 Mhonngce.exe 1492 Nmlgfnal.exe 580 Nfdkoc32.exe 2992 Nmnclmoj.exe 2880 Nhdhif32.exe 1996 Njbdea32.exe 2252 Niedqnen.exe 2396 Nbniid32.exe 2204 Npaich32.exe 2296 Nbpeoc32.exe 1396 Nlhjhi32.exe 700 Noffdd32.exe 2004 Olkfmi32.exe 1544 Opfbngfb.exe 2564 Oagoep32.exe 1352 Ookpodkj.exe 2324 Oeehln32.exe 2128 Okbpde32.exe 2216 Ohfqmi32.exe 2820 Ogiaif32.exe 2828 Opaebkmc.exe 316 Ohhmcinf.exe 2652 Okgjodmi.exe 2844 Ppcbgkka.exe 2620 Pdonhj32.exe 2232 Pkifdd32.exe 2960 Ppfomk32.exe 2728 Pdakniag.exe 2968 Pecgea32.exe 2872 Pphkbj32.exe 1292 Poklngnf.exe 1028 Piqpkpml.exe 2424 Pciddedl.exe 2132 Pjcmap32.exe 448 Phfmllbd.exe 780 Pejmfqan.exe 2432 Phhjblpa.exe 844 Qobbofgn.exe 1364 Qfljkp32.exe 2260 Qkibcg32.exe 2312 Qackpado.exe 304 Qdaglmcb.exe 2076 Agpcihcf.exe 1604 Anjlebjc.exe 2732 Abegfa32.exe 2840 Agbpnh32.exe 2632 Ajqljc32.exe 2752 Amohfo32.exe 2848 Aciqcifh.exe 2740 Ajcipc32.exe 1296 Anneqafn.exe 2912 Ackmih32.exe 2264 Aggiigmn.exe 2860 Ajeeeblb.exe 3000 Amcbankf.exe 2032 Aqonbm32.exe 2408 Acnjnh32.exe -
Loads dropped DLL 64 IoCs
Processes:
8f12f3041a88e821f79c1cde50053220N.exeMnbpjb32.exeMfihkoal.exeMihdgkpp.exeMgjebg32.exeMacilmnk.exeMgmahg32.exeMjkndb32.exeMhonngce.exeNmlgfnal.exeNfdkoc32.exeNmnclmoj.exeNhdhif32.exeNjbdea32.exeNiedqnen.exeNbniid32.exeNpaich32.exeNbpeoc32.exeNlhjhi32.exeNoffdd32.exeOlkfmi32.exeOpfbngfb.exeOagoep32.exeOokpodkj.exeOeehln32.exeOkbpde32.exeOhfqmi32.exeOgiaif32.exeOpaebkmc.exeOhhmcinf.exeOkgjodmi.exePpcbgkka.exepid process 1820 8f12f3041a88e821f79c1cde50053220N.exe 1820 8f12f3041a88e821f79c1cde50053220N.exe 2500 Mnbpjb32.exe 2500 Mnbpjb32.exe 2816 Mfihkoal.exe 2816 Mfihkoal.exe 2736 Mihdgkpp.exe 2736 Mihdgkpp.exe 2772 Mgjebg32.exe 2772 Mgjebg32.exe 2744 Macilmnk.exe 2744 Macilmnk.exe 2792 Mgmahg32.exe 2792 Mgmahg32.exe 2668 Mjkndb32.exe 2668 Mjkndb32.exe 2412 Mhonngce.exe 2412 Mhonngce.exe 1492 Nmlgfnal.exe 1492 Nmlgfnal.exe 580 Nfdkoc32.exe 580 Nfdkoc32.exe 2992 Nmnclmoj.exe 2992 Nmnclmoj.exe 2880 Nhdhif32.exe 2880 Nhdhif32.exe 1996 Njbdea32.exe 1996 Njbdea32.exe 2252 Niedqnen.exe 2252 Niedqnen.exe 2396 Nbniid32.exe 2396 Nbniid32.exe 2204 Npaich32.exe 2204 Npaich32.exe 2296 Nbpeoc32.exe 2296 Nbpeoc32.exe 1396 Nlhjhi32.exe 1396 Nlhjhi32.exe 700 Noffdd32.exe 700 Noffdd32.exe 2004 Olkfmi32.exe 2004 Olkfmi32.exe 1544 Opfbngfb.exe 1544 Opfbngfb.exe 2564 Oagoep32.exe 2564 Oagoep32.exe 1352 Ookpodkj.exe 1352 Ookpodkj.exe 2324 Oeehln32.exe 2324 Oeehln32.exe 2128 Okbpde32.exe 2128 Okbpde32.exe 2216 Ohfqmi32.exe 2216 Ohfqmi32.exe 2820 Ogiaif32.exe 2820 Ogiaif32.exe 2828 Opaebkmc.exe 2828 Opaebkmc.exe 316 Ohhmcinf.exe 316 Ohhmcinf.exe 2652 Okgjodmi.exe 2652 Okgjodmi.exe 2844 Ppcbgkka.exe 2844 Ppcbgkka.exe -
Drops file in System32 directory 64 IoCs
Processes:
Cfcijf32.exeGncldi32.exeJimbkh32.exeBiaign32.exeHebnlb32.exePojecajj.exeKhghgchk.exeFolfoj32.exeAfffenbp.exeDbncjf32.exeIedfqeka.exeIakgefqe.exeOpnbbe32.exePaknelgk.exeQndkpmkm.exeDemofaol.exeKnfndjdp.exeBoljgg32.exeOpaebkmc.exeFlhmfbim.exeLkgngb32.exeNenkqi32.exePmkhjncg.exeBnknoogp.exeIllbhp32.exeKnkgpi32.exeIjehdl32.exeOkgjodmi.exePejmfqan.exeBnqned32.exeEacljf32.exeGneijien.exeJdnmma32.exeMbhlek32.exePepcelel.exeAohdmdoh.exeElfcbo32.exeGbhbdi32.exeIafnjg32.exeAjmijmnn.exeBjkhdacm.exeIhpfgalh.exeNfoghakb.exeCmfkfa32.exeEcnoijbd.exeKpkpadnl.exeEnlidg32.exeKjmnjkjd.exeEoiiijcc.exeOpqoge32.exePbagipfi.exeAccqnc32.exeAlqnah32.exeNjbdea32.exeHmoofdea.exeHmalldcn.exeLldmleam.exeKddomchg.exeCagienkb.exeDgbeiiqe.exeHfhcoj32.exeMbcoio32.exeBbgqjdce.exedescription ioc process File created C:\Windows\SysWOW64\Ceeieced.exe Cfcijf32.exe File created C:\Windows\SysWOW64\Gbohehoj.exe Gncldi32.exe File opened for modification C:\Windows\SysWOW64\Jmhnkfpa.exe Jimbkh32.exe File created C:\Windows\SysWOW64\Kikpibof.dll Biaign32.exe File created C:\Windows\SysWOW64\Hcdnhoac.exe Hebnlb32.exe File opened for modification C:\Windows\SysWOW64\Paiaplin.exe Pojecajj.exe File opened for modification C:\Windows\SysWOW64\Kkeecogo.exe Khghgchk.exe File created C:\Windows\SysWOW64\Nebhgckp.dll Folfoj32.exe File created C:\Windows\SysWOW64\Egfokakc.dll Afffenbp.exe File created C:\Windows\SysWOW64\Daacecfc.exe Dbncjf32.exe File created C:\Windows\SysWOW64\Apgahbgk.dll Iedfqeka.exe File opened for modification C:\Windows\SysWOW64\Iefcfe32.exe Iakgefqe.exe File opened for modification C:\Windows\SysWOW64\Obmnna32.exe Opnbbe32.exe File opened for modification C:\Windows\SysWOW64\Ppnnai32.exe Paknelgk.exe File created C:\Windows\SysWOW64\Ckmcef32.dll Qndkpmkm.exe File created C:\Windows\SysWOW64\Abillbab.dll Demofaol.exe File opened for modification C:\Windows\SysWOW64\Kaajei32.exe Knfndjdp.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Boljgg32.exe File created C:\Windows\SysWOW64\Ohhmcinf.exe Opaebkmc.exe File created C:\Windows\SysWOW64\Mkkeeecj.dll Flhmfbim.exe File created C:\Windows\SysWOW64\Qchaehnb.dll Lkgngb32.exe File created C:\Windows\SysWOW64\Bkpeci32.exe Biaign32.exe File created C:\Windows\SysWOW64\Bdclnelo.dll Nenkqi32.exe File created C:\Windows\SysWOW64\Apqcdckf.dll Pmkhjncg.exe File created C:\Windows\SysWOW64\Bmnnkl32.exe Bnknoogp.exe File opened for modification C:\Windows\SysWOW64\Ijnbcmkk.exe Illbhp32.exe File created C:\Windows\SysWOW64\Klngkfge.exe Knkgpi32.exe File created C:\Windows\SysWOW64\Jmdepg32.exe Ijehdl32.exe File created C:\Windows\SysWOW64\Pphcfh32.dll Okgjodmi.exe File opened for modification C:\Windows\SysWOW64\Phhjblpa.exe Pejmfqan.exe File created C:\Windows\SysWOW64\Bmcnqama.exe Bnqned32.exe File created C:\Windows\SysWOW64\Eijdkcgn.exe Eacljf32.exe File created C:\Windows\SysWOW64\Iajfhi32.dll Gneijien.exe File created C:\Windows\SysWOW64\Hfjckino.dll Jdnmma32.exe File created C:\Windows\SysWOW64\Mdghaf32.exe Mbhlek32.exe File created C:\Windows\SysWOW64\Phnpagdp.exe Pepcelel.exe File created C:\Windows\SysWOW64\Hcopgk32.dll Aohdmdoh.exe File created C:\Windows\SysWOW64\Eoepnk32.exe Elfcbo32.exe File opened for modification C:\Windows\SysWOW64\Gfcnegnk.exe Gbhbdi32.exe File created C:\Windows\SysWOW64\Cbkipjbh.dll Iafnjg32.exe File opened for modification C:\Windows\SysWOW64\Ahpifj32.exe Ajmijmnn.exe File opened for modification C:\Windows\SysWOW64\Bbbpenco.exe Bjkhdacm.exe File created C:\Windows\SysWOW64\Illbhp32.exe Ihpfgalh.exe File created C:\Windows\SysWOW64\Gaokcb32.dll Nfoghakb.exe File created C:\Windows\SysWOW64\Cpdgbm32.exe Cmfkfa32.exe File created C:\Windows\SysWOW64\Mihmog32.dll Ecnoijbd.exe File created C:\Windows\SysWOW64\Hhdkmd32.dll Kpkpadnl.exe File created C:\Windows\SysWOW64\Moanlj32.dll Enlidg32.exe File opened for modification C:\Windows\SysWOW64\Knhjjj32.exe Kjmnjkjd.exe File created C:\Windows\SysWOW64\Enlidg32.exe Eoiiijcc.exe File opened for modification C:\Windows\SysWOW64\Oococb32.exe Opqoge32.exe File opened for modification C:\Windows\SysWOW64\Pepcelel.exe Pbagipfi.exe File created C:\Windows\SysWOW64\Ekndacia.dll Accqnc32.exe File created C:\Windows\SysWOW64\Akcomepg.exe Alqnah32.exe File opened for modification C:\Windows\SysWOW64\Niedqnen.exe Njbdea32.exe File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hmoofdea.exe File created C:\Windows\SysWOW64\Hldlga32.exe Hmalldcn.exe File created C:\Windows\SysWOW64\Qpceaipi.dll Lldmleam.exe File created C:\Windows\SysWOW64\Nhfpnk32.dll Kddomchg.exe File created C:\Windows\SysWOW64\Fnbkfl32.dll Cagienkb.exe File opened for modification C:\Windows\SysWOW64\Dknajh32.exe Dgbeiiqe.exe File created C:\Windows\SysWOW64\Jcidje32.dll Hfhcoj32.exe File opened for modification C:\Windows\SysWOW64\Mjkgjl32.exe Mbcoio32.exe File opened for modification C:\Windows\SysWOW64\Bajqfq32.exe Bbgqjdce.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5420 5336 WerFault.exe Dpapaj32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Oippjl32.exeCagienkb.exePjcmap32.exeCpiqmlfm.exeFjlmpfhg.exeJedcpi32.exeLlbqfe32.exeNpaich32.exeQackpado.exeIikifegp.exeKaompi32.exeBofgii32.exeBnqned32.exeEihgfd32.exeDemofaol.exeJbqmhnbo.exeLdpbpgoh.exePohhna32.exeKdbbgdjj.exeNmfbpk32.exeOmklkkpl.exeOhiffh32.exeQcachc32.exeOadkej32.exeCebeem32.exeNoffdd32.exeAjgbkbjp.exeBgblmk32.exeEhmdgp32.exeMbhlek32.exeEdfbaabj.exeGiipab32.exeHihlqeib.exeKddomchg.exeMnbpjb32.exeBnldjekl.exeFnofjfhk.exeGfcnegnk.exeCfhkhd32.exeAjqljc32.exeBiaign32.exeEhpalp32.exeEoiiijcc.exeCkmnbg32.exeAqonbm32.exeNnafnopi.exeApgagg32.exeFkecij32.exeGdhkfd32.exePhcilf32.exeAhpifj32.exeFolfoj32.exeIedfqeka.exeLbafdlod.exeCpfmmf32.exeNiedqnen.exeBckjhl32.exeHldlga32.exeLjddjj32.exeAjmijmnn.exeBgllgedi.exeClojhf32.exeOpfbngfb.exeFhbnbpjc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oippjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagienkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcmap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlmpfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npaich32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qackpado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikifegp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaompi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofgii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqned32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihgfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demofaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbqmhnbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbpgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omklkkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcachc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noffdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgbkbjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgblmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehmdgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfbaabj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giipab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihlqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbpjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnldjekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnofjfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcnegnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajqljc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biaign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoiiijcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqonbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafnopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkecij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niedqnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldlga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfbngfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe -
Modifies registry class 64 IoCs
Processes:
Jmhnkfpa.exeLbafdlod.exeMkqqnq32.exeDemofaol.exeCmedlk32.exeMggabaea.exeOhfqmi32.exeJialfgcc.exeOpfbngfb.exeHmkeke32.exeHfegij32.exeIeajkfmd.exeIdkpganf.exeQkfocaki.exeCnimiblo.exeKdbbgdjj.exeCmjdaqgi.exeHfhcoj32.exeNbniid32.exeBbmcibjp.exeCgoelh32.exeQackpado.exePcljmdmj.exeLoqmba32.exeBmnnkl32.exeAnneqafn.exeEoepnk32.exeFfodjh32.exeCopjdhib.exeFnflke32.exeQeppdo32.exeAojabdlf.exeCbiiog32.exeEejopecj.exeGmmfaa32.exeBflbigdb.exeFmkilb32.exeCillkbac.exePplaki32.exeOokpodkj.exeHmoofdea.exeLqipkhbj.exeNmlgfnal.exeHcgjmo32.exePkcbnanl.exeOpnbbe32.exeLjddjj32.exeGfhgpg32.exeAmohfo32.exeBofgii32.exeCegoqlof.exeHjlioj32.exeEcploipa.exeMfmndn32.exeCenljmgq.exeMgmahg32.exeDejbqb32.exeLfoojj32.exeBjdkjpkb.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmnnh32.dll" Jmhnkfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbafdlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkqqnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Demofaol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopjqipp.dll" Ohfqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdhclbka.dll" Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opfbngfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picion32.dll" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidgma32.dll" Hfegij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihifg32.dll" Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll" Qkfocaki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmjdaqgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmhnkfpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingkfk32.dll" Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeobp32.dll" Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnflke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojabdlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfqmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbiiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejopecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmkilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkenb32.dll" Ookpodkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjpijfl.dll" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlgfnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcgjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmjebjg.dll" Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amohfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golnjpio.dll" Bofgii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cegoqlof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecploipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfmndn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenljmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgmahg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpbjee.dll" Ieajkfmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfoojj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjdkjpkb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8f12f3041a88e821f79c1cde50053220N.exeMnbpjb32.exeMfihkoal.exeMihdgkpp.exeMgjebg32.exeMacilmnk.exeMgmahg32.exeMjkndb32.exeMhonngce.exeNmlgfnal.exeNfdkoc32.exeNmnclmoj.exeNhdhif32.exeNjbdea32.exeNiedqnen.exeNbniid32.exedescription pid process target process PID 1820 wrote to memory of 2500 1820 8f12f3041a88e821f79c1cde50053220N.exe Mnbpjb32.exe PID 1820 wrote to memory of 2500 1820 8f12f3041a88e821f79c1cde50053220N.exe Mnbpjb32.exe PID 1820 wrote to memory of 2500 1820 8f12f3041a88e821f79c1cde50053220N.exe Mnbpjb32.exe PID 1820 wrote to memory of 2500 1820 8f12f3041a88e821f79c1cde50053220N.exe Mnbpjb32.exe PID 2500 wrote to memory of 2816 2500 Mnbpjb32.exe Mfihkoal.exe PID 2500 wrote to memory of 2816 2500 Mnbpjb32.exe Mfihkoal.exe PID 2500 wrote to memory of 2816 2500 Mnbpjb32.exe Mfihkoal.exe PID 2500 wrote to memory of 2816 2500 Mnbpjb32.exe Mfihkoal.exe PID 2816 wrote to memory of 2736 2816 Mfihkoal.exe Mihdgkpp.exe PID 2816 wrote to memory of 2736 2816 Mfihkoal.exe Mihdgkpp.exe PID 2816 wrote to memory of 2736 2816 Mfihkoal.exe Mihdgkpp.exe PID 2816 wrote to memory of 2736 2816 Mfihkoal.exe Mihdgkpp.exe PID 2736 wrote to memory of 2772 2736 Mihdgkpp.exe Mgjebg32.exe PID 2736 wrote to memory of 2772 2736 Mihdgkpp.exe Mgjebg32.exe PID 2736 wrote to memory of 2772 2736 Mihdgkpp.exe Mgjebg32.exe PID 2736 wrote to memory of 2772 2736 Mihdgkpp.exe Mgjebg32.exe PID 2772 wrote to memory of 2744 2772 Mgjebg32.exe Macilmnk.exe PID 2772 wrote to memory of 2744 2772 Mgjebg32.exe Macilmnk.exe PID 2772 wrote to memory of 2744 2772 Mgjebg32.exe Macilmnk.exe PID 2772 wrote to memory of 2744 2772 Mgjebg32.exe Macilmnk.exe PID 2744 wrote to memory of 2792 2744 Macilmnk.exe Mgmahg32.exe PID 2744 wrote to memory of 2792 2744 Macilmnk.exe Mgmahg32.exe PID 2744 wrote to memory of 2792 2744 Macilmnk.exe Mgmahg32.exe PID 2744 wrote to memory of 2792 2744 Macilmnk.exe Mgmahg32.exe PID 2792 wrote to memory of 2668 2792 Mgmahg32.exe Mjkndb32.exe PID 2792 wrote to memory of 2668 2792 Mgmahg32.exe Mjkndb32.exe PID 2792 wrote to memory of 2668 2792 Mgmahg32.exe Mjkndb32.exe PID 2792 wrote to memory of 2668 2792 Mgmahg32.exe Mjkndb32.exe PID 2668 wrote to memory of 2412 2668 Mjkndb32.exe Mhonngce.exe PID 2668 wrote to memory of 2412 2668 Mjkndb32.exe Mhonngce.exe PID 2668 wrote to memory of 2412 2668 Mjkndb32.exe Mhonngce.exe PID 2668 wrote to memory of 2412 2668 Mjkndb32.exe Mhonngce.exe PID 2412 wrote to memory of 1492 2412 Mhonngce.exe Nmlgfnal.exe PID 2412 wrote to memory of 1492 2412 Mhonngce.exe Nmlgfnal.exe PID 2412 wrote to memory of 1492 2412 Mhonngce.exe Nmlgfnal.exe PID 2412 wrote to memory of 1492 2412 Mhonngce.exe Nmlgfnal.exe PID 1492 wrote to memory of 580 1492 Nmlgfnal.exe Nfdkoc32.exe PID 1492 wrote to memory of 580 1492 Nmlgfnal.exe Nfdkoc32.exe PID 1492 wrote to memory of 580 1492 Nmlgfnal.exe Nfdkoc32.exe PID 1492 wrote to memory of 580 1492 Nmlgfnal.exe Nfdkoc32.exe PID 580 wrote to memory of 2992 580 Nfdkoc32.exe Nmnclmoj.exe PID 580 wrote to memory of 2992 580 Nfdkoc32.exe Nmnclmoj.exe PID 580 wrote to memory of 2992 580 Nfdkoc32.exe Nmnclmoj.exe PID 580 wrote to memory of 2992 580 Nfdkoc32.exe Nmnclmoj.exe PID 2992 wrote to memory of 2880 2992 Nmnclmoj.exe Nhdhif32.exe PID 2992 wrote to memory of 2880 2992 Nmnclmoj.exe Nhdhif32.exe PID 2992 wrote to memory of 2880 2992 Nmnclmoj.exe Nhdhif32.exe PID 2992 wrote to memory of 2880 2992 Nmnclmoj.exe Nhdhif32.exe PID 2880 wrote to memory of 1996 2880 Nhdhif32.exe Njbdea32.exe PID 2880 wrote to memory of 1996 2880 Nhdhif32.exe Njbdea32.exe PID 2880 wrote to memory of 1996 2880 Nhdhif32.exe Njbdea32.exe PID 2880 wrote to memory of 1996 2880 Nhdhif32.exe Njbdea32.exe PID 1996 wrote to memory of 2252 1996 Njbdea32.exe Niedqnen.exe PID 1996 wrote to memory of 2252 1996 Njbdea32.exe Niedqnen.exe PID 1996 wrote to memory of 2252 1996 Njbdea32.exe Niedqnen.exe PID 1996 wrote to memory of 2252 1996 Njbdea32.exe Niedqnen.exe PID 2252 wrote to memory of 2396 2252 Niedqnen.exe Nbniid32.exe PID 2252 wrote to memory of 2396 2252 Niedqnen.exe Nbniid32.exe PID 2252 wrote to memory of 2396 2252 Niedqnen.exe Nbniid32.exe PID 2252 wrote to memory of 2396 2252 Niedqnen.exe Nbniid32.exe PID 2396 wrote to memory of 2204 2396 Nbniid32.exe Npaich32.exe PID 2396 wrote to memory of 2204 2396 Nbniid32.exe Npaich32.exe PID 2396 wrote to memory of 2204 2396 Nbniid32.exe Npaich32.exe PID 2396 wrote to memory of 2204 2396 Nbniid32.exe Npaich32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f12f3041a88e821f79c1cde50053220N.exe"C:\Users\Admin\AppData\Local\Temp\8f12f3041a88e821f79c1cde50053220N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:700 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe33⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe34⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe35⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe36⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe37⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe38⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe39⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe40⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe41⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe43⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe45⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe46⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe47⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe48⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe50⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe51⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe52⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe53⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe58⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe61⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe62⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe63⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe65⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe66⤵PID:2812
-
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe67⤵
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe68⤵PID:336
-
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe69⤵PID:1724
-
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2100 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe71⤵PID:1928
-
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe72⤵PID:2104
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe74⤵PID:2780
-
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe75⤵PID:3036
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe77⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe78⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe79⤵PID:1832
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe81⤵PID:1792
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe82⤵PID:2724
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe83⤵PID:964
-
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe84⤵PID:2108
-
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe86⤵PID:1304
-
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe87⤵PID:1728
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe89⤵PID:2856
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe90⤵PID:1864
-
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe91⤵PID:3060
-
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe92⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe93⤵PID:2976
-
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe94⤵PID:584
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe96⤵PID:2180
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe97⤵PID:960
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe98⤵PID:1800
-
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe99⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe100⤵PID:1084
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe101⤵PID:2304
-
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe102⤵PID:2008
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe103⤵PID:1692
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe104⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe105⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe106⤵PID:1036
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe107⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe108⤵PID:2964
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe109⤵PID:1020
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2360 -
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe112⤵PID:2536
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe113⤵
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe114⤵
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe116⤵PID:1580
-
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe117⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe118⤵PID:2628
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe120⤵PID:1008
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe121⤵PID:1340
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1208 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1148 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe124⤵PID:2268
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe125⤵PID:1212
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe126⤵PID:1720
-
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe127⤵PID:1512
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe128⤵PID:2952
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe129⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe130⤵PID:2852
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe131⤵PID:2684
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe132⤵PID:2240
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe133⤵PID:908
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe134⤵PID:1920
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe135⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1116 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe136⤵PID:1848
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe137⤵PID:1736
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe138⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe139⤵PID:2444
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe140⤵PID:2664
-
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe141⤵PID:2696
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe142⤵
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe143⤵PID:2256
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe144⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe145⤵PID:1384
-
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe146⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe147⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe148⤵
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe149⤵
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe150⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe151⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe152⤵PID:1568
-
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe153⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe154⤵PID:2176
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe155⤵PID:2892
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe156⤵PID:1056
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe157⤵
- System Location Discovery: System Language Discovery
PID:272 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe158⤵PID:1636
-
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe159⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe160⤵
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe161⤵PID:1916
-
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe162⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe163⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe164⤵PID:2716
-
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe165⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe166⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe167⤵PID:2676
-
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe168⤵PID:1752
-
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe169⤵PID:2648
-
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe170⤵PID:784
-
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe171⤵PID:1392
-
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1052 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe173⤵PID:544
-
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe174⤵PID:2748
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe175⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe176⤵PID:2996
-
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe177⤵PID:900
-
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3088 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe179⤵PID:3128
-
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe180⤵
- Modifies registry class
PID:3172 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe181⤵
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe182⤵
- Drops file in System32 directory
PID:3252 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe183⤵PID:3292
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe184⤵PID:3332
-
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe185⤵PID:3372
-
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe186⤵
- System Location Discovery: System Language Discovery
PID:3412 -
C:\Windows\SysWOW64\Fmkilb32.exeC:\Windows\system32\Fmkilb32.exe187⤵
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe188⤵PID:3492
-
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe189⤵
- Drops file in System32 directory
PID:3532 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe190⤵
- System Location Discovery: System Language Discovery
PID:3572 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe191⤵PID:3612
-
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe192⤵
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe193⤵PID:3692
-
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe194⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3732 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe195⤵PID:3772
-
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe196⤵
- System Location Discovery: System Language Discovery
PID:3812 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe197⤵PID:3852
-
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe198⤵PID:3892
-
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe199⤵PID:3932
-
C:\Windows\SysWOW64\Gnaooi32.exeC:\Windows\system32\Gnaooi32.exe200⤵PID:3972
-
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe201⤵
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe202⤵PID:4052
-
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe203⤵PID:4092
-
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe204⤵PID:3100
-
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe205⤵
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe206⤵PID:3208
-
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe207⤵
- System Location Discovery: System Language Discovery
PID:3264 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe208⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3312 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe209⤵
- Drops file in System32 directory
PID:3360 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe210⤵PID:3396
-
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe211⤵PID:3472
-
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe212⤵PID:3504
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe213⤵PID:3556
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe214⤵
- Modifies registry class
PID:3596 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe215⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3668 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe216⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3700 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe217⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3724 -
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe218⤵PID:3780
-
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe219⤵PID:3832
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe220⤵PID:3872
-
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe221⤵PID:3924
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe222⤵PID:3980
-
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe223⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4032 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe224⤵
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe225⤵PID:3108
-
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe226⤵
- Drops file in System32 directory
- Modifies registry class
PID:3120 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe227⤵PID:3240
-
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe228⤵PID:3300
-
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe229⤵PID:3344
-
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe230⤵
- Drops file in System32 directory
- Modifies registry class
PID:3432 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3484 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe232⤵
- System Location Discovery: System Language Discovery
PID:3548 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe233⤵PID:3604
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe234⤵PID:3688
-
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe235⤵PID:3752
-
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe236⤵
- System Location Discovery: System Language Discovery
PID:3140 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe237⤵PID:3888
-
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe238⤵PID:3920
-
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe239⤵PID:3996
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe240⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4048 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe241⤵PID:2088
-
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe242⤵
- System Location Discovery: System Language Discovery
PID:3160