Analysis
max time kernel: 111s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 07-08-2024 09:02

Static task: static1
Behavioral task: behavioral1
Sample: 9842b72db0cb3fd8b30901af576d9860N.exe
Resource: win7-20240704-en
General
Target: 9842b72db0cb3fd8b30901af576d9860N.exe
Size: 163KB
MD5: 9842b72db0cb3fd8b30901af576d9860
SHA1: 85fd02f7056bb1a3528962b5b7cafa985621205c
SHA256: 3250adccee67ba7ccd50a39d4b7b4ebd168e288f37504ec84312bf5823281fb7
SHA512: 794d9a5b80cc75c28e9ddc47e1bbf44d26ebbe4547ef4afe121a8ade0b0c430fe1a47cbf3a968ec99a41f11a430ed392a7dc7eef2d101706455b61e151bf1506
SSDEEP: 1536:P3O0RZViAazzxymcrT8UbYlEolProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:BVVGERYlEoltOrWKDBr+yJb
Malware Config
Extracted
gozi
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 IoCs touch the same key; 37 are writes of the same value and 27 are creations of the parent key.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
written by: Apkbnibq.exe, Gmamfddp.exe, Dhibakmb.exe, Liibgkoo.exe, Doamhe32.exe, Njchfc32.exe, Hmijajbd.exe, Ifkfap32.exe, Mhbflj32.exe, Fljhmmci.exe, Hhogaamj.exe, Iencdc32.exe, Beplcfmd.exe, Kpoejbhe.exe, Dibhjokm.exe, Abjeejep.exe, Iggbdb32.exe, Lbplciof.exe, Cacegd32.exe, Hdcdfmqe.exe, Ooemcb32.exe, Pgogla32.exe, Iokdaa32.exe, Kekkkm32.exe, Jfpmifoa.exe, Lkoidcaj.exe, Flphccbp.exe, Oikeal32.exe, Bgkeol32.exe, Aedlhg32.exe, Llomhllh.exe, Nqakim32.exe, Ijlaloaf.exe, Jhkeelml.exe, Hmlmacfn.exe, Khcbpa32.exe, Kpcbhlki.exe

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
created by: Hfajhblm.exe, Ppdfimji.exe, Fbhfajia.exe, Nphghn32.exe, Ghqchi32.exe, Acejlfhl.exe, Pgopak32.exe, Oahbjmjp.exe, Hhjgll32.exe, Cedbmi32.exe, Kemgqm32.exe, Blqmid32.exe, Lophacfl.exe, Kpcbhlki.exe, Oiqegb32.exe, Jhikhefb.exe, Mkfojakp.exe, Ladebd32.exe, Bemfjgdg.exe, Gcikfhed.exe, Nkjeod32.exe, Bjngbihn.exe, Qlgndbil.exe, Lckpbm32.exe, Dcpoab32.exe, Mdeaim32.exe, Kpblne32.exe
Executes dropped EXE (64 IoCs)

pid | process
2328 | Lcmklh32.exe
2140 | Lhiddoph.exe
2668 | Laahme32.exe
2920 | Ladebd32.exe
2376 | Lohelidp.exe
2676 | Mnmbme32.exe
3004 | Mgegfk32.exe
1072 | Mpnkopeh.exe
1124 | Mjfphf32.exe
2880 | Mcodqkbi.exe
1028 | Moeeelhn.exe
472 | Mlieoqgg.exe
892 | Nllbdp32.exe
2108 | Nhbciaki.exe
1720 | Nnokahip.exe
1848 | Ngjlpmnn.exe
1608 | Ogliemkk.exe
1768 | Omiand32.exe
1460 | Ojmbgh32.exe
1276 | Ocefpnom.exe
2924 | Oaigib32.exe
1360 | Omphocck.exe
2276 | Oleepo32.exe
2908 | Penihe32.exe
1916 | Ppcmfn32.exe
1800 | Phobjp32.exe
1596 | Pebbcdkn.exe
548 | Paiche32.exe
2784 | Pnmdbi32.exe
2620 | Phehko32.exe
2740 | Qigebglj.exe
1392 | Qdlipplq.exe
2528 | Qlgndbil.exe
2540 | Amgjnepn.exe
768 | Aohgfm32.exe
2988 | Aedlhg32.exe
2828 | Aompambg.exe
2056 | Akdafn32.exe
2948 | Ahhaobfe.exe
2336 | Andjgidl.exe
1060 | Bikjmj32.exe
280 | Bccoeo32.exe
1144 | Bjngbihn.exe
1628 | Bdckobhd.exe
1688 | Bnlphh32.exe
2264 | Bgddam32.exe
968 | Blqmid32.exe
2952 | Baneak32.exe
2976 | Ckfjjqhd.exe
2780 | Cfknhi32.exe
2452 | Ckhfpp32.exe
2640 | Ckkcep32.exe
2628 | Dcokpa32.exe
1684 | Dfpcblfp.exe
1740 | Dinpnged.exe
1704 | Dnkhfnck.exe
2560 | Deeqch32.exe
272 | Dgcmod32.exe
2412 | Enneln32.exe
1604 | Eegmhhie.exe
588 | Ejdfqogm.exe
1180 | Eejjnhgc.exe
2672 | Eldbkbop.exe
2156 | Emeobj32.exe
Loads dropped DLL (64 IoCs)

Each pid below is recorded twice in the report (one row per dropped-DLL load), giving 32 processes and 64 IoCs.

pid | process
2448 | 9842b72db0cb3fd8b30901af576d9860N.exe
2328 | Lcmklh32.exe
2140 | Lhiddoph.exe
2668 | Laahme32.exe
2920 | Ladebd32.exe
2376 | Lohelidp.exe
2676 | Mnmbme32.exe
3004 | Mgegfk32.exe
1072 | Mpnkopeh.exe
1124 | Mjfphf32.exe
2880 | Mcodqkbi.exe
1028 | Moeeelhn.exe
472 | Mlieoqgg.exe
892 | Nllbdp32.exe
2108 | Nhbciaki.exe
1720 | Nnokahip.exe
1848 | Ngjlpmnn.exe
1608 | Ogliemkk.exe
1768 | Omiand32.exe
1460 | Ojmbgh32.exe
1276 | Ocefpnom.exe
2924 | Oaigib32.exe
1360 | Omphocck.exe
2276 | Oleepo32.exe
2908 | Penihe32.exe
1916 | Ppcmfn32.exe
1800 | Phobjp32.exe
1596 | Pebbcdkn.exe
548 | Paiche32.exe
2784 | Pnmdbi32.exe
2620 | Phehko32.exe
2740 | Qigebglj.exe
Drops file in System32 directory (64 IoCs)

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Hjplao32.exe | Hnikmnho.exe
File opened for modification | C:\Windows\SysWOW64\Penihe32.exe | Oleepo32.exe
File opened for modification | C:\Windows\SysWOW64\Amgjnepn.exe | Qlgndbil.exe
File created | C:\Windows\SysWOW64\Kembedli.dll | Fegjgkla.exe
File opened for modification | C:\Windows\SysWOW64\Pnfipm32.exe | Pdkhag32.exe
File opened for modification | C:\Windows\SysWOW64\Bhnffi32.exe | Bfmjoqoe.exe
File created | C:\Windows\SysWOW64\Cdlmlidp.exe | Befpkmph.exe
File created | C:\Windows\SysWOW64\Lpefmn32.dll | Hhmhcigh.exe
File opened for modification | C:\Windows\SysWOW64\Abjeejep.exe | Aiaqle32.exe
File created | C:\Windows\SysWOW64\Mpaoojjb.exe | Mjeffc32.exe
File created | C:\Windows\SysWOW64\Hmdcof32.dll | Nkjeod32.exe
File created | C:\Windows\SysWOW64\Gffeolhl.dll | Ckfjjqhd.exe
File created | C:\Windows\SysWOW64\Ljbmbpkb.exe | Llomhllh.exe
File created | C:\Windows\SysWOW64\Qmlbaipp.dll | Pogaeg32.exe
File created | C:\Windows\SysWOW64\Incgfl32.exe | Icnbic32.exe
File created | C:\Windows\SysWOW64\Cihikk32.dll | Bgkeol32.exe
File created | C:\Windows\SysWOW64\Dckdio32.exe | Dmalmdcg.exe
File created | C:\Windows\SysWOW64\Lnapncmc.dll | Glfgnh32.exe
File created | C:\Windows\SysWOW64\Qobbcpoc.dll | Pimkbbpi.exe
File created | C:\Windows\SysWOW64\Jkdoci32.exe | Jpnkep32.exe
File opened for modification | C:\Windows\SysWOW64\Kcamln32.exe | Kkfhglen.exe
File opened for modification | C:\Windows\SysWOW64\Dcpoab32.exe | Dkekmp32.exe
File created | C:\Windows\SysWOW64\Hbqdldhi.exe | Gihpcn32.exe
File created | C:\Windows\SysWOW64\Dmgokcja.exe | Dlcfnk32.exe
File created | C:\Windows\SysWOW64\Cqekiefo.dll | Iomcpe32.exe
File opened for modification | C:\Windows\SysWOW64\Fjfhkl32.exe | Fmbgageq.exe
File created | C:\Windows\SysWOW64\Mnkfcjqe.exe | Mecbjd32.exe
File created | C:\Windows\SysWOW64\Affdii32.dll | Bkhjcing.exe
File created | C:\Windows\SysWOW64\Mghomh32.dll | Kiofnm32.exe
File opened for modification | C:\Windows\SysWOW64\Gmkjgfmf.exe | Gbffjmmp.exe
File opened for modification | C:\Windows\SysWOW64\Ojndpqpq.exe | Nedifo32.exe
File opened for modification | C:\Windows\SysWOW64\Gihpcn32.exe | Gppkkikh.exe
File created | C:\Windows\SysWOW64\Lhpkoo32.exe | Kfobmc32.exe
File created | C:\Windows\SysWOW64\Ggbieb32.exe | Gaeqmk32.exe
File created | C:\Windows\SysWOW64\Qcmkhi32.exe | Qnpcpa32.exe
File created | C:\Windows\SysWOW64\Chehgk32.dll | Egmbnkie.exe
File opened for modification | C:\Windows\SysWOW64\Mjodhe32.exe | Mmkcoq32.exe
File created | C:\Windows\SysWOW64\Pgiolk32.dll | Ifengpdh.exe
File created | C:\Windows\SysWOW64\Mdepmh32.exe | Lhoohgdg.exe
File opened for modification | C:\Windows\SysWOW64\Jaonji32.exe | Jlaeab32.exe
File created | C:\Windows\SysWOW64\Ibjikk32.exe | Hibebeqb.exe
File created | C:\Windows\SysWOW64\Ehbgahjb.dll | Ablbjj32.exe
File created | C:\Windows\SysWOW64\Bfpmog32.exe | Anpooe32.exe
File created | C:\Windows\SysWOW64\Facfpddd.exe | Fpbihl32.exe
File created | C:\Windows\SysWOW64\Kbqgolpf.exe | Kmabqf32.exe
File created | C:\Windows\SysWOW64\Adaflhhb.dll | Dcpoab32.exe
File opened for modification | C:\Windows\SysWOW64\Jhikhefb.exe | Jlbjcd32.exe
File opened for modification | C:\Windows\SysWOW64\Kglfcd32.exe | Kndbko32.exe
File opened for modification | C:\Windows\SysWOW64\Iaegbmlq.exe | Ifkfap32.exe
File opened for modification | C:\Windows\SysWOW64\Gklkdn32.exe | Gnhkkjbf.exe
File created | C:\Windows\SysWOW64\Bjngbihn.exe | Bccoeo32.exe
File opened for modification | C:\Windows\SysWOW64\Blqmid32.exe | Bgddam32.exe
File opened for modification | C:\Windows\SysWOW64\Iqapnjli.exe | Hkdgecna.exe
File opened for modification | C:\Windows\SysWOW64\Doamhe32.exe | Deiipp32.exe
File created | C:\Windows\SysWOW64\Lpeeon32.dll | Jpcfih32.exe
File created | C:\Windows\SysWOW64\Hmpjieck.dll | Qnoklc32.exe
File created | C:\Windows\SysWOW64\Cfmlpf32.dll | Dfpcblfp.exe
File created | C:\Windows\SysWOW64\Gimpofjk.dll | Nljhhi32.exe
File created | C:\Windows\SysWOW64\Gobopn32.dll | Cjhdgk32.exe
File created | C:\Windows\SysWOW64\Pphqlc32.dll | Ahlnmjkf.exe
File created | C:\Windows\SysWOW64\Jafmngde.exe | Jfpmifoa.exe
File created | C:\Windows\SysWOW64\Ecogcf32.dll | Jdmfdgbj.exe
File opened for modification | C:\Windows\SysWOW64\Aokfpjai.exe | Alknnodh.exe
File created | C:\Windows\SysWOW64\Ekgfkl32.exe | Ehiiop32.exe
Program crash (1 IoC)

pid | process | pid_target | target process
4140 | WerFault.exe | 2544 | Iqmcmaja.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

All 64 IoCs are the same operation on the same key:

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
opened by: Lchqcd32.exe, Fmodaadg.exe, Hfajhblm.exe, Eldbkbop.exe, Ikfdkc32.exe, Kglfcd32.exe, Maabcc32.exe, Fehmlh32.exe, Blgfml32.exe, Apkbnibq.exe, Kmoekf32.exe, Pdkhag32.exe, Bclcfnih.exe, Ghkbccdn.exe, Pebbeq32.exe, Fljhmmci.exe, Kmhhae32.exe, Dkpabqoa.exe, Nloedjin.exe, Gdfmccfm.exe, Ilnqhddd.exe, Oclpdf32.exe, Akdafn32.exe, Lijiaabk.exe, Qnpcpa32.exe, Abdeoe32.exe, Hdhdlbpk.exe, Oaigib32.exe, Aompambg.exe, Ekbhnkhf.exe, Ehlmnfeo.exe, Efmckpko.exe, Cpbkhabp.exe, Lckflc32.exe, Ecjibgdh.exe, Fhnjdfcl.exe, Ljndga32.exe, Nhakecld.exe, Ehfkphnd.exe, Ibgglfdl.exe, Jpndkj32.exe, Cmocha32.exe, Eehqme32.exe, Mkgeehnl.exe, Pimkbbpi.exe, Lmpeljkm.exe, Dhekodik.exe, Moeeelhn.exe, Dcokpa32.exe, Lohelidp.exe, Lpdankjg.exe, Niombolm.exe, Nalldh32.exe, Ldhgnk32.exe, Elnonp32.exe, Eegmhhie.exe, Halcmn32.exe, Ojlife32.exe, Qdlipplq.exe, Bgddam32.exe, Heqimm32.exe, Kjfdcc32.exe, Nhffikob.exe, Penihe32.exe
Modifies registry class (64 IoCs)

Processes: Omiand32.exe, Baneak32.exe, Icabeo32.exe, Lcmklh32.exe, Bkdbab32.exe, Kobfqc32.exe, Apkbnibq.exe, Iopeoknn.exe, Noplmlok.exe, Eehqme32.exe, Kpblne32.exe, Mnmbme32.exe, Amgjnepn.exe, Fjfhkl32.exe, Enngdgim.exe, Miiaogio.exe, Kmabqf32.exe, Jephgi32.exe, Ojceef32.exe, Ahfgbkpl.exe, Aokfpjai.exe, Oakcan32.exe, Dgemgm32.exe, Hmlmacfn.exe, Dfpcblfp.exe, Hcdifa32.exe, Malmllfb.exe, Pqgilnji.exe, Mhikae32.exe, Cejfckie.exe, Mjodhe32.exe, Ladebd32.exe, Paiche32.exe, Akdafn32.exe, Cfaqfh32.exe, Dgqion32.exe, Peqhgmdd.exe, Pgopak32.exe, Gcikfhed.exe, Lkhcdhmk.exe, Nbmcjc32.exe, Qidckjae.exe, Domffn32.exe, Iagchmjn.exe, Lkoidcaj.exe, Nphghn32.exe, Ndpmbjbk.exe, Ankckagj.exe, Bdckobhd.exe, Ppkmjlca.exe, Bjalndpb.exe, Hfajhblm.exe, Oafhmf32.exe, Ojlife32.exe, Doqkpl32.exe, Dfbbpd32.exe, Iomcpe32.exe, Peiaij32.exe, Dahobdpe.exe, Fbimkpmm.exe

Every IoC is under the same key, the in-process server registration of the CLSID that the ShellServiceObjectDelayLoad entry above points at:

K = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32

A value path ending in a bare backslash (K\) is the key's default value, which for InProcServer32 is the path of the DLL that COM loads for the CLSID. The report records several different DLL names being written into that one slot.

description | ioc | process
Set value (str) | K\ThreadingModel = "Apartment" | Omiand32.exe
Key created | K | Baneak32.exe
Key created | K | Icabeo32.exe
Key created | K | Lcmklh32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Bkdbab32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Ikmfihln.dll" | Kobfqc32.exe
Key created | K | Apkbnibq.exe
Key created | K | Iopeoknn.exe
Key created | K | Noplmlok.exe
Key created | K | Eehqme32.exe
Key created | K | Kpblne32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Cfnekb32.dll" | Mnmbme32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Kgajcccj.dll" | Omiand32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Knohabdl.dll" | Amgjnepn.exe
Key created | K | Fjfhkl32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Icabeo32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Enngdgim.exe
Set value (str) | K\ThreadingModel = "Apartment" | Miiaogio.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Jjamcall.dll" | Kmabqf32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Kgfbfl32.dll" | Noplmlok.exe
Set value (str) | K\ThreadingModel = "Apartment" | Jephgi32.exe
Key created | K | Ojceef32.exe
Key created | K | Ahfgbkpl.exe
Key created | K | Aokfpjai.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Kmfebofm.dll" | Oakcan32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Odqknf32.dll" | Dgemgm32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Hmlmacfn.exe
Key created | K | Dfpcblfp.exe
Key created | K | Hcdifa32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Dpmodqio.dll" | Malmllfb.exe
Set value (str) | K\ThreadingModel = "Apartment" | Pqgilnji.exe
Set value (str) | K\ThreadingModel = "Apartment" | Mhikae32.exe
Key created | K | Cejfckie.exe
Key created | K | Mjodhe32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Ladebd32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Gknfqppk.dll" | Paiche32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Gpmdcijc.dll" | Akdafn32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Cfaqfh32.exe
Key created | K | Dgqion32.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Gimkklpe.dll" | Peqhgmdd.exe
Key created | K | Pgopak32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Gcikfhed.exe
Key created | K | Lkhcdhmk.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Hpamlo32.dll" | Nbmcjc32.exe
Key created | K | Qidckjae.exe
Set value (str) | K\ThreadingModel = "Apartment" | Domffn32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Iagchmjn.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Fpmcpglh.dll" | Lkoidcaj.exe
Set value (str) | K\ThreadingModel = "Apartment" | Nphghn32.exe
Key created | K | Ndpmbjbk.exe
Set value (str) | K\ThreadingModel = "Apartment" | Ankckagj.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Dlmfbm32.dll" | Bdckobhd.exe
Set value (str) | K\ThreadingModel = "Apartment" | Ppkmjlca.exe
Set value (str) | K\ThreadingModel = "Apartment" | Bjalndpb.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Gohqfe32.dll" | Hfajhblm.exe
Set value (str) | K\ = "C:\\Windows\\SysWow64\\Lakfgi32.dll" | Oafhmf32.exe
Set value (str) | K\ThreadingModel = "Apartment" | Ojlife32.exe
Set value (str) | K\ =
"C:\\Windows\\SysWow64\\Jlpfci32.dll" Doqkpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfbbpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqekiefo.dll" Iomcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpfbd32.dll" Cfaqfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peiaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahobdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnklmfhi.dll" Fbimkpmm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree, one process per line (each process spawns the next): depth. image path | command line | PID | behaviours flagged for that process
1. C:\Users\Admin\AppData\Local\Temp\9842b72db0cb3fd8b30901af576d9860N.exe | "C:\Users\Admin\AppData\Local\Temp\9842b72db0cb3fd8b30901af576d9860N.exe" | PID 2448 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lcmklh32.exe | C:\Windows\system32\Lcmklh32.exe | PID 2328 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Lhiddoph.exe | C:\Windows\system32\Lhiddoph.exe | PID 2140 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Laahme32.exe | C:\Windows\system32\Laahme32.exe | PID 2668 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ladebd32.exe | C:\Windows\system32\Ladebd32.exe | PID 2920 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Lohelidp.exe | C:\Windows\system32\Lohelidp.exe | PID 2376 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Mnmbme32.exe | C:\Windows\system32\Mnmbme32.exe | PID 2676 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Mgegfk32.exe | C:\Windows\system32\Mgegfk32.exe | PID 3004 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Mpnkopeh.exe | C:\Windows\system32\Mpnkopeh.exe | PID 1072 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Mjfphf32.exe | C:\Windows\system32\Mjfphf32.exe | PID 1124 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Mcodqkbi.exe | C:\Windows\system32\Mcodqkbi.exe | PID 2880 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Moeeelhn.exe | C:\Windows\system32\Moeeelhn.exe | PID 1028 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Mlieoqgg.exe | C:\Windows\system32\Mlieoqgg.exe | PID 472 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Nllbdp32.exe | C:\Windows\system32\Nllbdp32.exe | PID 892 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Nhbciaki.exe | C:\Windows\system32\Nhbciaki.exe | PID 2108 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Nnokahip.exe | C:\Windows\system32\Nnokahip.exe | PID 1720 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ngjlpmnn.exe | C:\Windows\system32\Ngjlpmnn.exe | PID 1848 | Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Ogliemkk.exe | C:\Windows\system32\Ogliemkk.exe | PID 1608 | Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Omiand32.exe | C:\Windows\system32\Omiand32.exe | PID 1768 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
20. C:\Windows\SysWOW64\Ojmbgh32.exe | C:\Windows\system32\Ojmbgh32.exe | PID 1460 | Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Ocefpnom.exe | C:\Windows\system32\Ocefpnom.exe | PID 1276 | Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Oaigib32.exe | C:\Windows\system32\Oaigib32.exe | PID 2924 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
23. C:\Windows\SysWOW64\Omphocck.exe | C:\Windows\system32\Omphocck.exe | PID 1360 | Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Oleepo32.exe | C:\Windows\system32\Oleepo32.exe | PID 2276 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
25. C:\Windows\SysWOW64\Penihe32.exe | C:\Windows\system32\Penihe32.exe | PID 2908 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
26. C:\Windows\SysWOW64\Ppcmfn32.exe | C:\Windows\system32\Ppcmfn32.exe | PID 1916 | Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Phobjp32.exe | C:\Windows\system32\Phobjp32.exe | PID 1800 | Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Pebbcdkn.exe | C:\Windows\system32\Pebbcdkn.exe | PID 1596 | Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Paiche32.exe | C:\Windows\system32\Paiche32.exe | PID 548 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
30. C:\Windows\SysWOW64\Pnmdbi32.exe | C:\Windows\system32\Pnmdbi32.exe | PID 2784 | Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Phehko32.exe | C:\Windows\system32\Phehko32.exe | PID 2620 | Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Qigebglj.exe | C:\Windows\system32\Qigebglj.exe | PID 2740 | Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Qdlipplq.exe | C:\Windows\system32\Qdlipplq.exe | PID 1392 | Executes dropped EXE; System Location Discovery: System Language Discovery
34. C:\Windows\SysWOW64\Qlgndbil.exe | C:\Windows\system32\Qlgndbil.exe | PID 2528 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
35. C:\Windows\SysWOW64\Amgjnepn.exe | C:\Windows\system32\Amgjnepn.exe | PID 2540 | Executes dropped EXE; Modifies registry class
36. C:\Windows\SysWOW64\Aohgfm32.exe | C:\Windows\system32\Aohgfm32.exe | PID 768 | Executes dropped EXE
37. C:\Windows\SysWOW64\Aedlhg32.exe | C:\Windows\system32\Aedlhg32.exe | PID 2988 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
38. C:\Windows\SysWOW64\Aompambg.exe | C:\Windows\system32\Aompambg.exe | PID 2828 | Executes dropped EXE; System Location Discovery: System Language Discovery
39. C:\Windows\SysWOW64\Akdafn32.exe | C:\Windows\system32\Akdafn32.exe | PID 2056 | Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
40. C:\Windows\SysWOW64\Ahhaobfe.exe | C:\Windows\system32\Ahhaobfe.exe | PID 2948 | Executes dropped EXE
41. C:\Windows\SysWOW64\Andjgidl.exe | C:\Windows\system32\Andjgidl.exe | PID 2336 | Executes dropped EXE
42. C:\Windows\SysWOW64\Bikjmj32.exe | C:\Windows\system32\Bikjmj32.exe | PID 1060 | Executes dropped EXE
43. C:\Windows\SysWOW64\Bccoeo32.exe | C:\Windows\system32\Bccoeo32.exe | PID 280 | Executes dropped EXE; Drops file in System32 directory
44. C:\Windows\SysWOW64\Bjngbihn.exe | C:\Windows\system32\Bjngbihn.exe | PID 1144 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
45. C:\Windows\SysWOW64\Bdckobhd.exe | C:\Windows\system32\Bdckobhd.exe | PID 1628 | Executes dropped EXE; Modifies registry class
46. C:\Windows\SysWOW64\Bnlphh32.exe | C:\Windows\system32\Bnlphh32.exe | PID 1688 | Executes dropped EXE
47. C:\Windows\SysWOW64\Bgddam32.exe | C:\Windows\system32\Bgddam32.exe | PID 2264 | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
48. C:\Windows\SysWOW64\Blqmid32.exe | C:\Windows\system32\Blqmid32.exe | PID 968 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
49. C:\Windows\SysWOW64\Baneak32.exe | C:\Windows\system32\Baneak32.exe | PID 2952 | Executes dropped EXE; Modifies registry class
50. C:\Windows\SysWOW64\Ckfjjqhd.exe | C:\Windows\system32\Ckfjjqhd.exe | PID 2976 | Executes dropped EXE; Drops file in System32 directory
51. C:\Windows\SysWOW64\Cfknhi32.exe | C:\Windows\system32\Cfknhi32.exe | PID 2780 | Executes dropped EXE
52. C:\Windows\SysWOW64\Ckhfpp32.exe | C:\Windows\system32\Ckhfpp32.exe | PID 2452 | Executes dropped EXE
53. C:\Windows\SysWOW64\Ckkcep32.exe | C:\Windows\system32\Ckkcep32.exe | PID 2640 | Executes dropped EXE
54. C:\Windows\SysWOW64\Dcokpa32.exe | C:\Windows\system32\Dcokpa32.exe | PID 2628 | Executes dropped EXE; System Location Discovery: System Language Discovery
55. C:\Windows\SysWOW64\Dfpcblfp.exe | C:\Windows\system32\Dfpcblfp.exe | PID 1684 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
56. C:\Windows\SysWOW64\Dinpnged.exe | C:\Windows\system32\Dinpnged.exe | PID 1740 | Executes dropped EXE
57. C:\Windows\SysWOW64\Dnkhfnck.exe | C:\Windows\system32\Dnkhfnck.exe | PID 1704 | Executes dropped EXE
58. C:\Windows\SysWOW64\Deeqch32.exe | C:\Windows\system32\Deeqch32.exe | PID 2560 | Executes dropped EXE
59. C:\Windows\SysWOW64\Dgcmod32.exe | C:\Windows\system32\Dgcmod32.exe | PID 272 | Executes dropped EXE
60. C:\Windows\SysWOW64\Enneln32.exe | C:\Windows\system32\Enneln32.exe | PID 2412 | Executes dropped EXE
61. C:\Windows\SysWOW64\Eegmhhie.exe | C:\Windows\system32\Eegmhhie.exe | PID 1604 | Executes dropped EXE; System Location Discovery: System Language Discovery
62. C:\Windows\SysWOW64\Ejdfqogm.exe | C:\Windows\system32\Ejdfqogm.exe | PID 588 | Executes dropped EXE
63. C:\Windows\SysWOW64\Eejjnhgc.exe | C:\Windows\system32\Eejjnhgc.exe | PID 1180 | Executes dropped EXE
64. C:\Windows\SysWOW64\Eldbkbop.exe | C:\Windows\system32\Eldbkbop.exe | PID 2672 | Executes dropped EXE; System Location Discovery: System Language Discovery
65. C:\Windows\SysWOW64\Emeobj32.exe | C:\Windows\system32\Emeobj32.exe | PID 2156 | Executes dropped EXE
66. C:\Windows\SysWOW64\Efmckpko.exe | C:\Windows\system32\Efmckpko.exe | PID 2096 | System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Emgkhj32.exe | C:\Windows\system32\Emgkhj32.exe | PID 1632
68. C:\Windows\SysWOW64\Ecadddjh.exe | C:\Windows\system32\Ecadddjh.exe | PID 1760
69. C:\Windows\SysWOW64\Einlmkhp.exe | C:\Windows\system32\Einlmkhp.exe | PID 1892
70. C:\Windows\SysWOW64\Ephdjeol.exe | C:\Windows\system32\Ephdjeol.exe | PID 1672
71. C:\Windows\SysWOW64\Fmlecinf.exe | C:\Windows\system32\Fmlecinf.exe | PID 2300
72. C:\Windows\SysWOW64\Fbimkpmm.exe | C:\Windows\system32\Fbimkpmm.exe | PID 2932 | Modifies registry class
73. C:\Windows\SysWOW64\Fegjgkla.exe | C:\Windows\system32\Fegjgkla.exe | PID 2116 | Drops file in System32 directory
74. C:\Windows\SysWOW64\Flabdecn.exe | C:\Windows\system32\Flabdecn.exe | PID 2636
75. C:\Windows\SysWOW64\Fbkjap32.exe | C:\Windows\system32\Fbkjap32.exe | PID 2872
76. C:\Windows\SysWOW64\Fhhbif32.exe | C:\Windows\system32\Fhhbif32.exe | PID 2716
77. C:\Windows\SysWOW64\Fbngfo32.exe | C:\Windows\system32\Fbngfo32.exe | PID 2380
78. C:\Windows\SysWOW64\Fhjoof32.exe | C:\Windows\system32\Fhjoof32.exe | PID 1756
79. C:\Windows\SysWOW64\Fodgkp32.exe | C:\Windows\system32\Fodgkp32.exe | PID 1272
80. C:\Windows\SysWOW64\Fkkhpadq.exe | C:\Windows\system32\Fkkhpadq.exe | PID 896
81. C:\Windows\SysWOW64\Gaeqmk32.exe | C:\Windows\system32\Gaeqmk32.exe | PID 2860 | Drops file in System32 directory
82. C:\Windows\SysWOW64\Ggbieb32.exe | C:\Windows\system32\Ggbieb32.exe | PID 2460
83. C:\Windows\SysWOW64\Gmlablaa.exe | C:\Windows\system32\Gmlablaa.exe | PID 1780
84. C:\Windows\SysWOW64\Ghaeoe32.exe | C:\Windows\system32\Ghaeoe32.exe | PID 1496
85. C:\Windows\SysWOW64\Gibbgmfe.exe | C:\Windows\system32\Gibbgmfe.exe | PID 2060
86. C:\Windows\SysWOW64\Gdhfdffl.exe | C:\Windows\system32\Gdhfdffl.exe | PID 1744
87. C:\Windows\SysWOW64\Gmqkml32.exe | C:\Windows\system32\Gmqkml32.exe | PID 364
88. C:\Windows\SysWOW64\Gcmcebkc.exe | C:\Windows\system32\Gcmcebkc.exe | PID 2816
89. C:\Windows\SysWOW64\Geloanjg.exe | C:\Windows\system32\Geloanjg.exe | PID 2904
90. C:\Windows\SysWOW64\Glfgnh32.exe | C:\Windows\system32\Glfgnh32.exe | PID 2032 | Drops file in System32 directory
91. C:\Windows\SysWOW64\Ggklka32.exe | C:\Windows\system32\Ggklka32.exe | PID 1508
92. C:\Windows\SysWOW64\Hhmhcigh.exe | C:\Windows\system32\Hhmhcigh.exe | PID 2900 | Drops file in System32 directory
93. C:\Windows\SysWOW64\Hcblqb32.exe | C:\Windows\system32\Hcblqb32.exe | PID 1924
94. C:\Windows\SysWOW64\Heqimm32.exe | C:\Windows\system32\Heqimm32.exe | PID 1512 | System Location Discovery: System Language Discovery
95. C:\Windows\SysWOW64\Hcdifa32.exe | C:\Windows\system32\Hcdifa32.exe | PID 2356 | Modifies registry class
96. C:\Windows\SysWOW64\Hhaanh32.exe | C:\Windows\system32\Hhaanh32.exe | PID 2360
97. C:\Windows\SysWOW64\Hokjkbkp.exe | C:\Windows\system32\Hokjkbkp.exe | PID 1292
98. C:\Windows\SysWOW64\Hdhbci32.exe | C:\Windows\system32\Hdhbci32.exe | PID 2592
99. C:\Windows\SysWOW64\Hnpgloog.exe | C:\Windows\system32\Hnpgloog.exe | PID 1920
100. C:\Windows\SysWOW64\Halcmn32.exe | C:\Windows\system32\Halcmn32.exe | PID 2812 | System Location Discovery: System Language Discovery
101. C:\Windows\SysWOW64\Hkdgecna.exe | C:\Windows\system32\Hkdgecna.exe | PID 1748 | Drops file in System32 directory
102. C:\Windows\SysWOW64\Iqapnjli.exe | C:\Windows\system32\Iqapnjli.exe | PID 2604
103. C:\Windows\SysWOW64\Ikfdkc32.exe | C:\Windows\system32\Ikfdkc32.exe | PID 2648 | System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Imhqbkbm.exe | C:\Windows\system32\Imhqbkbm.exe | PID 1100
105. C:\Windows\SysWOW64\Igmepdbc.exe | C:\Windows\system32\Igmepdbc.exe | PID 2012
106. C:\Windows\SysWOW64\Ijlaloaf.exe | C:\Windows\system32\Ijlaloaf.exe | PID 2260 | Adds autorun key to be loaded by Explorer.exe on startup
107. C:\Windows\SysWOW64\Iqfiii32.exe | C:\Windows\system32\Iqfiii32.exe | PID 1616
108. C:\Windows\SysWOW64\Ifbaapfk.exe | C:\Windows\system32\Ifbaapfk.exe | PID 1948
109. C:\Windows\SysWOW64\Iqhfnifq.exe | C:\Windows\system32\Iqhfnifq.exe | PID 2440
110. C:\Windows\SysWOW64\Ifengpdh.exe | C:\Windows\system32\Ifengpdh.exe | PID 3048 | Drops file in System32 directory
111. C:\Windows\SysWOW64\Iomcpe32.exe | C:\Windows\system32\Iomcpe32.exe | PID 2028 | Drops file in System32 directory; Modifies registry class
112. C:\Windows\SysWOW64\Ifgklp32.exe | C:\Windows\system32\Ifgklp32.exe | PID 1160
113. C:\Windows\SysWOW64\Joppeeif.exe | C:\Windows\system32\Joppeeif.exe | PID 2436
114. C:\Windows\SysWOW64\Jelhmlgm.exe | C:\Windows\system32\Jelhmlgm.exe | PID 1236
115. C:\Windows\SysWOW64\Joblkegc.exe | C:\Windows\system32\Joblkegc.exe | PID 824
116. C:\Windows\SysWOW64\Jbphgpfg.exe | C:\Windows\system32\Jbphgpfg.exe | PID 2944
117. C:\Windows\SysWOW64\Jijacjnc.exe | C:\Windows\system32\Jijacjnc.exe | PID 2224
118. C:\Windows\SysWOW64\Jngilalk.exe | C:\Windows\system32\Jngilalk.exe | PID 2760
119. C:\Windows\SysWOW64\Jeaahk32.exe | C:\Windows\system32\Jeaahk32.exe | PID 2736
120. C:\Windows\SysWOW64\Jnifaajh.exe | C:\Windows\system32\Jnifaajh.exe | PID 2660
121. C:\Windows\SysWOW64\Jcfoihhp.exe | C:\Windows\system32\Jcfoihhp.exe | PID 1896
122. C:\Windows\SysWOW64\Jnlbgq32.exe | C:\Windows\system32\Jnlbgq32.exe | PID 2216
123. C:\Windows\SysWOW64\Kgdgpfnf.exe | C:\Windows\system32\Kgdgpfnf.exe | PID 2896
124. C:\Windows\SysWOW64\Kmaphmln.exe | C:\Windows\system32\Kmaphmln.exe | PID 2768
125. C:\Windows\SysWOW64\Kbnhpdke.exe | C:\Windows\system32\Kbnhpdke.exe | PID 2844
126. C:\Windows\SysWOW64\Kmclmm32.exe | C:\Windows\system32\Kmclmm32.exe | PID 2044
127. C:\Windows\SysWOW64\Kflafbak.exe | C:\Windows\system32\Kflafbak.exe | PID 2020
128. C:\Windows\SysWOW64\Klhioioc.exe | C:\Windows\system32\Klhioioc.exe | PID 2368
129. C:\Windows\SysWOW64\Kbbakc32.exe | C:\Windows\system32\Kbbakc32.exe | PID 2248
130. C:\Windows\SysWOW64\Khojcj32.exe | C:\Windows\system32\Khojcj32.exe | PID 2512
131. C:\Windows\SysWOW64\Kpfbegei.exe | C:\Windows\system32\Kpfbegei.exe | PID 2580
132. C:\Windows\SysWOW64\Kiofnm32.exe | C:\Windows\system32\Kiofnm32.exe | PID 2776 | Drops file in System32 directory
133. C:\Windows\SysWOW64\Lolofd32.exe | C:\Windows\system32\Lolofd32.exe | PID 2832
134. C:\Windows\SysWOW64\Ldhgnk32.exe | C:\Windows\system32\Ldhgnk32.exe | PID 1840 | System Location Discovery: System Language Discovery
135. C:\Windows\SysWOW64\Lonlkcho.exe | C:\Windows\system32\Lonlkcho.exe | PID 2244
136. C:\Windows\SysWOW64\Ldkdckff.exe | C:\Windows\system32\Ldkdckff.exe | PID 2612
137. C:\Windows\SysWOW64\Lophacfl.exe | C:\Windows\system32\Lophacfl.exe | PID 1552 | Adds autorun key to be loaded by Explorer.exe on startup
138. C:\Windows\SysWOW64\Laodmoep.exe | C:\Windows\system32\Laodmoep.exe | PID 2228
139. C:\Windows\SysWOW64\Lhimji32.exe | C:\Windows\system32\Lhimji32.exe | PID 2444
140. C:\Windows\SysWOW64\Lijiaabk.exe | C:\Windows\system32\Lijiaabk.exe | PID 1832 | System Location Discovery: System Language Discovery
141. C:\Windows\SysWOW64\Lpdankjg.exe | C:\Windows\system32\Lpdankjg.exe | PID 3036 | System Location Discovery: System Language Discovery
142. C:\Windows\SysWOW64\Lmhbgpia.exe | C:\Windows\system32\Lmhbgpia.exe | PID 2232
143. C:\Windows\SysWOW64\Mejmmqpd.exe | C:\Windows\system32\Mejmmqpd.exe | PID 2400
144. C:\Windows\SysWOW64\Mkgeehnl.exe | C:\Windows\system32\Mkgeehnl.exe | PID 2496 | System Location Discovery: System Language Discovery
145. C:\Windows\SysWOW64\Mdojnm32.exe | C:\Windows\system32\Mdojnm32.exe | PID 2824
146. C:\Windows\SysWOW64\Nphghn32.exe | C:\Windows\system32\Nphghn32.exe | PID 944 | Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
147. C:\Windows\SysWOW64\Nknkeg32.exe | C:\Windows\system32\Nknkeg32.exe | PID 1104
148. C:\Windows\SysWOW64\Ndfpnl32.exe | C:\Windows\system32\Ndfpnl32.exe | PID 2708
149. C:\Windows\SysWOW64\Njchfc32.exe | C:\Windows\system32\Njchfc32.exe | PID 1560 | Adds autorun key to be loaded by Explorer.exe on startup
150. C:\Windows\SysWOW64\Nckmpicl.exe | C:\Windows\system32\Nckmpicl.exe | PID 1700
151. C:\Windows\SysWOW64\Ncnjeh32.exe | C:\Windows\system32\Ncnjeh32.exe | PID 788
152. C:\Windows\SysWOW64\Obcffefa.exe | C:\Windows\system32\Obcffefa.exe | PID 2524
153. C:\Windows\SysWOW64\Ooggpiek.exe | C:\Windows\system32\Ooggpiek.exe | PID 1716
154. C:\Windows\SysWOW64\Oiokholk.exe | C:\Windows\system32\Oiokholk.exe | PID 1080
155. C:\Windows\SysWOW64\Oqkpmaif.exe | C:\Windows\system32\Oqkpmaif.exe | PID 2664
156. C:\Windows\SysWOW64\Ojceef32.exe | C:\Windows\system32\Ojceef32.exe | PID 2680 | Modifies registry class
157. C:\Windows\SysWOW64\Oggeokoq.exe | C:\Windows\system32\Oggeokoq.exe | PID 2936
158. C:\Windows\SysWOW64\Pjhnqfla.exe | C:\Windows\system32\Pjhnqfla.exe | PID 2576
159. C:\Windows\SysWOW64\Ppdfimji.exe | C:\Windows\system32\Ppdfimji.exe | PID 1996 | Adds autorun key to be loaded by Explorer.exe on startup
160. C:\Windows\SysWOW64\Pimkbbpi.exe | C:\Windows\system32\Pimkbbpi.exe | PID 3068 | Drops file in System32 directory; System Location Discovery: System Language Discovery
161. C:\Windows\SysWOW64\Pbepkh32.exe | C:\Windows\system32\Pbepkh32.exe | PID 1668
162. C:\Windows\SysWOW64\Ppkmjlca.exe | C:\Windows\system32\Ppkmjlca.exe | PID 1612 | Modifies registry class
163. C:\Windows\SysWOW64\Pidaba32.exe | C:\Windows\system32\Pidaba32.exe | PID 1820
164. C:\Windows\SysWOW64\Qekbgbpf.exe | C:\Windows\system32\Qekbgbpf.exe | PID 1064
165. C:\Windows\SysWOW64\Qjgjpi32.exe | C:\Windows\system32\Qjgjpi32.exe | PID 2500
166. C:\Windows\SysWOW64\Qdpohodn.exe | C:\Windows\system32\Qdpohodn.exe | PID 1128
167. C:\Windows\SysWOW64\Ahngomkd.exe | C:\Windows\system32\Ahngomkd.exe | PID 2756
168. C:\Windows\SysWOW64\Amjpgdik.exe | C:\Windows\system32\Amjpgdik.exe | PID 2332
169. C:\Windows\SysWOW64\Ahpddmia.exe | C:\Windows\system32\Ahpddmia.exe | PID 564
170. C:\Windows\SysWOW64\Aiaqle32.exe | C:\Windows\system32\Aiaqle32.exe | PID 1620 | Drops file in System32 directory
171. C:\Windows\SysWOW64\Abjeejep.exe | C:\Windows\system32\Abjeejep.exe | PID 1168 | Adds autorun key to be loaded by Explorer.exe on startup
172. C:\Windows\SysWOW64\Ablbjj32.exe | C:\Windows\system32\Ablbjj32.exe | PID 1416 | Drops file in System32 directory
173. C:\Windows\SysWOW64\Aejnfe32.exe | C:\Windows\system32\Aejnfe32.exe | PID 2128
174. C:\Windows\SysWOW64\Abnopj32.exe | C:\Windows\system32\Abnopj32.exe | PID 2840
175. C:\Windows\SysWOW64\Bihgmdih.exe | C:\Windows\system32\Bihgmdih.exe | PID 2764
176. C:\Windows\SysWOW64\Baclaf32.exe | C:\Windows\system32\Baclaf32.exe | PID 2024
177. C:\Windows\SysWOW64\Bklpjlmc.exe | C:\Windows\system32\Bklpjlmc.exe | PID 1088
178. C:\Windows\SysWOW64\Bhpqcpkm.exe | C:\Windows\system32\Bhpqcpkm.exe | PID 1524
179. C:\Windows\SysWOW64\Bceeqi32.exe | C:\Windows\system32\Bceeqi32.exe | PID 2424
180. C:\Windows\SysWOW64\Bhbmip32.exe | C:\Windows\system32\Bhbmip32.exe | PID 2596
181. C:\Windows\SysWOW64\Bdinnqon.exe | C:\Windows\system32\Bdinnqon.exe | PID 2652
182. C:\Windows\SysWOW64\Cdkkcp32.exe | C:\Windows\system32\Cdkkcp32.exe | PID 3028
183. C:\Windows\SysWOW64\Cpbkhabp.exe | C:\Windows\system32\Cpbkhabp.exe | PID 1572 | System Location Discovery: System Language Discovery
184. C:\Windows\SysWOW64\Cnflae32.exe | C:\Windows\system32\Cnflae32.exe | PID 1844
185. C:\Windows\SysWOW64\Cfaqfh32.exe | C:\Windows\system32\Cfaqfh32.exe | PID 652 | Modifies registry class
186. C:\Windows\SysWOW64\Clkicbfa.exe | C:\Windows\system32\Clkicbfa.exe | PID 1600
187. C:\Windows\SysWOW64\Clnehado.exe | C:\Windows\system32\Clnehado.exe | PID 1696
188. C:\Windows\SysWOW64\Cbjnqh32.exe | C:\Windows\system32\Cbjnqh32.exe | PID 3112
189. C:\Windows\SysWOW64\Dlpbna32.exe | C:\Windows\system32\Dlpbna32.exe | PID 3152
190. C:\Windows\SysWOW64\Dfhgggim.exe | C:\Windows\system32\Dfhgggim.exe | PID 3192
191. C:\Windows\SysWOW64\Doqkpl32.exe | C:\Windows\system32\Doqkpl32.exe | PID 3232 | Modifies registry class
192. C:\Windows\SysWOW64\Dhiphb32.exe | C:\Windows\system32\Dhiphb32.exe | PID 3272
193. C:\Windows\SysWOW64\Dkgldm32.exe | C:\Windows\system32\Dkgldm32.exe | PID 3312
194. C:\Windows\SysWOW64\Djmiejji.exe | C:\Windows\system32\Djmiejji.exe | PID 3356
195. C:\Windows\SysWOW64\Dgqion32.exe | C:\Windows\system32\Dgqion32.exe | PID 3396 | Modifies registry class
196. C:\Windows\SysWOW64\Egcfdn32.exe | C:\Windows\system32\Egcfdn32.exe | PID 3440
197. C:\Windows\SysWOW64\Eqkjmcmq.exe | C:\Windows\system32\Eqkjmcmq.exe | PID 3488
198. C:\Windows\SysWOW64\Ejfllhao.exe | C:\Windows\system32\Ejfllhao.exe | PID 3528
199. C:\Windows\SysWOW64\Eepmlf32.exe | C:\Windows\system32\Eepmlf32.exe | PID 3568
200. C:\Windows\SysWOW64\Efoifiep.exe | C:\Windows\system32\Efoifiep.exe | PID 3608
201. C:\Windows\SysWOW64\Fedfgejh.exe | C:\Windows\system32\Fedfgejh.exe | PID 3648
202. C:\Windows\SysWOW64\Fbhfajia.exe | C:\Windows\system32\Fbhfajia.exe | PID 3688 | Adds autorun key to be loaded by Explorer.exe on startup
203. C:\Windows\SysWOW64\Fmbgageq.exe | C:\Windows\system32\Fmbgageq.exe | PID 3728 | Drops file in System32 directory
204. C:\Windows\SysWOW64\Fjfhkl32.exe | C:\Windows\system32\Fjfhkl32.exe | PID 3768 | Modifies registry class
205. C:\Windows\SysWOW64\Fikelhib.exe | C:\Windows\system32\Fikelhib.exe | PID 3808
206. C:\Windows\SysWOW64\Gjjafkpe.exe | C:\Windows\system32\Gjjafkpe.exe | PID 3852
207. C:\Windows\SysWOW64\Gbffjmmp.exe | C:\Windows\system32\Gbffjmmp.exe | PID 3892 | Drops file in System32 directory
208. C:\Windows\SysWOW64\Gmkjgfmf.exe | C:\Windows\system32\Gmkjgfmf.exe | PID 3932
209. C:\Windows\SysWOW64\Ghekhd32.exe | C:\Windows\system32\Ghekhd32.exe | PID 3972
210. C:\Windows\SysWOW64\Geilah32.exe | C:\Windows\system32\Geilah32.exe | PID 4012
211. C:\Windows\SysWOW64\Gkedjo32.exe | C:\Windows\system32\Gkedjo32.exe | PID 4052
212. C:\Windows\SysWOW64\Gleqdb32.exe | C:\Windows\system32\Gleqdb32.exe | PID 2964
213. C:\Windows\SysWOW64\Hmijajbd.exe | C:\Windows\system32\Hmijajbd.exe | PID 3084 | Adds autorun key to be loaded by Explorer.exe on startup
214. C:\Windows\SysWOW64\Hchoop32.exe | C:\Windows\system32\Hchoop32.exe | PID 3168
215. C:\Windows\SysWOW64\Hnmcli32.exe | C:\Windows\system32\Hnmcli32.exe | PID 3216
216. C:\Windows\SysWOW64\Hpnlndkp.exe | C:\Windows\system32\Hpnlndkp.exe | PID 3264
217. C:\Windows\SysWOW64\Ilemce32.exe | C:\Windows\system32\Ilemce32.exe | PID 760
218. C:\Windows\SysWOW64\Iocioq32.exe | C:\Windows\system32\Iocioq32.exe | PID 3372
219. C:\Windows\SysWOW64\Ihlnhffh.exe | C:\Windows\system32\Ihlnhffh.exe | PID 3408
220. C:\Windows\SysWOW64\Icabeo32.exe | C:\Windows\system32\Icabeo32.exe | PID 3472 | Modifies registry class
221. C:\Windows\SysWOW64\Iklfia32.exe | C:\Windows\system32\Iklfia32.exe | PID 3516
222. C:\Windows\SysWOW64\Ihpgce32.exe | C:\Windows\system32\Ihpgce32.exe | PID 3576
223. C:\Windows\SysWOW64\Iqllghon.exe | C:\Windows\system32\Iqllghon.exe | PID 3628
224. C:\Windows\SysWOW64\Ibkhak32.exe | C:\Windows\system32\Ibkhak32.exe | PID 3660
225. C:\Windows\SysWOW64\Jkcmjpma.exe | C:\Windows\system32\Jkcmjpma.exe | PID 3720
226. C:\Windows\SysWOW64\Jgmjdaqb.exe | C:\Windows\system32\Jgmjdaqb.exe | PID 3760
227. C:\Windows\SysWOW64\Jmlobg32.exe | C:\Windows\system32\Jmlobg32.exe | PID 3816
228. C:\Windows\SysWOW64\Kmnlhg32.exe | C:\Windows\system32\Kmnlhg32.exe | PID 3868
229. C:\Windows\SysWOW64\Kpoejbhe.exe | C:\Windows\system32\Kpoejbhe.exe | PID 3916 | Adds autorun key to be loaded by Explorer.exe on startup
230. C:\Windows\SysWOW64\Kelmbifm.exe | C:\Windows\system32\Kelmbifm.exe | PID 3968
231. C:\Windows\SysWOW64\Kndbko32.exe | C:\Windows\system32\Kndbko32.exe | PID 4024 | Drops file in System32 directory
232. C:\Windows\SysWOW64\Kglfcd32.exe | C:\Windows\system32\Kglfcd32.exe | PID 4064 | System Location Discovery: System Language Discovery
233. C:\Windows\SysWOW64\Kepgmh32.exe | C:\Windows\system32\Kepgmh32.exe | PID 3104
234. C:\Windows\SysWOW64\Knikfnih.exe | C:\Windows\system32\Knikfnih.exe | PID 3132
235. C:\Windows\SysWOW64\Lhapocoi.exe | C:\Windows\system32\Lhapocoi.exe | PID 3240
-
C:\Windows\SysWOW64\Lchqcd32.exeC:\Windows\system32\Lchqcd32.exe236⤵
- System Location Discovery: System Language Discovery
PID:3280 -
C:\Windows\SysWOW64\Lmpeljkm.exeC:\Windows\system32\Lmpeljkm.exe237⤵
- System Location Discovery: System Language Discovery
PID:3388 -
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe238⤵PID:3328
-
C:\Windows\SysWOW64\Liibgkoo.exeC:\Windows\system32\Liibgkoo.exe239⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3480 -
C:\Windows\SysWOW64\Lhoohgdg.exeC:\Windows\system32\Lhoohgdg.exe240⤵
- Drops file in System32 directory
PID:3548 -
C:\Windows\SysWOW64\Mdepmh32.exeC:\Windows\system32\Mdepmh32.exe241⤵PID:3632
-
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe242⤵PID:3748