Analysis
Max time kernel: 51s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 13/09/2024, 18:49
Static task: static1
Behavioral task: behavioral1
  Sample: 0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe
  Resource: win10v2004-20240802-en
General
Target: 0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe
Size: 96KB
MD5: 1a3a2f16017818c80ac64f642b36b81b
SHA1: c0d9ceb286854ee6411d8a82007a05a288e797c1
SHA256: 0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0
SHA512: 9902f175e2b2863eba6428f411744c82f0fae9d69173fee3f26afdb7ea7e8e7e0df1913e3ed15114729c47e37c23fcad047439a1b316b6f581c763ab9001faed
SSDEEP: 1536:tNWZ9QJkDAVB5WVBv5vzpEBve++Uwo14hhYChZrhzBOEe9MbinV39+ChnSdFFn7M:1JkDAVB5ovzpE4FwohrhlbZAMbqV39Tx
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 8064, pid_target: 8040, Process: WerFault.exe, procid_target: 737
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1744 wrote to memory of 1084 1744 0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe 29
PID 1744 wrote to memory of 1084 1744 0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe 29
PID 1744 wrote to memory of 1084 1744 0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe 29
PID 1744 wrote to memory of 1084 1744 0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe 29
PID 1084 wrote to memory of 1796 1084 Nplhooec.exe 30
PID 1084 wrote to memory of 1796 1084 Nplhooec.exe 30
PID 1084 wrote to memory of 1796 1084 Nplhooec.exe 30
PID 1084 wrote to memory of 1796 1084 Nplhooec.exe 30
PID 1796 wrote to memory of 2904 1796 Nfeqli32.exe 31
PID 1796 wrote to memory of 2904 1796 Nfeqli32.exe 31
PID 1796 wrote to memory of 2904 1796 Nfeqli32.exe 31
PID 1796 wrote to memory of 2904 1796 Nfeqli32.exe 31
PID 2904 wrote to memory of 2212 2904 Nmpiicdm.exe 32
PID 2904 wrote to memory of 2212 2904 Nmpiicdm.exe 32
PID 2904 wrote to memory of 2212 2904 Nmpiicdm.exe 32
PID 2904 wrote to memory of 2212 2904 Nmpiicdm.exe 32
PID 2212 wrote to memory of 3000 2212 Npneeocq.exe 33
PID 2212 wrote to memory of 3000 2212 Npneeocq.exe 33
PID 2212 wrote to memory of 3000 2212 Npneeocq.exe 33
PID 2212 wrote to memory of 3000 2212 Npneeocq.exe 33
PID 3000 wrote to memory of 2752 3000 Nblaajbd.exe 34
PID 3000 wrote to memory of 2752 3000 Nblaajbd.exe 34
PID 3000 wrote to memory of 2752 3000 Nblaajbd.exe 34
PID 3000 wrote to memory of 2752 3000 Nblaajbd.exe 34
PID 2752 wrote to memory of 2288 2752 Njcibgcf.exe 35
PID 2752 wrote to memory of 2288 2752 Njcibgcf.exe 35
PID 2752 wrote to memory of 2288 2752 Njcibgcf.exe 35
PID 2752 wrote to memory of 2288 2752 Njcibgcf.exe 35
PID 2288 wrote to memory of 2628 2288 Nifjnd32.exe 36
PID 2288 wrote to memory of 2628 2288 Nifjnd32.exe 36
PID 2288 wrote to memory of 2628 2288 Nifjnd32.exe 36
PID 2288 wrote to memory of 2628 2288 Nifjnd32.exe 36
PID 2628 wrote to memory of 2492 2628 Nlefjpid.exe 37
PID 2628 wrote to memory of 2492 2628 Nlefjpid.exe 37
PID 2628 wrote to memory of 2492 2628 Nlefjpid.exe 37
PID 2628 wrote to memory of 2492 2628 Nlefjpid.exe 37
PID 2492 wrote to memory of 2084 2492 Odlnkmjg.exe 38
PID 2492 wrote to memory of 2084 2492 Odlnkmjg.exe 38
PID 2492 wrote to memory of 2084 2492 Odlnkmjg.exe 38
PID 2492 wrote to memory of 2084 2492 Odlnkmjg.exe 38
PID 2084 wrote to memory of 448 2084 Obonfj32.exe 39
PID 2084 wrote to memory of 448 2084 Obonfj32.exe 39
PID 2084 wrote to memory of 448 2084 Obonfj32.exe 39
PID 2084 wrote to memory of 448 2084 Obonfj32.exe 39
PID 448 wrote to memory of 2708 448 Oemjbe32.exe 40
PID 448 wrote to memory of 2708 448 Oemjbe32.exe 40
PID 448 wrote to memory of 2708 448 Oemjbe32.exe 40
PID 448 wrote to memory of 2708 448 Oemjbe32.exe 40
PID 2708 wrote to memory of 2960 2708 Omdbdb32.exe 41
PID 2708 wrote to memory of 2960 2708 Omdbdb32.exe 41
PID 2708 wrote to memory of 2960 2708 Omdbdb32.exe 41
PID 2708 wrote to memory of 2960 2708 Omdbdb32.exe 41
PID 2960 wrote to memory of 2004 2960 Opbopn32.exe 42
PID 2960 wrote to memory of 2004 2960 Opbopn32.exe 42
PID 2960 wrote to memory of 2004 2960 Opbopn32.exe 42
PID 2960 wrote to memory of 2004 2960 Opbopn32.exe 42
PID 2004 wrote to memory of 2092 2004 Obakli32.exe 43
PID 2004 wrote to memory of 2092 2004 Obakli32.exe 43
PID 2004 wrote to memory of 2092 2004 Obakli32.exe 43
PID 2004 wrote to memory of 2092 2004 Obakli32.exe 43
PID 2092 wrote to memory of 2228 2092 Oepghe32.exe 44
PID 2092 wrote to memory of 2228 2092 Oepghe32.exe 44
PID 2092 wrote to memory of 2228 2092 Oepghe32.exe 44
PID 2092 wrote to memory of 2228 2092 Oepghe32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe  "C:\Users\Admin\AppData\Local\Temp\0fbe9fd9efdc2575b170b97ec187f141bb4efb7e2f872fed93f950afe8fc94d0.exe"  (depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Nplhooec.exe  C:\Windows\system32\Nplhooec.exe  (depth 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Nfeqli32.exe  C:\Windows\system32\Nfeqli32.exe  (depth 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Nmpiicdm.exe  C:\Windows\system32\Nmpiicdm.exe  (depth 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Npneeocq.exe  C:\Windows\system32\Npneeocq.exe  (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Nblaajbd.exe  C:\Windows\system32\Nblaajbd.exe  (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Njcibgcf.exe  C:\Windows\system32\Njcibgcf.exe  (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Nifjnd32.exe  C:\Windows\system32\Nifjnd32.exe  (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Nlefjpid.exe  C:\Windows\system32\Nlefjpid.exe  (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Odlnkmjg.exe  C:\Windows\system32\Odlnkmjg.exe  (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Obonfj32.exe  C:\Windows\system32\Obonfj32.exe  (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Oemjbe32.exe  C:\Windows\system32\Oemjbe32.exe  (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Omdbdb32.exe  C:\Windows\system32\Omdbdb32.exe  (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Opbopn32.exe  C:\Windows\system32\Opbopn32.exe  (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Obakli32.exe  C:\Windows\system32\Obakli32.exe  (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Oepghe32.exe  C:\Windows\system32\Oepghe32.exe  (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Ohncdp32.exe  C:\Windows\system32\Ohncdp32.exe  (depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Olioeoeo.exe  C:\Windows\system32\Olioeoeo.exe  (depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Obcgaill.exe  C:\Windows\system32\Obcgaill.exe  (depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Oafhmf32.exe  C:\Windows\system32\Oafhmf32.exe  (depth 20)
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Oimpnc32.exe  C:\Windows\system32\Oimpnc32.exe  (depth 21)
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Ohppjpkc.exe  C:\Windows\system32\Ohppjpkc.exe  (depth 22)
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Okolfkjg.exe  C:\Windows\system32\Okolfkjg.exe  (depth 23)
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Oojhfj32.exe  C:\Windows\system32\Oojhfj32.exe  (depth 24)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Obfdgiji.exe  C:\Windows\system32\Obfdgiji.exe  (depth 25)
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Oedqcdim.exe  C:\Windows\system32\Oedqcdim.exe  (depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Ohbmppia.exe  C:\Windows\system32\Ohbmppia.exe  (depth 27)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Okailkhd.exe  C:\Windows\system32\Okailkhd.exe  (depth 28)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Okailkhd.exe  C:\Windows\system32\Okailkhd.exe  (depth 29)
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Oakaheoa.exe  C:\Windows\system32\Oakaheoa.exe  (depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Odimdqne.exe  C:\Windows\system32\Odimdqne.exe  (depth 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Oheieo32.exe  C:\Windows\system32\Oheieo32.exe  (depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Pkcfak32.exe  C:\Windows\system32\Pkcfak32.exe  (depth 33)
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Pooaaink.exe  C:\Windows\system32\Pooaaink.exe  (depth 34)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Phgfko32.exe  C:\Windows\system32\Phgfko32.exe  (depth 35)
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Pkebgj32.exe  C:\Windows\system32\Pkebgj32.exe  (depth 36)
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Papkcd32.exe  C:\Windows\system32\Papkcd32.exe  (depth 37)
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Pkholjam.exe  C:\Windows\system32\Pkholjam.exe  (depth 38)
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Pnfkheap.exe  C:\Windows\system32\Pnfkheap.exe  (depth 39)
- Executes dropped EXE
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Plildb32.exe  C:\Windows\system32\Plildb32.exe  (depth 40)
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Pdpcep32.exe  C:\Windows\system32\Pdpcep32.exe  (depth 41)
- Executes dropped EXE
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Pgopak32.exe  C:\Windows\system32\Pgopak32.exe  (depth 42)
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Pimlmf32.exe  C:\Windows\system32\Pimlmf32.exe  (depth 43)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Pllhib32.exe  C:\Windows\system32\Pllhib32.exe  (depth 44)
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Ppgdjqna.exe  C:\Windows\system32\Ppgdjqna.exe  (depth 45)
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Pceqfl32.exe  C:\Windows\system32\Pceqfl32.exe  (depth 46)
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Pjpicfdb.exe  C:\Windows\system32\Pjpicfdb.exe  (depth 47)
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Plneoace.exe  C:\Windows\system32\Plneoace.exe  (depth 48)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Polakmbi.exe  C:\Windows\system32\Polakmbi.exe  (depth 49)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Qakmghbm.exe  C:\Windows\system32\Qakmghbm.exe  (depth 50)
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Qjbehfbo.exe  C:\Windows\system32\Qjbehfbo.exe  (depth 51)
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Qhdfdb32.exe  C:\Windows\system32\Qhdfdb32.exe  (depth 52)
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Qlpadaac.exe  C:\Windows\system32\Qlpadaac.exe  (depth 53)
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Qoonqmqf.exe  C:\Windows\system32\Qoonqmqf.exe  (depth 54)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Qcjjakip.exe  C:\Windows\system32\Qcjjakip.exe  (depth 55)
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Qfifmghc.exe  C:\Windows\system32\Qfifmghc.exe  (depth 56)
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Qdkfic32.exe  C:\Windows\system32\Qdkfic32.exe  (depth 57)
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Qhgbibgg.exe  C:\Windows\system32\Qhgbibgg.exe  (depth 58)
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Qlbnja32.exe  C:\Windows\system32\Qlbnja32.exe  (depth 59)
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Aoakfl32.exe  C:\Windows\system32\Aoakfl32.exe  (depth 60)
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Aaogbh32.exe  C:\Windows\system32\Aaogbh32.exe  (depth 61)
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Afkccffq.exe  C:\Windows\system32\Afkccffq.exe  (depth 62)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Adncoc32.exe  C:\Windows\system32\Adncoc32.exe  (depth 63)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Agloko32.exe  C:\Windows\system32\Agloko32.exe  (depth 64)
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Aocgll32.exe  C:\Windows\system32\Aocgll32.exe  (depth 65)
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Anfggicl.exe  C:\Windows\system32\Anfggicl.exe  (depth 66)
PID:1600
-
C:\Windows\SysWOW64\Abachg32.exe  C:\Windows\system32\Abachg32.exe  (depth 67)
PID:924
-
C:\Windows\SysWOW64\Adppdckh.exe  C:\Windows\system32\Adppdckh.exe  (depth 68)
PID:1480
-
C:\Windows\SysWOW64\Ahllda32.exe  C:\Windows\system32\Ahllda32.exe  (depth 69)
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Akjham32.exe  C:\Windows\system32\Akjham32.exe  (depth 70)
PID:2860
-
C:\Windows\SysWOW64\Ajmhljip.exe  C:\Windows\system32\Ajmhljip.exe  (depth 71)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Anhdmh32.exe  C:\Windows\system32\Anhdmh32.exe  (depth 72)
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Abdpngjb.exe  C:\Windows\system32\Abdpngjb.exe  (depth 73)
PID:1232
-
C:\Windows\SysWOW64\Adbmjbif.exe  C:\Windows\system32\Adbmjbif.exe  (depth 74)
PID:2568
-
C:\Windows\SysWOW64\Acemeo32.exe  C:\Windows\system32\Acemeo32.exe  (depth 75)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636 -
C:\Windows\SysWOW64\Agaifnhi.exe  C:\Windows\system32\Agaifnhi.exe  (depth 76)
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Ajoebigm.exe  C:\Windows\system32\Ajoebigm.exe  (depth 77)
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Ankabh32.exe  C:\Windows\system32\Ankabh32.exe  (depth 78)
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Amnanefa.exe  C:\Windows\system32\Amnanefa.exe  (depth 79)
PID:1592
-
C:\Windows\SysWOW64\Aqimoc32.exe  C:\Windows\system32\Aqimoc32.exe  (depth 80)
PID:1268
-
C:\Windows\SysWOW64\Achikonn.exe  C:\Windows\system32\Achikonn.exe  (depth 81)
PID:1664
-
C:\Windows\SysWOW64\Agcekn32.exe  C:\Windows\system32\Agcekn32.exe  (depth 82)
PID:1348
-
C:\Windows\SysWOW64\Afffgjma.exe  C:\Windows\system32\Afffgjma.exe  (depth 83)
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Anmnhhmd.exe  C:\Windows\system32\Anmnhhmd.exe  (depth 84)
PID:1968
-
C:\Windows\SysWOW64\Ampncd32.exe  C:\Windows\system32\Ampncd32.exe  (depth 85)
PID:1504
-
C:\Windows\SysWOW64\Acjfpokk.exe  C:\Windows\system32\Acjfpokk.exe  (depth 86)
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Afhbljko.exe  C:\Windows\system32\Afhbljko.exe  (depth 87)
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\Bjdnmi32.exe  C:\Windows\system32\Bjdnmi32.exe  (depth 88)
PID:2660
-
C:\Windows\SysWOW64\Bmbkid32.exe  C:\Windows\system32\Bmbkid32.exe  (depth 89)
PID:1448
-
C:\Windows\SysWOW64\Bqngjcje.exe  C:\Windows\system32\Bqngjcje.exe  (depth 90)
PID:936
-
C:\Windows\SysWOW64\Boqgep32.exe  C:\Windows\system32\Boqgep32.exe  (depth 91)
PID:2612
-
C:\Windows\SysWOW64\Bbocak32.exe  C:\Windows\system32\Bbocak32.exe  (depth 92)
PID:1840
-
C:\Windows\SysWOW64\Bjfkbhae.exe  C:\Windows\system32\Bjfkbhae.exe  (depth 93)
PID:2696
-
C:\Windows\SysWOW64\Bmegodpi.exe  C:\Windows\system32\Bmegodpi.exe  (depth 94)
PID:1640
-
C:\Windows\SysWOW64\Bocckoom.exe  C:\Windows\system32\Bocckoom.exe  (depth 95)
PID:852
-
C:\Windows\SysWOW64\Bfmlgi32.exe  C:\Windows\system32\Bfmlgi32.exe  (depth 96)
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Bikhce32.exe  C:\Windows\system32\Bikhce32.exe  (depth 97)
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Bmgddcnf.exe  C:\Windows\system32\Bmgddcnf.exe  (depth 98)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Boeppomj.exe  C:\Windows\system32\Boeppomj.exe  (depth 99)
PID:1980
-
C:\Windows\SysWOW64\Bnhqll32.exe  C:\Windows\system32\Bnhqll32.exe  (depth 100)
PID:696
-
C:\Windows\SysWOW64\Bfphmi32.exe  C:\Windows\system32\Bfphmi32.exe  (depth 101)
PID:1932
-
C:\Windows\SysWOW64\Bebiifka.exe  C:\Windows\system32\Bebiifka.exe  (depth 102)
PID:2160
-
C:\Windows\SysWOW64\Bgqeea32.exe  C:\Windows\system32\Bgqeea32.exe  (depth 103)
PID:1836
-
C:\Windows\SysWOW64\Bklaepbn.exe  C:\Windows\system32\Bklaepbn.exe  (depth 104)
PID:2848
-
C:\Windows\SysWOW64\Bnkmakbb.exe  C:\Windows\system32\Bnkmakbb.exe  (depth 105)
PID:1360
-
C:\Windows\SysWOW64\Baiingae.exe  C:\Windows\system32\Baiingae.exe  (depth 106)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Bipaodah.exe  C:\Windows\system32\Bipaodah.exe  (depth 107)
PID:2940
-
C:\Windows\SysWOW64\Bgcbja32.exe  C:\Windows\system32\Bgcbja32.exe  (depth 108)
PID:3032
-
C:\Windows\SysWOW64\Bjanfl32.exe  C:\Windows\system32\Bjanfl32.exe  (depth 109)
PID:1356
-
C:\Windows\SysWOW64\Bnmjgkpo.exe  C:\Windows\system32\Bnmjgkpo.exe  (depth 110)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2000 -
C:\Windows\SysWOW64\Cakfcfoc.exe  C:\Windows\system32\Cakfcfoc.exe  (depth 111)
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Cegbce32.exe  C:\Windows\system32\Cegbce32.exe  (depth 112)
PID:1540
-
C:\Windows\SysWOW64\Ccjbobnf.exe  C:\Windows\system32\Ccjbobnf.exe  (depth 113)
PID:2468
-
C:\Windows\SysWOW64\Ckajqo32.exe  C:\Windows\system32\Ckajqo32.exe  (depth 114)
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Cjdkllec.exe  C:\Windows\system32\Cjdkllec.exe  (depth 115)
PID:2956
-
C:\Windows\SysWOW64\Cmbghgdg.exe  C:\Windows\system32\Cmbghgdg.exe  (depth 116)
PID:2636
-
C:\Windows\SysWOW64\Ceioieei.exe  C:\Windows\system32\Ceioieei.exe  (depth 117)
PID:1228
-
C:\Windows\SysWOW64\Ccloea32.exe  C:\Windows\system32\Ccloea32.exe  (depth 118)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2928 -
C:\Windows\SysWOW64\Cfkkam32.exe  C:\Windows\system32\Cfkkam32.exe  (depth 119)
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Cjfgalcq.exe  C:\Windows\system32\Cjfgalcq.exe  (depth 120)
PID:2056
-
C:\Windows\SysWOW64\Cnacbj32.exe  C:\Windows\system32\Cnacbj32.exe  (depth 121)
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Cappnf32.exe  C:\Windows\system32\Cappnf32.exe  (depth 122)
PID:2516