Analysis
max time kernel: 41s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 02:01
Static task: static1
Behavioral task: behavioral1
Sample: d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb.exe
Resource: win7-20240704-en

General
Target: d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb.exe
Size: 163KB
MD5: ced3ed83128696c16eef4c0e8b87b972
SHA1: b5fbdb81356088a7ad2c43429e39a03577f4079a
SHA256: d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb
SHA512: 4297de45b31d665a18c39cd244855d2fcb21378ab432799b2c371d5bea66d98df6c66df51275e967f4d0c61ad94b788f2b72135fc6f06cbd907b012a23d0c4bf
SSDEEP: 1536:P3McDWqgZfhfAXBT4EwY8TJlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:+ZpcTPw9TJltOrWKDBr+yJb

Malware Config
Extracted: gozi

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibeloo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kifgllbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfnnpbnn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipecndab.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oakcan32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opicgenj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imgija32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gpiffngk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjbehfbo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aolihc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hafbid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Piiekp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bocfch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phmkaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gepeep32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epgoio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ijjgkmqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbnfdpge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hekhid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhqpqp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kemgqm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hjnaehgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Opicgenj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Adkbgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpnbcfkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcafbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npngng32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnocdb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdklnq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ibeloo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jdplmflg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kemgqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiehbl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohmljj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohqbbi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eamgeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iqnlpq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbhfcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Boifinfg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkconepp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofcldoef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eapcjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Omoehf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joicje32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kkajkoml.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfnnpbnn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiehbl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgphke32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejeknelp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lllihf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hpbilmop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hafbid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iqnlpq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Joaebkni.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcgdgnmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gghloe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekeiel32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhhmle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncbdjhnf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boainhic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hdgkkppm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hhnnpolk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Papkcd32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2224 | Nmpiicdm.exe
2832 | Ndiaem32.exe
2768 | Obonfj32.exe
2824 | Obcgaill.exe
892 | Okolfkjg.exe
3056 | Omoehf32.exe
1328 | Oheieo32.exe
2508 | Pppnia32.exe
2100 | Papkcd32.exe
2696 | Pglclk32.exe
292 | Plneoace.exe
848 | Qjbehfbo.exe
2212 | Aoakfl32.exe
2268 | Agloko32.exe
1344 | Adppdckh.exe
1924 | Adbmjbif.exe
920 | Adeiobgc.exe
2376 | Ajaagi32.exe
1552 | Agebam32.exe
1064 | Bfkobj32.exe
1604 | Bnhqll32.exe
3032 | Bineidcj.exe
1956 | Bbfibj32.exe
1508 | Cgeopqfp.exe
2472 | Cfkkam32.exe
1568 | Cappnf32.exe
2844 | Cikdbhhi.exe
2976 | Cfoellgb.exe
2812 | Cpgieb32.exe
1484 | Cipnng32.exe
2884 | Dfdngl32.exe
2800 | Doocln32.exe
2648 | Dekhnh32.exe
324 | Dkhpfo32.exe
1364 | Dendcg32.exe
2956 | Ddcadd32.exe
332 | Eganqo32.exe
1560 | Echoepmo.exe
2144 | Egfglocf.exe
928 | Elcpdeam.exe
2252 | Eoalpaaa.exe
960 | Eocieq32.exe
1900 | Fhccoe32.exe
1384 | Fakhhk32.exe
1544 | Fghppa32.exe
1088 | Fleihi32.exe
900 | Fgjmfa32.exe
1340 | Ggmjkapi.exe
2340 | Gjkfglom.exe
876 | Gfbfln32.exe
2776 | Gojkecka.exe
2296 | Gomhkb32.exe
2168 | Gghloe32.exe
3048 | Hbnqln32.exe
1948 | Helmiiec.exe
2120 | Hndaao32.exe
1496 | Hgmfjdbe.exe
1992 | Hccfoehi.exe
1972 | Hfbckagm.exe
1216 | Haggijgb.exe
1336 | Hiblmldn.exe
1860 | Hbkpfa32.exe
2876 | Hiehbl32.exe
3012 | Icjmpd32.exe
Loads dropped DLL (64 IoCs)
pid | Process
624 | d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb.exe
624 | d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb.exe
2224 | Nmpiicdm.exe
2224 | Nmpiicdm.exe
2832 | Ndiaem32.exe
2832 | Ndiaem32.exe
2768 | Obonfj32.exe
2768 | Obonfj32.exe
2824 | Obcgaill.exe
2824 | Obcgaill.exe
892 | Okolfkjg.exe
892 | Okolfkjg.exe
3056 | Omoehf32.exe
3056 | Omoehf32.exe
1328 | Oheieo32.exe
1328 | Oheieo32.exe
2508 | Pppnia32.exe
2508 | Pppnia32.exe
2100 | Papkcd32.exe
2100 | Papkcd32.exe
2696 | Pglclk32.exe
2696 | Pglclk32.exe
292 | Plneoace.exe
292 | Plneoace.exe
848 | Qjbehfbo.exe
848 | Qjbehfbo.exe
2212 | Aoakfl32.exe
2212 | Aoakfl32.exe
2268 | Agloko32.exe
2268 | Agloko32.exe
1344 | Adppdckh.exe
1344 | Adppdckh.exe
1924 | Adbmjbif.exe
1924 | Adbmjbif.exe
920 | Adeiobgc.exe
920 | Adeiobgc.exe
2376 | Ajaagi32.exe
2376 | Ajaagi32.exe
1552 | Agebam32.exe
1552 | Agebam32.exe
1064 | Bfkobj32.exe
1064 | Bfkobj32.exe
1604 | Bnhqll32.exe
1604 | Bnhqll32.exe
3032 | Bineidcj.exe
3032 | Bineidcj.exe
1956 | Bbfibj32.exe
1956 | Bbfibj32.exe
1508 | Cgeopqfp.exe
1508 | Cgeopqfp.exe
2472 | Cfkkam32.exe
2472 | Cfkkam32.exe
1568 | Cappnf32.exe
1568 | Cappnf32.exe
2844 | Cikdbhhi.exe
2844 | Cikdbhhi.exe
2976 | Cfoellgb.exe
2976 | Cfoellgb.exe
2812 | Cpgieb32.exe
2812 | Cpgieb32.exe
1484 | Cipnng32.exe
1484 | Cipnng32.exe
2884 | Dfdngl32.exe
2884 | Dfdngl32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ipkgikkp.dll | Gpiffngk.exe
File created | C:\Windows\SysWOW64\Ohmljj32.exe | Nbinad32.exe
File created | C:\Windows\SysWOW64\Jocceo32.exe | Jhikhefb.exe
File created | C:\Windows\SysWOW64\Ogeeme32.dll | Kldlmqml.exe
File created | C:\Windows\SysWOW64\Opjdhb32.dll | Qfganb32.exe
File created | C:\Windows\SysWOW64\Eaodhk32.dll | Faedpdcc.exe
File created | C:\Windows\SysWOW64\Hfdbji32.exe | Hjnaehgj.exe
File opened for modification | C:\Windows\SysWOW64\Aogpmcmb.exe | Abpohb32.exe
File created | C:\Windows\SysWOW64\Cmkkpnfp.dll | Ikcpmieg.exe
File created | C:\Windows\SysWOW64\Jhikhefb.exe | Jblbpnhk.exe
File created | C:\Windows\SysWOW64\Cdnhiihl.dll | Nmmgafjh.exe
File created | C:\Windows\SysWOW64\Fghppa32.exe | Fakhhk32.exe
File opened for modification | C:\Windows\SysWOW64\Mdahnmck.exe | Lkhcdhmk.exe
File opened for modification | C:\Windows\SysWOW64\Ifikehii.exe | Iiekkdjo.exe
File created | C:\Windows\SysWOW64\Gpiffngk.exe | Gohjnf32.exe
File opened for modification | C:\Windows\SysWOW64\Jhchjgoh.exe | Imndmnob.exe
File created | C:\Windows\SysWOW64\Cfjdfg32.exe | Cfghagio.exe
File created | C:\Windows\SysWOW64\Cjmhanqn.dll | Kjdpcnfi.exe
File created | C:\Windows\SysWOW64\Gnocdb32.exe | Gdgoll32.exe
File created | C:\Windows\SysWOW64\Pkjpacdo.dll | Jiinmnaa.exe
File opened for modification | C:\Windows\SysWOW64\Kiqdmm32.exe | Kbflqccl.exe
File opened for modification | C:\Windows\SysWOW64\Gljdlq32.exe | Gpccgppq.exe
File created | C:\Windows\SysWOW64\Fncddc32.exe | Eapcjo32.exe
File opened for modification | C:\Windows\SysWOW64\Mchjjc32.exe | Mojaceln.exe
File opened for modification | C:\Windows\SysWOW64\Gpccgppq.exe | Gcocnk32.exe
File created | C:\Windows\SysWOW64\Lbnbfb32.exe | Lhenmm32.exe
File created | C:\Windows\SysWOW64\Ponioeij.dll | Fgnfpm32.exe
File created | C:\Windows\SysWOW64\Diklpn32.exe | Dihojnqo.exe
File created | C:\Windows\SysWOW64\Hllffmbb.exe | Hafbid32.exe
File created | C:\Windows\SysWOW64\Kcgdgnmc.exe | Kceganoe.exe
File created | C:\Windows\SysWOW64\Gghloe32.exe | Gomhkb32.exe
File created | C:\Windows\SysWOW64\Eehfdldj.dll | Jdmfdgbj.exe
File opened for modification | C:\Windows\SysWOW64\Ehbcnajn.exe | Ebekej32.exe
File created | C:\Windows\SysWOW64\Jcdmpg32.dll | Cqlhlo32.exe
File created | C:\Windows\SysWOW64\Kmphpc32.exe | Kcgdgnmc.exe
File created | C:\Windows\SysWOW64\Ccdhfhda.dll | Hfbckagm.exe
File created | C:\Windows\SysWOW64\Llcfck32.exe | Lbnbfb32.exe
File opened for modification | C:\Windows\SysWOW64\Achlch32.exe | Ankckagj.exe
File created | C:\Windows\SysWOW64\Bkmcni32.exe | Bfpkfb32.exe
File created | C:\Windows\SysWOW64\Kppmhmhh.dll | Echoepmo.exe
File created | C:\Windows\SysWOW64\Jhahcjcf.exe | Joicje32.exe
File created | C:\Windows\SysWOW64\Moelcodj.dll | Gfbfln32.exe
File created | C:\Windows\SysWOW64\Kdlbckee.exe | Kkdnke32.exe
File opened for modification | C:\Windows\SysWOW64\Qeglqpaj.exe | Qlnghj32.exe
File opened for modification | C:\Windows\SysWOW64\Efdmohmm.exe | Emlhfb32.exe
File opened for modification | C:\Windows\SysWOW64\Faedpdcc.exe | Eigbfb32.exe
File opened for modification | C:\Windows\SysWOW64\Happkf32.exe | Gheola32.exe
File created | C:\Windows\SysWOW64\Ikhpoi32.dll | Dfdngl32.exe
File opened for modification | C:\Windows\SysWOW64\Ddcadd32.exe | Dendcg32.exe
File created | C:\Windows\SysWOW64\Liibigjq.exe | Lanmde32.exe
File opened for modification | C:\Windows\SysWOW64\Lhhmle32.exe | Lckdcn32.exe
File opened for modification | C:\Windows\SysWOW64\Dddmkkpb.exe | Dklibf32.exe
File opened for modification | C:\Windows\SysWOW64\Bineidcj.exe | Bnhqll32.exe
File opened for modification | C:\Windows\SysWOW64\Bocfch32.exe | Boainhic.exe
File created | C:\Windows\SysWOW64\Pgihlk32.dll | Jpnfdbig.exe
File opened for modification | C:\Windows\SysWOW64\Jdbhcfjd.exe | Jjjdjp32.exe
File opened for modification | C:\Windows\SysWOW64\Dmobpn32.exe | Dddmkkpb.exe
File created | C:\Windows\SysWOW64\Lnlmmo32.exe | Lcfhpf32.exe
File created | C:\Windows\SysWOW64\Ojjkim32.dll | Lnlmmo32.exe
File opened for modification | C:\Windows\SysWOW64\Khdgabih.exe | Knkbimbg.exe
File created | C:\Windows\SysWOW64\Jigagocd.exe | Jhfepfme.exe
File opened for modification | C:\Windows\SysWOW64\Ngoinfao.exe | Nbaafocg.exe
File created | C:\Windows\SysWOW64\Mjhlcioh.dll | Dpdbdo32.exe
File created | C:\Windows\SysWOW64\Klmhcl32.dll | Ngiiip32.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eaangfjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgnfpm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdbhcfjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Liibigjq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dajlhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egljjmkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Koelibnh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phelnhnb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bkmcni32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adbmjbif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggncop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdgoll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imifpagp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iagchmjn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlmiojla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ankckagj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omhjejai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pldknmhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgdbpi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncdciq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfkobj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Faimkd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpccgppq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pppnia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iaegbmlq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbinad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Almjcobe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncbfcq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pejejkhl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcccglnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhccoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdobjgqg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohmljj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ficilgai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebghkjjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aoakfl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnhqll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hekhid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kceganoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilmgef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbflqccl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhenmm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flkohc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbaafocg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpbilmop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gghloe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibeloo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkbadifn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Happkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndiaem32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agilkijf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icnbic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfcadq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kifgllbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joaebkni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcgdgnmc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cikdbhhi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljndga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcocnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjdpcnfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhgkqmph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fleihi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cipnng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kkdnke32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gpiffngk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iolohhpc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Joaebkni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leialh32.dll" | Ilmgef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabjhddb.dll" | Hiehbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popoobmg.dll" | Lcfhpf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mchadifq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fkdoii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncdciq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mainpc32.dll" | Elnagijk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdgkkppm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eganqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpcapia.dll" | Onkjocjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmjkf32.dll" | Cilfka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dklibf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ikcpmieg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjmoh32.dll" | Aagfffbo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdncfedn.dll" | Lckdcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmhcl32.dll" | Ngiiip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oloioh32.dll" | Omhjejai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mcccglnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdplmflg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hiehbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfioeef.dll" | Ehbcnajn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkdfgmp.dll" | Odgchjhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Achlch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcmhmp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Laenqg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmocok32.dll" | Efaiobkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhmnf32.dll" | Plneoace.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Flpkll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdooij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mkconepp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmfdi32.dll" | Mognco32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kkaaee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ljndga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipnhkpd.dll" | Alfdcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gaajfi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hgmhcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lcignoki.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chmlfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dqmkflcd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jigagocd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfpegkn.dll" | Nbaafocg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omhjejai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kcgdgnmc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ledpjdid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpnbcfkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbnfdpge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cldolj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pppnia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeada32.dll" | Bnhqll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cpgieb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaman32.dll" | Phklcn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Adhohapp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ehbcnajn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfdlmpf.dll" | Hpplfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kclmbm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omoehf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnhokob.dll" | Fdbgia32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jmkmlk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfnnpbnn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ghcbga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qifnkg32.dll" | Jcmhmp32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each event appears four times in the raw listing; the 16 distinct entries are:

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 624 wrote to memory of 2224 | 624 | d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb.exe | 30 |
| PID 2224 wrote to memory of 2832 | 2224 | Nmpiicdm.exe | 31 |
| PID 2832 wrote to memory of 2768 | 2832 | Ndiaem32.exe | 32 |
| PID 2768 wrote to memory of 2824 | 2768 | Obonfj32.exe | 33 |
| PID 2824 wrote to memory of 892 | 2824 | Obcgaill.exe | 34 |
| PID 892 wrote to memory of 3056 | 892 | Okolfkjg.exe | 35 |
| PID 3056 wrote to memory of 1328 | 3056 | Omoehf32.exe | 36 |
| PID 1328 wrote to memory of 2508 | 1328 | Oheieo32.exe | 37 |
| PID 2508 wrote to memory of 2100 | 2508 | Pppnia32.exe | 38 |
| PID 2100 wrote to memory of 2696 | 2100 | Papkcd32.exe | 39 |
| PID 2696 wrote to memory of 292 | 2696 | Pglclk32.exe | 40 |
| PID 292 wrote to memory of 848 | 292 | Plneoace.exe | 41 |
| PID 848 wrote to memory of 2212 | 848 | Qjbehfbo.exe | 42 |
| PID 2212 wrote to memory of 2268 | 2212 | Aoakfl32.exe | 43 |
| PID 2268 wrote to memory of 1344 | 2268 | Agloko32.exe | 44 |
| PID 1344 wrote to memory of 1924 | 1344 | Adppdckh.exe | 45 |
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d59e7f2e3257fc708af0b90e91462efc2b6ca885af5c6f6dfe473a5fa412a6eb.exe"), PID 624
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

2⤵ C:\Windows\SysWOW64\Nmpiicdm.exe (command line: C:\Windows\system32\Nmpiicdm.exe), PID 2224
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

3⤵ C:\Windows\SysWOW64\Ndiaem32.exe (command line: C:\Windows\system32\Ndiaem32.exe), PID 2832
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

4⤵ C:\Windows\SysWOW64\Obonfj32.exe (command line: C:\Windows\system32\Obonfj32.exe), PID 2768
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

5⤵ C:\Windows\SysWOW64\Obcgaill.exe (command line: C:\Windows\system32\Obcgaill.exe), PID 2824
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

6⤵ C:\Windows\SysWOW64\Okolfkjg.exe (command line: C:\Windows\system32\Okolfkjg.exe), PID 892
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

7⤵ C:\Windows\SysWOW64\Omoehf32.exe (command line: C:\Windows\system32\Omoehf32.exe), PID 3056
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

8⤵ C:\Windows\SysWOW64\Oheieo32.exe (command line: C:\Windows\system32\Oheieo32.exe), PID 1328
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

9⤵ C:\Windows\SysWOW64\Pppnia32.exe (command line: C:\Windows\system32\Pppnia32.exe), PID 2508
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

10⤵ C:\Windows\SysWOW64\Papkcd32.exe (command line: C:\Windows\system32\Papkcd32.exe), PID 2100
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

11⤵ C:\Windows\SysWOW64\Pglclk32.exe (command line: C:\Windows\system32\Pglclk32.exe), PID 2696
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

12⤵ C:\Windows\SysWOW64\Plneoace.exe (command line: C:\Windows\system32\Plneoace.exe), PID 292
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

13⤵ C:\Windows\SysWOW64\Qjbehfbo.exe (command line: C:\Windows\system32\Qjbehfbo.exe), PID 848
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

14⤵ C:\Windows\SysWOW64\Aoakfl32.exe (command line: C:\Windows\system32\Aoakfl32.exe), PID 2212
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

15⤵ C:\Windows\SysWOW64\Agloko32.exe (command line: C:\Windows\system32\Agloko32.exe), PID 2268
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

16⤵ C:\Windows\SysWOW64\Adppdckh.exe (command line: C:\Windows\system32\Adppdckh.exe), PID 1344
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

17⤵ C:\Windows\SysWOW64\Adbmjbif.exe (command line: C:\Windows\system32\Adbmjbif.exe), PID 1924
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

18⤵ C:\Windows\SysWOW64\Adeiobgc.exe (command line: C:\Windows\system32\Adeiobgc.exe), PID 920
- Executes dropped EXE
- Loads dropped DLL

19⤵ C:\Windows\SysWOW64\Ajaagi32.exe (command line: C:\Windows\system32\Ajaagi32.exe), PID 2376
- Executes dropped EXE
- Loads dropped DLL

20⤵ C:\Windows\SysWOW64\Agebam32.exe (command line: C:\Windows\system32\Agebam32.exe), PID 1552
- Executes dropped EXE
- Loads dropped DLL

21⤵ C:\Windows\SysWOW64\Bfkobj32.exe (command line: C:\Windows\system32\Bfkobj32.exe), PID 1064
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

22⤵ C:\Windows\SysWOW64\Bnhqll32.exe (command line: C:\Windows\system32\Bnhqll32.exe), PID 1604
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

23⤵ C:\Windows\SysWOW64\Bineidcj.exe (command line: C:\Windows\system32\Bineidcj.exe), PID 3032
- Executes dropped EXE
- Loads dropped DLL

24⤵ C:\Windows\SysWOW64\Bbfibj32.exe (command line: C:\Windows\system32\Bbfibj32.exe), PID 1956
- Executes dropped EXE
- Loads dropped DLL

25⤵ C:\Windows\SysWOW64\Cgeopqfp.exe (command line: C:\Windows\system32\Cgeopqfp.exe), PID 1508
- Executes dropped EXE
- Loads dropped DLL

26⤵ C:\Windows\SysWOW64\Cfkkam32.exe (command line: C:\Windows\system32\Cfkkam32.exe), PID 2472
- Executes dropped EXE
- Loads dropped DLL

27⤵ C:\Windows\SysWOW64\Cappnf32.exe (command line: C:\Windows\system32\Cappnf32.exe), PID 1568
- Executes dropped EXE
- Loads dropped DLL

28⤵ C:\Windows\SysWOW64\Cikdbhhi.exe (command line: C:\Windows\system32\Cikdbhhi.exe), PID 2844
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

29⤵ C:\Windows\SysWOW64\Cfoellgb.exe (command line: C:\Windows\system32\Cfoellgb.exe), PID 2976
- Executes dropped EXE
- Loads dropped DLL

30⤵ C:\Windows\SysWOW64\Cpgieb32.exe (command line: C:\Windows\system32\Cpgieb32.exe), PID 2812
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

31⤵ C:\Windows\SysWOW64\Cipnng32.exe (command line: C:\Windows\system32\Cipnng32.exe), PID 1484
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

32⤵ C:\Windows\SysWOW64\Dfdngl32.exe (command line: C:\Windows\system32\Dfdngl32.exe), PID 2884
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

33⤵ C:\Windows\SysWOW64\Doocln32.exe (command line: C:\Windows\system32\Doocln32.exe), PID 2800
- Executes dropped EXE

34⤵ C:\Windows\SysWOW64\Dekhnh32.exe (command line: C:\Windows\system32\Dekhnh32.exe), PID 2648
- Executes dropped EXE

35⤵ C:\Windows\SysWOW64\Dkhpfo32.exe (command line: C:\Windows\system32\Dkhpfo32.exe), PID 324
- Executes dropped EXE

36⤵ C:\Windows\SysWOW64\Dendcg32.exe (command line: C:\Windows\system32\Dendcg32.exe), PID 1364
- Executes dropped EXE
- Drops file in System32 directory

37⤵ C:\Windows\SysWOW64\Ddcadd32.exe (command line: C:\Windows\system32\Ddcadd32.exe), PID 2956
- Executes dropped EXE

38⤵ C:\Windows\SysWOW64\Eganqo32.exe (command line: C:\Windows\system32\Eganqo32.exe), PID 332
- Executes dropped EXE
- Modifies registry class

39⤵ C:\Windows\SysWOW64\Echoepmo.exe (command line: C:\Windows\system32\Echoepmo.exe), PID 1560
- Executes dropped EXE
- Drops file in System32 directory

40⤵ C:\Windows\SysWOW64\Egfglocf.exe (command line: C:\Windows\system32\Egfglocf.exe), PID 2144
- Executes dropped EXE

41⤵ C:\Windows\SysWOW64\Elcpdeam.exe (command line: C:\Windows\system32\Elcpdeam.exe), PID 928
- Executes dropped EXE

42⤵ C:\Windows\SysWOW64\Eoalpaaa.exe (command line: C:\Windows\system32\Eoalpaaa.exe), PID 2252
- Executes dropped EXE

43⤵ C:\Windows\SysWOW64\Eocieq32.exe (command line: C:\Windows\system32\Eocieq32.exe), PID 960
- Executes dropped EXE

44⤵ C:\Windows\SysWOW64\Fhccoe32.exe (command line: C:\Windows\system32\Fhccoe32.exe), PID 1900
- Executes dropped EXE
- System Location Discovery: System Language Discovery

45⤵ C:\Windows\SysWOW64\Fakhhk32.exe (command line: C:\Windows\system32\Fakhhk32.exe), PID 1384
- Executes dropped EXE
- Drops file in System32 directory

46⤵ C:\Windows\SysWOW64\Fghppa32.exe (command line: C:\Windows\system32\Fghppa32.exe), PID 1544
- Executes dropped EXE

47⤵ C:\Windows\SysWOW64\Fleihi32.exe (command line: C:\Windows\system32\Fleihi32.exe), PID 1088
- Executes dropped EXE
- System Location Discovery: System Language Discovery

48⤵ C:\Windows\SysWOW64\Fgjmfa32.exe (command line: C:\Windows\system32\Fgjmfa32.exe), PID 900
- Executes dropped EXE

49⤵ C:\Windows\SysWOW64\Ggmjkapi.exe (command line: C:\Windows\system32\Ggmjkapi.exe), PID 1340
- Executes dropped EXE

50⤵ C:\Windows\SysWOW64\Gjkfglom.exe (command line: C:\Windows\system32\Gjkfglom.exe), PID 2340
- Executes dropped EXE

51⤵ C:\Windows\SysWOW64\Gfbfln32.exe (command line: C:\Windows\system32\Gfbfln32.exe), PID 876
- Executes dropped EXE
- Drops file in System32 directory

52⤵ C:\Windows\SysWOW64\Gojkecka.exe (command line: C:\Windows\system32\Gojkecka.exe), PID 2776
- Executes dropped EXE

53⤵ C:\Windows\SysWOW64\Gomhkb32.exe (command line: C:\Windows\system32\Gomhkb32.exe), PID 2296
- Executes dropped EXE
- Drops file in System32 directory

54⤵ C:\Windows\SysWOW64\Gghloe32.exe (command line: C:\Windows\system32\Gghloe32.exe), PID 2168
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

55⤵ C:\Windows\SysWOW64\Hbnqln32.exe (command line: C:\Windows\system32\Hbnqln32.exe), PID 3048
- Executes dropped EXE

56⤵ C:\Windows\SysWOW64\Helmiiec.exe (command line: C:\Windows\system32\Helmiiec.exe), PID 1948
- Executes dropped EXE

57⤵ C:\Windows\SysWOW64\Hndaao32.exe (command line: C:\Windows\system32\Hndaao32.exe), PID 2120
- Executes dropped EXE

58⤵ C:\Windows\SysWOW64\Hgmfjdbe.exe (command line: C:\Windows\system32\Hgmfjdbe.exe), PID 1496
- Executes dropped EXE

59⤵ C:\Windows\SysWOW64\Hccfoehi.exe (command line: C:\Windows\system32\Hccfoehi.exe), PID 1992
- Executes dropped EXE

60⤵ C:\Windows\SysWOW64\Hfbckagm.exe (command line: C:\Windows\system32\Hfbckagm.exe), PID 1972
- Executes dropped EXE
- Drops file in System32 directory

61⤵ C:\Windows\SysWOW64\Haggijgb.exe (command line: C:\Windows\system32\Haggijgb.exe), PID 1216
- Executes dropped EXE

62⤵ C:\Windows\SysWOW64\Hiblmldn.exe (command line: C:\Windows\system32\Hiblmldn.exe), PID 1336
- Executes dropped EXE

63⤵ C:\Windows\SysWOW64\Hbkpfa32.exe (command line: C:\Windows\system32\Hbkpfa32.exe), PID 1860
- Executes dropped EXE

64⤵ C:\Windows\SysWOW64\Hiehbl32.exe (command line: C:\Windows\system32\Hiehbl32.exe), PID 2876
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

65⤵ C:\Windows\SysWOW64\Icjmpd32.exe (command line: C:\Windows\system32\Icjmpd32.exe), PID 3012
- Executes dropped EXE

66⤵ C:\Windows\SysWOW64\Ieligmho.exe (command line: C:\Windows\system32\Ieligmho.exe), PID 1700

67⤵ C:\Windows\SysWOW64\Indnqb32.exe (command line: C:\Windows\system32\Indnqb32.exe), PID 1868

68⤵ C:\Windows\SysWOW64\Ihlbih32.exe (command line: C:\Windows\system32\Ihlbih32.exe), PID 1784

69⤵ C:\Windows\SysWOW64\Iaegbmlq.exe (command line: C:\Windows\system32\Iaegbmlq.exe), PID 1100
- System Location Discovery: System Language Discovery

70⤵ C:\Windows\SysWOW64\Iilocklc.exe (command line: C:\Windows\system32\Iilocklc.exe), PID 2364

71⤵ C:\Windows\SysWOW64\Iagchmjn.exe (command line: C:\Windows\system32\Iagchmjn.exe), PID 2400
- System Location Discovery: System Language Discovery

72⤵ C:\Windows\SysWOW64\Ilmgef32.exe (command line: C:\Windows\system32\Ilmgef32.exe), PID 3044
- System Location Discovery: System Language Discovery
- Modifies registry class

73⤵ C:\Windows\SysWOW64\Imndmnob.exe (command line: C:\Windows\system32\Imndmnob.exe), PID 2756
- Drops file in System32 directory

74⤵ C:\Windows\SysWOW64\Jhchjgoh.exe (command line: C:\Windows\system32\Jhchjgoh.exe), PID 2780

75⤵ C:\Windows\SysWOW64\Jalmcl32.exe (command line: C:\Windows\system32\Jalmcl32.exe), PID 1624

76⤵ C:\Windows\SysWOW64\Jhfepfme.exe (command line: C:\Windows\system32\Jhfepfme.exe), PID 912
- Drops file in System32 directory

77⤵ C:\Windows\SysWOW64\Jigagocd.exe (command line: C:\Windows\system32\Jigagocd.exe), PID 328
- Modifies registry class

78⤵ C:\Windows\SysWOW64\Jdmfdgbj.exe (command line: C:\Windows\system32\Jdmfdgbj.exe), PID 2948
- Drops file in System32 directory

79⤵ C:\Windows\SysWOW64\Jiinmnaa.exe (command line: C:\Windows\system32\Jiinmnaa.exe), PID 1276
- Drops file in System32 directory

80⤵ C:\Windows\SysWOW64\Jdobjgqg.exe (command line: C:\Windows\system32\Jdobjgqg.exe), PID 2488
- System Location Discovery: System Language Discovery

81⤵ C:\Windows\SysWOW64\Jepoao32.exe (command line: C:\Windows\system32\Jepoao32.exe), PID 2280

82⤵ C:\Windows\SysWOW64\Joicje32.exe (command line: C:\Windows\system32\Joicje32.exe), PID 1244
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

83⤵ C:\Windows\SysWOW64\Jhahcjcf.exe (command line: C:\Windows\system32\Jhahcjcf.exe), PID 2208

84⤵ C:\Windows\SysWOW64\Kbflqccl.exe (command line: C:\Windows\system32\Kbflqccl.exe), PID 1072
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

85⤵ C:\Windows\SysWOW64\Kiqdmm32.exe (command line: C:\Windows\system32\Kiqdmm32.exe), PID 1168

86⤵ C:\Windows\SysWOW64\Kkaaee32.exe (command line: C:\Windows\system32\Kkaaee32.exe), PID 2152
- Modifies registry class

87⤵ C:\Windows\SysWOW64\Kegebn32.exe (command line: C:\Windows\system32\Kegebn32.exe), PID 2184

88⤵ C:\Windows\SysWOW64\Kkdnke32.exe (command line: C:\Windows\system32\Kkdnke32.exe), PID 2784
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

89⤵ C:\Windows\SysWOW64\Kdlbckee.exe (command line: C:\Windows\system32\Kdlbckee.exe), PID 2164

90⤵ C:\Windows\SysWOW64\Kneflplf.exe (command line: C:\Windows\system32\Kneflplf.exe), PID 2968

91⤵ C:\Windows\SysWOW64\Kdooij32.exe (command line: C:\Windows\system32\Kdooij32.exe), PID 2432
- Modifies registry class

92⤵ C:\Windows\SysWOW64\Kpeonkig.exe (command line: C:\Windows\system32\Kpeonkig.exe), PID 2244

93⤵ C:\Windows\SysWOW64\Lgphke32.exe (command line: C:\Windows\system32\Lgphke32.exe), PID 2908
- Adds autorun key to be loaded by Explorer.exe on startup

94⤵ C:\Windows\SysWOW64\Ljndga32.exe (command line: C:\Windows\system32\Ljndga32.exe), PID 3052
- System Location Discovery: System Language Discovery
- Modifies registry class

95⤵ C:\Windows\SysWOW64\Lcfhpf32.exe (command line: C:\Windows\system32\Lcfhpf32.exe), PID 1744
- Drops file in System32 directory
- Modifies registry class

96⤵ C:\Windows\SysWOW64\Lnlmmo32.exe (command line: C:\Windows\system32\Lnlmmo32.exe), PID 2240
- Drops file in System32 directory

97⤵ C:\Windows\SysWOW64\Lfgaaa32.exe (command line: C:\Windows\system32\Lfgaaa32.exe), PID 2920

98⤵ C:\Windows\SysWOW64\Lhenmm32.exe (command line: C:\Windows\system32\Lhenmm32.exe), PID 2008
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

99⤵ C:\Windows\SysWOW64\Lbnbfb32.exe (command line: C:\Windows\system32\Lbnbfb32.exe), PID 1752
- Drops file in System32 directory

100⤵ C:\Windows\SysWOW64\Llcfck32.exe (command line: C:\Windows\system32\Llcfck32.exe), PID 2360

101⤵ C:\Windows\SysWOW64\Lflklaoc.exe (command line: C:\Windows\system32\Lflklaoc.exe), PID 2156

102⤵ C:\Windows\SysWOW64\Lkhcdhmk.exe (command line: C:\Windows\system32\Lkhcdhmk.exe), PID 2636
- Drops file in System32 directory

103⤵ C:\Windows\SysWOW64\Mdahnmck.exe (command line: C:\Windows\system32\Mdahnmck.exe), PID 2764

104⤵ C:\Windows\SysWOW64\Mkkpjg32.exe (command line: C:\Windows\system32\Mkkpjg32.exe), PID 1460

105⤵ C:\Windows\SysWOW64\Mhopcl32.exe (command line: C:\Windows\system32\Mhopcl32.exe), PID 1092

106⤵ C:\Windows\SysWOW64\Mchadifq.exe (command line: C:\Windows\system32\Mchadifq.exe), PID 2408
- Modifies registry class

107⤵ C:\Windows\SysWOW64\Mjbiac32.exe (command line: C:\Windows\system32\Mjbiac32.exe), PID 2424

108⤵ C:\Windows\SysWOW64\Mcmkoi32.exe (command line: C:\Windows\system32\Mcmkoi32.exe), PID 2312

109⤵ C:\Windows\SysWOW64\Nqakim32.exe (command line: C:\Windows\system32\Nqakim32.exe), PID 1756

110⤵ C:\Windows\SysWOW64\Ncbdjhnf.exe (command line: C:\Windows\system32\Ncbdjhnf.exe), PID 2308
- Adds autorun key to be loaded by Explorer.exe on startup

111⤵ C:\Windows\SysWOW64\Nlmiojla.exe (command line: C:\Windows\system32\Nlmiojla.exe), PID 2932
- System Location Discovery: System Language Discovery

112⤵ C:\Windows\SysWOW64\Nbinad32.exe (command line: C:\Windows\system32\Nbinad32.exe), PID 2232
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

113⤵ C:\Windows\SysWOW64\Ohmljj32.exe (command line: C:\Windows\system32\Ohmljj32.exe), PID 2172
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

114⤵ C:\Windows\SysWOW64\Omlahqeo.exe (command line: C:\Windows\system32\Omlahqeo.exe), PID 2396

115⤵ C:\Windows\SysWOW64\Pbkgegad.exe (command line: C:\Windows\system32\Pbkgegad.exe), PID 2444

116⤵ C:\Windows\SysWOW64\Pldknmhd.exe (command line: C:\Windows\system32\Pldknmhd.exe), PID 3008
- System Location Discovery: System Language Discovery

117⤵ C:\Windows\SysWOW64\Phklcn32.exe (command line: C:\Windows\system32\Phklcn32.exe), PID 2864
- Modifies registry class

118⤵ C:\Windows\SysWOW64\Pmjaadjm.exe (command line: C:\Windows\system32\Pmjaadjm.exe), PID 2748

119⤵ C:\Windows\SysWOW64\Pahjgb32.exe (command line: C:\Windows\system32\Pahjgb32.exe), PID 2628

120⤵ C:\Windows\SysWOW64\Pdffcn32.exe (command line: C:\Windows\system32\Pdffcn32.exe), PID 2992

121⤵ C:\Windows\SysWOW64\Qgdbpi32.exe (command line: C:\Windows\system32\Qgdbpi32.exe), PID 2060
- System Location Discovery: System Language Discovery

122⤵ C:\Windows\SysWOW64\Qggoeilh.exe (command line: C:\Windows\system32\Qggoeilh.exe), PID 1984