Analysis
-
max time kernel
118s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-08-2024 14:50
Static task
static1
Behavioral task
behavioral1
Sample
bf0489adc7995d9c4809e59c6c5b2fb0N.exe
Resource
win7-20240708-en
General
-
Target
bf0489adc7995d9c4809e59c6c5b2fb0N.exe
-
Size
163KB
-
MD5
bf0489adc7995d9c4809e59c6c5b2fb0
-
SHA1
a008ece068b1e852f6f4671c5acb434b757cbfb0
-
SHA256
b83d9118060b32c33a00390223b3a485bb897f03f9f555e287e4a899cb6a44ac
-
SHA512
99d307c5b862653897fc9d3429221a4e4925a48b38a653999b0f2c7307d904da670ce24fa4e4bf38018360e53eaeff1687f517912524608774a441b9a2817d3e
-
SSDEEP
1536:Pb2AF0PDuq3BwA4SHhgERhovzZmFklProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:zuwA4SHXhuokltOrWKDBr+yJb
Malware Config
Extracted
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Hjjnae32.exeNagpeo32.exeGemkelcd.exeMhbmphjm.exeCdlqqcnl.exeNhokljge.exePolppg32.exeHkpqkcpd.exeLqkgbcff.exeMadjhb32.exePhigif32.exeJgmjmjnb.exeNookip32.exeDlghoa32.exeBheplb32.exeCcdnjp32.exeEmcbio32.exeCmniml32.exeKgjgne32.exeLeenhhdn.exeJfbkpd32.exeKeqdmihc.exeMjokgg32.exeOdoogi32.exeCdnmfclj.exeObafpg32.exeGbabigfj.exeLmdemd32.exeAggegh32.exeInkjhi32.exeEpikpo32.exeGbnoiqdq.exeMffjcopi.exePgihfj32.exeQkjgegae.exeMkhapk32.exeFmnkkg32.exeGacjadad.exePpjgoaoj.exeDaediilg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjjnae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagpeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemkelcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhbmphjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdlqqcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlqqcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Polppg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpqkcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phigif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmjmjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbmphjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nookip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlghoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emcbio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmniml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgjgne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leenhhdn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfbkpd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keqdmihc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjokgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odoogi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obafpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbabigfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdemd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inkjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mffjcopi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgihfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkjgegae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhapk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacjadad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppjgoaoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daediilg.exe -
Executes dropped EXE 64 IoCs
Processes:
Dgbdlf32.exeDknpmdfc.exeDahhio32.exeEgdqae32.exeEajeon32.exeEdhakj32.exeEonehbjg.exeEehnem32.exeEgijmegb.exeEmcbio32.exeEdmjfifl.exeEhiffh32.exeEmeoooml.exeEemgplno.exeEkiohclf.exeFeocelll.exeFnjhjn32.exeFhpmgg32.exeFojedapj.exeFdfmlhna.exeFajnfl32.exeFefjfked.exeFnaokmco.exeFdkggg32.exeFkeodaai.exeFnckpmql.exeGdncmghi.exeGkglja32.exeGaadfkgc.exeGdppbfff.exeGkjhoq32.exeGadqlkep.exeGdbmhf32.exeGgqida32.exeGohaeo32.exeGfbibikg.exeGhpendjj.exeGkobjpin.exeGojnko32.exeGahjgj32.exeGgeboaob.exeHnoklk32.exeHheoid32.exeHoogfnnb.exeHfipbh32.exeHhgloc32.exeHgjljpkm.exeHnddgjbj.exeHdnldd32.exeHkhdqoac.exeHnfamjqg.exeHdpiid32.exeHgoeep32.exeHninbj32.exeHdbfodfa.exeHkmnln32.exeInkjhi32.exeIdebdcdo.exeIkokan32.exeInmgmijo.exeIdgojc32.exeIgfkfo32.exeInpccihl.exeIfgldfio.exepid process 2452 Dgbdlf32.exe 4800 Dknpmdfc.exe 3112 Dahhio32.exe 4876 Egdqae32.exe 3188 Eajeon32.exe 1844 Edhakj32.exe 4124 Eonehbjg.exe 1656 Eehnem32.exe 3480 Egijmegb.exe 4512 Emcbio32.exe 1864 Edmjfifl.exe 3656 Ehiffh32.exe 2480 Emeoooml.exe 2832 Eemgplno.exe 4296 Ekiohclf.exe 3636 Feocelll.exe 2416 Fnjhjn32.exe 4168 Fhpmgg32.exe 4864 Fojedapj.exe 4064 Fdfmlhna.exe 4316 Fajnfl32.exe 3236 Fefjfked.exe 544 Fnaokmco.exe 2760 Fdkggg32.exe 3772 Fkeodaai.exe 1824 Fnckpmql.exe 4580 Gdncmghi.exe 4324 Gkglja32.exe 2676 Gaadfkgc.exe 1700 Gdppbfff.exe 3060 Gkjhoq32.exe 4660 Gadqlkep.exe 2796 Gdbmhf32.exe 2044 Ggqida32.exe 4956 Gohaeo32.exe 1388 Gfbibikg.exe 1992 Ghpendjj.exe 1120 Gkobjpin.exe 2672 Gojnko32.exe 2960 Gahjgj32.exe 3692 Ggeboaob.exe 2524 Hnoklk32.exe 2032 Hheoid32.exe 3168 Hoogfnnb.exe 724 Hfipbh32.exe 2132 Hhgloc32.exe 3892 Hgjljpkm.exe 3916 Hnddgjbj.exe 4836 Hdnldd32.exe 1568 Hkhdqoac.exe 4960 Hnfamjqg.exe 3088 Hdpiid32.exe 3956 Hgoeep32.exe 4388 Hninbj32.exe 2236 Hdbfodfa.exe 3808 Hkmnln32.exe 1676 Inkjhi32.exe 3800 Idebdcdo.exe 4552 Ikokan32.exe 4008 Inmgmijo.exe 3608 Idgojc32.exe 2900 Igfkfo32.exe 3076 Inpccihl.exe 1500 Ifgldfio.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mlkepaam.exeLekmnajj.exeGfbibikg.exeLpneegel.exeHnddgjbj.exeBfhadc32.exeFgbfhmll.exeOoejohhq.exeCcchof32.exeCjmpkqqj.exeDomdjj32.exeBjicdmmd.exeJjafok32.exeGmimai32.exeJnkcogno.exeNlqomd32.exeIgchfiof.exeIqmidndd.exeKlfjijgq.exeBppfmigl.exeHcmbee32.exeFngcmcfe.exeOanfen32.exeOeokal32.exeGfodeohd.exeBkaobnio.exeQemhbj32.exeOocddono.exeQjnkcekm.exeAglnbhal.exeBlhpqhlh.exeKcndbp32.exeQhmqdemc.exeLdipha32.exeMgaokl32.exedescription ioc process File created C:\Windows\SysWOW64\Oefmflff.dll Mlkepaam.exe File created C:\Windows\SysWOW64\Gjmgfljg.dll Lekmnajj.exe File opened for modification C:\Windows\SysWOW64\Fqfojblo.exe File created C:\Windows\SysWOW64\Ofbmdj32.dll File created C:\Windows\SysWOW64\Ghpendjj.exe Gfbibikg.exe File created C:\Windows\SysWOW64\Lblaabdp.exe Lpneegel.exe File created C:\Windows\SysWOW64\Mcgiefen.exe File created C:\Windows\SysWOW64\Momcpa32.exe File created C:\Windows\SysWOW64\Ieccbbkn.exe File opened for modification C:\Windows\SysWOW64\Hdnldd32.exe Hnddgjbj.exe File created C:\Windows\SysWOW64\Bifmqo32.exe Bfhadc32.exe File opened for modification C:\Windows\SysWOW64\Fipbdikp.exe Fgbfhmll.exe File created C:\Windows\SysWOW64\Obafpg32.exe Ooejohhq.exe File created C:\Windows\SysWOW64\Fhjaco32.dll File created C:\Windows\SysWOW64\Gidbch32.dll Ccchof32.exe File created C:\Windows\SysWOW64\Jnpnbg32.dll Cjmpkqqj.exe File created C:\Windows\SysWOW64\Ddjmba32.exe Domdjj32.exe File created C:\Windows\SysWOW64\Oojnjjli.dll File opened for modification C:\Windows\SysWOW64\Blhpqhlh.exe Bjicdmmd.exe File created C:\Windows\SysWOW64\Jlobkg32.exe Jjafok32.exe File created C:\Windows\SysWOW64\Gpgind32.exe Gmimai32.exe File opened for modification C:\Windows\SysWOW64\Pdmdnadc.exe File opened for modification C:\Windows\SysWOW64\Jfbkpd32.exe Jnkcogno.exe File created C:\Windows\SysWOW64\Dgooajdl.dll Nlqomd32.exe File created C:\Windows\SysWOW64\Dckhejil.dll Igchfiof.exe File created C:\Windows\SysWOW64\Hnjjdmoc.dll Iqmidndd.exe File created C:\Windows\SysWOW64\Iapjgo32.exe File opened for modification C:\Windows\SysWOW64\Mhiabbdi.exe File created C:\Windows\SysWOW64\Ffmnibme.dll File created C:\Windows\SysWOW64\Nofoidko.dll Klfjijgq.exe File opened for modification C:\Windows\SysWOW64\Qcncodki.exe File opened for modification C:\Windows\SysWOW64\Omfekbdh.exe File created C:\Windows\SysWOW64\Fqfojblo.exe File created C:\Windows\SysWOW64\Fbfkceca.exe File created C:\Windows\SysWOW64\Noiilpik.dll Bppfmigl.exe File created C:\Windows\SysWOW64\Hkdjfb32.exe Hcmbee32.exe File opened for modification C:\Windows\SysWOW64\Ffnknafg.exe Fngcmcfe.exe File opened for modification C:\Windows\SysWOW64\Hiacacpg.exe File created C:\Windows\SysWOW64\Mioaanec.dll File opened for modification C:\Windows\SysWOW64\Amikgpcc.exe File created C:\Windows\SysWOW64\Fpiedd32.dll File created C:\Windows\SysWOW64\Ohhnbhok.exe Oanfen32.exe File created C:\Windows\SysWOW64\Plopnh32.dll Oeokal32.exe File created C:\Windows\SysWOW64\Gmimai32.exe Gfodeohd.exe File created C:\Windows\SysWOW64\Kofkbk32.exe File opened for modification C:\Windows\SysWOW64\Bnoknihb.exe Bkaobnio.exe File created C:\Windows\SysWOW64\Qhkdof32.exe Qemhbj32.exe File opened for modification C:\Windows\SysWOW64\Fnffhgon.exe File opened for modification C:\Windows\SysWOW64\Hbdgec32.exe File created C:\Windows\SysWOW64\Mklfjm32.exe File created C:\Windows\SysWOW64\Gphqhffa.dll Oocddono.exe File opened for modification C:\Windows\SysWOW64\Qlmgopjq.exe Qjnkcekm.exe File created C:\Windows\SysWOW64\Ajjjocap.exe Aglnbhal.exe File created C:\Windows\SysWOW64\Ikndgg32.exe Igchfiof.exe File created C:\Windows\SysWOW64\Lgilmo32.dll File created C:\Windows\SysWOW64\Bkkple32.exe Blhpqhlh.exe File opened for modification C:\Windows\SysWOW64\Kkeldnpi.exe Kcndbp32.exe File created C:\Windows\SysWOW64\Hemikcpm.dll File created C:\Windows\SysWOW64\Qklmpalf.exe Qhmqdemc.exe File created C:\Windows\SysWOW64\Cgkeml32.dll File opened for modification C:\Windows\SysWOW64\Hpmhdmea.exe File created C:\Windows\SysWOW64\Lclpdncg.exe Ldipha32.exe File created C:\Windows\SysWOW64\Kbgbpn32.dll Mgaokl32.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Kndojobi.exeLeopnglc.exeEjbbmnnb.exeEmbddb32.exeKmaopfjm.exeCcnncgmc.exePefabkej.exeGjfnedho.exeEfeihb32.exeHnddgjbj.exeLbgalmej.exeLhkgoiqe.exeMffjcopi.exeHgiepjga.exeNbcjnilj.exeLdipha32.exeBoeebnhp.exeEbnfbcbc.exeMjpbam32.exeAhippdbe.exeCpihcgoa.exeGfokoelp.exeHidgai32.exeIfomll32.exePllgnl32.exeAmjillkj.exePleaoa32.exeKgjgne32.exeCgqqdeod.exeJniood32.exeGppcmeem.exeEjpfhnpe.exeOkgaijaj.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kndojobi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leopnglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejbbmnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnncgmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefabkej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeihb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnddgjbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgalmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhkgoiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffjcopi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgiepjga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbcjnilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldipha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeebnhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnfbcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpbam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahippdbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpihcgoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfokoelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifomll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjillkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqqdeod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppcmeem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpfhnpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Qaalblgi.exeJicdap32.exeBblnindg.exeCmhigf32.exeEpmmqheb.exeGdppbfff.exeElpkep32.exeFffhifdk.exeFlpmagqi.exeHkhdqoac.exeMgclpkac.exeDmcain32.exeBcghch32.exeIinqbn32.exeIpjedh32.exeJnjejjgh.exePkegpb32.exeMojhgbdl.exeIkejgf32.exeEkkkoj32.exeEejeiocj.exeGemkelcd.exePhedhmhi.exeBoeebnhp.exeBfhadc32.exeGgnedlao.exeMbgjbkfg.exeFmqgpgoc.exeGpnmbl32.exebf0489adc7995d9c4809e59c6c5b2fb0N.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioodcbn.dll" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhbbnba.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhomgchl.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbfoaba.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnech32.dll" Jicdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bblnindg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbblcj32.dll" Epmmqheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfqbll32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celipg32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqjbok32.dll" Gdppbfff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elpkep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolece32.dll" Flpmagqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkhdqoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgmeiqa.dll" Mgclpkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picoja32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcghch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmhbpmi.dll" Iinqbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafipibl.dll" Jnjejjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkheoa32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mojhgbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmhkg32.dll" Ikejgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpejkd32.dll" Gemkelcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjef32.dll" Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomnmjjb.dll" Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpgam32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnfmjbo.dll" Bfhadc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laahglpp.dll" Ggnedlao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmqgpgoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdcmh32.dll" Gpnmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmmljnd.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmeel32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" bf0489adc7995d9c4809e59c6c5b2fb0N.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bf0489adc7995d9c4809e59c6c5b2fb0N.exeDgbdlf32.exeDknpmdfc.exeDahhio32.exeEgdqae32.exeEajeon32.exeEdhakj32.exeEonehbjg.exeEehnem32.exeEgijmegb.exeEmcbio32.exeEdmjfifl.exeEhiffh32.exeEmeoooml.exeEemgplno.exeEkiohclf.exeFeocelll.exeFnjhjn32.exeFhpmgg32.exeFojedapj.exeFdfmlhna.exeFajnfl32.exedescription pid process target process PID 3864 wrote to memory of 2452 3864 bf0489adc7995d9c4809e59c6c5b2fb0N.exe Dgbdlf32.exe PID 3864 wrote to memory of 2452 3864 bf0489adc7995d9c4809e59c6c5b2fb0N.exe Dgbdlf32.exe PID 3864 wrote to memory of 2452 3864 bf0489adc7995d9c4809e59c6c5b2fb0N.exe Dgbdlf32.exe PID 2452 wrote to memory of 4800 2452 Dgbdlf32.exe Dknpmdfc.exe PID 2452 wrote to memory of 4800 2452 Dgbdlf32.exe Dknpmdfc.exe PID 2452 wrote to memory of 4800 2452 Dgbdlf32.exe Dknpmdfc.exe PID 4800 wrote to memory of 3112 4800 Dknpmdfc.exe Dahhio32.exe PID 4800 wrote to memory of 3112 4800 Dknpmdfc.exe Dahhio32.exe PID 4800 wrote to memory of 3112 4800 Dknpmdfc.exe Dahhio32.exe PID 3112 wrote to memory of 4876 3112 Dahhio32.exe Egdqae32.exe PID 3112 wrote to memory of 4876 3112 Dahhio32.exe Egdqae32.exe PID 3112 wrote to memory of 4876 3112 Dahhio32.exe Egdqae32.exe PID 4876 wrote to memory of 3188 4876 Egdqae32.exe Eajeon32.exe PID 4876 wrote to memory of 3188 4876 Egdqae32.exe Eajeon32.exe PID 4876 wrote to memory of 3188 4876 Egdqae32.exe Eajeon32.exe PID 3188 wrote to memory of 1844 3188 Eajeon32.exe Edhakj32.exe PID 3188 wrote to memory of 1844 3188 Eajeon32.exe Edhakj32.exe PID 3188 wrote to memory of 1844 3188 Eajeon32.exe Edhakj32.exe PID 1844 wrote to memory of 4124 1844 Edhakj32.exe Eonehbjg.exe PID 1844 wrote to memory of 4124 1844 Edhakj32.exe Eonehbjg.exe PID 1844 wrote to memory of 4124 1844 Edhakj32.exe Eonehbjg.exe PID 4124 wrote to memory of 1656 4124 Eonehbjg.exe Eehnem32.exe PID 4124 wrote to memory of 1656 4124 Eonehbjg.exe Eehnem32.exe PID 4124 wrote to memory of 1656 4124 Eonehbjg.exe Eehnem32.exe PID 1656 wrote to memory of 3480 1656 Eehnem32.exe Egijmegb.exe PID 1656 wrote to memory of 3480 1656 Eehnem32.exe Egijmegb.exe PID 1656 wrote to memory of 3480 1656 Eehnem32.exe Egijmegb.exe PID 3480 wrote to memory of 4512 3480 Egijmegb.exe Emcbio32.exe PID 3480 wrote to memory of 4512 3480 Egijmegb.exe Emcbio32.exe PID 3480 wrote to memory of 4512 3480 Egijmegb.exe Emcbio32.exe PID 4512 wrote to memory of 1864 4512 Emcbio32.exe Edmjfifl.exe PID 4512 wrote to memory of 1864 4512 Emcbio32.exe Edmjfifl.exe PID 4512 wrote to memory of 1864 4512 Emcbio32.exe Edmjfifl.exe PID 1864 wrote to memory of 3656 1864 Edmjfifl.exe Ehiffh32.exe PID 1864 wrote to memory of 3656 1864 Edmjfifl.exe Ehiffh32.exe PID 1864 wrote to memory of 3656 1864 Edmjfifl.exe Ehiffh32.exe PID 3656 wrote to memory of 2480 3656 Ehiffh32.exe Emeoooml.exe PID 3656 wrote to memory of 2480 3656 Ehiffh32.exe Emeoooml.exe PID 3656 wrote to memory of 2480 3656 Ehiffh32.exe Emeoooml.exe PID 2480 wrote to memory of 2832 2480 Emeoooml.exe Eemgplno.exe PID 2480 wrote to memory of 2832 2480 Emeoooml.exe Eemgplno.exe PID 2480 wrote to memory of 2832 2480 Emeoooml.exe Eemgplno.exe PID 2832 wrote to memory of 4296 2832 Eemgplno.exe Ekiohclf.exe PID 2832 wrote to memory of 4296 2832 Eemgplno.exe Ekiohclf.exe PID 2832 wrote to memory of 4296 2832 Eemgplno.exe Ekiohclf.exe PID 4296 wrote to memory of 3636 4296 Ekiohclf.exe Feocelll.exe PID 4296 wrote to memory of 3636 4296 Ekiohclf.exe Feocelll.exe PID 4296 wrote to memory of 3636 4296 Ekiohclf.exe Feocelll.exe PID 3636 wrote to memory of 2416 3636 Feocelll.exe Fnjhjn32.exe PID 3636 wrote to memory of 2416 3636 Feocelll.exe Fnjhjn32.exe PID 3636 wrote to memory of 2416 3636 Feocelll.exe Fnjhjn32.exe PID 2416 wrote to memory of 4168 2416 Fnjhjn32.exe Fhpmgg32.exe PID 2416 wrote to memory of 4168 2416 Fnjhjn32.exe Fhpmgg32.exe PID 2416 wrote to memory of 4168 2416 Fnjhjn32.exe Fhpmgg32.exe PID 4168 wrote to memory of 4864 4168 Fhpmgg32.exe Fojedapj.exe PID 4168 wrote to memory of 4864 4168 Fhpmgg32.exe Fojedapj.exe PID 4168 wrote to memory of 4864 4168 Fhpmgg32.exe Fojedapj.exe PID 4864 wrote to memory of 4064 4864 Fojedapj.exe Fdfmlhna.exe PID 4864 wrote to memory of 4064 4864 Fojedapj.exe Fdfmlhna.exe PID 4864 wrote to memory of 4064 4864 Fojedapj.exe Fdfmlhna.exe PID 4064 wrote to memory of 4316 4064 Fdfmlhna.exe Fajnfl32.exe PID 4064 wrote to memory of 4316 4064 Fdfmlhna.exe Fajnfl32.exe PID 4064 wrote to memory of 4316 4064 Fdfmlhna.exe Fajnfl32.exe PID 4316 wrote to memory of 3236 4316 Fajnfl32.exe Fefjfked.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf0489adc7995d9c4809e59c6c5b2fb0N.exe"C:\Users\Admin\AppData\Local\Temp\bf0489adc7995d9c4809e59c6c5b2fb0N.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Dknpmdfc.exeC:\Windows\system32\Dknpmdfc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Dahhio32.exeC:\Windows\system32\Dahhio32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Eemgplno.exeC:\Windows\system32\Eemgplno.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe23⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Fnaokmco.exeC:\Windows\system32\Fnaokmco.exe24⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe25⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe26⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe27⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe28⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe29⤵
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Gaadfkgc.exeC:\Windows\system32\Gaadfkgc.exe30⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe32⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Gadqlkep.exeC:\Windows\system32\Gadqlkep.exe33⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe34⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Ggqida32.exeC:\Windows\system32\Ggqida32.exe35⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe36⤵
- Executes dropped EXE
PID:4956 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe38⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe39⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Gojnko32.exeC:\Windows\system32\Gojnko32.exe40⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe41⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe42⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Hnoklk32.exeC:\Windows\system32\Hnoklk32.exe43⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Hheoid32.exeC:\Windows\system32\Hheoid32.exe44⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe45⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe46⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe47⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe48⤵
- Executes dropped EXE
PID:3892 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3916 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe50⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Hnfamjqg.exeC:\Windows\system32\Hnfamjqg.exe52⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe53⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe54⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe55⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe56⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe57⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe59⤵
- Executes dropped EXE
PID:3800 -
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe60⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe61⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe62⤵
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe63⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe64⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe65⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Iiehpahb.exeC:\Windows\system32\Iiehpahb.exe66⤵PID:3216
-
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe67⤵PID:1528
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe68⤵PID:2000
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe69⤵PID:116
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe70⤵PID:4724
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe71⤵PID:4160
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe72⤵PID:1912
-
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe73⤵PID:748
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe74⤵PID:4748
-
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe75⤵PID:1572
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe76⤵PID:3932
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe77⤵PID:1724
-
C:\Windows\SysWOW64\Jecofa32.exeC:\Windows\system32\Jecofa32.exe78⤵PID:4484
-
C:\Windows\SysWOW64\Jgakbm32.exeC:\Windows\system32\Jgakbm32.exe79⤵PID:528
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe80⤵
- Drops file in System32 directory
PID:3984 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Jiaglp32.exeC:\Windows\system32\Jiaglp32.exe82⤵PID:912
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe83⤵PID:1084
-
C:\Windows\SysWOW64\Jfehed32.exeC:\Windows\system32\Jfehed32.exe84⤵PID:4668
-
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe85⤵
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Jblijebc.exeC:\Windows\system32\Jblijebc.exe86⤵PID:2396
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe87⤵PID:2572
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe88⤵PID:3640
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe89⤵PID:3460
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe90⤵
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Keonap32.exeC:\Windows\system32\Keonap32.exe91⤵PID:2876
-
C:\Windows\SysWOW64\Khmknk32.exeC:\Windows\system32\Khmknk32.exe92⤵PID:2140
-
C:\Windows\SysWOW64\Klifnj32.exeC:\Windows\system32\Klifnj32.exe93⤵PID:1456
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe94⤵PID:3736
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe95⤵PID:4392
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe96⤵PID:4240
-
C:\Windows\SysWOW64\Khbdikip.exeC:\Windows\system32\Khbdikip.exe97⤵PID:4472
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe98⤵PID:4728
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe99⤵PID:3848
-
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe100⤵PID:2816
-
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe101⤵PID:1348
-
C:\Windows\SysWOW64\Llpmoiof.exeC:\Windows\system32\Llpmoiof.exe102⤵PID:2952
-
C:\Windows\SysWOW64\Lfealaol.exeC:\Windows\system32\Lfealaol.exe103⤵PID:2332
-
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe104⤵PID:4068
-
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe105⤵
- Drops file in System32 directory
PID:3940 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe106⤵PID:2388
-
C:\Windows\SysWOW64\Lfhnaa32.exeC:\Windows\system32\Lfhnaa32.exe107⤵PID:4940
-
C:\Windows\SysWOW64\Lifjnm32.exeC:\Windows\system32\Lifjnm32.exe108⤵PID:5000
-
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe109⤵PID:1984
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe110⤵PID:5004
-
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe111⤵PID:1256
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe112⤵
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Loeolc32.exeC:\Windows\system32\Loeolc32.exe113⤵PID:2024
-
C:\Windows\SysWOW64\Lflgmqhd.exeC:\Windows\system32\Lflgmqhd.exe114⤵PID:5128
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe115⤵PID:5172
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe116⤵PID:5216
-
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe117⤵PID:5256
-
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe118⤵PID:5300
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe119⤵PID:5344
-
C:\Windows\SysWOW64\Mojhgbdl.exeC:\Windows\system32\Mojhgbdl.exe120⤵
- Modifies registry class
PID:5388 -
C:\Windows\SysWOW64\Mfaqhp32.exeC:\Windows\system32\Mfaqhp32.exe121⤵PID:5432
-
C:\Windows\SysWOW64\Mhbmphjm.exeC:\Windows\system32\Mhbmphjm.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5472 -
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe123⤵PID:5508
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe124⤵PID:5556
-
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe125⤵PID:5600
-
C:\Windows\SysWOW64\Mhdjehhj.exeC:\Windows\system32\Mhdjehhj.exe126⤵PID:5636
-
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe127⤵PID:5676
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe128⤵PID:5720
-
C:\Windows\SysWOW64\Mffjcopi.exeC:\Windows\system32\Mffjcopi.exe129⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5764 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe130⤵PID:5808
-
C:\Windows\SysWOW64\Mlbbkfoq.exeC:\Windows\system32\Mlbbkfoq.exe131⤵PID:5852
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe132⤵PID:5892
-
C:\Windows\SysWOW64\Mfhfhong.exeC:\Windows\system32\Mfhfhong.exe133⤵PID:5932
-
C:\Windows\SysWOW64\Mhicpg32.exeC:\Windows\system32\Mhicpg32.exe134⤵PID:5976
-
C:\Windows\SysWOW64\Mpqkad32.exeC:\Windows\system32\Mpqkad32.exe135⤵PID:6016
-
C:\Windows\SysWOW64\Mfjcnold.exeC:\Windows\system32\Mfjcnold.exe136⤵PID:6064
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe137⤵PID:6108
-
C:\Windows\SysWOW64\Noehba32.exeC:\Windows\system32\Noehba32.exe138⤵PID:5124
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe139⤵PID:5192
-
C:\Windows\SysWOW64\Nhnlkfpp.exeC:\Windows\system32\Nhnlkfpp.exe140⤵PID:5252
-
C:\Windows\SysWOW64\Npedmdab.exeC:\Windows\system32\Npedmdab.exe141⤵PID:5320
-
C:\Windows\SysWOW64\Nbcqiope.exeC:\Windows\system32\Nbcqiope.exe142⤵PID:5376
-
C:\Windows\SysWOW64\Ngomin32.exeC:\Windows\system32\Ngomin32.exe143⤵PID:5452
-
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe144⤵PID:5524
-
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe145⤵PID:5592
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe146⤵PID:5660
-
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe147⤵PID:5740
-
C:\Windows\SysWOW64\Nipekiep.exeC:\Windows\system32\Nipekiep.exe148⤵PID:5796
-
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe149⤵PID:5876
-
C:\Windows\SysWOW64\Nchjdo32.exeC:\Windows\system32\Nchjdo32.exe150⤵PID:5944
-
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe151⤵PID:6008
-
C:\Windows\SysWOW64\Nibbqicm.exeC:\Windows\system32\Nibbqicm.exe152⤵PID:6080
-
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe153⤵
- Drops file in System32 directory
PID:3528 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe154⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5212 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe155⤵PID:5332
-
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe156⤵PID:5440
-
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe157⤵PID:5568
-
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe158⤵PID:5656
-
C:\Windows\SysWOW64\Ohjlgefb.exeC:\Windows\system32\Ohjlgefb.exe159⤵PID:5776
-
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe160⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe161⤵PID:5992
-
C:\Windows\SysWOW64\Oiihahme.exeC:\Windows\system32\Oiihahme.exe162⤵PID:6076
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe163⤵PID:5160
-
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe164⤵PID:5316
-
C:\Windows\SysWOW64\Ogmijllo.exeC:\Windows\system32\Ogmijllo.exe165⤵PID:5516
-
C:\Windows\SysWOW64\Oileggkb.exeC:\Windows\system32\Oileggkb.exe166⤵PID:5644
-
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe167⤵PID:5888
-
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe168⤵PID:5960
-
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe169⤵PID:3500
-
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe170⤵PID:5420
-
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe171⤵PID:5716
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe172⤵PID:5940
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe173⤵PID:5168
-
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5672 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe175⤵PID:6132
-
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe176⤵PID:5424
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe177⤵PID:5292
-
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe178⤵PID:6160
-
C:\Windows\SysWOW64\Pckppl32.exeC:\Windows\system32\Pckppl32.exe179⤵PID:6200
-
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe180⤵PID:6240
-
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe181⤵PID:6280
-
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe182⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6320 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe183⤵PID:6360
-
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe184⤵
- System Location Discovery: System Language Discovery
PID:6404 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe185⤵PID:6440
-
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe186⤵PID:6480
-
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe187⤵PID:6516
-
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe188⤵PID:6556
-
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe189⤵PID:6592
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe190⤵PID:6636
-
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe191⤵PID:6676
-
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe192⤵PID:6712
-
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe193⤵PID:6752
-
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe194⤵
- Drops file in System32 directory
PID:6792 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe195⤵PID:6832
-
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe196⤵PID:6872
-
C:\Windows\SysWOW64\Afelhf32.exeC:\Windows\system32\Afelhf32.exe197⤵PID:6912
-
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe198⤵PID:6952
-
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe199⤵PID:6992
-
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe200⤵PID:7028
-
C:\Windows\SysWOW64\Afghneoo.exeC:\Windows\system32\Afghneoo.exe201⤵PID:7068
-
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe202⤵PID:7108
-
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe203⤵PID:7148
-
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe204⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6176 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe205⤵PID:6224
-
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe206⤵PID:6288
-
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe207⤵PID:6340
-
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe208⤵PID:6428
-
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe209⤵PID:6464
-
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe210⤵PID:6548
-
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe211⤵PID:6612
-
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe212⤵
- Drops file in System32 directory
PID:6664 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe213⤵PID:6744
-
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe214⤵PID:6828
-
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe215⤵PID:6908
-
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe216⤵PID:6936
-
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe217⤵PID:7016
-
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe218⤵PID:7084
-
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe219⤵PID:7144
-
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe220⤵PID:6196
-
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe221⤵PID:6336
-
C:\Windows\SysWOW64\Biadeoce.exeC:\Windows\system32\Biadeoce.exe222⤵PID:6436
-
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe223⤵PID:6524
-
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe224⤵
- Modifies registry class
PID:6660 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe225⤵PID:6760
-
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe226⤵PID:6856
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe227⤵PID:7012
-
C:\Windows\SysWOW64\Bciehh32.exeC:\Windows\system32\Bciehh32.exe228⤵PID:7060
-
C:\Windows\SysWOW64\Bfhadc32.exeC:\Windows\system32\Bfhadc32.exe229⤵
- Drops file in System32 directory
- Modifies registry class
PID:6168 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe230⤵PID:6348
-
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe231⤵
- Drops file in System32 directory
PID:6540 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe232⤵PID:6720
-
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe233⤵PID:6968
-
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe234⤵PID:7100
-
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe235⤵PID:6304
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe236⤵
- System Location Discovery: System Language Discovery
PID:6608 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe237⤵PID:6892
-
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe238⤵PID:6396
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe239⤵PID:6864
-
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe240⤵PID:6860
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe241⤵PID:7176
-
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe242⤵PID:7216