Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-12-2024 02:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe
-
Size
465KB
-
MD5
b83dd5aaf32a41268e3084ab3becc916
-
SHA1
98d2dda31906ad54869b443c9b5d3faf3cec4522
-
SHA256
3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349
-
SHA512
564a56d5cc7a7739e1d96f7615647150b4231c86eb7891e79e56049f4b59f842233601bd300caee586f1a0fc122de09e0d66c5e16e1838def0512c9534ca2423
-
SSDEEP
6144:Rb84Tl/Lu3njPX9ZAkvntd4ljd3rKzwN8Jlljd3njPX9ZAk3fU:RtMjP9ZtVkjpKXjtjP9ZtM
Malware Config
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elaeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miapbpmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjklb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bobleeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqbbhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loaokjjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmpkpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdqpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfggkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kihpmnbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbbnjgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhepoaif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocpfkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgbkacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqfhqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Holldk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmoekf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fapgblob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iecdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdjihgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biqfpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohipla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecpnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgdqpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onoqfehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkicbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onldqejb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkmldbcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmlablaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbkhabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joebccpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkdpnil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblhmoio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkkjeeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofiopaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnjhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkcep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fapgblob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkimpfmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egflml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfoboml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iecdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccnifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppopja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkifkdjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmklak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbniohpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgbcofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhlqjone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkghqpb.exe -
Gozi family
-
Executes dropped EXE 64 IoCs
pid Process 2784 Lgingm32.exe 2676 Lkggmldl.exe 2828 Laqojfli.exe 2748 Llmmpcfe.exe 800 Mgbaml32.exe 1096 Mopbgn32.exe 2396 Mdmkoepk.exe 2876 Mkipao32.exe 1580 Nkkmgncb.exe 2844 Ngdjaofc.exe 2888 Nqmnjd32.exe 1112 Nlilqbgp.exe 1156 Oeaqig32.exe 1076 Obgnhkkh.exe 1084 Olpbaa32.exe 2436 Ohipla32.exe 1740 Pmehdh32.exe 1644 Pbemboof.exe 1512 Pjleclph.exe 2268 Pfbfhm32.exe 280 Piabdiep.exe 2288 Picojhcm.exe 1008 Plbkfdba.exe 2908 Paocnkph.exe 3040 Qldhkc32.exe 2788 Qhkipdeb.exe 2052 Qoeamo32.exe 2916 Aklabp32.exe 2552 Aknngo32.exe 2592 Anljck32.exe 576 Adfbpega.exe 2160 Alageg32.exe 1664 Apppkekc.exe 1764 Acnlgajg.exe 1684 Ajhddk32.exe 1304 Bcpimq32.exe 896 Bjjaikoa.exe 604 Bogjaamh.exe 1800 Bddbjhlp.exe 2344 Bnlgbnbp.exe 1044 Bkpglbaj.exe 2424 Bnochnpm.exe 860 Bdhleh32.exe 1824 Bnapnm32.exe 856 Bqolji32.exe 2224 Ccnifd32.exe 1816 Cjhabndo.exe 1940 Cdmepgce.exe 1832 Ccpeld32.exe 1596 Cglalbbi.exe 2752 Cjjnhnbl.exe 2572 Cgnnab32.exe 2600 Ciokijfd.exe 3012 Coicfd32.exe 2088 Cceogcfj.exe 1376 Cfckcoen.exe 1240 Cbjlhpkb.exe 2640 Cehhdkjf.exe 2188 Cmppehkh.exe 1508 Dnqlmq32.exe 1952 Dblhmoio.exe 2512 Dekdikhc.exe 1728 Dgiaefgg.exe 2476 Dncibp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2644 3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe 2644 3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe 2784 Lgingm32.exe 2784 Lgingm32.exe 2676 Lkggmldl.exe 2676 Lkggmldl.exe 2828 Laqojfli.exe 2828 Laqojfli.exe 2748 Llmmpcfe.exe 2748 Llmmpcfe.exe 800 Mgbaml32.exe 800 Mgbaml32.exe 1096 Mopbgn32.exe 1096 Mopbgn32.exe 2396 Mdmkoepk.exe 2396 Mdmkoepk.exe 2876 Mkipao32.exe 2876 Mkipao32.exe 1580 Nkkmgncb.exe 1580 Nkkmgncb.exe 2844 Ngdjaofc.exe 2844 Ngdjaofc.exe 2888 Nqmnjd32.exe 2888 Nqmnjd32.exe 1112 Nlilqbgp.exe 1112 Nlilqbgp.exe 1156 Oeaqig32.exe 1156 Oeaqig32.exe 1076 Obgnhkkh.exe 1076 Obgnhkkh.exe 1084 Olpbaa32.exe 1084 Olpbaa32.exe 2436 Ohipla32.exe 2436 Ohipla32.exe 1740 Pmehdh32.exe 1740 Pmehdh32.exe 1644 Pbemboof.exe 1644 Pbemboof.exe 1512 Pjleclph.exe 1512 Pjleclph.exe 2268 Pfbfhm32.exe 2268 Pfbfhm32.exe 280 Piabdiep.exe 280 Piabdiep.exe 2288 Picojhcm.exe 2288 Picojhcm.exe 1008 Plbkfdba.exe 1008 Plbkfdba.exe 2908 Paocnkph.exe 2908 Paocnkph.exe 1692 Qbnphngk.exe 1692 Qbnphngk.exe 2788 Qhkipdeb.exe 2788 Qhkipdeb.exe 2052 Qoeamo32.exe 2052 Qoeamo32.exe 2916 Aklabp32.exe 2916 Aklabp32.exe 2552 Aknngo32.exe 2552 Aknngo32.exe 2592 Anljck32.exe 2592 Anljck32.exe 576 Adfbpega.exe 576 Adfbpega.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qaablcej.exe Qldjdlgb.exe File created C:\Windows\SysWOW64\Lqcmmc32.dll Afcdpi32.exe File opened for modification C:\Windows\SysWOW64\Pjmnfk32.exe Pilbocej.exe File created C:\Windows\SysWOW64\Lalhgogb.exe Lkbpke32.exe File created C:\Windows\SysWOW64\Laodmoep.exe Lkelpd32.exe File opened for modification C:\Windows\SysWOW64\Nqpmimbe.exe Nfjildbp.exe File created C:\Windows\SysWOW64\Aeokba32.exe Anecfgdc.exe File opened for modification C:\Windows\SysWOW64\Bpjnmlel.exe Biqfpb32.exe File created C:\Windows\SysWOW64\Pfbfhm32.exe Pjleclph.exe File created C:\Windows\SysWOW64\Ofdclinq.exe Ocefpnom.exe File opened for modification C:\Windows\SysWOW64\Kbeqjl32.exe Kmhhae32.exe File created C:\Windows\SysWOW64\Ifefbd32.dll Dajgfboj.exe File created C:\Windows\SysWOW64\Ffghjg32.exe Fcilnl32.exe File opened for modification C:\Windows\SysWOW64\Iaobkf32.exe Hkejnl32.exe File created C:\Windows\SysWOW64\Mkdbea32.exe Mdjihgef.exe File created C:\Windows\SysWOW64\Onipqp32.exe Ogohdeam.exe File opened for modification C:\Windows\SysWOW64\Abfoll32.exe Allgoa32.exe File created C:\Windows\SysWOW64\Bghgmd32.dll Efjmbaba.exe File created C:\Windows\SysWOW64\Jhgikm32.dll Ebckmaec.exe File created C:\Windows\SysWOW64\Dgcmod32.exe Dfbqgldn.exe File opened for modification C:\Windows\SysWOW64\Dqinhcoc.exe Djoeki32.exe File opened for modification C:\Windows\SysWOW64\Jegdgj32.exe Jfddkmch.exe File created C:\Windows\SysWOW64\Himocb32.dll Nhebhipj.exe File created C:\Windows\SysWOW64\Caenkc32.exe Cofaog32.exe File created C:\Windows\SysWOW64\Mpfbjp32.dll Fijnabef.exe File created C:\Windows\SysWOW64\Mdigoo32.exe Mpnkopeh.exe File created C:\Windows\SysWOW64\Mhaklk32.dll Mqbejp32.exe File opened for modification C:\Windows\SysWOW64\Pfjfql32.dll Fapgblob.exe File opened for modification C:\Windows\SysWOW64\Njhbabif.exe Ncnjeh32.exe File opened for modification C:\Windows\SysWOW64\Dochelmj.exe Ddmchcnd.exe File created C:\Windows\SysWOW64\Cenmfbml.exe Ckiiiine.exe File created C:\Windows\SysWOW64\Loaokjjg.exe Lpnopm32.exe File opened for modification C:\Windows\SysWOW64\Cngcll32.exe Chjjde32.exe File opened for modification C:\Windows\SysWOW64\Phaoppja.exe Paggce32.exe File opened for modification C:\Windows\SysWOW64\Elaeeb32.exe Egfjdchi.exe File created C:\Windows\SysWOW64\Hqochjnk.exe Halcmn32.exe File created C:\Windows\SysWOW64\Dqinhcoc.exe Djoeki32.exe File created C:\Windows\SysWOW64\Pngjcj32.dll Oapcfo32.exe File created C:\Windows\SysWOW64\Ejhoapqd.dll Fjnkpf32.exe File opened for modification C:\Windows\SysWOW64\Cbjlhpkb.exe Cfckcoen.exe File opened for modification C:\Windows\SysWOW64\Cmppehkh.exe Cehhdkjf.exe File created C:\Windows\SysWOW64\Ieaikf32.dll Mpimbcnf.exe File created C:\Windows\SysWOW64\Ccqhdmbc.exe Cpbkhabp.exe File opened for modification C:\Windows\SysWOW64\Dkjhjm32.exe Dhklna32.exe File created C:\Windows\SysWOW64\Ijampgde.exe Ieeqpi32.exe File created C:\Windows\SysWOW64\Mpimbcnf.exe Mmkafhnb.exe File created C:\Windows\SysWOW64\Nmacej32.exe Nejkdm32.exe File created C:\Windows\SysWOW64\Pccohd32.dll Jgjkfi32.exe File created C:\Windows\SysWOW64\Flhhed32.exe Fhmldfdm.exe File opened for modification C:\Windows\SysWOW64\Mdepmh32.exe Mbdcepcm.exe File created C:\Windows\SysWOW64\Dmddik32.dll Mpnngi32.exe File opened for modification C:\Windows\SysWOW64\Neohqicc.exe Nacmpj32.exe File created C:\Windows\SysWOW64\Nmmjjk32.exe Nhpabdqd.exe File created C:\Windows\SysWOW64\Cpiaipmh.exe Cfcmlg32.exe File created C:\Windows\SysWOW64\Ippdloip.dll Dgqion32.exe File opened for modification C:\Windows\SysWOW64\Jmlobg32.exe Jbfkeo32.exe File created C:\Windows\SysWOW64\Gaocdi32.dll Qaqlbmbn.exe File opened for modification C:\Windows\SysWOW64\Hdefnjkj.exe Hkmaed32.exe File created C:\Windows\SysWOW64\Gbfaddpc.dll Mkdioh32.exe File created C:\Windows\SysWOW64\Imbige32.dll Eifobe32.exe File created C:\Windows\SysWOW64\Lodnjboi.exe Ligfakaa.exe File opened for modification C:\Windows\SysWOW64\Hjmlhbbg.exe Hhkopj32.exe File opened for modification C:\Windows\SysWOW64\Mgjpaj32.exe Mdldeo32.exe File created C:\Windows\SysWOW64\Gebojbpo.dll Ladebd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3672 984 Process not Found 1054 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaigib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qigebglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laodmoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giaidnkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbhje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnddg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajkbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdepmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekghdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babbng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnodgbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icncgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebockkal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebknblho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladgkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopnma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnkanfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjmbaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmnfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmqcmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooidei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmjjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Decdmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiaipmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkjdcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiafpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkelkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapohbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaeqmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hememgdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijnabef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfceom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nacmpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppopja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdcojaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkefoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilomj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmbhnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbipe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpmkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpimq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkobpmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbnjgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkdnnfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabngjla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehbpjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomcpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfalg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnkicen.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfoepmg.dll" Ebockkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckiiiine.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkclkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omlncc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeghng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cccdjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gecklbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfnnkkc.dll" Kjcedj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgmpo32.dll" Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlhbje32.dll" Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcpfnk32.dll" Mdldeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnfhqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipfpcm.dll" Fnadkjlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocgje32.dll" Gieaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkhmj32.dll" Fmaqgaae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcbnpgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omnkicen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnncfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebialmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknjoj32.dll" Bklpjlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hememgdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlpei32.dll" Ihiabfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkofkccd.dll" Bphaglgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll" Nmmjjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkimpfmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnhefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfkgdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Holldk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmfgkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcpimq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mainndaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpcfcddp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppkmjlca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopako32.dll" Iqllghon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkehql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlgndbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekmeeno.dll" Gajjhkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbccb32.dll" Bddbjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjiflem.dll" Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafklo32.dll" Djocbqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmbnam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngoleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebepdj32.dll" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbihoo32.dll" Ghaeoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Objmgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdlpnamm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mblcin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onepbd32.dll" Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" Ibcphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfljfho.dll" Fnmjpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjbkefk.dll" Nljhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnoipg32.dll" Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceickb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Honnki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icifjk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2784 2644 3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe 30 PID 2644 wrote to memory of 2784 2644 3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe 30 PID 2644 wrote to memory of 2784 2644 3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe 30 PID 2644 wrote to memory of 2784 2644 3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe 30 PID 2784 wrote to memory of 2676 2784 Lgingm32.exe 31 PID 2784 wrote to memory of 2676 2784 Lgingm32.exe 31 PID 2784 wrote to memory of 2676 2784 Lgingm32.exe 31 PID 2784 wrote to memory of 2676 2784 Lgingm32.exe 31 PID 2676 wrote to memory of 2828 2676 Lkggmldl.exe 32 PID 2676 wrote to memory of 2828 2676 Lkggmldl.exe 32 PID 2676 wrote to memory of 2828 2676 Lkggmldl.exe 32 PID 2676 wrote to memory of 2828 2676 Lkggmldl.exe 32 PID 2828 wrote to memory of 2748 2828 Laqojfli.exe 33 PID 2828 wrote to memory of 2748 2828 Laqojfli.exe 33 PID 2828 wrote to memory of 2748 2828 Laqojfli.exe 33 PID 2828 wrote to memory of 2748 2828 Laqojfli.exe 33 PID 2748 wrote to memory of 800 2748 Llmmpcfe.exe 34 PID 2748 wrote to memory of 800 2748 Llmmpcfe.exe 34 PID 2748 wrote to memory of 800 2748 Llmmpcfe.exe 34 PID 2748 wrote to memory of 800 2748 Llmmpcfe.exe 34 PID 800 wrote to memory of 1096 800 Mgbaml32.exe 35 PID 800 wrote to memory of 1096 800 Mgbaml32.exe 35 PID 800 wrote to memory of 1096 800 Mgbaml32.exe 35 PID 800 wrote to memory of 1096 800 Mgbaml32.exe 35 PID 1096 wrote to memory of 2396 1096 Mopbgn32.exe 36 PID 1096 wrote to memory of 2396 1096 Mopbgn32.exe 36 PID 1096 wrote to memory of 2396 1096 Mopbgn32.exe 36 PID 1096 wrote to memory of 2396 1096 Mopbgn32.exe 36 PID 2396 wrote to memory of 2876 2396 Mdmkoepk.exe 37 PID 2396 wrote to memory of 2876 2396 Mdmkoepk.exe 37 PID 2396 wrote to memory of 2876 2396 Mdmkoepk.exe 37 PID 2396 wrote to memory of 2876 2396 Mdmkoepk.exe 37 PID 2876 wrote to memory of 1580 2876 Mkipao32.exe 38 PID 2876 wrote to memory of 1580 2876 Mkipao32.exe 38 PID 2876 wrote to memory of 1580 2876 Mkipao32.exe 38 PID 2876 wrote to memory of 1580 2876 Mkipao32.exe 38 PID 1580 wrote to memory of 2844 1580 Nkkmgncb.exe 39 PID 1580 wrote to memory of 2844 1580 Nkkmgncb.exe 39 PID 1580 wrote to memory of 2844 1580 Nkkmgncb.exe 39 PID 1580 wrote to memory of 2844 1580 Nkkmgncb.exe 39 PID 2844 wrote to memory of 2888 2844 Ngdjaofc.exe 40 PID 2844 wrote to memory of 2888 2844 Ngdjaofc.exe 40 PID 2844 wrote to memory of 2888 2844 Ngdjaofc.exe 40 PID 2844 wrote to memory of 2888 2844 Ngdjaofc.exe 40 PID 2888 wrote to memory of 1112 2888 Nqmnjd32.exe 41 PID 2888 wrote to memory of 1112 2888 Nqmnjd32.exe 41 PID 2888 wrote to memory of 1112 2888 Nqmnjd32.exe 41 PID 2888 wrote to memory of 1112 2888 Nqmnjd32.exe 41 PID 1112 wrote to memory of 1156 1112 Nlilqbgp.exe 42 PID 1112 wrote to memory of 1156 1112 Nlilqbgp.exe 42 PID 1112 wrote to memory of 1156 1112 Nlilqbgp.exe 42 PID 1112 wrote to memory of 1156 1112 Nlilqbgp.exe 42 PID 1156 wrote to memory of 1076 1156 Oeaqig32.exe 43 PID 1156 wrote to memory of 1076 1156 Oeaqig32.exe 43 PID 1156 wrote to memory of 1076 1156 Oeaqig32.exe 43 PID 1156 wrote to memory of 1076 1156 Oeaqig32.exe 43 PID 1076 wrote to memory of 1084 1076 Obgnhkkh.exe 44 PID 1076 wrote to memory of 1084 1076 Obgnhkkh.exe 44 PID 1076 wrote to memory of 1084 1076 Obgnhkkh.exe 44 PID 1076 wrote to memory of 1084 1076 Obgnhkkh.exe 44 PID 1084 wrote to memory of 2436 1084 Olpbaa32.exe 45 PID 1084 wrote to memory of 2436 1084 Olpbaa32.exe 45 PID 1084 wrote to memory of 2436 1084 Olpbaa32.exe 45 PID 1084 wrote to memory of 2436 1084 Olpbaa32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe"C:\Users\Admin\AppData\Local\Temp\3109929759f9692a5ba915d95a4a7ab44e6e63fd70501a8a8fb1353d81cfd349.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Picojhcm.exeC:\Windows\system32\Picojhcm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe26⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe27⤵
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Anljck32.exeC:\Windows\system32\Anljck32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Adfbpega.exeC:\Windows\system32\Adfbpega.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe34⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe35⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Acnlgajg.exeC:\Windows\system32\Acnlgajg.exe36⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe37⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe39⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:604 -
C:\Windows\SysWOW64\Bddbjhlp.exeC:\Windows\system32\Bddbjhlp.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe42⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe43⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe44⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe45⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Bnapnm32.exeC:\Windows\system32\Bnapnm32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Bqolji32.exeC:\Windows\system32\Bqolji32.exe47⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Cjhabndo.exeC:\Windows\system32\Cjhabndo.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe50⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ccpeld32.exeC:\Windows\system32\Ccpeld32.exe51⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe52⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Cjjnhnbl.exeC:\Windows\system32\Cjjnhnbl.exe53⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe54⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe55⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Coicfd32.exeC:\Windows\system32\Coicfd32.exe56⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe57⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Cfckcoen.exeC:\Windows\system32\Cfckcoen.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe59⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe61⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe62⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dblhmoio.exeC:\Windows\system32\Dblhmoio.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe64⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe65⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Dncibp32.exeC:\Windows\system32\Dncibp32.exe66⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Djjjga32.exeC:\Windows\system32\Djjjga32.exe67⤵PID:2092
-
C:\Windows\SysWOW64\Dnefhpma.exeC:\Windows\system32\Dnefhpma.exe68⤵PID:1964
-
C:\Windows\SysWOW64\Dadbdkld.exeC:\Windows\system32\Dadbdkld.exe69⤵PID:1848
-
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe70⤵PID:1592
-
C:\Windows\SysWOW64\Dcbnpgkh.exeC:\Windows\system32\Dcbnpgkh.exe71⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe72⤵PID:888
-
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe73⤵PID:3056
-
C:\Windows\SysWOW64\Dhpgfeao.exeC:\Windows\system32\Dhpgfeao.exe74⤵PID:3020
-
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe75⤵
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe76⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Dhbdleol.exeC:\Windows\system32\Dhbdleol.exe77⤵PID:1676
-
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe78⤵PID:2760
-
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe79⤵PID:2004
-
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe80⤵PID:2460
-
C:\Windows\SysWOW64\Eifmimch.exeC:\Windows\system32\Eifmimch.exe81⤵PID:444
-
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe82⤵PID:1092
-
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe83⤵PID:2956
-
C:\Windows\SysWOW64\Edlafebn.exeC:\Windows\system32\Edlafebn.exe84⤵PID:2064
-
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe86⤵PID:2464
-
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe87⤵PID:3032
-
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe88⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Eikfdl32.exeC:\Windows\system32\Eikfdl32.exe89⤵PID:2604
-
C:\Windows\SysWOW64\Ehnfpifm.exeC:\Windows\system32\Ehnfpifm.exe90⤵PID:2420
-
C:\Windows\SysWOW64\Ebckmaec.exeC:\Windows\system32\Ebckmaec.exe91⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe92⤵PID:2060
-
C:\Windows\SysWOW64\Eknpadcn.exeC:\Windows\system32\Eknpadcn.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Eojlbb32.exeC:\Windows\system32\Eojlbb32.exe94⤵PID:2320
-
C:\Windows\SysWOW64\Fhbpkh32.exeC:\Windows\system32\Fhbpkh32.exe95⤵PID:1712
-
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2952 -
C:\Windows\SysWOW64\Fdiqpigl.exeC:\Windows\system32\Fdiqpigl.exe97⤵PID:2528
-
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe98⤵PID:688
-
C:\Windows\SysWOW64\Fdkmeiei.exeC:\Windows\system32\Fdkmeiei.exe99⤵PID:2260
-
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe100⤵PID:1980
-
C:\Windows\SysWOW64\Faonom32.exeC:\Windows\system32\Faonom32.exe101⤵PID:2380
-
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe102⤵PID:1752
-
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe103⤵PID:2668
-
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe104⤵PID:2580
-
C:\Windows\SysWOW64\Fdpgph32.exeC:\Windows\system32\Fdpgph32.exe105⤵PID:2568
-
C:\Windows\SysWOW64\Fgocmc32.exeC:\Windows\system32\Fgocmc32.exe106⤵PID:3052
-
C:\Windows\SysWOW64\Glklejoo.exeC:\Windows\system32\Glklejoo.exe107⤵PID:2096
-
C:\Windows\SysWOW64\Gojhafnb.exeC:\Windows\system32\Gojhafnb.exe108⤵PID:1744
-
C:\Windows\SysWOW64\Gecpnp32.exeC:\Windows\system32\Gecpnp32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Ghbljk32.exeC:\Windows\system32\Ghbljk32.exe110⤵PID:1704
-
C:\Windows\SysWOW64\Gcgqgd32.exeC:\Windows\system32\Gcgqgd32.exe111⤵PID:1444
-
C:\Windows\SysWOW64\Giaidnkf.exeC:\Windows\system32\Giaidnkf.exe112⤵
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Gonale32.exeC:\Windows\system32\Gonale32.exe113⤵PID:2448
-
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe114⤵PID:840
-
C:\Windows\SysWOW64\Ghgfekpn.exeC:\Windows\system32\Ghgfekpn.exe115⤵PID:712
-
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe116⤵PID:2324
-
C:\Windows\SysWOW64\Gaojnq32.exeC:\Windows\system32\Gaojnq32.exe117⤵PID:2240
-
C:\Windows\SysWOW64\Gdnfjl32.exeC:\Windows\system32\Gdnfjl32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Gglbfg32.exeC:\Windows\system32\Gglbfg32.exe119⤵PID:892
-
C:\Windows\SysWOW64\Gnfkba32.exeC:\Windows\system32\Gnfkba32.exe120⤵PID:2684
-
C:\Windows\SysWOW64\Hhkopj32.exeC:\Windows\system32\Hhkopj32.exe121⤵
- Drops file in System32 directory
PID:2384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-