Analysis
max time kernel: 73s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20-08-2024 15:00
Static task: static1

Behavioral task: behavioral1
Sample: 228febe9ed7f80b9388e438745e5a4c0N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 228febe9ed7f80b9388e438745e5a4c0N.exe
Resource: win10v2004-20240802-en
General
Target: 228febe9ed7f80b9388e438745e5a4c0N.exe
Size: 368KB
MD5: 228febe9ed7f80b9388e438745e5a4c0
SHA1: 9022b8e8fbb85fae3104b7f3eca641f2bfd9a4d4
SHA256: d2a6111782d692ee7e38d3e85c44f1e36e8f806c1b4a27019670ff1f9934528f
SHA512: fe382a6036fb9866b44b6156096db00325f3bf402d5e4f31c616c1c6f3b2b8f17d1b31549178e6f49fb0b6dbd0c413a7af7ab99b1e4d3785a710fe31dd43853f
SSDEEP: 6144:CeypKo3391blTjZXvEQo9dfJBEdKFckUQ/4TIHD4xutM3VOEIuV5t6R+0I/Vzogc:CrQs93T9XvEhdfJkKSkU3kHyuaRB5t6J
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2812, pid_target: 2028, Process: Process not Found, procid_target: 1335
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2796 2092 228febe9ed7f80b9388e438745e5a4c0N.exe 30 PID 2092 wrote to memory of 2796 2092 228febe9ed7f80b9388e438745e5a4c0N.exe 30 PID 2092 wrote to memory of 2796 2092 228febe9ed7f80b9388e438745e5a4c0N.exe 30 PID 2092 wrote to memory of 2796 2092 228febe9ed7f80b9388e438745e5a4c0N.exe 30 PID 2796 wrote to memory of 2836 2796 Ghmkjedk.exe 31 PID 2796 wrote to memory of 2836 2796 Ghmkjedk.exe 31 PID 2796 wrote to memory of 2836 2796 Ghmkjedk.exe 31 PID 2796 wrote to memory of 2836 2796 Ghmkjedk.exe 31 PID 2836 wrote to memory of 2788 2836 Gngcgp32.exe 32 PID 2836 wrote to memory of 2788 2836 Gngcgp32.exe 32 PID 2836 wrote to memory of 2788 2836 Gngcgp32.exe 32 PID 2836 wrote to memory of 2788 2836 Gngcgp32.exe 32 PID 2788 wrote to memory of 2840 2788 Hafock32.exe 33 PID 2788 wrote to memory of 2840 2788 Hafock32.exe 33 PID 2788 wrote to memory of 2840 2788 Hafock32.exe 33 PID 2788 wrote to memory of 2840 2788 Hafock32.exe 33 PID 2840 wrote to memory of 2996 2840 Hhpgpebh.exe 34 PID 2840 wrote to memory of 2996 2840 Hhpgpebh.exe 34 PID 2840 wrote to memory of 2996 2840 Hhpgpebh.exe 34 PID 2840 wrote to memory of 2996 2840 Hhpgpebh.exe 34 PID 2996 wrote to memory of 1772 2996 Hnjplo32.exe 35 PID 2996 wrote to memory of 1772 2996 Hnjplo32.exe 35 PID 2996 wrote to memory of 1772 2996 Hnjplo32.exe 35 PID 2996 wrote to memory of 1772 2996 Hnjplo32.exe 35 PID 1772 wrote to memory of 1292 1772 Hjcmgp32.exe 36 PID 1772 wrote to memory of 1292 1772 Hjcmgp32.exe 36 PID 1772 wrote to memory of 1292 1772 Hjcmgp32.exe 36 PID 1772 wrote to memory of 1292 1772 Hjcmgp32.exe 36 PID 1292 wrote to memory of 708 1292 Hldjnhce.exe 37 PID 1292 wrote to memory of 708 1292 Hldjnhce.exe 37 PID 1292 wrote to memory of 708 1292 Hldjnhce.exe 37 PID 1292 wrote to memory of 708 1292 Hldjnhce.exe 37 PID 708 wrote to memory of 2420 708 Hmcfhkjg.exe 38 PID 708 wrote to memory of 2420 708 Hmcfhkjg.exe 38 PID 708 wrote to memory of 2420 
708 Hmcfhkjg.exe 38 PID 708 wrote to memory of 2420 708 Hmcfhkjg.exe 38 PID 2420 wrote to memory of 1912 2420 Hflkaq32.exe 39 PID 2420 wrote to memory of 1912 2420 Hflkaq32.exe 39 PID 2420 wrote to memory of 1912 2420 Hflkaq32.exe 39 PID 2420 wrote to memory of 1912 2420 Hflkaq32.exe 39 PID 1912 wrote to memory of 2792 1912 Ilicig32.exe 40 PID 1912 wrote to memory of 2792 1912 Ilicig32.exe 40 PID 1912 wrote to memory of 2792 1912 Ilicig32.exe 40 PID 1912 wrote to memory of 2792 1912 Ilicig32.exe 40 PID 2792 wrote to memory of 1052 2792 Ihpdoh32.exe 41 PID 2792 wrote to memory of 1052 2792 Ihpdoh32.exe 41 PID 2792 wrote to memory of 1052 2792 Ihpdoh32.exe 41 PID 2792 wrote to memory of 1052 2792 Ihpdoh32.exe 41 PID 1052 wrote to memory of 2268 1052 Iahhgnkd.exe 42 PID 1052 wrote to memory of 2268 1052 Iahhgnkd.exe 42 PID 1052 wrote to memory of 2268 1052 Iahhgnkd.exe 42 PID 1052 wrote to memory of 2268 1052 Iahhgnkd.exe 42 PID 2268 wrote to memory of 2472 2268 Idfdcijh.exe 43 PID 2268 wrote to memory of 2472 2268 Idfdcijh.exe 43 PID 2268 wrote to memory of 2472 2268 Idfdcijh.exe 43 PID 2268 wrote to memory of 2472 2268 Idfdcijh.exe 43 PID 2472 wrote to memory of 628 2472 Imoilo32.exe 44 PID 2472 wrote to memory of 628 2472 Imoilo32.exe 44 PID 2472 wrote to memory of 628 2472 Imoilo32.exe 44 PID 2472 wrote to memory of 628 2472 Imoilo32.exe 44 PID 628 wrote to memory of 1532 628 Ihdmihpn.exe 45 PID 628 wrote to memory of 1532 628 Ihdmihpn.exe 45 PID 628 wrote to memory of 1532 628 Ihdmihpn.exe 45 PID 628 wrote to memory of 1532 628 Ihdmihpn.exe 45
Processes
Each entry gives the depth in the process tree, the image path, the command line as launched, the PID, and the signatures matched by that process.

1. C:\Users\Admin\AppData\Local\Temp\228febe9ed7f80b9388e438745e5a4c0N.exe (command line "C:\Users\Admin\AppData\Local\Temp\228febe9ed7f80b9388e438745e5a4c0N.exe", PID 2092): Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ghmkjedk.exe (command line C:\Windows\system32\Ghmkjedk.exe, PID 2796): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Gngcgp32.exe (command line C:\Windows\system32\Gngcgp32.exe, PID 2836): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Hafock32.exe (command line C:\Windows\system32\Hafock32.exe, PID 2788): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Hhpgpebh.exe (command line C:\Windows\system32\Hhpgpebh.exe, PID 2840): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Hnjplo32.exe (command line C:\Windows\system32\Hnjplo32.exe, PID 2996): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Hjcmgp32.exe (command line C:\Windows\system32\Hjcmgp32.exe, PID 1772): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Hldjnhce.exe (command line C:\Windows\system32\Hldjnhce.exe, PID 1292): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Hmcfhkjg.exe (command line C:\Windows\system32\Hmcfhkjg.exe, PID 708): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Hflkaq32.exe (command line C:\Windows\system32\Hflkaq32.exe, PID 2420): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Ilicig32.exe (command line C:\Windows\system32\Ilicig32.exe, PID 1912): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Ihpdoh32.exe (command line C:\Windows\system32\Ihpdoh32.exe, PID 2792): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Iahhgnkd.exe (command line C:\Windows\system32\Iahhgnkd.exe, PID 1052): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Idfdcijh.exe (command line C:\Windows\system32\Idfdcijh.exe, PID 2268): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Imoilo32.exe (command line C:\Windows\system32\Imoilo32.exe, PID 2472): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ihdmihpn.exe (command line C:\Windows\system32\Ihdmihpn.exe, PID 628): Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Idknoi32.exe (command line C:\Windows\system32\Idknoi32.exe, PID 1532): Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Ikefkcmo.exe (command line C:\Windows\system32\Ikefkcmo.exe, PID 2272): Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Idmkdh32.exe (command line C:\Windows\system32\Idmkdh32.exe, PID 712): Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Jkgcab32.exe (command line C:\Windows\system32\Jkgcab32.exe, PID 2096): Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Jnfomn32.exe (command line C:\Windows\system32\Jnfomn32.exe, PID 1540): Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Jdpgjhbm.exe (command line C:\Windows\system32\Jdpgjhbm.exe, PID 1688): Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Jgncfcaa.exe (command line C:\Windows\system32\Jgncfcaa.exe, PID 2056): Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Jlklnjoh.exe (command line C:\Windows\system32\Jlklnjoh.exe, PID 372): Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Joihjfnl.exe (command line C:\Windows\system32\Joihjfnl.exe, PID 2744): Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
26. C:\Windows\SysWOW64\Jlmicj32.exe (command line C:\Windows\system32\Jlmicj32.exe, PID 1716): Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Jpiedieo.exe (command line C:\Windows\system32\Jpiedieo.exe, PID 2688): Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Jfemlpdf.exe (command line C:\Windows\system32\Jfemlpdf.exe, PID 2768): Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Jlpeij32.exe (command line C:\Windows\system32\Jlpeij32.exe, PID 2868): Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Jfhjbobc.exe (command line C:\Windows\system32\Jfhjbobc.exe, PID 2604): Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Jdkjnl32.exe (command line C:\Windows\system32\Jdkjnl32.exe, PID 2196): Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Kbokgpgg.exe (command line C:\Windows\system32\Kbokgpgg.exe, PID 264): Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Kdmgclfk.exe (command line C:\Windows\system32\Kdmgclfk.exe, PID 1696): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34. C:\Windows\SysWOW64\Kkgopf32.exe (command line C:\Windows\system32\Kkgopf32.exe, PID 1964): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
35. C:\Windows\SysWOW64\Kqdhhm32.exe (command line C:\Windows\system32\Kqdhhm32.exe, PID 2036): Executes dropped EXE
36. C:\Windows\SysWOW64\Khkpijma.exe (command line C:\Windows\system32\Khkpijma.exe, PID 2020): Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
37. C:\Windows\SysWOW64\Kjllab32.exe (command line C:\Windows\system32\Kjllab32.exe, PID 2984): Executes dropped EXE
38. C:\Windows\SysWOW64\Kdbpnk32.exe (command line C:\Windows\system32\Kdbpnk32.exe, PID 1752): Executes dropped EXE
39. C:\Windows\SysWOW64\Kklikejc.exe (command line C:\Windows\system32\Kklikejc.exe, PID 2484): Executes dropped EXE
40. C:\Windows\SysWOW64\Knjegqif.exe (command line C:\Windows\system32\Knjegqif.exe, PID 2584): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
41. C:\Windows\SysWOW64\Kddmdk32.exe (command line C:\Windows\system32\Kddmdk32.exe, PID 2456): Executes dropped EXE
42. C:\Windows\SysWOW64\Kgbipf32.exe (command line C:\Windows\system32\Kgbipf32.exe, PID 1016): Executes dropped EXE
43. C:\Windows\SysWOW64\Kjaelaok.exe (command line C:\Windows\system32\Kjaelaok.exe, PID 2328): Executes dropped EXE
44. C:\Windows\SysWOW64\Kmobhmnn.exe (command line C:\Windows\system32\Kmobhmnn.exe, PID 1512): Executes dropped EXE
45. C:\Windows\SysWOW64\Kcijeg32.exe (command line C:\Windows\system32\Kcijeg32.exe, PID 1584): Executes dropped EXE; System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Kgefefnd.exe (command line C:\Windows\system32\Kgefefnd.exe, PID 848): Executes dropped EXE; Modifies registry class
47. C:\Windows\SysWOW64\Lifbmn32.exe (command line C:\Windows\system32\Lifbmn32.exe, PID 3028): Executes dropped EXE
48. C:\Windows\SysWOW64\Lmbonmll.exe (command line C:\Windows\system32\Lmbonmll.exe, PID 2216): Executes dropped EXE
49. C:\Windows\SysWOW64\Lclgjg32.exe (command line C:\Windows\system32\Lclgjg32.exe, PID 2852): Executes dropped EXE
50. C:\Windows\SysWOW64\Lfjcfb32.exe (command line C:\Windows\system32\Lfjcfb32.exe, PID 2252): Executes dropped EXE; System Location Discovery: System Language Discovery
51. C:\Windows\SysWOW64\Lihobnap.exe (command line C:\Windows\system32\Lihobnap.exe, PID 2188): Executes dropped EXE
52. C:\Windows\SysWOW64\Lobgoh32.exe (command line C:\Windows\system32\Lobgoh32.exe, PID 2772): Executes dropped EXE
53. C:\Windows\SysWOW64\Lbackc32.exe (command line C:\Windows\system32\Lbackc32.exe, PID 2480): Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class
54. C:\Windows\SysWOW64\Lmfhil32.exe (command line C:\Windows\system32\Lmfhil32.exe, PID 2696): Executes dropped EXE
55. C:\Windows\SysWOW64\Lpedeg32.exe (command line C:\Windows\system32\Lpedeg32.exe, PID 2012): Executes dropped EXE; Modifies registry class
56. C:\Windows\SysWOW64\Lnhdqdnd.exe (command line C:\Windows\system32\Lnhdqdnd.exe, PID 1740): Executes dropped EXE
57. C:\Windows\SysWOW64\Lfolaang.exe (command line C:\Windows\system32\Lfolaang.exe, PID 1488): Executes dropped EXE
58. C:\Windows\SysWOW64\Liminmmk.exe (command line C:\Windows\system32\Liminmmk.exe, PID 2040): Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
59. C:\Windows\SysWOW64\Lklejh32.exe (command line C:\Windows\system32\Lklejh32.exe, PID 2928): Executes dropped EXE; Drops file in System32 directory
60. C:\Windows\SysWOW64\Lnjafd32.exe (command line C:\Windows\system32\Lnjafd32.exe, PID 2708): Executes dropped EXE
61. C:\Windows\SysWOW64\Lahmbo32.exe (command line C:\Windows\system32\Lahmbo32.exe, PID 2192): Executes dropped EXE
62. C:\Windows\SysWOW64\Lgbeoibb.exe (command line C:\Windows\system32\Lgbeoibb.exe, PID 2352): Executes dropped EXE
63. C:\Windows\SysWOW64\Llnaoh32.exe (command line C:\Windows\system32\Llnaoh32.exe, PID 792): Executes dropped EXE
64. C:\Windows\SysWOW64\Mbhjlbbh.exe (command line C:\Windows\system32\Mbhjlbbh.exe, PID 1544): Executes dropped EXE
65. C:\Windows\SysWOW64\Meffhnal.exe (command line C:\Windows\system32\Meffhnal.exe, PID 2956): Executes dropped EXE; Modifies registry class
66. C:\Windows\SysWOW64\Mcifdj32.exe (command line C:\Windows\system32\Mcifdj32.exe, PID 856): Modifies registry class
67. C:\Windows\SysWOW64\Mlpneh32.exe (command line C:\Windows\system32\Mlpneh32.exe, PID 2808)
68. C:\Windows\SysWOW64\Mnojacgm.exe (command line C:\Windows\system32\Mnojacgm.exe, PID 2864)
69. C:\Windows\SysWOW64\Mamgmofp.exe (command line C:\Windows\system32\Mamgmofp.exe, PID 2628): System Location Discovery: System Language Discovery
70. C:\Windows\SysWOW64\Meicnm32.exe (command line C:\Windows\system32\Meicnm32.exe, PID 2736): Modifies registry class
71. C:\Windows\SysWOW64\Mhgoji32.exe (command line C:\Windows\system32\Mhgoji32.exe, PID 3004)
72. C:\Windows\SysWOW64\Mjekfd32.exe (command line C:\Windows\system32\Mjekfd32.exe, PID 576): Adds autorun key to be loaded by Explorer.exe on startup; Modifies registry class
73. C:\Windows\SysWOW64\Mmdgbp32.exe (command line C:\Windows\system32\Mmdgbp32.exe, PID 1736): System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Mapccndn.exe (command line C:\Windows\system32\Mapccndn.exe, PID 1644)
75. C:\Windows\SysWOW64\Mhilph32.exe (command line C:\Windows\system32\Mhilph32.exe, PID 1936)
76. C:\Windows\SysWOW64\Mfllkece.exe (command line C:\Windows\system32\Mfllkece.exe, PID 1748): Drops file in System32 directory
77. C:\Windows\SysWOW64\Mikhgqbi.exe (command line C:\Windows\system32\Mikhgqbi.exe, PID 2100)
78. C:\Windows\SysWOW64\Mdpldi32.exe (command line C:\Windows\system32\Mdpldi32.exe, PID 2940)
79. C:\Windows\SysWOW64\Mfoiqe32.exe (command line C:\Windows\system32\Mfoiqe32.exe, PID 2776)
80. C:\Windows\SysWOW64\Mjjdacik.exe (command line C:\Windows\system32\Mjjdacik.exe, PID 780)
81. C:\Windows\SysWOW64\Mmhamoho.exe (command line C:\Windows\system32\Mmhamoho.exe, PID 1352)
82. C:\Windows\SysWOW64\Mlkail32.exe (command line C:\Windows\system32\Mlkail32.exe, PID 1580)
83. C:\Windows\SysWOW64\Mbeiefff.exe (command line C:\Windows\system32\Mbeiefff.exe, PID 884): System Location Discovery: System Language Discovery; Modifies registry class
84. C:\Windows\SysWOW64\Mfaefd32.exe (command line C:\Windows\system32\Mfaefd32.exe, PID 2564)
85. C:\Windows\SysWOW64\Medeaaej.exe (command line C:\Windows\system32\Medeaaej.exe, PID 1712)
86. C:\Windows\SysWOW64\Nlnnnk32.exe (command line C:\Windows\system32\Nlnnnk32.exe, PID 2760): Drops file in System32 directory
87. C:\Windows\SysWOW64\Noljjglk.exe (command line C:\Windows\system32\Noljjglk.exe, PID 2948)
88. C:\Windows\SysWOW64\Nbhfke32.exe (command line C:\Windows\system32\Nbhfke32.exe, PID 1848)
89. C:\Windows\SysWOW64\Nianhplq.exe (command line C:\Windows\system32\Nianhplq.exe, PID 1984): Drops file in System32 directory; System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\Nlpkdkkd.exe (command line C:\Windows\system32\Nlpkdkkd.exe, PID 1968)
91. C:\Windows\SysWOW64\Nplfdj32.exe (command line C:\Windows\system32\Nplfdj32.exe, PID 1496)
92. C:\Windows\SysWOW64\Namclbil.exe (command line C:\Windows\system32\Namclbil.exe, PID 1652)
93. C:\Windows\SysWOW64\Nidkmojn.exe (command line C:\Windows\system32\Nidkmojn.exe, PID 1268): System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Nkegeg32.exe (command line C:\Windows\system32\Nkegeg32.exe, PID 840)
95. C:\Windows\SysWOW64\Noacef32.exe (command line C:\Windows\system32\Noacef32.exe, PID 548)
96. C:\Windows\SysWOW64\Nblpfepo.exe (command line C:\Windows\system32\Nblpfepo.exe, PID 2980): Modifies registry class
97. C:\Windows\SysWOW64\Nhiholof.exe (command line C:\Windows\system32\Nhiholof.exe, PID 2944)
98. C:\Windows\SysWOW64\Nkhdkgnj.exe (command line C:\Windows\system32\Nkhdkgnj.exe, PID 2780)
99. C:\Windows\SysWOW64\Naalga32.exe (command line C:\Windows\system32\Naalga32.exe, PID 2812)
100. C:\Windows\SysWOW64\Ndpicm32.exe (command line C:\Windows\system32\Ndpicm32.exe, PID 2596)
101. C:\Windows\SysWOW64\Nhlddkmc.exe (command line C:\Windows\system32\Nhlddkmc.exe, PID 1628)
102. C:\Windows\SysWOW64\Nkjapglg.exe (command line C:\Windows\system32\Nkjapglg.exe, PID 1176)
103. C:\Windows\SysWOW64\Nmhmlbkk.exe (command line C:\Windows\system32\Nmhmlbkk.exe, PID 1756)
104. C:\Windows\SysWOW64\Nadimacd.exe (command line C:\Windows\system32\Nadimacd.exe, PID 1704)
105. C:\Windows\SysWOW64\Npgihn32.exe (command line C:\Windows\system32\Npgihn32.exe, PID 2496)
106. C:\Windows\SysWOW64\Odbeilbg.exe (command line C:\Windows\system32\Odbeilbg.exe, PID 1280)
107. C:\Windows\SysWOW64\Ogqaehak.exe (command line C:\Windows\system32\Ogqaehak.exe, PID 1388)
108. C:\Windows\SysWOW64\Omkjbb32.exe (command line C:\Windows\system32\Omkjbb32.exe, PID 960)
109. C:\Windows\SysWOW64\Odebolpe.exe (command line C:\Windows\system32\Odebolpe.exe, PID 2576)
110. C:\Windows\SysWOW64\Ogcnkgoh.exe (command line C:\Windows\system32\Ogcnkgoh.exe, PID 2856): Modifies registry class
111. C:\Windows\SysWOW64\Ommfga32.exe (command line C:\Windows\system32\Ommfga32.exe, PID 2764): Adds autorun key to be loaded by Explorer.exe on startup
112. C:\Windows\SysWOW64\Olpgconp.exe (command line C:\Windows\system32\Olpgconp.exe, PID 2712)
113. C:\Windows\SysWOW64\Odgodl32.exe (command line C:\Windows\system32\Odgodl32.exe, PID 1164): System Location Discovery: System Language Discovery
114. C:\Windows\SysWOW64\Ocjophem.exe (command line C:\Windows\system32\Ocjophem.exe, PID 788): Adds autorun key to be loaded by Explorer.exe on startup
115. C:\Windows\SysWOW64\Oidglb32.exe (command line C:\Windows\system32\Oidglb32.exe, PID 2936)
116. C:\Windows\SysWOW64\Onocmadb.exe (command line C:\Windows\system32\Onocmadb.exe, PID 1852)
117. C:\Windows\SysWOW64\Opnpimdf.exe (command line C:\Windows\system32\Opnpimdf.exe, PID 404)
118. C:\Windows\SysWOW64\Ocllehcj.exe (command line C:\Windows\system32\Ocllehcj.exe, PID 1612)
119. C:\Windows\SysWOW64\Oekhacbn.exe (command line C:\Windows\system32\Oekhacbn.exe, PID 1604)
120. C:\Windows\SysWOW64\Ohidmoaa.exe (command line C:\Windows\system32\Ohidmoaa.exe, PID 2800)
121. C:\Windows\SysWOW64\Ooclji32.exe (command line C:\Windows\system32\Ooclji32.exe, PID 2672)
122. C:\Windows\SysWOW64\Oaaifdhb.exe (command line C:\Windows\system32\Oaaifdhb.exe, PID 2492)