Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
26-07-2024 19:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe
-
Size
181KB
-
MD5
0bd50cf754ea6a65669179717cd6a99b
-
SHA1
e2126005b3b5c34f4f387946631a7d25a7dc8cf1
-
SHA256
17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86
-
SHA512
8945a2ce11fe663c630e5425b3cd1ad90cf3e90a17c6e0f04eefd1d0d9f47890f3647f3c33fadc7962069dd5f258030bf3842f337f433e46071289493ba9eaab
-
SSDEEP
3072:xRU+s6oTaDrFDHZtOgxadeMZCTgDrFDHZtOg:xa+s6QC5tToZM45tT
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekghdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keeeje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmepgce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbpqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpcokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhlqjone.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgioakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggapbcne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdiondb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egonhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blfapfpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dppigchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghbljk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghacfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmlddeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epnhpglg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmdapml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkpglbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imlhebfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gghmmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iocgfhhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmeeepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphgln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhbgbkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfabnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbfbnddq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpafapbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbpkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fplllkdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbchni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojlbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojhafnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajckilei.exe -
Executes dropped EXE 64 IoCs
pid Process 2324 Qnghel32.exe 560 Aebmjo32.exe 2400 Apgagg32.exe 2820 Afdiondb.exe 2772 Akabgebj.exe 2564 Afffenbp.exe 2532 Alqnah32.exe 3060 Aoojnc32.exe 2288 Adlcfjgh.exe 1212 Aoagccfn.exe 1188 Adnpkjde.exe 1660 Bgllgedi.exe 2860 Bdqlajbb.exe 3036 Bjmeiq32.exe 2952 Bdcifi32.exe 2132 Bgaebe32.exe 1288 Bmnnkl32.exe 2404 Bchfhfeh.exe 2900 Bjbndpmd.exe 2104 Bqlfaj32.exe 1304 Bcjcme32.exe 1708 Bfioia32.exe 2200 Bmbgfkje.exe 2260 Coacbfii.exe 1668 Cbppnbhm.exe 1840 Cenljmgq.exe 2312 Cocphf32.exe 2744 Cfmhdpnc.exe 2672 Ckjamgmk.exe 2656 Cnimiblo.exe 2768 Cnimiblo.exe 2540 Cgaaah32.exe 2176 Ckmnbg32.exe 2064 Cnkjnb32.exe 2792 Cjakccop.exe 1920 Cegoqlof.exe 1732 Cgfkmgnj.exe 1960 Dnpciaef.exe 2880 Dmbcen32.exe 632 Dhhhbg32.exe 448 Djfdob32.exe 468 Daplkmbg.exe 1636 Dbaice32.exe 844 Dmgmpnhl.exe 2204 Dbdehdfc.exe 2420 Debadpeg.exe 2304 Dlljaj32.exe 1656 Dokfme32.exe 2284 Dbfbnddq.exe 2844 Deenjpcd.exe 2824 Dlofgj32.exe 2836 Domccejd.exe 2920 Dbiocd32.exe 3064 Eibgpnjk.exe 1548 Elacliin.exe 2044 Eanldqgf.exe 1948 Eeiheo32.exe 1700 Ehhdaj32.exe 1924 Ekfpmf32.exe 2856 Eaphjp32.exe 640 Edoefl32.exe 2884 Ekhmcelc.exe 1360 Emgioakg.exe 932 Epeekmjk.exe -
Loads dropped DLL 64 IoCs
pid Process 2352 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe 2352 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe 2324 Qnghel32.exe 2324 Qnghel32.exe 560 Aebmjo32.exe 560 Aebmjo32.exe 2400 Apgagg32.exe 2400 Apgagg32.exe 2820 Afdiondb.exe 2820 Afdiondb.exe 2772 Akabgebj.exe 2772 Akabgebj.exe 2564 Afffenbp.exe 2564 Afffenbp.exe 2532 Alqnah32.exe 2532 Alqnah32.exe 3060 Aoojnc32.exe 3060 Aoojnc32.exe 2288 Adlcfjgh.exe 2288 Adlcfjgh.exe 1212 Aoagccfn.exe 1212 Aoagccfn.exe 1188 Adnpkjde.exe 1188 Adnpkjde.exe 1660 Bgllgedi.exe 1660 Bgllgedi.exe 2860 Bdqlajbb.exe 2860 Bdqlajbb.exe 3036 Bjmeiq32.exe 3036 Bjmeiq32.exe 2952 Bdcifi32.exe 2952 Bdcifi32.exe 2132 Bgaebe32.exe 2132 Bgaebe32.exe 1288 Bmnnkl32.exe 1288 Bmnnkl32.exe 2404 Bchfhfeh.exe 2404 Bchfhfeh.exe 2900 Bjbndpmd.exe 2900 Bjbndpmd.exe 2104 Bqlfaj32.exe 2104 Bqlfaj32.exe 1304 Bcjcme32.exe 1304 Bcjcme32.exe 1708 Bfioia32.exe 1708 Bfioia32.exe 2200 Bmbgfkje.exe 2200 Bmbgfkje.exe 2260 Coacbfii.exe 2260 Coacbfii.exe 1668 Cbppnbhm.exe 1668 Cbppnbhm.exe 1840 Cenljmgq.exe 1840 Cenljmgq.exe 2312 Cocphf32.exe 2312 Cocphf32.exe 2744 Cfmhdpnc.exe 2744 Cfmhdpnc.exe 2672 Ckjamgmk.exe 2672 Ckjamgmk.exe 2656 Cnimiblo.exe 2656 Cnimiblo.exe 2768 Cnimiblo.exe 2768 Cnimiblo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ihkknn32.dll Flclam32.exe File opened for modification C:\Windows\SysWOW64\Bjbndpmd.exe Bchfhfeh.exe File opened for modification C:\Windows\SysWOW64\Cnkjnb32.exe Ckmnbg32.exe File opened for modification C:\Windows\SysWOW64\Jpgmpk32.exe Jllqplnp.exe File opened for modification C:\Windows\SysWOW64\Omckoi32.exe Onqkclni.exe File created C:\Windows\SysWOW64\Pddjlb32.exe Pmjaohol.exe File opened for modification C:\Windows\SysWOW64\Ggkibhjf.exe Gconbj32.exe File created C:\Windows\SysWOW64\Hfijlo32.dll Bogjaamh.exe File created C:\Windows\SysWOW64\Bqmpdioa.exe Bolcma32.exe File created C:\Windows\SysWOW64\Aiodpjni.dll Jdflqo32.exe File opened for modification C:\Windows\SysWOW64\Jhdegn32.exe Jdhifooi.exe File created C:\Windows\SysWOW64\Kcginj32.exe Kkpqlm32.exe File opened for modification C:\Windows\SysWOW64\Lkicbk32.exe Lcblan32.exe File created C:\Windows\SysWOW64\Aclpaali.exe Alageg32.exe File created C:\Windows\SysWOW64\Bchfhfeh.exe Bmnnkl32.exe File created C:\Windows\SysWOW64\Pbonaedo.dll Hmpaom32.exe File created C:\Windows\SysWOW64\Igebkiof.exe Iegeonpc.exe File created C:\Windows\SysWOW64\Njboon32.dll Ifmocb32.exe File created C:\Windows\SysWOW64\Fcmdnfad.exe Flclam32.exe File created C:\Windows\SysWOW64\Ofkggbgh.dll Jfdhmk32.exe File created C:\Windows\SysWOW64\Laleof32.exe Lkbmbl32.exe File created C:\Windows\SysWOW64\Adnjbnhn.dll Gcgqgd32.exe File opened for modification C:\Windows\SysWOW64\Imgnjb32.exe Ijibng32.exe File created C:\Windows\SysWOW64\Eicpcm32.exe Efedga32.exe File opened for modification C:\Windows\SysWOW64\Fmfocnjg.exe Fkhbgbkc.exe File created C:\Windows\SysWOW64\Nijpdfhm.exe Nflchkii.exe File created C:\Windows\SysWOW64\Kigndekn.exe Kfibhjlj.exe File created C:\Windows\SysWOW64\Lcmklh32.exe Loaokjjg.exe File created C:\Windows\SysWOW64\Bknjfb32.exe Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Dnjoco32.exe File created C:\Windows\SysWOW64\Gocbagqd.dll Efedga32.exe File created C:\Windows\SysWOW64\Hbofmcij.exe Hoqjqhjf.exe File created C:\Windows\SysWOW64\Iediin32.exe Injqmdki.exe File created C:\Windows\SysWOW64\Ilalae32.dll Fahhnn32.exe File opened for modification C:\Windows\SysWOW64\Dmgmpnhl.exe Dbaice32.exe File opened for modification C:\Windows\SysWOW64\Addfkeid.exe Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Aknngo32.exe Agbbgqhh.exe File created C:\Windows\SysWOW64\Fbnbckhg.dll Cfmhdpnc.exe File created C:\Windows\SysWOW64\Aacjid32.dll Gghmmilh.exe File created C:\Windows\SysWOW64\Ongcaafk.dll Dnjoco32.exe File opened for modification C:\Windows\SysWOW64\Lhlqjone.exe Lemdncoa.exe File created C:\Windows\SysWOW64\Kcdlhj32.exe Kpfplo32.exe File opened for modification C:\Windows\SysWOW64\Obgnhkkh.exe Onlahm32.exe File created C:\Windows\SysWOW64\Jjjdhc32.exe Jbclgf32.exe File created C:\Windows\SysWOW64\Jhjikp32.dll Lncfcgeb.exe File created C:\Windows\SysWOW64\Lgljaj32.dll Aahfdihn.exe File created C:\Windows\SysWOW64\Pdnfmn32.dll Khjgel32.exe File opened for modification C:\Windows\SysWOW64\Dbaice32.exe Daplkmbg.exe File created C:\Windows\SysWOW64\Gjdldd32.exe Gkalhgfd.exe File created C:\Windows\SysWOW64\Lkdjglfo.exe Lhfnkqgk.exe File created C:\Windows\SysWOW64\Dngjbb32.dll Ekkjheja.exe File created C:\Windows\SysWOW64\Mhjcec32.exe Mflgih32.exe File created C:\Windows\SysWOW64\Jjhgbd32.exe Jfmkbebl.exe File created C:\Windows\SysWOW64\Ccqhkcib.dll Ggagmjbq.exe File opened for modification C:\Windows\SysWOW64\Kdmban32.exe Kpafapbk.exe File opened for modification C:\Windows\SysWOW64\Ehpcehcj.exe Eeagimdf.exe File created C:\Windows\SysWOW64\Ofglaipf.dll Mbqkiind.exe File opened for modification C:\Windows\SysWOW64\Nggggoda.exe Nppofado.exe File created C:\Windows\SysWOW64\Boemlbpk.exe Blfapfpg.exe File created C:\Windows\SysWOW64\Fnibcd32.exe Flhflleb.exe File opened for modification C:\Windows\SysWOW64\Lhhkapeh.exe Lanbdf32.exe File created C:\Windows\SysWOW64\Ojbbmnhc.exe Oiafee32.exe File created C:\Windows\SysWOW64\Dijdkh32.dll Eakhdj32.exe File opened for modification C:\Windows\SysWOW64\Kjeglh32.exe Klcgpkhh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5724 6008 WerFault.exe 581 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlilqbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdompf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domccejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeeepjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpdbohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkhjgeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elibpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmnnkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kindeddf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famaimfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckilei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegeonpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibgpnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaohol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncmcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeclg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imlhebfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdflqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldahkaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfebnmcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinhdmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhdpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnkoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdegn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfocnjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqhpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfgnnhkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhqmadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenhopmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deenjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhifooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkocg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpafapbk.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnnlocgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgmdapml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmkcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcpacf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll" Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" Hjfnnajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkknn32.dll" Flclam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdecea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekkjheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdhoc32.dll" Nlilqbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll" Lplbjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acnlgajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpgfeao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll" Cocphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnimiblo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojbbmnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohindnd.dll" Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbfilffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhgdb32.dll" Lhfnkqgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hofngkga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkkmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiflohqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkeohhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmehhn32.dll" Ccbbachm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgoff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifpcchai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncpdbohb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piabdiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijdkh32.dll" Eakhdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpifm32.dll" Ieibdnnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emgioakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqodqodl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpnladjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iogpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeeijod.dll" Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddblcik.dll" Ccgklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngjbb32.dll" Ekkjheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnlno32.dll" Gnnlocgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paaddgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjejkao.dll" Legaoehg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2324 2352 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe 31 PID 2352 wrote to memory of 2324 2352 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe 31 PID 2352 wrote to memory of 2324 2352 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe 31 PID 2352 wrote to memory of 2324 2352 17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe 31 PID 2324 wrote to memory of 560 2324 Qnghel32.exe 32 PID 2324 wrote to memory of 560 2324 Qnghel32.exe 32 PID 2324 wrote to memory of 560 2324 Qnghel32.exe 32 PID 2324 wrote to memory of 560 2324 Qnghel32.exe 32 PID 560 wrote to memory of 2400 560 Aebmjo32.exe 33 PID 560 wrote to memory of 2400 560 Aebmjo32.exe 33 PID 560 wrote to memory of 2400 560 Aebmjo32.exe 33 PID 560 wrote to memory of 2400 560 Aebmjo32.exe 33 PID 2400 wrote to memory of 2820 2400 Apgagg32.exe 34 PID 2400 wrote to memory of 2820 2400 Apgagg32.exe 34 PID 2400 wrote to memory of 2820 2400 Apgagg32.exe 34 PID 2400 wrote to memory of 2820 2400 Apgagg32.exe 34 PID 2820 wrote to memory of 2772 2820 Afdiondb.exe 35 PID 2820 wrote to memory of 2772 2820 Afdiondb.exe 35 PID 2820 wrote to memory of 2772 2820 Afdiondb.exe 35 PID 2820 wrote to memory of 2772 2820 Afdiondb.exe 35 PID 2772 wrote to memory of 2564 2772 Akabgebj.exe 36 PID 2772 wrote to memory of 2564 2772 Akabgebj.exe 36 PID 2772 wrote to memory of 2564 2772 Akabgebj.exe 36 PID 2772 wrote to memory of 2564 2772 Akabgebj.exe 36 PID 2564 wrote to memory of 2532 2564 Afffenbp.exe 37 PID 2564 wrote to memory of 2532 2564 Afffenbp.exe 37 PID 2564 wrote to memory of 2532 2564 Afffenbp.exe 37 PID 2564 wrote to memory of 2532 2564 Afffenbp.exe 37 PID 2532 wrote to memory of 3060 2532 Alqnah32.exe 38 PID 2532 wrote to memory of 3060 2532 Alqnah32.exe 38 PID 2532 wrote to memory of 3060 2532 Alqnah32.exe 38 PID 2532 wrote to memory of 3060 2532 Alqnah32.exe 38 PID 3060 wrote to memory of 2288 3060 Aoojnc32.exe 39 PID 3060 wrote to memory of 2288 3060 Aoojnc32.exe 39 PID 3060 wrote to memory of 2288 3060 Aoojnc32.exe 39 PID 3060 wrote to memory of 2288 3060 Aoojnc32.exe 39 PID 2288 wrote to memory of 1212 2288 Adlcfjgh.exe 40 PID 2288 wrote to memory of 1212 2288 Adlcfjgh.exe 40 PID 2288 wrote to memory of 1212 2288 Adlcfjgh.exe 40 PID 2288 wrote to memory of 1212 2288 Adlcfjgh.exe 40 PID 1212 wrote to memory of 1188 1212 Aoagccfn.exe 41 PID 1212 wrote to memory of 1188 1212 Aoagccfn.exe 41 PID 1212 wrote to memory of 1188 1212 Aoagccfn.exe 41 PID 1212 wrote to memory of 1188 1212 Aoagccfn.exe 41 PID 1188 wrote to memory of 1660 1188 Adnpkjde.exe 42 PID 1188 wrote to memory of 1660 1188 Adnpkjde.exe 42 PID 1188 wrote to memory of 1660 1188 Adnpkjde.exe 42 PID 1188 wrote to memory of 1660 1188 Adnpkjde.exe 42 PID 1660 wrote to memory of 2860 1660 Bgllgedi.exe 43 PID 1660 wrote to memory of 2860 1660 Bgllgedi.exe 43 PID 1660 wrote to memory of 2860 1660 Bgllgedi.exe 43 PID 1660 wrote to memory of 2860 1660 Bgllgedi.exe 43 PID 2860 wrote to memory of 3036 2860 Bdqlajbb.exe 44 PID 2860 wrote to memory of 3036 2860 Bdqlajbb.exe 44 PID 2860 wrote to memory of 3036 2860 Bdqlajbb.exe 44 PID 2860 wrote to memory of 3036 2860 Bdqlajbb.exe 44 PID 3036 wrote to memory of 2952 3036 Bjmeiq32.exe 45 PID 3036 wrote to memory of 2952 3036 Bjmeiq32.exe 45 PID 3036 wrote to memory of 2952 3036 Bjmeiq32.exe 45 PID 3036 wrote to memory of 2952 3036 Bjmeiq32.exe 45 PID 2952 wrote to memory of 2132 2952 Bdcifi32.exe 46 PID 2952 wrote to memory of 2132 2952 Bdcifi32.exe 46 PID 2952 wrote to memory of 2132 2952 Bdcifi32.exe 46 PID 2952 wrote to memory of 2132 2952 Bdcifi32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe"C:\Users\Admin\AppData\Local\Temp\17e1111f1aaa6a2bd25319d744cd5bf860f1802ff5c3d76b4d1cf87006ab0c86.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Qnghel32.exeC:\Windows\system32\Qnghel32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Apgagg32.exeC:\Windows\system32\Apgagg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Akabgebj.exeC:\Windows\system32\Akabgebj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Bjmeiq32.exeC:\Windows\system32\Bjmeiq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2656 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Cnkjnb32.exeC:\Windows\system32\Cnkjnb32.exe35⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe36⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe38⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe39⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe40⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe41⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe42⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:468 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe45⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe46⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe47⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe48⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe49⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe52⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe54⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe56⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe57⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe58⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe60⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe62⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe63⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Epeekmjk.exeC:\Windows\system32\Epeekmjk.exe65⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:816 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe68⤵PID:896
-
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe69⤵PID:2264
-
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe70⤵PID:2740
-
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe71⤵PID:2576
-
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe72⤵PID:2596
-
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe73⤵PID:2388
-
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe74⤵PID:1228
-
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:676 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe76⤵PID:1576
-
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe77⤵PID:2868
-
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe78⤵PID:1880
-
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe80⤵PID:1768
-
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe81⤵PID:1452
-
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe82⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe83⤵PID:1744
-
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe84⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe85⤵PID:2848
-
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe86⤵
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe87⤵PID:1564
-
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe88⤵PID:2360
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe89⤵PID:1412
-
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe90⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe91⤵
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe92⤵PID:840
-
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:872 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe94⤵PID:1192
-
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe95⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe96⤵PID:1352
-
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe97⤵PID:2248
-
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe98⤵
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe99⤵PID:1876
-
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe100⤵
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1436 -
C:\Windows\SysWOW64\Gfkmie32.exeC:\Windows\system32\Gfkmie32.exe102⤵PID:1828
-
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe103⤵PID:2904
-
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe105⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe107⤵PID:1844
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe108⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe109⤵PID:2696
-
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe110⤵PID:2776
-
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe111⤵PID:1648
-
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe112⤵PID:2120
-
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe113⤵PID:1052
-
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe114⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe115⤵PID:1392
-
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe116⤵PID:1724
-
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe117⤵PID:2372
-
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe118⤵PID:2732
-
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe119⤵PID:788
-
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe120⤵PID:2660
-
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe121⤵PID:2364
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-