Analysis
max time kernel: 127s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 18:56
Static task: static1
Behavioral task: behavioral1
  Sample: 184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe
  Resource: win10v2004-20241007-en
(The signatures below are from the behavioral1 run on win7-20241010-en, matching the platform listed above.)
General
Target: 184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe
Size: 482KB
MD5: 36d4d85edbc3fb3e74435c9679b25b38
SHA1: 56259bf75cdb1b84c75080f8f0df6a67fb42757d
SHA256: 184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d
SHA512: a7de31c221549f30719b04b91e2cab6e676ba6723a293b704ca339b8beaa789db95045937ca3c761eee4a969fe51f906d69ac1d751052e6855890833e1b1a4fe
SSDEEP: 12288:LosFzGLMwGXAF5KLVGFB24lwR45FB24lQ:xKLZkO5KLVuPLPC
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Every stage of the chain either creates the ShellServiceObjectDelayLoad (SSODL) key or writes the value "Web Event Logger" = {79ECA078-17FF-726B-E811-213280E5C831} under it. Explorer enumerates the SSODL values when the shell starts and instantiates each CLSID, which loads the DLL registered under that CLSID's InProcServer32 key (see "Modifies registry class" below, where the same CLSID is re-pointed at a freshly dropped DLL by successive stages). Triage caveat: the sample is 32-bit, so on this x64 image both the SSODL value and the CLSID registration land in the Wow6432Node view, and the 64-bit Explorer cannot load a 32-bit in-process server; the autostart as recorded here is effective on 32-bit Windows, where the same code path writes the real SSODL key.

In the rows below, SSODL stands for \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, and every "Set value (str)" row writes SSODL\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}".

description | ioc | Process
Key created | SSODL | Jckiolgm.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Blpibghg.exe
Key created | SSODL | Clpeajjb.exe
Key created | SSODL | Efihcpqk.exe
Key created | SSODL | Liqnclia.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Nfgadbcc.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Opllclcb.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Mgkghp32.exe
Key created | SSODL | Bgjngb32.exe
Key created | SSODL | Lgdcqj32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Gljdlq32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Dmdkkm32.exe
Key created | SSODL | Epegae32.exe
Key created | SSODL | Cpcpjbah.exe
Key created | SSODL | Bfliqmjg.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Process not Found
Set value (str) | SSODL\Web Event Logger = CLSID | Hiichkog.exe
Key created | SSODL | Knocpn32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Fjajno32.exe
Key created | SSODL | Mjpmkdpp.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Omhhma32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Fehmlh32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Njjieace.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Pdllci32.exe
Key created | SSODL | Amdmkb32.exe
Key created | SSODL | Hnclbn32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Nndhpqma.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Oeobfgak.exe
Key created | SSODL | Lmbcmo32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Kpoegc32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Gflfidpl.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Elnagijk.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Ihedan32.exe
Key created | SSODL | Hhaogp32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Nlafmcpa.exe
Key created | SSODL | Gggkqq32.exe
Key created | SSODL | Kgcpgl32.exe
Key created | SSODL | Mgmbbkij.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Fgbpmh32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Fopnma32.exe
Key created | SSODL | Dmcibdad.exe
Key created | SSODL | Hbgjoo32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Qnkdeagl.exe
Key created | SSODL | Hfnhcami.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Aagfffbo.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Nbmcjc32.exe
Key created | SSODL | Pojgnf32.exe
Key created | SSODL | Licpki32.exe
Key created | SSODL | Afngoand.exe
Key created | SSODL | Bnhjae32.exe
Key created | SSODL | Ckjnfobi.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Fpliec32.exe
Key created | SSODL | Eonhbg32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Cfocmhcq.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Dghekobe.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Ehpgha32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Kiojqfdp.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Cjnjhcqo.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Process not Found
Key created | SSODL | Qfdnnlbc.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Nldgdpjf.exe
Key created | SSODL | Ehechn32.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Hjjknfin.exe
Set value (str) | SSODL\Web Event Logger = CLSID | Dlebeg32.exe
Executes dropped EXE (64 IoCs)

pid | Process
928 | Opebpdad.exe
1632 | Okkfmmqj.exe
2860 | Pdonjf32.exe
2176 | Qqoaefke.exe
2656 | Afpchl32.exe
2644 | Bpfgke32.exe
1676 | Baecehhh.exe
1616 | Cobjmq32.exe
2932 | Chohqebq.exe
1788 | Dglkba32.exe
1724 | Dgnhhq32.exe
1884 | Epdljjjm.exe
1444 | Fjajno32.exe
1952 | Fopole32.exe
2368 | Ggdfff32.exe
2380 | Hjcoaeol.exe
384 | Iaoddodf.exe
1860 | Ipijpkei.exe
1368 | Jlbhjkij.exe
428 | Jeofnpke.exe
1960 | Jnjjcbiq.exe
2056 | Klfndn32.exe
1640 | Kfobmc32.exe
876 | Lbjlnd32.exe
2248 | Lbmicc32.exe
2924 | Mcekkkmc.exe
2816 | Mibdcakk.exe
2468 | Mmpmjpba.exe
2840 | Nlgfqldf.exe
2792 | Nplhooec.exe
2744 | Nblaajbd.exe
1044 | Nifjnd32.exe
1864 | Odlnkmjg.exe
2720 | Odgqoa32.exe
1800 | Phgfko32.exe
1748 | Pglclk32.exe
1856 | Aocgll32.exe
560 | Abdpngjb.exe
1968 | Ankabh32.exe
2332 | Afhbljko.exe
3052 | Bbocak32.exe
3048 | Bocckoom.exe
1120 | Bkjdpp32.exe
2068 | Bebiifka.exe
940 | Bnkmakbb.exe
2512 | Bkonkpqk.exe
860 | Cakfcfoc.exe
1480 | Cghkepdm.exe
888 | Cpcpjbah.exe
1596 | Cmgpcg32.exe
1484 | Cfoellgb.exe
2236 | Cfaaalep.exe
2812 | Domffn32.exe
2832 | Dhekodik.exe
1376 | Deikhhhe.exe
2336 | Daplmimi.exe
3004 | Dodlfmlb.exe
1268 | Dgoakpjn.exe
2608 | Ddcadd32.exe
1940 | Epjbienl.exe
2420 | Elqcnfdp.exe
2112 | Epnldd32.exe
924 | Eocieq32.exe
2156 | Elgioe32.exe
Loads dropped DLL (64 IoCs)

Each pid below is listed twice in the report (two DLL-load events per process); the pairs are collapsed here.

pid | Process
1048 | 184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe (x2)
928 | Opebpdad.exe (x2)
1632 | Okkfmmqj.exe (x2)
2860 | Pdonjf32.exe (x2)
2176 | Qqoaefke.exe (x2)
2656 | Afpchl32.exe (x2)
2644 | Bpfgke32.exe (x2)
1676 | Baecehhh.exe (x2)
1616 | Cobjmq32.exe (x2)
2932 | Chohqebq.exe (x2)
1788 | Dglkba32.exe (x2)
1724 | Dgnhhq32.exe (x2)
1884 | Epdljjjm.exe (x2)
1444 | Fjajno32.exe (x2)
1952 | Fopole32.exe (x2)
2368 | Ggdfff32.exe (x2)
2380 | Hjcoaeol.exe (x2)
384 | Iaoddodf.exe (x2)
1860 | Ipijpkei.exe (x2)
1368 | Jlbhjkij.exe (x2)
428 | Jeofnpke.exe (x2)
1960 | Jnjjcbiq.exe (x2)
2056 | Klfndn32.exe (x2)
1640 | Kfobmc32.exe (x2)
876 | Lbjlnd32.exe (x2)
2248 | Lbmicc32.exe (x2)
2924 | Mcekkkmc.exe (x2)
2816 | Mibdcakk.exe (x2)
2468 | Mmpmjpba.exe (x2)
2840 | Nlgfqldf.exe (x2)
2792 | Nplhooec.exe (x2)
2744 | Nblaajbd.exe (x2)
Drops file in System32 directory (64 IoCs)

Every path is under C:\Windows\SysWOW64 (the 32-bit system directory on this x64 image). Each stage writes the next stage's EXE, and in some cases a DLL, under an eight-letter pseudo-random name; "File opened for modification" rows are the dropper re-opening a file it has just written.

description | ioc | Process
File created | C:\Windows\SysWOW64\Iiaddb32.exe | Icdllk32.exe
File opened for modification | C:\Windows\SysWOW64\Opebpdad.exe | 184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe
File created | C:\Windows\SysWOW64\Ldfelj32.dll | Mmpmjpba.exe
File opened for modification | C:\Windows\SysWOW64\Fehmlh32.exe | Fhdlbd32.exe
File created | C:\Windows\SysWOW64\Dmdkkm32.exe | Dclgbgbh.exe
File created | C:\Windows\SysWOW64\Glhjpjok.exe | Fjdqbbkp.exe
File created | C:\Windows\SysWOW64\Qcfdji32.exe | Qohkdkdn.exe
File opened for modification | C:\Windows\SysWOW64\Adjoqjfc.exe | Alojlgii.exe
File created | C:\Windows\SysWOW64\Jedeea32.exe | Jhpdlm32.exe
File created | C:\Windows\SysWOW64\Ncjgao32.exe | Mcgjlp32.exe
File created | C:\Windows\SysWOW64\Fgkbac32.exe | Fopnma32.exe
File opened for modification | C:\Windows\SysWOW64\Cfocmhcq.exe | Bflghh32.exe
File created | C:\Windows\SysWOW64\Hojnkcbk.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Lkffohon.exe | Llainlje.exe
File opened for modification | C:\Windows\SysWOW64\Lgnnicpe.exe | Lnejqmie.exe
File opened for modification | C:\Windows\SysWOW64\Ibdcnm32.exe | Imgjfe32.exe
File opened for modification | C:\Windows\SysWOW64\Iiaddb32.exe | Icdllk32.exe
File opened for modification | C:\Windows\SysWOW64\Akoghnnj.exe | Qafboi32.exe
File created | C:\Windows\SysWOW64\Bpqcoo32.dll | Process not Found
File created | C:\Windows\SysWOW64\Dnqkammo.exe | Dgdfocge.exe
File opened for modification | C:\Windows\SysWOW64\Licpki32.exe | Lgbfin32.exe
File opened for modification | C:\Windows\SysWOW64\Enajgllm.exe | Enomam32.exe
File created | C:\Windows\SysWOW64\Gkmckcja.dll | Pcmadj32.exe
File created | C:\Windows\SysWOW64\Eikmkbeg.exe | Eoeiniea.exe
File opened for modification | C:\Windows\SysWOW64\Hiahfo32.exe | Gbhpidak.exe
File created | C:\Windows\SysWOW64\Ghhoej32.exe | Goojldgf.exe
File opened for modification | C:\Windows\SysWOW64\Qhadob32.exe | Qfpggjdh.exe
File opened for modification | C:\Windows\SysWOW64\Elqcnfdp.exe | Epjbienl.exe
File created | C:\Windows\SysWOW64\Jkokef32.dll | Nffcebdd.exe
File opened for modification | C:\Windows\SysWOW64\Bkjfhile.exe | Bjgmka32.exe
File opened for modification | C:\Windows\SysWOW64\Megkgpaq.exe | Mipjbokm.exe
File created | C:\Windows\SysWOW64\Fedqdl32.dll | Odcmagip.exe
File opened for modification | C:\Windows\SysWOW64\Daghjj32.exe | Dljoac32.exe
File created | C:\Windows\SysWOW64\Nnbagfdg.exe | Nkddkk32.exe
File created | C:\Windows\SysWOW64\Dccbefif.dll | Gielchpp.exe
File opened for modification | C:\Windows\SysWOW64\Nelkme32.exe | Nldgdpjf.exe
File created | C:\Windows\SysWOW64\Nifjnd32.exe | Nblaajbd.exe
File created | C:\Windows\SysWOW64\Kciifc32.exe | Kiqdmm32.exe
File created | C:\Windows\SysWOW64\Nfppfcmj.exe | Nqakim32.exe
File created | C:\Windows\SysWOW64\Nehjmppo.exe | Npkaei32.exe
File created | C:\Windows\SysWOW64\Ldjmkq32.exe | Ledpjdid.exe
File created | C:\Windows\SysWOW64\Ohhijpea.dll | Liaggk32.exe
File created | C:\Windows\SysWOW64\Diaimceg.dll | Qnkdeagl.exe
File created | C:\Windows\SysWOW64\Dgnhhq32.exe | Dglkba32.exe
File created | C:\Windows\SysWOW64\Henjnica.exe | Hqpahkmj.exe
File created | C:\Windows\SysWOW64\Qeihfp32.exe | Qbkljd32.exe
File created | C:\Windows\SysWOW64\Cklpml32.exe | Cofohkgi.exe
File created | C:\Windows\SysWOW64\Kamncagl.exe | Kgdijk32.exe
File created | C:\Windows\SysWOW64\Hojeka32.exe | Hljljflh.exe
File created | C:\Windows\SysWOW64\Jdghjg32.dll | Ggicdo32.exe
File opened for modification | C:\Windows\SysWOW64\Gmnkqcem.exe | Gceghn32.exe
File created | C:\Windows\SysWOW64\Adadnc32.dll | Qafboi32.exe
File created | C:\Windows\SysWOW64\Ndblbo32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ccjehkek.exe | Ckopch32.exe
File created | C:\Windows\SysWOW64\Kofdia32.dll | Liddljan.exe
File created | C:\Windows\SysWOW64\Babpgo32.exe | Bcnomjbg.exe
File created | C:\Windows\SysWOW64\Kjcjhj32.dll | Opllclcb.exe
File opened for modification | C:\Windows\SysWOW64\Einljkji.exe | Epegae32.exe
File opened for modification | C:\Windows\SysWOW64\Fpedph32.exe | Fcacfd32.exe
File created | C:\Windows\SysWOW64\Fdbidfjm.exe | Fkjdkqcl.exe
File opened for modification | C:\Windows\SysWOW64\Babpgo32.exe | Bcnomjbg.exe
File opened for modification | C:\Windows\SysWOW64\Fphqehda.exe | Finhinmd.exe
File opened for modification | C:\Windows\SysWOW64\Ommfibdg.exe | Oceaql32.exe
File opened for modification | C:\Windows\SysWOW64\Bhglpqeo.exe | Bhdpjaga.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
4044 | 3108 | Process not Found | 1097
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also what the standard locale APIs do, so on its own this signature is a weak indicator; here it mainly confirms that each stage of the chain ran.

Every row is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language" by the listed process:

Bhdpjaga.exe, Nenaho32.exe, Gcfiqgfp.exe, Clpeajjb.exe, Joblme32.exe, Epjbienl.exe, Ejnqkh32.exe, Fholmo32.exe, Imgjfe32.exe, Epnldd32.exe, Djolbp32.exe, Fclmem32.exe, Babpgo32.exe, Pbienj32.exe, Jjkmhbek.exe, Process not Found, Gpfggeai.exe, Cofohkgi.exe, Nfljpa32.exe, Eafapd32.exe, Nndhpqma.exe, Hfmbfkhf.exe, Kchaniho.exe, Npkaei32.exe, Omjgkjof.exe, Icdllk32.exe, Ifjoie32.exe, Epegae32.exe, Cflcglho.exe, Process not Found, Fdcncg32.exe, Iegjnkod.exe, Immnlh32.exe, Fogmaoib.exe, Klfndn32.exe, Process not Found, Eobenc32.exe, Ojhdmgkl.exe, Bjbelf32.exe, Jedlph32.exe, Alojlgii.exe, Fkgemh32.exe, Nnkekfkd.exe, Kbedmedg.exe, Nelkme32.exe, Inbobn32.exe, Nipgab32.exe, Aghidl32.exe, Aipebm32.exe, Qoimmc32.exe, Gpfbfh32.exe, Acjllqke.exe, Hjjknfin.exe, Ehiiop32.exe, Cdpdpl32.exe, Ejldfh32.exe, Mqoocmcg.exe, Abaaakob.exe, Madbll32.exe, Hhaogp32.exe, Pahpcd32.exe, Process not Found, Nbegonmd.exe, Mmebkg32.exe
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efglmpbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hilghaqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejambd32.dll" Mgkncfdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndlanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fnodob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjlgaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehjbaooe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omjgkjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epegae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkoblfc.dll" Mkeapgng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipofli32.dll" Chccfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dlpdifda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ 
= "C:\\Windows\\SysWow64\\Ikpmge32.dll" Afpchl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mampci32.dll" Fbjchfaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onqjglfg.dll" Indiodbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ogldfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iapghlbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nenaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opaeok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hjjknfin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aggkdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fholmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkajof32.dll" Gdjblboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfocmhcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fcacfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nmohjopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Daplmimi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ikkmho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnlkl32.dll" Jlodma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cidklp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mkdhlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkammkgj.dll" Ekiaac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfnchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnblkahe.dll" Acldpojj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nnhakp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Edafjiqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nanlla32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfiapam.dll"  Kpoegc32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Eehpoaaf.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Omonmpcm.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Kdgane32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Lojeda32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbpomi32.dll"  Hjjknfin.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Eenfnmfe.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoacfla.dll"  Fpedph32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmieb32.dll"  Cocnanmd.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknglbbm.dll"  Kjhajo32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Gceghn32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Qoimmc32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Iilqnp32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoaabhm.dll"  Aknnil32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Dbkaee32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Deljfqmf.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Process not Found
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbabac32.dll"  Glpbiaqg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Aqapek32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Gojkecka.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Lgejidgn.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Jjefmc32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Bkjfhile.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Hnimeg32.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"  Oeobfgak.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32  Poplqm32.exe
-
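The registry events above are what makes this sample's persistence work: a single CLSID is registered under Classes\Wow6432Node with an InProcServer32 default value pointing at a DLL in SysWow64, and successive generations of the worm rewrite that value to a fresh, randomly named DLL. Reading that out of the report's flattened event text by eye is error-prone, so here is an added Python example (not part of the sandbox report and not the sample's own code) that parses the event format, groups InProcServer32 writes per CLSID, and reports the current COM server, every DLL it was retargeted to, the processes that wrote it, and its ThreadingModel. The input is a constructed subset of the entries listed above; the regular expressions and the output field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the report's "Modifies registry class" entries,
# one event per line here although the report runs them together on one line. The
# parser scans the whole text with finditer(), so either layout works.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eehpoaaf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Omonmpcm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbpomi32.dll" Hjjknfin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoacfla.dll" Fpedph32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmieb32.dll" Cocnanmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbabac32.dll" Glpbiaqg.exe
'''

# description, ioc, Process: the report's three columns, flattened into one string.
EVENT_RE = re.compile(
    r'(?P<action>Key created|Set value \(str\))\s+'
    r'(?P<key>\\REGISTRY\\\S+?)'          # key path; for "Set value" it ends in the value name
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'      # quoted data, present only for "Set value"
    r'\s+(?P<process>Process not Found|\S+\.exe)'
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def clsid_of(key):
    m = CLSID_RE.search(key)
    return m.group(0).upper() if m else None


def parse_events(text):
    """Turn the report's flattened registry-event text into dicts with
    action, key, value (None for 'Key created'), data and process."""
    events = []
    for m in EVENT_RE.finditer(text):
        key, value, data = m['key'], None, m['data']
        if m['action'].startswith('Set value'):
            key, _, value = key.rpartition('\\')
            value = value or '(Default)'        # trailing backslash = the key's default value
        if data is not None:
            data = data.replace('\\\\', '\\')   # the report prints backslashes escaped
        events.append({'action': m['action'], 'key': key, 'value': value,
                       'data': data, 'process': m['process']})
    return events


def inproc_servers(events):
    """Per CLSID: the DLL paths written to InProcServer32's default value, in report
    order, each paired with the process that wrote it."""
    servers = defaultdict(list)
    for ev in events:
        if ev['value'] == '(Default)' and ev['key'].lower().endswith('\\inprocserver32'):
            servers[clsid_of(ev['key'])].append((ev['data'], ev['process']))
    return dict(servers)


def triage(events):
    """What an analyst wants from these events: which DLL the COM server points at
    now, whether and how often it was retargeted, and which processes did it."""
    threading = {clsid_of(ev['key']): ev['data']
                 for ev in events if ev['value'] == 'ThreadingModel'}
    report = {}
    for clsid, writes in inproc_servers(events).items():
        dlls = [dll for dll, _ in writes]
        report[clsid] = {
            'current_server': dlls[-1],
            'all_servers': dlls,
            'retargeted': len(set(dlls)) > 1,
            'writers': sorted({proc for _, proc in writes}),
            'threading_model': threading.get(clsid),
            # a COM server dropped into the system directory by a non-installer is a red flag on its own
            'server_in_system_dir': dlls[-1].lower().startswith(
                ('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\')),
        }
    return report


if __name__ == '__main__':
    for clsid, info in triage(parse_events(SAMPLE_EVENTS)).items():
        print(clsid)
        for field, val in info.items():
            print(f'  {field}: {val}')
```

On a live host only the last write survives in the hive, so `current_server` is what a registry dump would show; the full `all_servers` history is only visible in a sandbox event log like this one, which is why the retargeting pattern is worth recording as an IoC in its own right.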
Suspicious use of WriteProcessMemory 64 IoCs
Each parent writes into the memory of exactly one child, and each such spawn is recorded four times in the report (64 entries for 16 parent/child pairs); the calls column carries that count.

writer PID  target PID  writer process                                                          procid_target  calls
1048        928         184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe    29             4
928         1632        Opebpdad.exe                                                            30             4
1632        2860        Okkfmmqj.exe                                                            31             4
2860        2176        Pdonjf32.exe                                                            32             4
2176        2656        Qqoaefke.exe                                                            33             4
2656        2644        Afpchl32.exe                                                            34             4
2644        1676        Bpfgke32.exe                                                            35             4
1676        1616        Baecehhh.exe                                                            36             4
1616        2932        Cobjmq32.exe                                                            37             4
2932        1788        Chohqebq.exe                                                            38             4
1788        1724        Dglkba32.exe                                                            39             4
1724        1884        Dgnhhq32.exe                                                            40             4
1884        1444        Epdljjjm.exe                                                            41             4
1444        1952        Fjajno32.exe                                                            42             4
1952        2368        Fopole32.exe                                                            43             4
2368        2380        Ggdfff32.exe                                                            44             4
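The WriteProcessMemory events above, and the Processes tree that follows, describe the same thing: a strictly linear chain in which every dropped executable spawns exactly one successor. As an added example (not part of the report and not the sample's code), this Python snippet parses the report's run-on event text, collapses the four repeated calls per spawn into one edge with a count, and walks the edges from the root to rebuild the chain in the order the Processes tree shows it. It refuses to produce a chain if the events branch or have more than one root. The sample input is a constructed subset copied from the first five entries above; the function names and the rendered layout are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the first five spawn steps from the report's
# "Suspicious use of WriteProcessMemory" list, repeated four times each exactly
# as the report lists them, and run together on one line as the report does.
SAMPLE_WPM = (
    "PID 1048 wrote to memory of 928 1048 184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe 29 " * 4
    + "PID 928 wrote to memory of 1632 928 Opebpdad.exe 30 " * 4
    + "PID 1632 wrote to memory of 2860 1632 Okkfmmqj.exe 31 " * 4
    + "PID 2860 wrote to memory of 2176 2860 Pdonjf32.exe 32 " * 4
    + "PID 2176 wrote to memory of 2656 2176 Qqoaefke.exe 33 " * 4
)

# description, pid, Process, procid_target: the writer PID is printed twice, so the
# backreference (?P=pid) rejects rows whose two PID fields disagree.
WPM_RE = re.compile(
    r'PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) (?P=pid) '
    r'(?P<image>\S+) (?P<procid>\d+)'
)


def parse_wpm(text):
    return [{'pid': int(m['pid']), 'target': int(m['target']),
             'image': m['image'], 'procid_target': int(m['procid'])}
            for m in WPM_RE.finditer(text)]


def spawn_edges(events):
    """Collapse repeated calls into one (writer, target) edge with its call count,
    and remember each writer's image name."""
    counts = Counter((e['pid'], e['target']) for e in events)
    images = {e['pid']: e['image'] for e in events}
    return counts, images


def build_chain(events):
    """Walk writer -> target edges from the root (a PID that is never a target)
    and return [(pid, image), ...]. The last PID never wrote to anyone, so the
    events alone cannot name it (None); the Processes tree in the report can."""
    counts, images = spawn_edges(events)
    children = defaultdict(list)
    for pid, target in counts:
        children[pid].append(target)
    targets = {t for _, t in counts}
    roots = [p for p in children if p not in targets]
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root writer, found {roots}')
    chain, pid = [], roots[0]
    while True:
        chain.append((pid, images.get(pid)))
        kids = children.get(pid, [])
        if not kids:
            return chain
        if len(kids) > 1:
            raise ValueError(f'PID {pid} wrote into several children {kids}: not a linear chain')
        pid = kids[0]


def render(chain):
    """Indent one level per hop, like the report's Processes tree."""
    return '\n'.join(f'{"  " * depth}{pid} {image or "<leaf, no image in WPM events>"}'
                     for depth, (pid, image) in enumerate(chain))


if __name__ == '__main__':
    print(render(build_chain(parse_wpm(SAMPLE_WPM))))
```

Fed the full 64-entry list, the chain ends at PID 2380, which the events cannot name because it never wrote into another process; the Processes tree identifies it as Hjcoaeol.exe, the first process in the tree without the WriteProcessMemory signature.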
Processes
-
Each entry gives the nesting depth (N⤵), the image path, the command line the parent used, the PID, and the signatures that fired for that process. The command lines name C:\Windows\system32 while the images run from C:\Windows\SysWOW64: these are 32-bit processes on an x64 host, so WOW64 file-system redirection maps system32 to SysWOW64.

1⤵ C:\Users\Admin\AppData\Local\Temp\184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe (command line: "C:\Users\Admin\AppData\Local\Temp\184dcb8e3db3535272401cb1921523df3bf47c0362db4e5e91c49fd32a28931d.exe") PID:1048
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\Opebpdad.exe (command line: C:\Windows\system32\Opebpdad.exe) PID:928
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\Okkfmmqj.exe (command line: C:\Windows\system32\Okkfmmqj.exe) PID:1632
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\Pdonjf32.exe (command line: C:\Windows\system32\Pdonjf32.exe) PID:2860
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\Qqoaefke.exe (command line: C:\Windows\system32\Qqoaefke.exe) PID:2176
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\Afpchl32.exe (command line: C:\Windows\system32\Afpchl32.exe) PID:2656
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\Bpfgke32.exe (command line: C:\Windows\system32\Bpfgke32.exe) PID:2644
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
8⤵ C:\Windows\SysWOW64\Baecehhh.exe (command line: C:\Windows\system32\Baecehhh.exe) PID:1676
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\Cobjmq32.exe (command line: C:\Windows\system32\Cobjmq32.exe) PID:1616
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
10⤵ C:\Windows\SysWOW64\Chohqebq.exe (command line: C:\Windows\system32\Chohqebq.exe) PID:2932
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\Dglkba32.exe (command line: C:\Windows\system32\Dglkba32.exe) PID:1788
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
12⤵ C:\Windows\SysWOW64\Dgnhhq32.exe (command line: C:\Windows\system32\Dgnhhq32.exe) PID:1724
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\Epdljjjm.exe (command line: C:\Windows\system32\Epdljjjm.exe) PID:1884
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
14⤵ C:\Windows\SysWOW64\Fjajno32.exe (command line: C:\Windows\system32\Fjajno32.exe) PID:1444
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\Fopole32.exe (command line: C:\Windows\system32\Fopole32.exe) PID:1952
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
16⤵ C:\Windows\SysWOW64\Ggdfff32.exe (command line: C:\Windows\system32\Ggdfff32.exe) PID:2368
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\Hjcoaeol.exe (command line: C:\Windows\system32\Hjcoaeol.exe) PID:2380
  - Executes dropped EXE
  - Loads dropped DLL
18⤵ C:\Windows\SysWOW64\Iaoddodf.exe (command line: C:\Windows\system32\Iaoddodf.exe) PID:384
  - Executes dropped EXE
  - Loads dropped DLL
19⤵ C:\Windows\SysWOW64\Ipijpkei.exe (command line: C:\Windows\system32\Ipijpkei.exe) PID:1860
  - Executes dropped EXE
  - Loads dropped DLL
20⤵ C:\Windows\SysWOW64\Jlbhjkij.exe (command line: C:\Windows\system32\Jlbhjkij.exe) PID:1368
  - Executes dropped EXE
  - Loads dropped DLL
21⤵ C:\Windows\SysWOW64\Jeofnpke.exe (command line: C:\Windows\system32\Jeofnpke.exe) PID:428
  - Executes dropped EXE
  - Loads dropped DLL
22⤵ C:\Windows\SysWOW64\Jnjjcbiq.exe (command line: C:\Windows\system32\Jnjjcbiq.exe) PID:1960
  - Executes dropped EXE
  - Loads dropped DLL
23⤵ C:\Windows\SysWOW64\Klfndn32.exe (command line: C:\Windows\system32\Klfndn32.exe) PID:2056
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
24⤵ C:\Windows\SysWOW64\Kfobmc32.exe (command line: C:\Windows\system32\Kfobmc32.exe) PID:1640
  - Executes dropped EXE
  - Loads dropped DLL
25⤵ C:\Windows\SysWOW64\Lbjlnd32.exe (command line: C:\Windows\system32\Lbjlnd32.exe) PID:876
  - Executes dropped EXE
  - Loads dropped DLL
26⤵ C:\Windows\SysWOW64\Lbmicc32.exe (command line: C:\Windows\system32\Lbmicc32.exe) PID:2248
  - Executes dropped EXE
  - Loads dropped DLL
27⤵ C:\Windows\SysWOW64\Mcekkkmc.exe (command line: C:\Windows\system32\Mcekkkmc.exe) PID:2924
  - Executes dropped EXE
  - Loads dropped DLL
28⤵ C:\Windows\SysWOW64\Mibdcakk.exe (command line: C:\Windows\system32\Mibdcakk.exe) PID:2816
  - Executes dropped EXE
  - Loads dropped DLL
29⤵ C:\Windows\SysWOW64\Mmpmjpba.exe (command line: C:\Windows\system32\Mmpmjpba.exe) PID:2468
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
30⤵ C:\Windows\SysWOW64\Nlgfqldf.exe (command line: C:\Windows\system32\Nlgfqldf.exe) PID:2840
  - Executes dropped EXE
  - Loads dropped DLL
31⤵ C:\Windows\SysWOW64\Nplhooec.exe (command line: C:\Windows\system32\Nplhooec.exe) PID:2792
  - Executes dropped EXE
  - Loads dropped DLL
32⤵ C:\Windows\SysWOW64\Nblaajbd.exe (command line: C:\Windows\system32\Nblaajbd.exe) PID:2744
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
33⤵ C:\Windows\SysWOW64\Nifjnd32.exe (command line: C:\Windows\system32\Nifjnd32.exe) PID:1044
  - Executes dropped EXE
34⤵ C:\Windows\SysWOW64\Odlnkmjg.exe (command line: C:\Windows\system32\Odlnkmjg.exe) PID:1864
  - Executes dropped EXE
35⤵ C:\Windows\SysWOW64\Odgqoa32.exe (command line: C:\Windows\system32\Odgqoa32.exe) PID:2720
  - Executes dropped EXE
36⤵ C:\Windows\SysWOW64\Phgfko32.exe (command line: C:\Windows\system32\Phgfko32.exe) PID:1800
  - Executes dropped EXE
37⤵ C:\Windows\SysWOW64\Pglclk32.exe (command line: C:\Windows\system32\Pglclk32.exe) PID:1748
  - Executes dropped EXE
38⤵ C:\Windows\SysWOW64\Aocgll32.exe (command line: C:\Windows\system32\Aocgll32.exe) PID:1856
  - Executes dropped EXE
39⤵ C:\Windows\SysWOW64\Abdpngjb.exe (command line: C:\Windows\system32\Abdpngjb.exe) PID:560
  - Executes dropped EXE
40⤵ C:\Windows\SysWOW64\Ankabh32.exe (command line: C:\Windows\system32\Ankabh32.exe) PID:1968
  - Executes dropped EXE
41⤵ C:\Windows\SysWOW64\Afhbljko.exe (command line: C:\Windows\system32\Afhbljko.exe) PID:2332
  - Executes dropped EXE
42⤵ C:\Windows\SysWOW64\Bbocak32.exe (command line: C:\Windows\system32\Bbocak32.exe) PID:3052
  - Executes dropped EXE
43⤵ C:\Windows\SysWOW64\Bocckoom.exe (command line: C:\Windows\system32\Bocckoom.exe) PID:3048
  - Executes dropped EXE
44⤵ C:\Windows\SysWOW64\Bkjdpp32.exe (command line: C:\Windows\system32\Bkjdpp32.exe) PID:1120
  - Executes dropped EXE
45⤵ C:\Windows\SysWOW64\Bebiifka.exe (command line: C:\Windows\system32\Bebiifka.exe) PID:2068
  - Executes dropped EXE
46⤵ C:\Windows\SysWOW64\Bnkmakbb.exe (command line: C:\Windows\system32\Bnkmakbb.exe) PID:940
  - Executes dropped EXE
47⤵ C:\Windows\SysWOW64\Bkonkpqk.exe (command line: C:\Windows\system32\Bkonkpqk.exe) PID:2512
  - Executes dropped EXE
48⤵ C:\Windows\SysWOW64\Cakfcfoc.exe (command line: C:\Windows\system32\Cakfcfoc.exe) PID:860
  - Executes dropped EXE
49⤵ C:\Windows\SysWOW64\Cghkepdm.exe (command line: C:\Windows\system32\Cghkepdm.exe) PID:1480
  - Executes dropped EXE
50⤵ C:\Windows\SysWOW64\Cpcpjbah.exe (command line: C:\Windows\system32\Cpcpjbah.exe) PID:888
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
51⤵ C:\Windows\SysWOW64\Cmgpcg32.exe (command line: C:\Windows\system32\Cmgpcg32.exe) PID:1596
  - Executes dropped EXE
52⤵ C:\Windows\SysWOW64\Cfoellgb.exe (command line: C:\Windows\system32\Cfoellgb.exe) PID:1484
  - Executes dropped EXE
53⤵ C:\Windows\SysWOW64\Cfaaalep.exe (command line: C:\Windows\system32\Cfaaalep.exe) PID:2236
  - Executes dropped EXE
54⤵ C:\Windows\SysWOW64\Domffn32.exe (command line: C:\Windows\system32\Domffn32.exe) PID:2812
  - Executes dropped EXE
55⤵ C:\Windows\SysWOW64\Dhekodik.exe (command line: C:\Windows\system32\Dhekodik.exe) PID:2832
  - Executes dropped EXE
56⤵ C:\Windows\SysWOW64\Deikhhhe.exe (command line: C:\Windows\system32\Deikhhhe.exe) PID:1376
  - Executes dropped EXE
57⤵ C:\Windows\SysWOW64\Daplmimi.exe (command line: C:\Windows\system32\Daplmimi.exe) PID:2336
  - Executes dropped EXE
  - Modifies registry class
58⤵ C:\Windows\SysWOW64\Dodlfmlb.exe (command line: C:\Windows\system32\Dodlfmlb.exe) PID:3004
  - Executes dropped EXE
59⤵ C:\Windows\SysWOW64\Dgoakpjn.exe (command line: C:\Windows\system32\Dgoakpjn.exe) PID:1268
  - Executes dropped EXE
60⤵ C:\Windows\SysWOW64\Ddcadd32.exe (command line: C:\Windows\system32\Ddcadd32.exe) PID:2608
  - Executes dropped EXE
61⤵ C:\Windows\SysWOW64\Epjbienl.exe (command line: C:\Windows\system32\Epjbienl.exe) PID:1940
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
62⤵ C:\Windows\SysWOW64\Elqcnfdp.exe (command line: C:\Windows\system32\Elqcnfdp.exe) PID:2420
  - Executes dropped EXE
63⤵ C:\Windows\SysWOW64\Epnldd32.exe (command line: C:\Windows\system32\Epnldd32.exe) PID:2112
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
64⤵ C:\Windows\SysWOW64\Eocieq32.exe (command line: C:\Windows\system32\Eocieq32.exe) PID:924
  - Executes dropped EXE
65⤵ C:\Windows\SysWOW64\Elgioe32.exe (command line: C:\Windows\system32\Elgioe32.exe) PID:2156
  - Executes dropped EXE
66⤵ C:\Windows\SysWOW64\Fdcncg32.exe (command line: C:\Windows\system32\Fdcncg32.exe) PID:1768
  - System Location Discovery: System Language Discovery
67⤵ C:\Windows\SysWOW64\Fohbqpki.exe (command line: C:\Windows\system32\Fohbqpki.exe) PID:1252
68⤵ C:\Windows\SysWOW64\Fgcgebhd.exe (command line: C:\Windows\system32\Fgcgebhd.exe) PID:1212
69⤵ C:\Windows\SysWOW64\Fhccoe32.exe (command line: C:\Windows\system32\Fhccoe32.exe) PID:2276
70⤵ C:\Windows\SysWOW64\Fdjddf32.exe (command line: C:\Windows\system32\Fdjddf32.exe) PID:2544
71⤵ C:\Windows\SysWOW64\Fnbhmlkk.exe (command line: C:\Windows\system32\Fnbhmlkk.exe) PID:2464
72⤵ C:\Windows\SysWOW64\Gfmmanif.exe (command line: C:\Windows\system32\Gfmmanif.exe) PID:2892
73⤵ C:\Windows\SysWOW64\Gfpjgn32.exe (command line: C:\Windows\system32\Gfpjgn32.exe) PID:2820
74⤵ C:\Windows\SysWOW64\Gccjpb32.exe (command line: C:\Windows\system32\Gccjpb32.exe) PID:2912
75⤵ C:\Windows\SysWOW64\Gojkecka.exe (command line: C:\Windows\system32\Gojkecka.exe) PID:2128
  - Modifies registry class
76⤵ C:\Windows\SysWOW64\Gkaljdaf.exe (command line: C:\Windows\system32\Gkaljdaf.exe) PID:1696
77⤵ C:\Windows\SysWOW64\Gielchpp.exe (command line: C:\Windows\system32\Gielchpp.exe) PID:2980
  - Drops file in System32 directory
78⤵ C:\Windows\SysWOW64\Hqpahkmj.exe (command line: C:\Windows\system32\Hqpahkmj.exe) PID:1476
  - Drops file in System32 directory
79⤵ C:\Windows\SysWOW64\Henjnica.exe (command line: C:\Windows\system32\Henjnica.exe) PID:1452
80⤵ C:\Windows\SysWOW64\Hccfoehi.exe (command line: C:\Windows\system32\Hccfoehi.exe) PID:2548
81⤵ C:\Windows\SysWOW64\Hfflfp32.exe (command line: C:\Windows\system32\Hfflfp32.exe) PID:2108
82⤵ C:\Windows\SysWOW64\Icjmpd32.exe (command line: C:\Windows\system32\Icjmpd32.exe) PID:2188
83⤵ C:\Windows\SysWOW64\Iijbnkne.exe (command line: C:\Windows\system32\Iijbnkne.exe) PID:2132
84⤵ C:\Windows\SysWOW64\Jgpklb32.exe (command line: C:\Windows\system32\Jgpklb32.exe) PID:1536
85⤵ C:\Windows\SysWOW64\Kiqdmm32.exe (command line: C:\Windows\system32\Kiqdmm32.exe) PID:2040
  - Drops file in System32 directory
86⤵ C:\Windows\SysWOW64\Kciifc32.exe (command line: C:\Windows\system32\Kciifc32.exe) PID:936
87⤵ C:\Windows\SysWOW64\Kanfgofa.exe (command line: C:\Windows\system32\Kanfgofa.exe) PID:1124
88⤵ C:\Windows\SysWOW64\Khhndi32.exe (command line: C:\Windows\system32\Khhndi32.exe) PID:1364
89⤵ C:\Windows\SysWOW64\Kjlgaa32.exe (command line: C:\Windows\system32\Kjlgaa32.exe) PID:3020
  - Modifies registry class
90⤵ C:\Windows\SysWOW64\Kcdljghj.exe (command line: C:\Windows\system32\Kcdljghj.exe) PID:1652
91⤵ C:\Windows\SysWOW64\Lllpclnk.exe (command line: C:\Windows\system32\Lllpclnk.exe) PID:1040
92⤵ C:\Windows\SysWOW64\Lnlmmo32.exe (command line: C:\Windows\system32\Lnlmmo32.exe) PID:2712
93⤵ C:\Windows\SysWOW64\Llainlje.exe (command line: C:\Windows\system32\Llainlje.exe) PID:2356
  - Drops file in System32 directory
94⤵ C:\Windows\SysWOW64\Lkffohon.exe (command line: C:\Windows\system32\Lkffohon.exe) PID:3024
95⤵ C:\Windows\SysWOW64\Lodoefed.exe (command line: C:\Windows\system32\Lodoefed.exe) PID:2696
96⤵ C:\Windows\SysWOW64\Mnilfc32.exe (command line: C:\Windows\system32\Mnilfc32.exe) PID:648
97⤵ C:\Windows\SysWOW64\Mjpmkdpp.exe (command line: C:\Windows\system32\Mjpmkdpp.exe) PID:988
  - Adds autorun key to be loaded by Explorer.exe on startup
98⤵ C:\Windows\SysWOW64\Mdeaim32.exe (command line: C:\Windows\system32\Mdeaim32.exe) PID:2636
99⤵ C:\Windows\SysWOW64\Mqoocmcg.exe (command line: C:\Windows\system32\Mqoocmcg.exe) PID:1812
  - System Location Discovery: System Language Discovery
100⤵ C:\Windows\SysWOW64\Nqakim32.exe (command line: C:\Windows\system32\Nqakim32.exe) PID:2620
  - Drops file in System32 directory
101⤵ C:\Windows\SysWOW64\Nfppfcmj.exe (command line: C:\Windows\system32\Nfppfcmj.exe) PID:2732
102⤵ C:\Windows\SysWOW64\Nnkekfkd.exe (command line: C:\Windows\system32\Nnkekfkd.exe) PID:1468
  - System Location Discovery: System Language Discovery
103⤵ C:\Windows\SysWOW64\Npkaei32.exe (command line: C:\Windows\system32\Npkaei32.exe) PID:2896
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
104⤵ C:\Windows\SysWOW64\Nehjmppo.exe (command line: C:\Windows\system32\Nehjmppo.exe) PID:2988
105⤵ C:\Windows\SysWOW64\Oldooi32.exe (command line: C:\Windows\system32\Oldooi32.exe) PID:2400
106⤵ C:\Windows\SysWOW64\Ododdlcd.exe (command line: C:\Windows\system32\Ododdlcd.exe) PID:2200
107⤵ C:\Windows\SysWOW64\Omhhma32.exe (command line: C:\Windows\system32\Omhhma32.exe) PID:2292
  - Adds autorun key to be loaded by Explorer.exe on startup
108⤵ C:\Windows\SysWOW64\Ophanl32.exe (command line: C:\Windows\system32\Ophanl32.exe) PID:392
109⤵ C:\Windows\SysWOW64\Odfjdk32.exe (command line: C:\Windows\system32\Odfjdk32.exe) PID:1508
110⤵ C:\Windows\SysWOW64\Omonmpcm.exe (command line: C:\Windows\system32\Omonmpcm.exe) PID:556
  - Modifies registry class
111⤵ C:\Windows\SysWOW64\Ppogok32.exe (command line: C:\Windows\system32\Ppogok32.exe) PID:2100
112⤵ C:\Windows\SysWOW64\Pihlhagn.exe (command line: C:\Windows\system32\Pihlhagn.exe) PID:2772
113⤵ C:\Windows\SysWOW64\Plheil32.exe (command line: C:\Windows\system32\Plheil32.exe) PID:2256
114⤵ C:\Windows\SysWOW64\Peaibajp.exe (command line: C:\Windows\system32\Peaibajp.exe) PID:1680
115⤵ C:\Windows\SysWOW64\Pahjgb32.exe (command line: C:\Windows\system32\Pahjgb32.exe) PID:2664
116⤵ C:\Windows\SysWOW64\Qnoklc32.exe (command line: C:\Windows\system32\Qnoklc32.exe) PID:1996
117⤵ C:\Windows\SysWOW64\Qdkpomkb.exe (command line: C:\Windows\system32\Qdkpomkb.exe) PID:2252
118⤵ C:\Windows\SysWOW64\Alfdcp32.exe (command line: C:\Windows\system32\Alfdcp32.exe) PID:1280
119⤵ C:\Windows\SysWOW64\Aogmdk32.exe (command line: C:\Windows\system32\Aogmdk32.exe) PID:1944
120⤵ C:\Windows\SysWOW64\Aknnil32.exe (command line: C:\Windows\system32\Aknnil32.exe) PID:432
  - Modifies registry class
121⤵ C:\Windows\SysWOW64\Aagfffbo.exe (command line: C:\Windows\system32\Aagfffbo.exe) PID:1296
  - Adds autorun key to be loaded by Explorer.exe on startup
122⤵ C:\Windows\SysWOW64\Aggkdlod.exe (command line: C:\Windows\system32\Aggkdlod.exe) PID:2196
  - Modifies registry class