Analysis
-
max time kernel
50s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/09/2024, 03:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f735d463a9852fd1fbe578649db41a0N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
9f735d463a9852fd1fbe578649db41a0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
9f735d463a9852fd1fbe578649db41a0N.exe
-
Size
380KB
-
MD5
9f735d463a9852fd1fbe578649db41a0
-
SHA1
b8b3783d5986cacff6b6d054223dd6c38936979c
-
SHA256
9964666e80454486f831a82f5559c12d311054f6a4f9d1e6930552138c5da59e
-
SHA512
829e3e2f7828e70003ee424300114a6e7e7e789cd352fbdb0f4808945faed5668cf9de0bce89bcb3232a0e0dd4a2217d0735135e0275f69f6fdc815ae448a7b5
-
SSDEEP
6144:N3m4hWYWxCN9Otopg5tTDUZNSN58VU5tTvnVn5tTDUZNSN58Vh:N3hhWYLOtoq5t6NSN6G5tbt5t6NSN6T
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omqlpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceeieced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhbdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahebaiac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idadnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacclpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Najpll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobgihgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgkii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdoghdmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecploipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edfbaabj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjpom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkomjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkifdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkibcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pepcelel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pidfdofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgjebg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacclpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlqmmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbnljqic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkigoimd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pohhna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfkbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdojgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcijf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfapjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggabaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeohkeoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffodjh32.exe -
Executes dropped EXE 64 IoCs
pid Process 2076 Dedlag32.exe 2284 Dhbhmb32.exe 2760 Elqaca32.exe 2772 Eamilh32.exe 2808 Edlfhc32.exe 2756 Ednbncmb.exe 2652 Ekhkjm32.exe 2456 Epecbd32.exe 1816 Eccpoo32.exe 1812 Ekjgpm32.exe 1460 Eolmip32.exe 1492 Fgcejm32.exe 1708 Fjbafi32.exe 2688 Flqmbd32.exe 2404 Fcjeon32.exe 1948 Fjdnlhco.exe 2968 Fbbofjnh.exe 2044 Fdpkbf32.exe 2928 Fkjdopeh.exe 1840 Findhdcb.exe 2900 Fkmqdpce.exe 2132 Gnkmqkbi.exe 1520 Geeemeif.exe 2520 Ggcaiqhj.exe 1748 Gkomjo32.exe 2260 Gnmifk32.exe 2496 Gegabegc.exe 2500 Gfhnjm32.exe 2792 Gmbfggdo.exe 2452 Gpabcbdb.exe 852 Gfkkpmko.exe 1428 Gpcoib32.exe 1340 Gbaken32.exe 2620 Gjicfk32.exe 1648 Gmgpbf32.exe 2180 Gcahoqhf.exe 2088 Hebdfind.exe 1528 Hinqgg32.exe 2720 Hllmcc32.exe 1048 Hipmmg32.exe 688 Hnmeen32.exe 2680 Hegnahjo.exe 2248 Hlafnbal.exe 1668 Hnpbjnpo.exe 2112 Heikgh32.exe 2292 Hhhgcc32.exe 2464 Hjfcpo32.exe 2752 Hnbopmnm.exe 2844 Hapklimq.exe 676 Hdoghdmd.exe 2104 Hhjcic32.exe 1600 Hjipenda.exe 2020 Iabhah32.exe 3012 Idadnd32.exe 2716 Ihmpobck.exe 1992 Ijklknbn.exe 1824 Iinmfk32.exe 1012 Iaeegh32.exe 2432 Idcacc32.exe 484 Ifampo32.exe 3052 Ijmipn32.exe 3036 Imleli32.exe 2200 Ilofhffj.exe 556 Idfnicfl.exe -
Loads dropped DLL 64 IoCs
pid Process 2384 9f735d463a9852fd1fbe578649db41a0N.exe 2384 9f735d463a9852fd1fbe578649db41a0N.exe 2076 Dedlag32.exe 2076 Dedlag32.exe 2284 Dhbhmb32.exe 2284 Dhbhmb32.exe 2760 Elqaca32.exe 2760 Elqaca32.exe 2772 Eamilh32.exe 2772 Eamilh32.exe 2808 Edlfhc32.exe 2808 Edlfhc32.exe 2756 Ednbncmb.exe 2756 Ednbncmb.exe 2652 Ekhkjm32.exe 2652 Ekhkjm32.exe 2456 Epecbd32.exe 2456 Epecbd32.exe 1816 Eccpoo32.exe 1816 Eccpoo32.exe 1812 Ekjgpm32.exe 1812 Ekjgpm32.exe 1460 Eolmip32.exe 1460 Eolmip32.exe 1492 Fgcejm32.exe 1492 Fgcejm32.exe 1708 Fjbafi32.exe 1708 Fjbafi32.exe 2688 Flqmbd32.exe 2688 Flqmbd32.exe 2404 Fcjeon32.exe 2404 Fcjeon32.exe 1948 Fjdnlhco.exe 1948 Fjdnlhco.exe 2968 Fbbofjnh.exe 2968 Fbbofjnh.exe 2044 Fdpkbf32.exe 2044 Fdpkbf32.exe 2928 Fkjdopeh.exe 2928 Fkjdopeh.exe 1840 Findhdcb.exe 1840 Findhdcb.exe 2900 Fkmqdpce.exe 2900 Fkmqdpce.exe 2132 Gnkmqkbi.exe 2132 Gnkmqkbi.exe 1520 Geeemeif.exe 1520 Geeemeif.exe 2520 Ggcaiqhj.exe 2520 Ggcaiqhj.exe 1748 Gkomjo32.exe 1748 Gkomjo32.exe 2260 Gnmifk32.exe 2260 Gnmifk32.exe 2496 Gegabegc.exe 2496 Gegabegc.exe 2500 Gfhnjm32.exe 2500 Gfhnjm32.exe 2792 Gmbfggdo.exe 2792 Gmbfggdo.exe 2452 Gpabcbdb.exe 2452 Gpabcbdb.exe 852 Gfkkpmko.exe 852 Gfkkpmko.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bflbigdb.exe Bgibnj32.exe File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe Gepafc32.exe File created C:\Windows\SysWOW64\Paodbg32.dll Nlefhcnc.exe File opened for modification C:\Windows\SysWOW64\Omioekbo.exe Onfoin32.exe File created C:\Windows\SysWOW64\Eoobfoke.dll Aficjnpm.exe File created C:\Windows\SysWOW64\Bnjghm32.dll Imleli32.exe File opened for modification C:\Windows\SysWOW64\Ibkkjp32.exe Ilabmedg.exe File opened for modification C:\Windows\SysWOW64\Dmhdkdlg.exe Dkigoimd.exe File opened for modification C:\Windows\SysWOW64\Fhbnbpjc.exe Edfbaabj.exe File opened for modification C:\Windows\SysWOW64\Ihniaa32.exe Ieomef32.exe File created C:\Windows\SysWOW64\Fjjpjgjj.exe Ffodjh32.exe File created C:\Windows\SysWOW64\Gdkgkcpq.exe Gfhgpg32.exe File opened for modification C:\Windows\SysWOW64\Jojkco32.exe Jpgjgboe.exe File created C:\Windows\SysWOW64\Modcdaml.dll Findhdcb.exe File created C:\Windows\SysWOW64\Ljghjpfe.exe Lghlndfa.exe File created C:\Windows\SysWOW64\Elfcbo32.exe Eihgfd32.exe File opened for modification C:\Windows\SysWOW64\Mclebc32.exe Mdiefffn.exe File created C:\Windows\SysWOW64\Ncfoch32.exe Necogkbo.exe File opened for modification C:\Windows\SysWOW64\Qgmfchei.exe Qhjfgl32.exe File created C:\Windows\SysWOW64\Cpapdk32.dll Aciqcifh.exe File created C:\Windows\SysWOW64\Ejloak32.dll Jimbkh32.exe File created C:\Windows\SysWOW64\Alihaioe.exe Qnghel32.exe File created C:\Windows\SysWOW64\Gfhnjm32.exe Gegabegc.exe File opened for modification C:\Windows\SysWOW64\Hpkompgg.exe Hahnac32.exe File opened for modification C:\Windows\SysWOW64\Onfoin32.exe Njjcip32.exe File created C:\Windows\SysWOW64\Pcljmdmj.exe Pdjjag32.exe File created C:\Windows\SysWOW64\Agolnbok.exe Accqnc32.exe File opened for modification C:\Windows\SysWOW64\Fkjdopeh.exe Fdpkbf32.exe File opened for modification C:\Windows\SysWOW64\Mmadbjkk.exe Miehak32.exe File opened for modification C:\Windows\SysWOW64\Gqdefddb.exe Gbadjg32.exe File created C:\Windows\SysWOW64\Nphgph32.dll Jeafjiop.exe File created C:\Windows\SysWOW64\Nlemad32.dll Mclebc32.exe File opened for modification C:\Windows\SysWOW64\Mnifja32.exe Mjnjjbbh.exe File created C:\Windows\SysWOW64\Djgkii32.exe Dhiomn32.exe File created C:\Windows\SysWOW64\Hedbmpnc.dll Gbhbdi32.exe File created C:\Windows\SysWOW64\Nbklpemb.dll Ohiffh32.exe File created C:\Windows\SysWOW64\Pijjilik.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Jbjpom32.exe Jialfgcc.exe File created C:\Windows\SysWOW64\Egfokakc.dll Afffenbp.exe File opened for modification C:\Windows\SysWOW64\Hllmcc32.exe Hinqgg32.exe File created C:\Windows\SysWOW64\Lkfddc32.exe Lcomce32.exe File created C:\Windows\SysWOW64\Anjcbljh.dll Mbnljqic.exe File opened for modification C:\Windows\SysWOW64\Ncfoch32.exe Necogkbo.exe File created C:\Windows\SysWOW64\Nihqegkl.dll Anlhkbhq.exe File created C:\Windows\SysWOW64\Ccjoli32.exe Cegoqlof.exe File created C:\Windows\SysWOW64\Lqqpgj32.exe Lbnpkmfg.exe File opened for modification C:\Windows\SysWOW64\Pciddedl.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Qdojgmfe.exe Qaqnkafa.exe File created C:\Windows\SysWOW64\Ihdjpd32.dll Qgmfchei.exe File created C:\Windows\SysWOW64\Eicjoa32.dll Npjlhcmd.exe File created C:\Windows\SysWOW64\Khdecggq.dll Ndqkleln.exe File created C:\Windows\SysWOW64\Pkjphcff.exe Plgolf32.exe File created C:\Windows\SysWOW64\Oeckfndj.exe Oagoep32.exe File created C:\Windows\SysWOW64\Idgglb32.exe Iedfqeka.exe File created C:\Windows\SysWOW64\Lfhhjklc.exe Lcjlnpmo.exe File created C:\Windows\SysWOW64\Boadnkpf.dll Llbqfe32.exe File created C:\Windows\SysWOW64\Nbhhdnlh.exe Nnmlcp32.exe File opened for modification C:\Windows\SysWOW64\Objaha32.exe Odgamdef.exe File opened for modification C:\Windows\SysWOW64\Pidfdofi.exe Pkaehb32.exe File opened for modification C:\Windows\SysWOW64\Ldbofgme.exe Lfoojj32.exe File created C:\Windows\SysWOW64\Odchbe32.exe Opglafab.exe File created C:\Windows\SysWOW64\Gckemgnc.dll Jodhdp32.exe File created C:\Windows\SysWOW64\Ogdgeded.dll Pkdihhag.exe File created C:\Windows\SysWOW64\Djidckbd.dll Ehpalp32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process 7240 7300 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkifdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loefnpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdjkhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpbglhjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcdjca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlgfnal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnnaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgabdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjbafi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdnlhco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpgeopa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplimbka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjcip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgjodmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdjeoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmadbjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcifpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdmnam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjlebjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjmijme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpabcbdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldebkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpjjeim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olebgfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcckcbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnkakl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meabakda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbpnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiqmlfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idadnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohagbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnebjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhgpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknmhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgoime32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nallalep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpeci32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdclnelo.dll" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnddef32.dll" Ifjlcmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjnjjbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gklodf32.dll" Eppcmncq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhomkcoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koaqcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcghbo32.dll" Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goiebopf.dll" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll" Pafdjmkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkhhhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmogmjmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfejjgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcahoqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnldjekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfpifm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eejopecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncldi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peedka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beimfpfn.dll" Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmeefl32.dll" Behilopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liqoflfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofjqboi.dll" Jfliim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahebaiac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moancj32.dll" Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglfle32.dll" Mbkpeake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldebkhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhbold32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnmifk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmbfggdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hebdfind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kofaicon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeohkeoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll" Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djgkii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edfbaabj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goknhdma.dll" Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epilaieh.dll" Ndmecgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeqncja.dll" Hcdnhoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqkmn32.dll" Heikgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnlpnob.dll" Hpbdmo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2076 2384 9f735d463a9852fd1fbe578649db41a0N.exe 30 PID 2384 wrote to memory of 2076 2384 9f735d463a9852fd1fbe578649db41a0N.exe 30 PID 2384 wrote to memory of 2076 2384 9f735d463a9852fd1fbe578649db41a0N.exe 30 PID 2384 wrote to memory of 2076 2384 9f735d463a9852fd1fbe578649db41a0N.exe 30 PID 2076 wrote to memory of 2284 2076 Dedlag32.exe 31 PID 2076 wrote to memory of 2284 2076 Dedlag32.exe 31 PID 2076 wrote to memory of 2284 2076 Dedlag32.exe 31 PID 2076 wrote to memory of 2284 2076 Dedlag32.exe 31 PID 2284 wrote to memory of 2760 2284 Dhbhmb32.exe 32 PID 2284 wrote to memory of 2760 2284 Dhbhmb32.exe 32 PID 2284 wrote to memory of 2760 2284 Dhbhmb32.exe 32 PID 2284 wrote to memory of 2760 2284 Dhbhmb32.exe 32 PID 2760 wrote to memory of 2772 2760 Elqaca32.exe 33 PID 2760 wrote to memory of 2772 2760 Elqaca32.exe 33 PID 2760 wrote to memory of 2772 2760 Elqaca32.exe 33 PID 2760 wrote to memory of 2772 2760 Elqaca32.exe 33 PID 2772 wrote to memory of 2808 2772 Eamilh32.exe 34 PID 2772 wrote to memory of 2808 2772 Eamilh32.exe 34 PID 2772 wrote to memory of 2808 2772 Eamilh32.exe 34 PID 2772 wrote to memory of 2808 2772 Eamilh32.exe 34 PID 2808 wrote to memory of 2756 2808 Edlfhc32.exe 35 PID 2808 wrote to memory of 2756 2808 Edlfhc32.exe 35 PID 2808 wrote to memory of 2756 2808 Edlfhc32.exe 35 PID 2808 wrote to memory of 2756 2808 Edlfhc32.exe 35 PID 2756 wrote to memory of 2652 2756 Ednbncmb.exe 36 PID 2756 wrote to memory of 2652 2756 Ednbncmb.exe 36 PID 2756 wrote to memory of 2652 2756 Ednbncmb.exe 36 PID 2756 wrote to memory of 2652 2756 Ednbncmb.exe 36 PID 2652 wrote to memory of 2456 2652 Ekhkjm32.exe 37 PID 2652 wrote to memory of 2456 2652 Ekhkjm32.exe 37 PID 2652 wrote to memory of 2456 2652 Ekhkjm32.exe 37 PID 2652 wrote to memory of 2456 2652 Ekhkjm32.exe 37 PID 2456 wrote to memory of 1816 2456 Epecbd32.exe 38 PID 2456 wrote to memory of 1816 2456 Epecbd32.exe 38 PID 2456 wrote to memory of 1816 2456 Epecbd32.exe 38 PID 2456 wrote to memory of 1816 2456 Epecbd32.exe 38 PID 1816 wrote to memory of 1812 1816 Eccpoo32.exe 39 PID 1816 wrote to memory of 1812 1816 Eccpoo32.exe 39 PID 1816 wrote to memory of 1812 1816 Eccpoo32.exe 39 PID 1816 wrote to memory of 1812 1816 Eccpoo32.exe 39 PID 1812 wrote to memory of 1460 1812 Ekjgpm32.exe 40 PID 1812 wrote to memory of 1460 1812 Ekjgpm32.exe 40 PID 1812 wrote to memory of 1460 1812 Ekjgpm32.exe 40 PID 1812 wrote to memory of 1460 1812 Ekjgpm32.exe 40 PID 1460 wrote to memory of 1492 1460 Eolmip32.exe 41 PID 1460 wrote to memory of 1492 1460 Eolmip32.exe 41 PID 1460 wrote to memory of 1492 1460 Eolmip32.exe 41 PID 1460 wrote to memory of 1492 1460 Eolmip32.exe 41 PID 1492 wrote to memory of 1708 1492 Fgcejm32.exe 42 PID 1492 wrote to memory of 1708 1492 Fgcejm32.exe 42 PID 1492 wrote to memory of 1708 1492 Fgcejm32.exe 42 PID 1492 wrote to memory of 1708 1492 Fgcejm32.exe 42 PID 1708 wrote to memory of 2688 1708 Fjbafi32.exe 43 PID 1708 wrote to memory of 2688 1708 Fjbafi32.exe 43 PID 1708 wrote to memory of 2688 1708 Fjbafi32.exe 43 PID 1708 wrote to memory of 2688 1708 Fjbafi32.exe 43 PID 2688 wrote to memory of 2404 2688 Flqmbd32.exe 44 PID 2688 wrote to memory of 2404 2688 Flqmbd32.exe 44 PID 2688 wrote to memory of 2404 2688 Flqmbd32.exe 44 PID 2688 wrote to memory of 2404 2688 Flqmbd32.exe 44 PID 2404 wrote to memory of 1948 2404 Fcjeon32.exe 45 PID 2404 wrote to memory of 1948 2404 Fcjeon32.exe 45 PID 2404 wrote to memory of 1948 2404 Fcjeon32.exe 45 PID 2404 wrote to memory of 1948 2404 Fcjeon32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f735d463a9852fd1fbe578649db41a0N.exe"C:\Users\Admin\AppData\Local\Temp\9f735d463a9852fd1fbe578649db41a0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe33⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe34⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe35⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe36⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe40⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe41⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe42⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe43⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe44⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe45⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe47⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe48⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe49⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe50⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe52⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe53⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe56⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe57⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe59⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe60⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe61⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe62⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe64⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe65⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe66⤵
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe67⤵PID:2812
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe68⤵PID:2636
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe69⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe70⤵PID:600
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe71⤵PID:1000
-
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe72⤵PID:648
-
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe73⤵PID:664
-
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe74⤵PID:1636
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe76⤵PID:2308
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe77⤵PID:2264
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe78⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe79⤵PID:2832
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe80⤵PID:2060
-
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe81⤵PID:2708
-
C:\Windows\SysWOW64\Jlhhndno.exeC:\Windows\system32\Jlhhndno.exe82⤵PID:2768
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe83⤵PID:2592
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe84⤵PID:1136
-
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe85⤵PID:3068
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe86⤵PID:1880
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe87⤵PID:2672
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe88⤵
- System Location Discovery: System Language Discovery
PID:892 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe89⤵PID:2864
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe90⤵PID:2888
-
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe91⤵PID:2436
-
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe92⤵PID:1652
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe93⤵
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe94⤵PID:3056
-
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe95⤵PID:1884
-
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe96⤵PID:1356
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe97⤵PID:1888
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe98⤵PID:2372
-
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe99⤵PID:2848
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe100⤵PID:2884
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe101⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe103⤵PID:2868
-
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe104⤵PID:2220
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe105⤵PID:2588
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe106⤵PID:2348
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe107⤵PID:1300
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe108⤵PID:3008
-
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe109⤵PID:2800
-
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe110⤵PID:1736
-
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe112⤵PID:2948
-
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe113⤵
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe114⤵PID:1160
-
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe115⤵PID:2028
-
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe116⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe117⤵PID:2004
-
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe118⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe119⤵PID:332
-
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe120⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe121⤵PID:1524
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-