Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
10/08/2024, 02:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe
-
Size
78KB
-
MD5
b60f4562d072b299876fc8e2dff46654
-
SHA1
68033e91fbc59a6dc20f04445662416b240a7835
-
SHA256
be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361
-
SHA512
2e8492edc4b8975bbcc5e7e3a597672bdca602fe65c395e85ef4fd6e64e0ac917faf8317df56ec8519b928ea83cc52a3f093376f15e6c370283ebe2348129558
-
SSDEEP
1536:as3Qpww4lp1JIy2ri7vLfMbXWRAqOn0w4B8mkIggsJVHcbns:aCTw4jP8rUvLesAJ0xB8mogsDes
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebckmaec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhdgdmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedehaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknafhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceogcfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injqmdki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikldqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icifjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdhefpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggapbcne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdkpiik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfoaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbpkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdkjmip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kambcbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjedmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deondj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gglbfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdphjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efljhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbpkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmdin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdkef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhbgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghgfekpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjkle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injqmdki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafoikjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebckmaec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcekfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfaeme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmiag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnkdmec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipmhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocpbfei.exe -
Executes dropped EXE 64 IoCs
pid Process 2764 Bhonjg32.exe 2572 Boifga32.exe 2924 Bfcodkcb.exe 2568 Bhbkpgbf.exe 2076 Bolcma32.exe 1620 Bhdhefpc.exe 2320 Bjedmo32.exe 2804 Bdkhjgeh.exe 2832 Cgidfcdk.exe 2964 Cdmepgce.exe 1240 Cfoaho32.exe 1308 Cqdfehii.exe 2156 Ccbbachm.exe 2364 Cceogcfj.exe 2960 Cfckcoen.exe 944 Ckpckece.exe 3008 Cbjlhpkb.exe 2100 Cfehhn32.exe 1768 Cehhdkjf.exe 2468 Cmppehkh.exe 1984 Ckbpqe32.exe 2416 Dgiaefgg.exe 1968 Dncibp32.exe 2472 Dlgjldnm.exe 2716 Dadbdkld.exe 2868 Deondj32.exe 2644 Dnhbmpkn.exe 2388 Dafoikjb.exe 2812 Dcdkef32.exe 2404 Dnjoco32.exe 2500 Dahkok32.exe 2912 Dpklkgoj.exe 860 Eicpcm32.exe 2800 Eakhdj32.exe 2036 Efhqmadd.exe 600 Eldiehbk.exe 1772 Eppefg32.exe 2652 Edlafebn.exe 3068 Eemnnn32.exe 1612 Emdeok32.exe 920 Epbbkf32.exe 2152 Eoebgcol.exe 1720 Efljhq32.exe 1524 Eikfdl32.exe 2192 Elibpg32.exe 2512 Eogolc32.exe 2172 Ebckmaec.exe 1496 Eeagimdf.exe 1680 Eimcjl32.exe 2860 Elkofg32.exe 2748 Eojlbb32.exe 2600 Fahhnn32.exe 2664 Feddombd.exe 1748 Fhbpkh32.exe 2952 Flnlkgjq.exe 1852 Folhgbid.exe 328 Fmohco32.exe 1048 Fefqdl32.exe 2176 Fhdmph32.exe 1164 Fkcilc32.exe 2260 Fmaeho32.exe 3036 Fppaej32.exe 960 Fdkmeiei.exe 1664 Fkefbcmf.exe -
Loads dropped DLL 64 IoCs
pid Process 280 be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe 280 be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe 2764 Bhonjg32.exe 2764 Bhonjg32.exe 2572 Boifga32.exe 2572 Boifga32.exe 2924 Bfcodkcb.exe 2924 Bfcodkcb.exe 2568 Bhbkpgbf.exe 2568 Bhbkpgbf.exe 2076 Bolcma32.exe 2076 Bolcma32.exe 1620 Bhdhefpc.exe 1620 Bhdhefpc.exe 2320 Bjedmo32.exe 2320 Bjedmo32.exe 2804 Bdkhjgeh.exe 2804 Bdkhjgeh.exe 2832 Cgidfcdk.exe 2832 Cgidfcdk.exe 2964 Cdmepgce.exe 2964 Cdmepgce.exe 1240 Cfoaho32.exe 1240 Cfoaho32.exe 1308 Cqdfehii.exe 1308 Cqdfehii.exe 2156 Ccbbachm.exe 2156 Ccbbachm.exe 2364 Cceogcfj.exe 2364 Cceogcfj.exe 2960 Cfckcoen.exe 2960 Cfckcoen.exe 944 Ckpckece.exe 944 Ckpckece.exe 3008 Cbjlhpkb.exe 3008 Cbjlhpkb.exe 2100 Cfehhn32.exe 2100 Cfehhn32.exe 1768 Cehhdkjf.exe 1768 Cehhdkjf.exe 2468 Cmppehkh.exe 2468 Cmppehkh.exe 1984 Ckbpqe32.exe 1984 Ckbpqe32.exe 2416 Dgiaefgg.exe 2416 Dgiaefgg.exe 1968 Dncibp32.exe 1968 Dncibp32.exe 2472 Dlgjldnm.exe 2472 Dlgjldnm.exe 2716 Dadbdkld.exe 2716 Dadbdkld.exe 2868 Deondj32.exe 2868 Deondj32.exe 2644 Dnhbmpkn.exe 2644 Dnhbmpkn.exe 2388 Dafoikjb.exe 2388 Dafoikjb.exe 2812 Dcdkef32.exe 2812 Dcdkef32.exe 2404 Dnjoco32.exe 2404 Dnjoco32.exe 2500 Dahkok32.exe 2500 Dahkok32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gkcekfad.exe Ghdiokbq.exe File opened for modification C:\Windows\SysWOW64\Hjfnnajl.exe Hbofmcij.exe File created C:\Windows\SysWOW64\Mgqbajfj.dll Ikldqile.exe File opened for modification C:\Windows\SysWOW64\Kablnadm.exe Kocpbfei.exe File opened for modification C:\Windows\SysWOW64\Cceogcfj.exe Ccbbachm.exe File opened for modification C:\Windows\SysWOW64\Dgiaefgg.exe Ckbpqe32.exe File created C:\Windows\SysWOW64\Feddombd.exe Fahhnn32.exe File created C:\Windows\SysWOW64\Bhbkpgbf.exe Bfcodkcb.exe File created C:\Windows\SysWOW64\Iampng32.dll Eemnnn32.exe File created C:\Windows\SysWOW64\Fdkmeiei.exe Fppaej32.exe File opened for modification C:\Windows\SysWOW64\Hqiqjlga.exe Hmmdin32.exe File opened for modification C:\Windows\SysWOW64\Hnmacpfj.exe Hqiqjlga.exe File opened for modification C:\Windows\SysWOW64\Ckbpqe32.exe Cmppehkh.exe File opened for modification C:\Windows\SysWOW64\Eicpcm32.exe Dpklkgoj.exe File created C:\Windows\SysWOW64\Nmogcf32.dll Hhkopj32.exe File opened for modification C:\Windows\SysWOW64\Gglbfg32.exe Ghibjjnk.exe File created C:\Windows\SysWOW64\Inhdgdmk.exe Ioeclg32.exe File opened for modification C:\Windows\SysWOW64\Jmdgipkk.exe Jnagmc32.exe File created C:\Windows\SysWOW64\Pbpifm32.dll Iclbpj32.exe File created C:\Windows\SysWOW64\Phblkn32.dll Khnapkjg.exe File created C:\Windows\SysWOW64\Cfoaho32.exe Cdmepgce.exe File opened for modification C:\Windows\SysWOW64\Eogolc32.exe Elibpg32.exe File created C:\Windows\SysWOW64\Kbclpfop.dll Igebkiof.exe File opened for modification C:\Windows\SysWOW64\Eeagimdf.exe Ebckmaec.exe File opened for modification C:\Windows\SysWOW64\Elkofg32.exe Eimcjl32.exe File created C:\Windows\SysWOW64\Dfggnkoj.dll Fmaeho32.exe File created C:\Windows\SysWOW64\Moibemdg.dll Ggapbcne.exe File opened for modification C:\Windows\SysWOW64\Ghibjjnk.exe Gekfnoog.exe File opened for modification C:\Windows\SysWOW64\Boifga32.exe Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Bhbkpgbf.exe Bfcodkcb.exe File opened for modification C:\Windows\SysWOW64\Epbbkf32.exe Emdeok32.exe File opened for modification C:\Windows\SysWOW64\Jpjifjdg.exe Jmkmjoec.exe File opened for modification C:\Windows\SysWOW64\Inojhc32.exe Igebkiof.exe File created C:\Windows\SysWOW64\Jmdgipkk.exe Jnagmc32.exe File opened for modification C:\Windows\SysWOW64\Dcdkef32.exe Dafoikjb.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Eikfdl32.exe File opened for modification C:\Windows\SysWOW64\Gojhafnb.exe Gpggei32.exe File created C:\Windows\SysWOW64\Kdphjm32.exe Kablnadm.exe File opened for modification C:\Windows\SysWOW64\Kkojbf32.exe Kbhbai32.exe File opened for modification C:\Windows\SysWOW64\Dafoikjb.exe Dnhbmpkn.exe File created C:\Windows\SysWOW64\Dcdkef32.exe Dafoikjb.exe File created C:\Windows\SysWOW64\Hnhgha32.exe Hkjkle32.exe File created C:\Windows\SysWOW64\Ghdiokbq.exe Gefmcp32.exe File created C:\Windows\SysWOW64\Hqhepmkh.dll Gonale32.exe File created C:\Windows\SysWOW64\Hmmdin32.exe Hjohmbpd.exe File created C:\Windows\SysWOW64\Inojhc32.exe Igebkiof.exe File created C:\Windows\SysWOW64\Iffhohhi.dll Fefqdl32.exe File created C:\Windows\SysWOW64\Fihfnp32.exe Fkefbcmf.exe File created C:\Windows\SysWOW64\Feachqgb.exe Fgocmc32.exe File created C:\Windows\SysWOW64\Aaqbpk32.dll Jllqplnp.exe File created C:\Windows\SysWOW64\Ebenek32.dll Jmkmjoec.exe File created C:\Windows\SysWOW64\Pofhpf32.dll Cfehhn32.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Edlafebn.exe File opened for modification C:\Windows\SysWOW64\Gefmcp32.exe Goldfelp.exe File created C:\Windows\SysWOW64\Fkpeem32.dll Glbaei32.exe File opened for modification C:\Windows\SysWOW64\Ibfmmb32.exe Injqmdki.exe File created C:\Windows\SysWOW64\Jgjkfi32.exe Jpbcek32.exe File created C:\Windows\SysWOW64\Nlqmdnof.dll Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Fpdkpiik.exe File created C:\Windows\SysWOW64\Gicaikhj.dll Fpdkpiik.exe File created C:\Windows\SysWOW64\Fkhbgbkc.exe Fcqjfeja.exe File created C:\Windows\SysWOW64\Hjleia32.dll Fmfocnjg.exe File created C:\Windows\SysWOW64\Keclgbfi.dll Gmhkin32.exe File created C:\Windows\SysWOW64\Giolnomh.exe Ggapbcne.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3688 3664 WerFault.exe 221 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folhgbid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqiqjlga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcciqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbpqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdkpiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldiehbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elibpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefmcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kambcbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khnapkjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhdgdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdgipkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifbdnbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieibdnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpklkgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icncgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceogcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbkpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafoikjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakino32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbbkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injqmdki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmppehkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipejmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kablnadm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkmeiei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmipdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdkjmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmimcbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjedmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpckece.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapohbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhonjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjlhpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmklbll.dll" Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Folhgbid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhohnoea.dll" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghibjjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjjdhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll" Kdphjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobgmfjh.dll" Ieibdnnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkefbcmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll" Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll" Kjeglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kadica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlgjldnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghgfekpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egldgl32.dll" Boifga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njboon32.dll" Ibacbcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffhohhi.dll" Fefqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll" Hifbdnbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kipmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmblbf32.dll" Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhcghdk.dll" Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdck32.dll" Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfoaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbnjjkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpijbip.dll" Fijbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licpomcb.dll" Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkhbgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll" Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjgpkif.dll" Cfoaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmppehkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" Hjfnnajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imbjcpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cceogcfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nidjhoea.dll" Fhdmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmaeho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdkpiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflfedag.dll" Hklhae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokggo32.dll" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogcf32.dll" Hhkopj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifbdnbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jefbnacn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmkihbho.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 280 wrote to memory of 2764 280 be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe 30 PID 280 wrote to memory of 2764 280 be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe 30 PID 280 wrote to memory of 2764 280 be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe 30 PID 280 wrote to memory of 2764 280 be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe 30 PID 2764 wrote to memory of 2572 2764 Bhonjg32.exe 31 PID 2764 wrote to memory of 2572 2764 Bhonjg32.exe 31 PID 2764 wrote to memory of 2572 2764 Bhonjg32.exe 31 PID 2764 wrote to memory of 2572 2764 Bhonjg32.exe 31 PID 2572 wrote to memory of 2924 2572 Boifga32.exe 32 PID 2572 wrote to memory of 2924 2572 Boifga32.exe 32 PID 2572 wrote to memory of 2924 2572 Boifga32.exe 32 PID 2572 wrote to memory of 2924 2572 Boifga32.exe 32 PID 2924 wrote to memory of 2568 2924 Bfcodkcb.exe 33 PID 2924 wrote to memory of 2568 2924 Bfcodkcb.exe 33 PID 2924 wrote to memory of 2568 2924 Bfcodkcb.exe 33 PID 2924 wrote to memory of 2568 2924 Bfcodkcb.exe 33 PID 2568 wrote to memory of 2076 2568 Bhbkpgbf.exe 34 PID 2568 wrote to memory of 2076 2568 Bhbkpgbf.exe 34 PID 2568 wrote to memory of 2076 2568 Bhbkpgbf.exe 34 PID 2568 wrote to memory of 2076 2568 Bhbkpgbf.exe 34 PID 2076 wrote to memory of 1620 2076 Bolcma32.exe 35 PID 2076 wrote to memory of 1620 2076 Bolcma32.exe 35 PID 2076 wrote to memory of 1620 2076 Bolcma32.exe 35 PID 2076 wrote to memory of 1620 2076 Bolcma32.exe 35 PID 1620 wrote to memory of 2320 1620 Bhdhefpc.exe 36 PID 1620 wrote to memory of 2320 1620 Bhdhefpc.exe 36 PID 1620 wrote to memory of 2320 1620 Bhdhefpc.exe 36 PID 1620 wrote to memory of 2320 1620 Bhdhefpc.exe 36 PID 2320 wrote to memory of 2804 2320 Bjedmo32.exe 37 PID 2320 wrote to memory of 2804 2320 Bjedmo32.exe 37 PID 2320 wrote to memory of 2804 2320 Bjedmo32.exe 37 PID 2320 wrote to memory of 2804 2320 Bjedmo32.exe 37 PID 2804 wrote to memory of 2832 2804 Bdkhjgeh.exe 38 PID 2804 wrote to memory of 2832 2804 Bdkhjgeh.exe 38 PID 2804 wrote to memory of 2832 2804 Bdkhjgeh.exe 38 PID 2804 wrote to memory of 2832 2804 Bdkhjgeh.exe 38 PID 2832 wrote to memory of 2964 2832 Cgidfcdk.exe 39 PID 2832 wrote to memory of 2964 2832 Cgidfcdk.exe 39 PID 2832 wrote to memory of 2964 2832 Cgidfcdk.exe 39 PID 2832 wrote to memory of 2964 2832 Cgidfcdk.exe 39 PID 2964 wrote to memory of 1240 2964 Cdmepgce.exe 40 PID 2964 wrote to memory of 1240 2964 Cdmepgce.exe 40 PID 2964 wrote to memory of 1240 2964 Cdmepgce.exe 40 PID 2964 wrote to memory of 1240 2964 Cdmepgce.exe 40 PID 1240 wrote to memory of 1308 1240 Cfoaho32.exe 41 PID 1240 wrote to memory of 1308 1240 Cfoaho32.exe 41 PID 1240 wrote to memory of 1308 1240 Cfoaho32.exe 41 PID 1240 wrote to memory of 1308 1240 Cfoaho32.exe 41 PID 1308 wrote to memory of 2156 1308 Cqdfehii.exe 42 PID 1308 wrote to memory of 2156 1308 Cqdfehii.exe 42 PID 1308 wrote to memory of 2156 1308 Cqdfehii.exe 42 PID 1308 wrote to memory of 2156 1308 Cqdfehii.exe 42 PID 2156 wrote to memory of 2364 2156 Ccbbachm.exe 43 PID 2156 wrote to memory of 2364 2156 Ccbbachm.exe 43 PID 2156 wrote to memory of 2364 2156 Ccbbachm.exe 43 PID 2156 wrote to memory of 2364 2156 Ccbbachm.exe 43 PID 2364 wrote to memory of 2960 2364 Cceogcfj.exe 44 PID 2364 wrote to memory of 2960 2364 Cceogcfj.exe 44 PID 2364 wrote to memory of 2960 2364 Cceogcfj.exe 44 PID 2364 wrote to memory of 2960 2364 Cceogcfj.exe 44 PID 2960 wrote to memory of 944 2960 Cfckcoen.exe 45 PID 2960 wrote to memory of 944 2960 Cfckcoen.exe 45 PID 2960 wrote to memory of 944 2960 Cfckcoen.exe 45 PID 2960 wrote to memory of 944 2960 Cfckcoen.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe"C:\Users\Admin\AppData\Local\Temp\be8cac54754b1ff1f113f38e429a65c526ec9258016b22f7f177aa85b0082361.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Boifga32.exeC:\Windows\system32\Boifga32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Bhbkpgbf.exeC:\Windows\system32\Bhbkpgbf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Bolcma32.exeC:\Windows\system32\Bolcma32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Bhdhefpc.exeC:\Windows\system32\Bhdhefpc.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Bdkhjgeh.exeC:\Windows\system32\Bdkhjgeh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Cgidfcdk.exeC:\Windows\system32\Cgidfcdk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Ccbbachm.exeC:\Windows\system32\Ccbbachm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Cfckcoen.exeC:\Windows\system32\Cfckcoen.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Ckpckece.exeC:\Windows\system32\Ckpckece.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Ckbpqe32.exeC:\Windows\system32\Ckbpqe32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Dncibp32.exeC:\Windows\system32\Dncibp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Dlgjldnm.exeC:\Windows\system32\Dlgjldnm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Dadbdkld.exeC:\Windows\system32\Dadbdkld.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Deondj32.exeC:\Windows\system32\Deondj32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Dnhbmpkn.exeC:\Windows\system32\Dnhbmpkn.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe35⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Efhqmadd.exeC:\Windows\system32\Efhqmadd.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Eppefg32.exeC:\Windows\system32\Eppefg32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Edlafebn.exeC:\Windows\system32\Edlafebn.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Eemnnn32.exeC:\Windows\system32\Eemnnn32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Epbbkf32.exeC:\Windows\system32\Epbbkf32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Eoebgcol.exeC:\Windows\system32\Eoebgcol.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Efljhq32.exeC:\Windows\system32\Efljhq32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Eikfdl32.exeC:\Windows\system32\Eikfdl32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Ebckmaec.exeC:\Windows\system32\Ebckmaec.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe49⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Elkofg32.exeC:\Windows\system32\Elkofg32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Eojlbb32.exeC:\Windows\system32\Eojlbb32.exe52⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Feddombd.exeC:\Windows\system32\Feddombd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Fhbpkh32.exeC:\Windows\system32\Fhbpkh32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Flnlkgjq.exeC:\Windows\system32\Flnlkgjq.exe56⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Folhgbid.exeC:\Windows\system32\Folhgbid.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Fmohco32.exeC:\Windows\system32\Fmohco32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:328 -
C:\Windows\SysWOW64\Fefqdl32.exeC:\Windows\system32\Fefqdl32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Fhdmph32.exeC:\Windows\system32\Fhdmph32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Fmaeho32.exeC:\Windows\system32\Fmaeho32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Fppaej32.exeC:\Windows\system32\Fppaej32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Fdkmeiei.exeC:\Windows\system32\Fdkmeiei.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1096 -
C:\Windows\SysWOW64\Faonom32.exeC:\Windows\system32\Faonom32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe69⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Fijbco32.exeC:\Windows\system32\Fijbco32.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe72⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Fpdkpiik.exeC:\Windows\system32\Fpdkpiik.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Fgocmc32.exeC:\Windows\system32\Fgocmc32.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1336 -
C:\Windows\SysWOW64\Feachqgb.exeC:\Windows\system32\Feachqgb.exe75⤵PID:2616
-
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Gpggei32.exeC:\Windows\system32\Gpggei32.exe77⤵
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Gojhafnb.exeC:\Windows\system32\Gojhafnb.exe78⤵PID:2928
-
C:\Windows\SysWOW64\Ggapbcne.exeC:\Windows\system32\Ggapbcne.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Giolnomh.exeC:\Windows\system32\Giolnomh.exe80⤵PID:2116
-
C:\Windows\SysWOW64\Glnhjjml.exeC:\Windows\system32\Glnhjjml.exe81⤵PID:408
-
C:\Windows\SysWOW64\Goldfelp.exeC:\Windows\system32\Goldfelp.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Gefmcp32.exeC:\Windows\system32\Gefmcp32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Windows\SysWOW64\Ghdiokbq.exeC:\Windows\system32\Ghdiokbq.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Gkcekfad.exeC:\Windows\system32\Gkcekfad.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1816 -
C:\Windows\SysWOW64\Gonale32.exeC:\Windows\system32\Gonale32.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Gamnhq32.exeC:\Windows\system32\Gamnhq32.exe87⤵PID:352
-
C:\Windows\SysWOW64\Gehiioaj.exeC:\Windows\system32\Gehiioaj.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Ghgfekpn.exeC:\Windows\system32\Ghgfekpn.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe90⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Goqnae32.exeC:\Windows\system32\Goqnae32.exe91⤵PID:2096
-
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe92⤵PID:1148
-
C:\Windows\SysWOW64\Gekfnoog.exeC:\Windows\system32\Gekfnoog.exe93⤵
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Gglbfg32.exeC:\Windows\system32\Gglbfg32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2020 -
C:\Windows\SysWOW64\Gkgoff32.exeC:\Windows\system32\Gkgoff32.exe96⤵PID:2452
-
C:\Windows\SysWOW64\Gaagcpdl.exeC:\Windows\system32\Gaagcpdl.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe98⤵PID:3064
-
C:\Windows\SysWOW64\Hhkopj32.exeC:\Windows\system32\Hhkopj32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Hnhgha32.exeC:\Windows\system32\Hnhgha32.exe101⤵PID:912
-
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe102⤵PID:1312
-
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe103⤵PID:1952
-
C:\Windows\SysWOW64\Hklhae32.exeC:\Windows\system32\Hklhae32.exe104⤵
- Modifies registry class
PID:1128 -
C:\Windows\SysWOW64\Hjohmbpd.exeC:\Windows\system32\Hjohmbpd.exe105⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Hnmacpfj.exeC:\Windows\system32\Hnmacpfj.exe108⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Hmpaom32.exeC:\Windows\system32\Hmpaom32.exe109⤵PID:2940
-
C:\Windows\SysWOW64\Honnki32.exeC:\Windows\system32\Honnki32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Hcjilgdb.exeC:\Windows\system32\Hcjilgdb.exe111⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Hjcaha32.exeC:\Windows\system32\Hjcaha32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Hifbdnbi.exeC:\Windows\system32\Hifbdnbi.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Hqnjek32.exeC:\Windows\system32\Hqnjek32.exe114⤵PID:2396
-
C:\Windows\SysWOW64\Hoqjqhjf.exeC:\Windows\system32\Hoqjqhjf.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Hbofmcij.exeC:\Windows\system32\Hbofmcij.exe116⤵
- Drops file in System32 directory
PID:1120 -
C:\Windows\SysWOW64\Hjfnnajl.exeC:\Windows\system32\Hjfnnajl.exe117⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Ikgkei32.exeC:\Windows\system32\Ikgkei32.exe119⤵PID:2936
-
C:\Windows\SysWOW64\Icncgf32.exeC:\Windows\system32\Icncgf32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Ibacbcgg.exeC:\Windows\system32\Ibacbcgg.exe121⤵
- Modifies registry class
PID:1808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-