Analysis
-
max time kernel
114s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-09-2024 14:09
Static task
static1
Behavioral task
behavioral1
Sample
d1ce46a294aa753f37a2439866120bd0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d1ce46a294aa753f37a2439866120bd0N.exe
Resource
win10v2004-20240802-en
General
-
Target
d1ce46a294aa753f37a2439866120bd0N.exe
-
Size
181KB
-
MD5
d1ce46a294aa753f37a2439866120bd0
-
SHA1
4b23d93b21c16c8e01aa691b4102d1ace526fe5d
-
SHA256
42e5c3c4c4777f60ea1b94080104b08815dc5caa2f932325d88830f6ca3da520
-
SHA512
696aa505ba96e27cba652d3f5df253344cf7a68507f9c66459d48109237a56f272eb3775f6c29705ffb20d35dca2851cb4f9eff8f70ec4e0ee58d8e6d0f635f4
-
SSDEEP
3072:G0Ko7vUpp5xKfiDrFDHZtOg1DN0EKF5FDDFfgV4DrFDHZtOgB:G0Kozw7kq5tTNN0EKF5FD4w5tTB
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olnmdi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hphbpehj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ialhdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihlahjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmbjcb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iadljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmommn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opbcdieb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moacbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqbpjmeg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbkojo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neclpamg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjcmi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclpbqal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojmgggdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijigfaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnmpbec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjmcc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbeaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnoalehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paaidf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkilbni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goamlkpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcngddao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqbadf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qednnm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjeaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciefek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmhqi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbllc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhlnjpdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opefdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmefiakh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apobakpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmndkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieoapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdihfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enfcjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjmmfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoibmmpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdghmfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obfpejcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kofheeoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhkchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmjcgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmommn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdcom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nofmndkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkbhbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejaecdnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pllieg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goipae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkggfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aifpoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfikaqme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Locgagli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjhpqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fapobl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgbjkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhpge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fifhbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmiaig32.exe -
Executes dropped EXE 64 IoCs
pid Process 324 Ogmiepcf.exe 4420 Odaiodbp.exe 1456 Oinbgk32.exe 1140 Odcfdc32.exe 660 Omlkmign.exe 3376 Odfcjc32.exe 1464 Okpkgm32.exe 1924 Odhppclh.exe 1532 Oalpigkb.exe 2984 Pgihanii.exe 3692 Pjgemi32.exe 4324 Phiekaql.exe 1960 Paaidf32.exe 2800 Pnhjig32.exe 1332 Ppffec32.exe 2516 Pnjgog32.exe 4716 Pddokabk.exe 4468 Qpkppbho.exe 3688 Qkqdnkge.exe 3736 Qdihfq32.exe 1216 Qjeaog32.exe 2228 Aqpika32.exe 452 Akenij32.exe 448 Aqbfaa32.exe 4316 Aglnnkid.exe 220 Adpogp32.exe 5096 Anhcpeon.exe 2952 Aqfolqna.exe 4720 Ahngmnnd.exe 2268 Ajodef32.exe 3740 Addhbo32.exe 4008 Akopoi32.exe 1488 Anmmkd32.exe 3556 Bgeadjai.exe 4512 Bjcmpepm.exe 404 Bqnemp32.exe 1868 Bggnijof.exe 4144 Bnaffdfc.exe 2568 Bqpbboeg.exe 2200 Bgjjoi32.exe 3588 Bndblcdq.exe 3756 Bqbohocd.exe 1348 Biigildg.exe 2392 Bkhceh32.exe 3304 Bdphnmjk.exe 2400 Cbdhgaid.exe 1176 Cinpdl32.exe 4796 Cgaqphgl.exe 3616 Cnkilbni.exe 4380 Ceeaim32.exe 2288 Ckoifgmb.exe 2708 Cnmebblf.exe 3520 Calbnnkj.exe 4616 Cgejkh32.exe 1388 Cnpbgajc.exe 1660 Canocm32.exe 2316 Ciefek32.exe 1204 Cjfclcpg.exe 1928 Capkim32.exe 3088 Capkim32.exe 4448 Cigcjj32.exe 676 Dndlba32.exe 496 Dendok32.exe 4012 Daeddlco.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bjhpqn32.exe Bcngddao.exe File created C:\Windows\SysWOW64\Lqlhniij.dll Meepoc32.exe File created C:\Windows\SysWOW64\Odnfkbla.dll Bpgnmcdh.exe File opened for modification C:\Windows\SysWOW64\Meepoc32.exe Lkmkfncf.exe File opened for modification C:\Windows\SysWOW64\Paaidf32.exe Phiekaql.exe File created C:\Windows\SysWOW64\Cnmoglij.exe Cddjofbj.exe File created C:\Windows\SysWOW64\Qeddkilb.dll Dgcoaock.exe File created C:\Windows\SysWOW64\Lpdbnm32.dll Iamoon32.exe File created C:\Windows\SysWOW64\Koceep32.exe Jdnqgg32.exe File opened for modification C:\Windows\SysWOW64\Bedgejbo.exe Bgafin32.exe File created C:\Windows\SysWOW64\Mgbomcqc.dll Ffahnd32.exe File created C:\Windows\SysWOW64\Olgnnqpe.exe Niiaae32.exe File created C:\Windows\SysWOW64\Plbeef32.dll Fmejlcoj.exe File opened for modification C:\Windows\SysWOW64\Gmnmbbgp.exe Ghadjkhh.exe File created C:\Windows\SysWOW64\Lgqhki32.exe Ldblon32.exe File created C:\Windows\SysWOW64\Cdbhncfq.dll Daeddlco.exe File created C:\Windows\SysWOW64\Eeailhme.exe Ebbmpmnb.exe File opened for modification C:\Windows\SysWOW64\Jookjpam.exe Jefgak32.exe File opened for modification C:\Windows\SysWOW64\Jkomhhae.exe Jbghpc32.exe File created C:\Windows\SysWOW64\Ialhdh32.exe Ikbphn32.exe File opened for modification C:\Windows\SysWOW64\Boaeioej.exe Bnphag32.exe File created C:\Windows\SysWOW64\Hhegjdag.exe Gmpcmkaa.exe File created C:\Windows\SysWOW64\Haphiiee.exe Hnblmnfa.exe File opened for modification C:\Windows\SysWOW64\Jdhpba32.exe Jmnheggo.exe File opened for modification C:\Windows\SysWOW64\Eljknl32.exe Eaegqc32.exe File opened for modification C:\Windows\SysWOW64\Hhkgpjqn.exe Hkggfe32.exe File created C:\Windows\SysWOW64\Bibpkiie.exe Bgdcom32.exe File opened for modification C:\Windows\SysWOW64\Mminfech.exe Mbcjimda.exe File created C:\Windows\SysWOW64\Gbbfag32.dll Jkqccbkf.exe File created C:\Windows\SysWOW64\Pifghmae.exe Pfhklabb.exe File opened for modification C:\Windows\SysWOW64\Kpkqbq32.exe Knldfe32.exe File created C:\Windows\SysWOW64\Igkmbn32.exe Ipaeedpp.exe File created C:\Windows\SysWOW64\Mdibplaf.exe Mkangg32.exe File opened for modification C:\Windows\SysWOW64\Jcknee32.exe Jjbjlpga.exe File created C:\Windows\SysWOW64\Fjdajhbi.exe Fegiba32.exe File created C:\Windows\SysWOW64\Linojbdc.exe Lfpcngdo.exe File created C:\Windows\SysWOW64\Ghjlocgj.dll Hkggfe32.exe File opened for modification C:\Windows\SysWOW64\Nicalpak.exe Nbiioe32.exe File created C:\Windows\SysWOW64\Fqfmlm32.exe Ffahnd32.exe File opened for modification C:\Windows\SysWOW64\Fmpjfn32.exe Fjanjb32.exe File opened for modification C:\Windows\SysWOW64\Mojmbf32.exe Mqimdomb.exe File created C:\Windows\SysWOW64\Odhppclh.exe Okpkgm32.exe File opened for modification C:\Windows\SysWOW64\Pnjgog32.exe Ppffec32.exe File opened for modification C:\Windows\SysWOW64\Bpmobi32.exe Bjcfeola.exe File created C:\Windows\SysWOW64\Lnfngj32.exe Lkhbko32.exe File created C:\Windows\SysWOW64\Njmopj32.exe Npgjbabk.exe File opened for modification C:\Windows\SysWOW64\Olgnnqpe.exe Niiaae32.exe File created C:\Windows\SysWOW64\Agnblobc.dll Dqigee32.exe File created C:\Windows\SysWOW64\Omfigmch.dll Nblfee32.exe File created C:\Windows\SysWOW64\Gacbag32.dll Dbgndoho.exe File opened for modification C:\Windows\SysWOW64\Komhkn32.exe Khbpndnp.exe File opened for modification C:\Windows\SysWOW64\Kafcadej.exe Kklkej32.exe File created C:\Windows\SysWOW64\Cgejkh32.exe Calbnnkj.exe File created C:\Windows\SysWOW64\Pdooddpo.dll Hkaqgjme.exe File opened for modification C:\Windows\SysWOW64\Amibqhed.exe Aebjokda.exe File opened for modification C:\Windows\SysWOW64\Liabjh32.exe Lcdjba32.exe File created C:\Windows\SysWOW64\Giliddlo.dll Hoibmmpi.exe File opened for modification C:\Windows\SysWOW64\Lfjchn32.exe Lckglc32.exe File created C:\Windows\SysWOW64\Qidimpef.dll Anhcpeon.exe File opened for modification C:\Windows\SysWOW64\Cbdhgaid.exe Bilcol32.exe File created C:\Windows\SysWOW64\Fifhbf32.exe Faopah32.exe File created C:\Windows\SysWOW64\Nghjle32.dll Iaqapggb.exe File created C:\Windows\SysWOW64\Ebbmpmnb.exe Enedio32.exe File created C:\Windows\SysWOW64\Nblidf32.dll Njmopj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13796 13716 WerFault.exe 674 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqnemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhbko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bleebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbgndoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfqjhmhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbphn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpkppbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdphnmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hocjaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnoalehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciefek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejglcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnndhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfajlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojmbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppoijn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmgcoaie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idmhqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnacfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmmedi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofalfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agojdnng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefcgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdalkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklffq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doidql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjimaole.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkqdnkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgjjoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfchjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqlgdhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpoch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okodlgbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goamlkpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcngddao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpjjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkilbni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obkiqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkgpjqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mglhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdano32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pboblika.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdajhbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnkfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aghdco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkqepi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odaiodbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccigpbga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffhnocfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieoapl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifpoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkgejncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgnka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfejmobh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqgjoenq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eobffk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajggjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafaem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhpge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giahndcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcknee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbkdald.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Capkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabmnd32.dll" Ceeaim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbapoqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niadfpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfcbi32.dll" Lbqdmodg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enaaiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glhgojef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ildpbfmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apobakpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilbnhc.dll" Cgnmpbec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfejmobh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehcfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkchpoka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncecioib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmgmph.dll" Lnfngj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgafin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcahbiba.dll" Lnhdbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebbmpmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaoihfoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjlocgj.dll" Hkggfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpomglp.dll" Melfpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdqfa32.dll" Deqqek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqigee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idhgkcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paaidf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeodp32.dll" Qdihfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bggnijof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fegiba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgqhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iapbodql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahedoci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enigjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlobkie.dll" Enigjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnoalehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obnlpnbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flplcjpa.dll" Gplbcgbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqlbnh32.dll" Ikifhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpebbije.dll" Jpfnqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbkojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnojon32.dll" Dilmeida.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikjcmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajhee32.dll" Jbghpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nffljjfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemjonmn.dll" Eljknl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaqapggb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daeddlco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfnoi32.dll" Goamlkpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajlpepbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmibojk.dll" Ghadjkhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdgjgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnfkbla.dll" Bpgnmcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjnfnn32.dll" Mqkijnkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfdafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekijfnm.dll" Lckglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjambdq.dll" Pldcdhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akenij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkhbko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdfcla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejglcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgiggcgj.dll" Obafjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnhell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggldde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbjbfjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgpcklpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2968 wrote to memory of 324 2968 d1ce46a294aa753f37a2439866120bd0N.exe 92 PID 2968 wrote to memory of 324 2968 d1ce46a294aa753f37a2439866120bd0N.exe 92 PID 2968 wrote to memory of 324 2968 d1ce46a294aa753f37a2439866120bd0N.exe 92 PID 324 wrote to memory of 4420 324 Ogmiepcf.exe 93 PID 324 wrote to memory of 4420 324 Ogmiepcf.exe 93 PID 324 wrote to memory of 4420 324 Ogmiepcf.exe 93 PID 4420 wrote to memory of 1456 4420 Odaiodbp.exe 94 PID 4420 wrote to memory of 1456 4420 Odaiodbp.exe 94 PID 4420 wrote to memory of 1456 4420 Odaiodbp.exe 94 PID 1456 wrote to memory of 1140 1456 Oinbgk32.exe 95 PID 1456 wrote to memory of 1140 1456 Oinbgk32.exe 95 PID 1456 wrote to memory of 1140 1456 Oinbgk32.exe 95 PID 1140 wrote to memory of 660 1140 Odcfdc32.exe 96 PID 1140 wrote to memory of 660 1140 Odcfdc32.exe 96 PID 1140 wrote to memory of 660 1140 Odcfdc32.exe 96 PID 660 wrote to memory of 3376 660 Omlkmign.exe 97 PID 660 wrote to memory of 3376 660 Omlkmign.exe 97 PID 660 wrote to memory of 3376 660 Omlkmign.exe 97 PID 3376 wrote to memory of 1464 3376 Odfcjc32.exe 99 PID 3376 wrote to memory of 1464 3376 Odfcjc32.exe 99 PID 3376 wrote to memory of 1464 3376 Odfcjc32.exe 99 PID 1464 wrote to memory of 1924 1464 Okpkgm32.exe 100 PID 1464 wrote to memory of 1924 1464 Okpkgm32.exe 100 PID 1464 wrote to memory of 1924 1464 Okpkgm32.exe 100 PID 1924 wrote to memory of 1532 1924 Odhppclh.exe 101 PID 1924 wrote to memory of 1532 1924 Odhppclh.exe 101 PID 1924 wrote to memory of 1532 1924 Odhppclh.exe 101 PID 1532 wrote to memory of 2984 1532 Oalpigkb.exe 102 PID 1532 wrote to memory of 2984 1532 Oalpigkb.exe 102 PID 1532 wrote to memory of 2984 1532 Oalpigkb.exe 102 PID 2984 wrote to memory of 3692 2984 Pgihanii.exe 103 PID 2984 wrote to memory of 3692 2984 Pgihanii.exe 103 PID 2984 wrote to memory of 3692 2984 Pgihanii.exe 103 PID 3692 wrote to memory of 4324 3692 Pjgemi32.exe 104 PID 3692 wrote to memory of 4324 3692 Pjgemi32.exe 104 PID 3692 wrote to memory of 4324 3692 Pjgemi32.exe 104 PID 4324 wrote to memory of 1960 4324 Phiekaql.exe 105 PID 4324 wrote to memory of 1960 4324 Phiekaql.exe 105 PID 4324 wrote to memory of 1960 4324 Phiekaql.exe 105 PID 1960 wrote to memory of 2800 1960 Paaidf32.exe 106 PID 1960 wrote to memory of 2800 1960 Paaidf32.exe 106 PID 1960 wrote to memory of 2800 1960 Paaidf32.exe 106 PID 2800 wrote to memory of 1332 2800 Pnhjig32.exe 107 PID 2800 wrote to memory of 1332 2800 Pnhjig32.exe 107 PID 2800 wrote to memory of 1332 2800 Pnhjig32.exe 107 PID 1332 wrote to memory of 2516 1332 Ppffec32.exe 108 PID 1332 wrote to memory of 2516 1332 Ppffec32.exe 108 PID 1332 wrote to memory of 2516 1332 Ppffec32.exe 108 PID 2516 wrote to memory of 4716 2516 Pnjgog32.exe 109 PID 2516 wrote to memory of 4716 2516 Pnjgog32.exe 109 PID 2516 wrote to memory of 4716 2516 Pnjgog32.exe 109 PID 4716 wrote to memory of 4468 4716 Pddokabk.exe 110 PID 4716 wrote to memory of 4468 4716 Pddokabk.exe 110 PID 4716 wrote to memory of 4468 4716 Pddokabk.exe 110 PID 4468 wrote to memory of 3688 4468 Qpkppbho.exe 111 PID 4468 wrote to memory of 3688 4468 Qpkppbho.exe 111 PID 4468 wrote to memory of 3688 4468 Qpkppbho.exe 111 PID 3688 wrote to memory of 3736 3688 Qkqdnkge.exe 112 PID 3688 wrote to memory of 3736 3688 Qkqdnkge.exe 112 PID 3688 wrote to memory of 3736 3688 Qkqdnkge.exe 112 PID 3736 wrote to memory of 1216 3736 Qdihfq32.exe 113 PID 3736 wrote to memory of 1216 3736 Qdihfq32.exe 113 PID 3736 wrote to memory of 1216 3736 Qdihfq32.exe 113 PID 1216 wrote to memory of 2228 1216 Qjeaog32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1ce46a294aa753f37a2439866120bd0N.exe"C:\Users\Admin\AppData\Local\Temp\d1ce46a294aa753f37a2439866120bd0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ogmiepcf.exeC:\Windows\system32\Ogmiepcf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Odaiodbp.exeC:\Windows\system32\Odaiodbp.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\Oinbgk32.exeC:\Windows\system32\Oinbgk32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Odcfdc32.exeC:\Windows\system32\Odcfdc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Omlkmign.exeC:\Windows\system32\Omlkmign.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Odfcjc32.exeC:\Windows\system32\Odfcjc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\Okpkgm32.exeC:\Windows\system32\Okpkgm32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Odhppclh.exeC:\Windows\system32\Odhppclh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Oalpigkb.exeC:\Windows\system32\Oalpigkb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Pgihanii.exeC:\Windows\system32\Pgihanii.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Pjgemi32.exeC:\Windows\system32\Pjgemi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\SysWOW64\Phiekaql.exeC:\Windows\system32\Phiekaql.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Paaidf32.exeC:\Windows\system32\Paaidf32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Pnhjig32.exeC:\Windows\system32\Pnhjig32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ppffec32.exeC:\Windows\system32\Ppffec32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Pnjgog32.exeC:\Windows\system32\Pnjgog32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Pddokabk.exeC:\Windows\system32\Pddokabk.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Qpkppbho.exeC:\Windows\system32\Qpkppbho.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Qkqdnkge.exeC:\Windows\system32\Qkqdnkge.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Qdihfq32.exeC:\Windows\system32\Qdihfq32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\Qjeaog32.exeC:\Windows\system32\Qjeaog32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Aqpika32.exeC:\Windows\system32\Aqpika32.exe23⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Akenij32.exeC:\Windows\system32\Akenij32.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:452 -
C:\Windows\SysWOW64\Aqbfaa32.exeC:\Windows\system32\Aqbfaa32.exe25⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Aglnnkid.exeC:\Windows\system32\Aglnnkid.exe26⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Adpogp32.exeC:\Windows\system32\Adpogp32.exe27⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Anhcpeon.exeC:\Windows\system32\Anhcpeon.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5096 -
C:\Windows\SysWOW64\Aqfolqna.exeC:\Windows\system32\Aqfolqna.exe29⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ahngmnnd.exeC:\Windows\system32\Ahngmnnd.exe30⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Ajodef32.exeC:\Windows\system32\Ajodef32.exe31⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Addhbo32.exeC:\Windows\system32\Addhbo32.exe32⤵
- Executes dropped EXE
PID:3740 -
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe33⤵
- Executes dropped EXE
PID:4008 -
C:\Windows\SysWOW64\Anmmkd32.exeC:\Windows\system32\Anmmkd32.exe34⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Bgeadjai.exeC:\Windows\system32\Bgeadjai.exe35⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Bjcmpepm.exeC:\Windows\system32\Bjcmpepm.exe36⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Bqnemp32.exeC:\Windows\system32\Bqnemp32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:404 -
C:\Windows\SysWOW64\Bggnijof.exeC:\Windows\system32\Bggnijof.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Bnaffdfc.exeC:\Windows\system32\Bnaffdfc.exe39⤵
- Executes dropped EXE
PID:4144 -
C:\Windows\SysWOW64\Bqpbboeg.exeC:\Windows\system32\Bqpbboeg.exe40⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Bgjjoi32.exeC:\Windows\system32\Bgjjoi32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Bndblcdq.exeC:\Windows\system32\Bndblcdq.exe42⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Bqbohocd.exeC:\Windows\system32\Bqbohocd.exe43⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Biigildg.exeC:\Windows\system32\Biigildg.exe44⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Bkhceh32.exeC:\Windows\system32\Bkhceh32.exe45⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Bdphnmjk.exeC:\Windows\system32\Bdphnmjk.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3304 -
C:\Windows\SysWOW64\Bilcol32.exeC:\Windows\system32\Bilcol32.exe47⤵
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Cbdhgaid.exeC:\Windows\system32\Cbdhgaid.exe48⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Cinpdl32.exeC:\Windows\system32\Cinpdl32.exe49⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Cgaqphgl.exeC:\Windows\system32\Cgaqphgl.exe50⤵
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Cnkilbni.exeC:\Windows\system32\Cnkilbni.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616 -
C:\Windows\SysWOW64\Ceeaim32.exeC:\Windows\system32\Ceeaim32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Ckoifgmb.exeC:\Windows\system32\Ckoifgmb.exe53⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Cnmebblf.exeC:\Windows\system32\Cnmebblf.exe54⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Calbnnkj.exeC:\Windows\system32\Calbnnkj.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3520 -
C:\Windows\SysWOW64\Cgejkh32.exeC:\Windows\system32\Cgejkh32.exe56⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\Cnpbgajc.exeC:\Windows\system32\Cnpbgajc.exe57⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Canocm32.exeC:\Windows\system32\Canocm32.exe58⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Ciefek32.exeC:\Windows\system32\Ciefek32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Cjfclcpg.exeC:\Windows\system32\Cjfclcpg.exe60⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Capkim32.exeC:\Windows\system32\Capkim32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Capkim32.exeC:\Windows\system32\Capkim32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Windows\SysWOW64\Cigcjj32.exeC:\Windows\system32\Cigcjj32.exe63⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Dndlba32.exeC:\Windows\system32\Dndlba32.exe64⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Dendok32.exeC:\Windows\system32\Dendok32.exe65⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Daeddlco.exeC:\Windows\system32\Daeddlco.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Deqqek32.exeC:\Windows\system32\Deqqek32.exe67⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Dilmeida.exeC:\Windows\system32\Dilmeida.exe68⤵
- Modifies registry class
PID:3584 -
C:\Windows\SysWOW64\Dbdano32.exeC:\Windows\system32\Dbdano32.exe69⤵
- System Location Discovery: System Language Discovery
PID:4608 -
C:\Windows\SysWOW64\Decmjjie.exeC:\Windows\system32\Decmjjie.exe70⤵PID:208
-
C:\Windows\SysWOW64\Dgaiffii.exeC:\Windows\system32\Dgaiffii.exe71⤵PID:3988
-
C:\Windows\SysWOW64\Dbgndoho.exeC:\Windows\system32\Dbgndoho.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:500 -
C:\Windows\SysWOW64\Dhcfleff.exeC:\Windows\system32\Dhcfleff.exe73⤵PID:1848
-
C:\Windows\SysWOW64\Dehgejep.exeC:\Windows\system32\Dehgejep.exe74⤵PID:4876
-
C:\Windows\SysWOW64\Elaobdmm.exeC:\Windows\system32\Elaobdmm.exe75⤵PID:440
-
C:\Windows\SysWOW64\Ehhpge32.exeC:\Windows\system32\Ehhpge32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3400 -
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3240 -
C:\Windows\SysWOW64\Eihlahjd.exeC:\Windows\system32\Eihlahjd.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Ejiiippb.exeC:\Windows\system32\Ejiiippb.exe79⤵PID:3352
-
C:\Windows\SysWOW64\Enedio32.exeC:\Windows\system32\Enedio32.exe80⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Ebbmpmnb.exeC:\Windows\system32\Ebbmpmnb.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Eeailhme.exeC:\Windows\system32\Eeailhme.exe82⤵PID:5152
-
C:\Windows\SysWOW64\Elkbhbeb.exeC:\Windows\system32\Elkbhbeb.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Ebejem32.exeC:\Windows\system32\Ebejem32.exe84⤵PID:5272
-
C:\Windows\SysWOW64\Fjpoio32.exeC:\Windows\system32\Fjpoio32.exe85⤵PID:5316
-
C:\Windows\SysWOW64\Fefcgh32.exeC:\Windows\system32\Fefcgh32.exe86⤵
- System Location Discovery: System Language Discovery
PID:5360 -
C:\Windows\SysWOW64\Fbjcplhj.exeC:\Windows\system32\Fbjcplhj.exe87⤵PID:5404
-
C:\Windows\SysWOW64\Ficlmf32.exeC:\Windows\system32\Ficlmf32.exe88⤵PID:5448
-
C:\Windows\SysWOW64\Faopah32.exeC:\Windows\system32\Faopah32.exe89⤵
- Drops file in System32 directory
PID:5492 -
C:\Windows\SysWOW64\Fifhbf32.exeC:\Windows\system32\Fifhbf32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5536 -
C:\Windows\SysWOW64\Fkgejncb.exeC:\Windows\system32\Fkgejncb.exe91⤵
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Windows\SysWOW64\Fbnmkk32.exeC:\Windows\system32\Fbnmkk32.exe92⤵PID:5624
-
C:\Windows\SysWOW64\Faamghko.exeC:\Windows\system32\Faamghko.exe93⤵PID:5668
-
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe94⤵PID:5716
-
C:\Windows\SysWOW64\Ghmbib32.exeC:\Windows\system32\Ghmbib32.exe95⤵PID:5764
-
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe96⤵PID:5808
-
C:\Windows\SysWOW64\Glkkop32.exeC:\Windows\system32\Glkkop32.exe97⤵PID:5852
-
C:\Windows\SysWOW64\Ghbkdald.exeC:\Windows\system32\Ghbkdald.exe98⤵
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Windows\SysWOW64\Giahndcf.exeC:\Windows\system32\Giahndcf.exe99⤵
- System Location Discovery: System Language Discovery
PID:5944 -
C:\Windows\SysWOW64\Gehice32.exeC:\Windows\system32\Gehice32.exe100⤵PID:5992
-
C:\Windows\SysWOW64\Glbapoqh.exeC:\Windows\system32\Glbapoqh.exe101⤵
- Modifies registry class
PID:6036 -
C:\Windows\SysWOW64\Goamlkpk.exeC:\Windows\system32\Goamlkpk.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Gaoihfoo.exeC:\Windows\system32\Gaoihfoo.exe103⤵
- Modifies registry class
PID:6124 -
C:\Windows\SysWOW64\Hocjaj32.exeC:\Windows\system32\Hocjaj32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Windows\SysWOW64\Hembndee.exeC:\Windows\system32\Hembndee.exe105⤵PID:5220
-
C:\Windows\SysWOW64\Hhlnjpdi.exeC:\Windows\system32\Hhlnjpdi.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5308 -
C:\Windows\SysWOW64\Hligqnjp.exeC:\Windows\system32\Hligqnjp.exe107⤵PID:5372
-
C:\Windows\SysWOW64\Himgjbii.exeC:\Windows\system32\Himgjbii.exe108⤵PID:5436
-
C:\Windows\SysWOW64\Hojpbigq.exeC:\Windows\system32\Hojpbigq.exe109⤵PID:5532
-
C:\Windows\SysWOW64\Hlnqln32.exeC:\Windows\system32\Hlnqln32.exe110⤵PID:5572
-
C:\Windows\SysWOW64\Hkaqgjme.exeC:\Windows\system32\Hkaqgjme.exe111⤵
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Ilqmam32.exeC:\Windows\system32\Ilqmam32.exe112⤵PID:5724
-
C:\Windows\SysWOW64\Ilcjgm32.exeC:\Windows\system32\Ilcjgm32.exe113⤵PID:4624
-
C:\Windows\SysWOW64\Iapbodql.exeC:\Windows\system32\Iapbodql.exe114⤵
- Modifies registry class
PID:3232 -
C:\Windows\SysWOW64\Ikhghi32.exeC:\Windows\system32\Ikhghi32.exe115⤵PID:5840
-
C:\Windows\SysWOW64\Ijigfaol.exeC:\Windows\system32\Ijigfaol.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Ikjcmi32.exeC:\Windows\system32\Ikjcmi32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6000 -
C:\Windows\SysWOW64\Iadljc32.exeC:\Windows\system32\Iadljc32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6072 -
C:\Windows\SysWOW64\Jbghpc32.exeC:\Windows\system32\Jbghpc32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Jkomhhae.exeC:\Windows\system32\Jkomhhae.exe120⤵PID:5200
-
C:\Windows\SysWOW64\Jfdafa32.exeC:\Windows\system32\Jfdafa32.exe121⤵
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Jfgnka32.exeC:\Windows\system32\Jfgnka32.exe122⤵
- System Location Discovery: System Language Discovery
PID:5440
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-