Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 11:24
Static task: static1
Behavioral task: behavioral1
- Sample: dfc51d351180a7d656500408b8e0fdc0N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: dfc51d351180a7d656500408b8e0fdc0N.exe
- Resource: win10v2004-20240802-en
General
- Target: dfc51d351180a7d656500408b8e0fdc0N.exe
- Size: 384KB
- MD5: dfc51d351180a7d656500408b8e0fdc0
- SHA1: 6fc9d6e7ec32624b0e6311b91baa2e19aa94691c
- SHA256: a6e4e8f5544ba11025cd30d103e505470b72c460eb1490942617fdd2c8e61574
- SHA512: 007bc023e41b9553ec69e47776689fa856ff483800e640cd304959b114b32bba1c8736fdcc1fa70d171a4bdf5ae724f1c023d4c03f8b8336114099e41f767128
- SSDEEP: 6144:8OCRLypPQ///NR5fLYG3eujPQ///NR5fuTFzAJxf4zh8J7iTO:8lN/NcZ7/NG+nf4SiTO
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdhcdbik.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmlcncda.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfbklepi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlobjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmichpde.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pelohn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbkgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhfjniap.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khchdn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijedcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glpdho32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgekbpag.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdppog32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hddijgbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eihloglf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bdfnkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eodboe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bnadkjab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmpcbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Deehepba.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgfmcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acobmf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpjeaicc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgjanh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nefdpdmj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnhlao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phcojd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mipckchf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ngkjefqh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Degdkp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpopim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcpdka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nghmpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gefjbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifhooi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ioemcn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgjeno32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oikllkjm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aogimqdh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bahaol32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egmjmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlcibn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ofdqabaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdlheo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dfakaile.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eknpie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mankojhg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlmbbapb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpcegnek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckafienb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmgaiqka.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dbdjahii.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckafienb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncakjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eknpie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Albmkl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ookpkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mllcaoil.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kilnma32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kanbhlfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbbkpq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfpdfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecigap32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbjleilj.exe
- Executes dropped EXE (64 IoCs)
pid | Process
4696 | Ldeoan32.exe
712 | Lgckni32.exe
2348 | Libgje32.exe
4504 | Lmmcjclo.exe
1776 | Lplpfo32.exe
232 | Lbjlbj32.exe
4952 | Lgfhcicp.exe
3868 | Liddodbc.exe
4604 | Lmpppc32.exe
1028 | Mlbpkpag.exe
1712 | Mpnllo32.exe
3776 | Mclhhj32.exe
2840 | Mghdiiam.exe
3872 | Mekdde32.exe
5036 | Mifqedpq.exe
3192 | Mlemapod.exe
2924 | Mpqian32.exe
4120 | Mdlebm32.exe
2680 | Mcoenjfa.exe
4068 | Mgjanh32.exe
2320 | Miimjd32.exe
5096 | Mmdikbfg.exe
2344 | Mlgjfo32.exe
3440 | Mpcegnek.exe
4712 | Mcabcido.exe
904 | Mgmndh32.exe
2068 | Mikjpc32.exe
2832 | Mmgfqbdd.exe
4356 | Mliflo32.exe
1856 | Mdqnml32.exe
700 | Mccoiibl.exe
2564 | Mebked32.exe
4804 | Mimgecji.exe
396 | Mmicfb32.exe
3688 | Mllcaoil.exe
1144 | Mpgobm32.exe
2128 | Mdckbljo.exe
3424 | Mgagogib.exe
3920 | Medgjd32.exe
1572 | Mipckchf.exe
1824 | Nlnpgngj.exe
392 | Npjlhm32.exe
2588 | Ndehhlgl.exe
3916 | Ngdddg32.exe
3708 | Nefdpdmj.exe
3864 | Nibpqb32.exe
672 | Nlqlmn32.exe
4392 | Nplhmmmp.exe
3568 | Ndhdnk32.exe
3564 | Ngfqjg32.exe
5156 | Neiaeckg.exe
5192 | Nnpifalj.exe
5224 | Nlcibn32.exe
5264 | Npoeclkn.exe
5296 | Ndjack32.exe
5336 | Nghmpf32.exe
5368 | Neknkcie.exe
5408 | Njgjlban.exe
5444 | Nnbelq32.exe
5480 | Npabhl32.exe
5516 | Ndlnikad.exe
5552 | Ncondg32.exe
5584 | Ngkjefqh.exe
5624 | Nfnjqc32.exe
- Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Igielk32.exe | Ijedcg32.exe
File created | C:\Windows\SysWOW64\Cmagkhdm.dll | Ndjack32.exe
File opened for modification | C:\Windows\SysWOW64\Ndlnikad.exe | Npabhl32.exe
File created | C:\Windows\SysWOW64\Ophhikcc.exe | Olllhl32.exe
File opened for modification | C:\Windows\SysWOW64\Deehepba.exe | Dokphf32.exe
File created | C:\Windows\SysWOW64\Jhpggmid.exe | Jqhpfpha.exe
File opened for modification | C:\Windows\SysWOW64\Acaocf32.exe | Ajijjplo.exe
File opened for modification | C:\Windows\SysWOW64\Ljlfgk32.exe | Lcbmjq32.exe
File opened for modification | C:\Windows\SysWOW64\Oelfaplo.exe | Njfadgmi.exe
File created | C:\Windows\SysWOW64\Kkfgjanj.dll | Npoeclkn.exe
File opened for modification | C:\Windows\SysWOW64\Mpgobm32.exe | Mllcaoil.exe
File created | C:\Windows\SysWOW64\Efhjhbca.exe | Ddinlf32.exe
File created | C:\Windows\SysWOW64\Hbofph32.exe | Hpqjdm32.exe
File created | C:\Windows\SysWOW64\Mmicfb32.exe | Mimgecji.exe
File created | C:\Windows\SysWOW64\Idnlpeko.exe | Ikehgp32.exe
File created | C:\Windows\SysWOW64\Deqnipef.dll | Kkgpoqma.exe
File opened for modification | C:\Windows\SysWOW64\Kkkijp32.exe | Kdaamfao.exe
File created | C:\Windows\SysWOW64\Knlblk32.exe | Kgbjoanp.exe
File opened for modification | C:\Windows\SysWOW64\Phhnoi32.exe | Pmbjaq32.exe
File created | C:\Windows\SysWOW64\Qdfedioo.exe | Qoimlbqh.exe
File opened for modification | C:\Windows\SysWOW64\Bdfnkg32.exe | Bahaol32.exe
File created | C:\Windows\SysWOW64\Fajekole.exe | Egdqnflp.exe
File created | C:\Windows\SysWOW64\Dhglncgm.exe | Cfhpaghj.exe
File created | C:\Windows\SysWOW64\Bebdan32.dll | Hmichpde.exe
File created | C:\Windows\SysWOW64\Kamjfejc.dll | Ahkdkg32.exe
File created | C:\Windows\SysWOW64\Dmbhna32.exe | Dhglncgm.exe
File created | C:\Windows\SysWOW64\Mlgjfo32.exe | Mmdikbfg.exe
File opened for modification | C:\Windows\SysWOW64\Hnhdhm32.exe | Hkjhlank.exe
File created | C:\Windows\SysWOW64\Edqhchhe.dll | Gnbdbg32.exe
File created | C:\Windows\SysWOW64\Pmdkkk32.dll | Kikgck32.exe
File created | C:\Windows\SysWOW64\Dhfidmli.dll | Jnfjpi32.exe
File created | C:\Windows\SysWOW64\Miimjd32.exe | Mgjanh32.exe
File opened for modification | C:\Windows\SysWOW64\Mdlebm32.exe | Mpqian32.exe
File opened for modification | C:\Windows\SysWOW64\Bcjbid32.exe | Blqiljch.exe
File created | C:\Windows\SysWOW64\Njokchca.exe | Nebckadj.exe
File created | C:\Windows\SysWOW64\Kgfnmjfg.dll | Aoelhafj.exe
File created | C:\Windows\SysWOW64\Okjcpd32.dll | Bdfnkg32.exe
File created | C:\Windows\SysWOW64\Ngnpidgb.dll | Dfcqmb32.exe
File created | C:\Windows\SysWOW64\Kpkpek32.exe | Khchdn32.exe
File created | C:\Windows\SysWOW64\Nalgphlg.exe | Nkbocn32.exe
File created | C:\Windows\SysWOW64\Ooiceeoj.exe | Odcohlod.exe
File created | C:\Windows\SysWOW64\Cfmafjqj.exe | Cdoejn32.exe
File created | C:\Windows\SysWOW64\Bogphc32.dll | Cifmmppg.exe
File opened for modification | C:\Windows\SysWOW64\Mlabfc32.exe | Mnmbmo32.exe
File created | C:\Windows\SysWOW64\Hkhkgegd.exe | Hdnbjk32.exe
File opened for modification | C:\Windows\SysWOW64\Dojgql32.exe | Dfbchfpo.exe
File created | C:\Windows\SysWOW64\Degechol.dll | Jgekbpag.exe
File created | C:\Windows\SysWOW64\Dmeedamd.exe | Ddnmbdla.exe
File opened for modification | C:\Windows\SysWOW64\Jgedhinl.exe | Jdfhlnoh.exe
File created | C:\Windows\SysWOW64\Kffhpheh.dll | Phqbde32.exe
File created | C:\Windows\SysWOW64\Jgedhinl.exe | Jdfhlnoh.exe
File created | C:\Windows\SysWOW64\Chbaic32.dll | Nmkkjddg.exe
File created | C:\Windows\SysWOW64\Chdphcip.exe | Cdicgd32.exe
File created | C:\Windows\SysWOW64\Mcoenjfa.exe | Mdlebm32.exe
File opened for modification | C:\Windows\SysWOW64\Benincgl.exe | Babmme32.exe
File opened for modification | C:\Windows\SysWOW64\Kjccql32.exe | Kdfjhe32.exe
File created | C:\Windows\SysWOW64\Pdchoj32.exe | Paelbn32.exe
File created | C:\Windows\SysWOW64\Cqghnc32.dll | Onlhbobl.exe
File created | C:\Windows\SysWOW64\Olfpce32.dll | Opekckee.exe
File opened for modification | C:\Windows\SysWOW64\Ocfdefbf.exe | Ophhikcc.exe
File opened for modification | C:\Windows\SysWOW64\Oohddahd.exe | Oikllkjm.exe
File created | C:\Windows\SysWOW64\Lkfldp32.dll | Cokeddhn.exe
File created | C:\Windows\SysWOW64\Npjlhm32.exe | Nlnpgngj.exe
File opened for modification | C:\Windows\SysWOW64\Mcabcido.exe | Mpcegnek.exe
- Program crash (1 IoC)
pid | pid_target | Process | procid_target
5968 | 5784 | WerFault.exe | 797
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oikllkjm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbkeoaca.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcjbid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhkpbh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agpocj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Doakecbf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecigap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbcfdj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gblijh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmbjaq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efkfndgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddcoenma.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eelneoli.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gknipchi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciadbp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpeabd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oeoiaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abfldb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndligm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mdckbljo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emgkpnmo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjjgec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpmlkk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfjjdbko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckafienb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfbjblck.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Capinc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpaffjpb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kggjdf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Poejki32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Paelbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogpcpe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fppqmogc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcmkhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlemapod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbobqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ioemcn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ighnbd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ooiceeoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njifaapk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gddqci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilefjk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kngiqljb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qdhajiml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nefdpdmj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mnpobo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djkjmh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlcibn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngmgkfoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnfllpan.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbgghk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkhkgegd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgagogib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddekkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lndogp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Coohem32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnadkjab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpqian32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mebked32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnbelq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fnhlao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icakle32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mclhhj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jncoelnh.exe
- Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dohkkl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mdlebm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogiffd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkndchhh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdaod32.dll" | Aaminc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hdclejkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pelohn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqfdch32.dll" | Pceogg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nplhmmmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ciadbp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objoem32.dll" | Ohaohqif.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmggcqfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pebpdapb.dll" | Olhkcjbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbedkhe.dll" | Aonfgbmb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omigkb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfdkkhqb.dll" | Pdmgph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbanaoan.dll" | Eknpie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfedkdcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ccddoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhccpo.dll" | Icdhbe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbaic32.dll" | Nmkkjddg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pgkclc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlpmc32.dll" | Ikijhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcggm32.dll" | Mijlkg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ookpkd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panpjinh.dll" | Pjjoho32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dabfdbpp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbbik32.dll" | Kpoipjbd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcknbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjhebi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfbchfpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | dfc51d351180a7d656500408b8e0fdc0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphlmbpj.dll" | Liddodbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Igielk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbgjol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emfeee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgbahc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epdaoo32.dll" | Emcaeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijceijng.dll" | Gddqci32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Giddab32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ekahem32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Odjjjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhfjniap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbofph32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamhhb32.dll" | Oeehgodd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibmdonk.dll" | Pgkclc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnkie32.dll" | Ggbmod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pichhcnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gikbkdla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mekdde32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Falaao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbejcocp.dll" | Knkckhog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhagcjo.dll" | Fhjlnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgeqamke.dll" | Cfgjfnmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mglflm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjfqaikf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngjoni32.dll" | Hddijgbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bnobdmgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Doadjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfpcp32.dll" | Ekcekl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmbhna32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeoqif32.dll" | Bjckekkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Doiccf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjdbfic.dll" | Dmlcncda.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
description                         pid    Process                                  procid_target   events
PID 1452 wrote to memory of 4696    1452   dfc51d351180a7d656500408b8e0fdc0N.exe    91              3
PID 4696 wrote to memory of 712     4696   Ldeoan32.exe                             92              3
PID 712 wrote to memory of 2348     712    Lgckni32.exe                             93              3
PID 2348 wrote to memory of 4504    2348   Libgje32.exe                             94              3
PID 4504 wrote to memory of 1776    4504   Lmmcjclo.exe                             95              3
PID 1776 wrote to memory of 232     1776   Lplpfo32.exe                             96              3
PID 232 wrote to memory of 4952     232    Lbjlbj32.exe                             97              3
PID 4952 wrote to memory of 3868    4952   Lgfhcicp.exe                             98              3
PID 3868 wrote to memory of 4604    3868   Liddodbc.exe                             99              3
PID 4604 wrote to memory of 1028    4604   Lmpppc32.exe                             100             3
PID 1028 wrote to memory of 1712    1028   Mlbpkpag.exe                             101             3
PID 1712 wrote to memory of 3776    1712   Mpnllo32.exe                             102             3
PID 3776 wrote to memory of 2840    3776   Mclhhj32.exe                             103             3
PID 2840 wrote to memory of 3872    2840   Mghdiiam.exe                             104             3
PID 3872 wrote to memory of 5036    3872   Mekdde32.exe                             105             3
PID 5036 wrote to memory of 3192    5036   Mifqedpq.exe                             106             3
PID 3192 wrote to memory of 2924    3192   Mlemapod.exe                             107             3
PID 2924 wrote to memory of 4120    2924   Mpqian32.exe                             108             3
PID 4120 wrote to memory of 2680    4120   Mdlebm32.exe                             109             3
PID 2680 wrote to memory of 4068    2680   Mcoenjfa.exe                             110             3
PID 4068 wrote to memory of 2320    4068   Mgjanh32.exe                             111             3
PID 2320 wrote to memory of 5096    2320   Miimjd32.exe                             112             1
Processes
(bracketed number = depth in the process tree; each process was spawned by the one listed above it)
[1] C:\Users\Admin\AppData\Local\Temp\dfc51d351180a7d656500408b8e0fdc0N.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\dfc51d351180a7d656500408b8e0fdc0N.exe" | PID 1452
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\Ldeoan32.exe | cmdline: C:\Windows\system32\Ldeoan32.exe | PID 4696
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\Lgckni32.exe | cmdline: C:\Windows\system32\Lgckni32.exe | PID 712
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\Libgje32.exe | cmdline: C:\Windows\system32\Libgje32.exe | PID 2348
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\Lmmcjclo.exe | cmdline: C:\Windows\system32\Lmmcjclo.exe | PID 4504
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\Lplpfo32.exe | cmdline: C:\Windows\system32\Lplpfo32.exe | PID 1776
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[7] C:\Windows\SysWOW64\Lbjlbj32.exe | cmdline: C:\Windows\system32\Lbjlbj32.exe | PID 232
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[8] C:\Windows\SysWOW64\Lgfhcicp.exe | cmdline: C:\Windows\system32\Lgfhcicp.exe | PID 4952
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[9] C:\Windows\SysWOW64\Liddodbc.exe | cmdline: C:\Windows\system32\Liddodbc.exe | PID 3868
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[10] C:\Windows\SysWOW64\Lmpppc32.exe | cmdline: C:\Windows\system32\Lmpppc32.exe | PID 4604
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[11] C:\Windows\SysWOW64\Mlbpkpag.exe | cmdline: C:\Windows\system32\Mlbpkpag.exe | PID 1028
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[12] C:\Windows\SysWOW64\Mpnllo32.exe | cmdline: C:\Windows\system32\Mpnllo32.exe | PID 1712
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[13] C:\Windows\SysWOW64\Mclhhj32.exe | cmdline: C:\Windows\system32\Mclhhj32.exe | PID 3776
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[14] C:\Windows\SysWOW64\Mghdiiam.exe | cmdline: C:\Windows\system32\Mghdiiam.exe | PID 2840
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[15] C:\Windows\SysWOW64\Mekdde32.exe | cmdline: C:\Windows\system32\Mekdde32.exe | PID 3872
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[16] C:\Windows\SysWOW64\Mifqedpq.exe | cmdline: C:\Windows\system32\Mifqedpq.exe | PID 5036
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[17] C:\Windows\SysWOW64\Mlemapod.exe | cmdline: C:\Windows\system32\Mlemapod.exe | PID 3192
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[18] C:\Windows\SysWOW64\Mpqian32.exe | cmdline: C:\Windows\system32\Mpqian32.exe | PID 2924
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
[19] C:\Windows\SysWOW64\Mdlebm32.exe | cmdline: C:\Windows\system32\Mdlebm32.exe | PID 4120
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
[20] C:\Windows\SysWOW64\Mcoenjfa.exe | cmdline: C:\Windows\system32\Mcoenjfa.exe | PID 2680
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[21] C:\Windows\SysWOW64\Mgjanh32.exe | cmdline: C:\Windows\system32\Mgjanh32.exe | PID 4068
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
[22] C:\Windows\SysWOW64\Miimjd32.exe | cmdline: C:\Windows\system32\Miimjd32.exe | PID 2320
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[23] C:\Windows\SysWOW64\Mmdikbfg.exe | cmdline: C:\Windows\system32\Mmdikbfg.exe | PID 5096
  - Executes dropped EXE
  - Drops file in System32 directory
[24] C:\Windows\SysWOW64\Mlgjfo32.exe | cmdline: C:\Windows\system32\Mlgjfo32.exe | PID 2344
  - Executes dropped EXE
[25] C:\Windows\SysWOW64\Mpcegnek.exe | cmdline: C:\Windows\system32\Mpcegnek.exe | PID 3440
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
[26] C:\Windows\SysWOW64\Mcabcido.exe | cmdline: C:\Windows\system32\Mcabcido.exe | PID 4712
  - Executes dropped EXE
[27] C:\Windows\SysWOW64\Mgmndh32.exe | cmdline: C:\Windows\system32\Mgmndh32.exe | PID 904
  - Executes dropped EXE
[28] C:\Windows\SysWOW64\Mikjpc32.exe | cmdline: C:\Windows\system32\Mikjpc32.exe | PID 2068
  - Executes dropped EXE
[29] C:\Windows\SysWOW64\Mmgfqbdd.exe | cmdline: C:\Windows\system32\Mmgfqbdd.exe | PID 2832
  - Executes dropped EXE
[30] C:\Windows\SysWOW64\Mliflo32.exe | cmdline: C:\Windows\system32\Mliflo32.exe | PID 4356
  - Executes dropped EXE
[31] C:\Windows\SysWOW64\Mdqnml32.exe | cmdline: C:\Windows\system32\Mdqnml32.exe | PID 1856
  - Executes dropped EXE
[32] C:\Windows\SysWOW64\Mccoiibl.exe | cmdline: C:\Windows\system32\Mccoiibl.exe | PID 700
  - Executes dropped EXE
[33] C:\Windows\SysWOW64\Mebked32.exe | cmdline: C:\Windows\system32\Mebked32.exe | PID 2564
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[34] C:\Windows\SysWOW64\Mimgecji.exe | cmdline: C:\Windows\system32\Mimgecji.exe | PID 4804
  - Executes dropped EXE
  - Drops file in System32 directory
[35] C:\Windows\SysWOW64\Mmicfb32.exe | cmdline: C:\Windows\system32\Mmicfb32.exe | PID 396
  - Executes dropped EXE
[36] C:\Windows\SysWOW64\Mllcaoil.exe | cmdline: C:\Windows\system32\Mllcaoil.exe | PID 3688
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
[37] C:\Windows\SysWOW64\Mpgobm32.exe | cmdline: C:\Windows\system32\Mpgobm32.exe | PID 1144
  - Executes dropped EXE
[38] C:\Windows\SysWOW64\Mdckbljo.exe | cmdline: C:\Windows\system32\Mdckbljo.exe | PID 2128
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[39] C:\Windows\SysWOW64\Mgagogib.exe | cmdline: C:\Windows\system32\Mgagogib.exe | PID 3424
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[40] C:\Windows\SysWOW64\Medgjd32.exe | cmdline: C:\Windows\system32\Medgjd32.exe | PID 3920
  - Executes dropped EXE
[41] C:\Windows\SysWOW64\Mipckchf.exe | cmdline: C:\Windows\system32\Mipckchf.exe | PID 1572
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[42] C:\Windows\SysWOW64\Nlnpgngj.exe | cmdline: C:\Windows\system32\Nlnpgngj.exe | PID 1824
  - Executes dropped EXE
  - Drops file in System32 directory
[43] C:\Windows\SysWOW64\Npjlhm32.exe | cmdline: C:\Windows\system32\Npjlhm32.exe | PID 392
  - Executes dropped EXE
[44] C:\Windows\SysWOW64\Ndehhlgl.exe | cmdline: C:\Windows\system32\Ndehhlgl.exe | PID 2588
  - Executes dropped EXE
[45] C:\Windows\SysWOW64\Ngdddg32.exe | cmdline: C:\Windows\system32\Ngdddg32.exe | PID 3916
  - Executes dropped EXE
[46] C:\Windows\SysWOW64\Nefdpdmj.exe | cmdline: C:\Windows\system32\Nefdpdmj.exe | PID 3708
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[47] C:\Windows\SysWOW64\Nibpqb32.exe | cmdline: C:\Windows\system32\Nibpqb32.exe | PID 3864
  - Executes dropped EXE
[48] C:\Windows\SysWOW64\Nlqlmn32.exe | cmdline: C:\Windows\system32\Nlqlmn32.exe | PID 672
  - Executes dropped EXE
[49] C:\Windows\SysWOW64\Nplhmmmp.exe | cmdline: C:\Windows\system32\Nplhmmmp.exe | PID 4392
  - Executes dropped EXE
  - Modifies registry class
[50] C:\Windows\SysWOW64\Ndhdnk32.exe | cmdline: C:\Windows\system32\Ndhdnk32.exe | PID 3568
  - Executes dropped EXE
[51] C:\Windows\SysWOW64\Ngfqjg32.exe | cmdline: C:\Windows\system32\Ngfqjg32.exe | PID 3564
  - Executes dropped EXE
[52] C:\Windows\SysWOW64\Neiaeckg.exe | cmdline: C:\Windows\system32\Neiaeckg.exe | PID 5156
  - Executes dropped EXE
[53] C:\Windows\SysWOW64\Nnpifalj.exe | cmdline: C:\Windows\system32\Nnpifalj.exe | PID 5192
  - Executes dropped EXE
[54] C:\Windows\SysWOW64\Nlcibn32.exe | cmdline: C:\Windows\system32\Nlcibn32.exe | PID 5224
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[55] C:\Windows\SysWOW64\Npoeclkn.exe | cmdline: C:\Windows\system32\Npoeclkn.exe | PID 5264
  - Executes dropped EXE
  - Drops file in System32 directory
[56] C:\Windows\SysWOW64\Ndjack32.exe | cmdline: C:\Windows\system32\Ndjack32.exe | PID 5296
  - Executes dropped EXE
  - Drops file in System32 directory
[57] C:\Windows\SysWOW64\Nghmpf32.exe | cmdline: C:\Windows\system32\Nghmpf32.exe | PID 5336
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[58] C:\Windows\SysWOW64\Neknkcie.exe | cmdline: C:\Windows\system32\Neknkcie.exe | PID 5368
  - Executes dropped EXE
[59] C:\Windows\SysWOW64\Njgjlban.exe | cmdline: C:\Windows\system32\Njgjlban.exe | PID 5408
  - Executes dropped EXE
[60] C:\Windows\SysWOW64\Nnbelq32.exe | cmdline: C:\Windows\system32\Nnbelq32.exe | PID 5444
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[61] C:\Windows\SysWOW64\Npabhl32.exe | cmdline: C:\Windows\system32\Npabhl32.exe | PID 5480
  - Executes dropped EXE
  - Drops file in System32 directory
[62] C:\Windows\SysWOW64\Ndlnikad.exe | cmdline: C:\Windows\system32\Ndlnikad.exe | PID 5516
  - Executes dropped EXE
[63] C:\Windows\SysWOW64\Ncondg32.exe | cmdline: C:\Windows\system32\Ncondg32.exe | PID 5552
  - Executes dropped EXE
[64] C:\Windows\SysWOW64\Ngkjefqh.exe | cmdline: C:\Windows\system32\Ngkjefqh.exe | PID 5584
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
[65] C:\Windows\SysWOW64\Nfnjqc32.exe | cmdline: C:\Windows\system32\Nfnjqc32.exe | PID 5624
  - Executes dropped EXE
[66] C:\Windows\SysWOW64\Njifaapk.exe | cmdline: C:\Windows\system32\Njifaapk.exe | PID 5660
  - System Location Discovery: System Language Discovery
[67] C:\Windows\SysWOW64\Nlgbmmoo.exe | cmdline: C:\Windows\system32\Nlgbmmoo.exe | PID 5696
[68] C:\Windows\SysWOW64\Npconl32.exe | cmdline: C:\Windows\system32\Npconl32.exe | PID 5728
[69] C:\Windows\SysWOW64\Ncakjg32.exe | cmdline: C:\Windows\system32\Ncakjg32.exe | PID 5768
  - Adds autorun key to be loaded by Explorer.exe on startup
[70] C:\Windows\SysWOW64\Ngmgkfoe.exe | cmdline: C:\Windows\system32\Ngmgkfoe.exe | PID 5804
  - System Location Discovery: System Language Discovery
[71] C:\Windows\SysWOW64\Nfpgfb32.exe | cmdline: C:\Windows\system32\Nfpgfb32.exe | PID 5836
[72] C:\Windows\SysWOW64\Ojlcgani.exe | cmdline: C:\Windows\system32\Ojlcgani.exe | PID 5876
[73] C:\Windows\SysWOW64\Oljocm32.exe | cmdline: C:\Windows\system32\Oljocm32.exe | PID 5908
[74] C:\Windows\SysWOW64\Opekckee.exe | cmdline: C:\Windows\system32\Opekckee.exe | PID 5948
  - Drops file in System32 directory
[75] C:\Windows\SysWOW64\Ocdgpgdi.exe | cmdline: C:\Windows\system32\Ocdgpgdi.exe | PID 5984
[76] C:\Windows\SysWOW64\Ogpcpe32.exe | cmdline: C:\Windows\system32\Ogpcpe32.exe | PID 6020
  - System Location Discovery: System Language Discovery
[77] C:\Windows\SysWOW64\Ofbdlbcm.exe | cmdline: C:\Windows\system32\Ofbdlbcm.exe | PID 6056
[78] C:\Windows\SysWOW64\Onilmpdo.exe | cmdline: C:\Windows\system32\Onilmpdo.exe | PID 6088
[79] C:\Windows\SysWOW64\Olllhl32.exe | cmdline: C:\Windows\system32\Olllhl32.exe | PID 6128
  - Drops file in System32 directory
[80] C:\Windows\SysWOW64\Ophhikcc.exe | cmdline: C:\Windows\system32\Ophhikcc.exe | PID 3948
  - Drops file in System32 directory
[81] C:\Windows\SysWOW64\Ocfdefbf.exe | cmdline: C:\Windows\system32\Ocfdefbf.exe | PID 4872
[82] C:\Windows\SysWOW64\Ogbpfe32.exe | cmdline: C:\Windows\system32\Ogbpfe32.exe | PID 1684
[83] C:\Windows\SysWOW64\Ofdqabaj.exe | cmdline: C:\Windows\system32\Ofdqabaj.exe | PID 3416
  - Adds autorun key to be loaded by Explorer.exe on startup
[84] C:\Windows\SysWOW64\Onlhbobl.exe | cmdline: C:\Windows\system32\Onlhbobl.exe | PID 760
  - Drops file in System32 directory
[85] C:\Windows\SysWOW64\Oloinlig.exe | cmdline: C:\Windows\system32\Oloinlig.exe | PID 2360
[86] C:\Windows\SysWOW64\Odfqoiii.exe | cmdline: C:\Windows\system32\Odfqoiii.exe | PID 4940
[87] C:\Windows\SysWOW64\Ochakf32.exe | cmdline: C:\Windows\system32\Ochakf32.exe | PID 4884
[88] C:\Windows\SysWOW64\Ogdmkdhm.exe | cmdline: C:\Windows\system32\Ogdmkdhm.exe | PID 880
[89] C:\Windows\SysWOW64\Ojbigpgq.exe | cmdline: C:\Windows\system32\Ojbigpgq.exe | PID 5180
[90] C:\Windows\SysWOW64\Onneho32.exe | cmdline: C:\Windows\system32\Onneho32.exe | PID 5244
[91] C:\Windows\SysWOW64\Olaeclgd.exe | cmdline: C:\Windows\system32\Olaeclgd.exe | PID 5328
[92] C:\Windows\SysWOW64\Odhmdigf.exe | cmdline: C:\Windows\system32\Odhmdigf.exe | PID 1872
[93] C:\Windows\SysWOW64\Ocknpf32.exe | cmdline: C:\Windows\system32\Ocknpf32.exe | PID 2620
[94] C:\Windows\SysWOW64\Ogfjadfj.exe | cmdline: C:\Windows\system32\Ogfjadfj.exe | PID 5496
[95] C:\Windows\SysWOW64\Ojefmpen.exe | cmdline: C:\Windows\system32\Ojefmpen.exe | PID 5532
[96] C:\Windows\SysWOW64\Onqbno32.exe | cmdline: C:\Windows\system32\Onqbno32.exe | PID 5616
[97] C:\Windows\SysWOW64\Oqonjjmk.exe | cmdline: C:\Windows\system32\Oqonjjmk.exe | PID 5648
[98] C:\Windows\SysWOW64\Odjjjh32.exe | cmdline: C:\Windows\system32\Odjjjh32.exe | PID 5720
  - Modifies registry class
[99] C:\Windows\SysWOW64\Ogiffd32.exe | cmdline: C:\Windows\system32\Ogiffd32.exe | PID 5756
  - Modifies registry class
[100] C:\Windows\SysWOW64\Pflfbqkb.exe | cmdline: C:\Windows\system32\Pflfbqkb.exe | PID 5820
[101] C:\Windows\SysWOW64\Pdmgph32.exe | cmdline: C:\Windows\system32\Pdmgph32.exe | PID 3900
  - Modifies registry class
[102] C:\Windows\SysWOW64\Pgkclc32.exe | cmdline: C:\Windows\system32\Pgkclc32.exe | PID 3476
  - Modifies registry class
[103] C:\Windows\SysWOW64\Pjjoho32.exe | cmdline: C:\Windows\system32\Pjjoho32.exe | PID 4228
  - Modifies registry class
[104] C:\Windows\SysWOW64\Qfgfnoae.exe | cmdline: C:\Windows\system32\Qfgfnoae.exe | PID 4584
[105] C:\Windows\SysWOW64\Qmanji32.exe | cmdline: C:\Windows\system32\Qmanji32.exe | PID 2120
[106] C:\Windows\SysWOW64\Afcfimgg.exe | cmdline: C:\Windows\system32\Afcfimgg.exe | PID 3208
[107] C:\Windows\SysWOW64\Ammnfgnd.exe | cmdline: C:\Windows\system32\Ammnfgnd.exe | PID 6116
[108] C:\Windows\SysWOW64\Aaijgf32.exe | cmdline: C:\Windows\system32\Aaijgf32.exe | PID 4572
[109] C:\Windows\SysWOW64\Acgfca32.exe | cmdline: C:\Windows\system32\Acgfca32.exe | PID 5900
[110] C:\Windows\SysWOW64\Anmjpj32.exe | cmdline: C:\Windows\system32\Anmjpj32.exe | PID 6000
[111] C:\Windows\SysWOW64\Aefbmdmd.exe | cmdline: C:\Windows\system32\Aefbmdmd.exe | PID 6084
[112] C:\Windows\SysWOW64\Bjckekkk.exe | cmdline: C:\Windows\system32\Bjckekkk.exe | PID 4924
  - Modifies registry class
[113] C:\Windows\SysWOW64\Beiobd32.exe | cmdline: C:\Windows\system32\Beiobd32.exe | PID 4208
[114] C:\Windows\SysWOW64\Bnadkjab.exe | cmdline: C:\Windows\system32\Bnadkjab.exe | PID 1056
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
[115] C:\Windows\SysWOW64\Beklhd32.exe | cmdline: C:\Windows\system32\Beklhd32.exe | PID 5352
[116] C:\Windows\SysWOW64\Bjhdpk32.exe | cmdline: C:\Windows\system32\Bjhdpk32.exe | PID 3572
[117] C:\Windows\SysWOW64\Babmme32.exe | cmdline: C:\Windows\system32\Babmme32.exe | PID 5792
  - Drops file in System32 directory
[118] C:\Windows\SysWOW64\Benincgl.exe | cmdline: C:\Windows\system32\Benincgl.exe | PID 4036
[119] C:\Windows\SysWOW64\Bfoeel32.exe | cmdline: C:\Windows\system32\Bfoeel32.exe | PID 5896
[120] C:\Windows\SysWOW64\Bjjafjec.exe | cmdline: C:\Windows\system32\Bjjafjec.exe | PID 6012
[121] C:\Windows\SysWOW64\Badibd32.exe | cmdline: C:\Windows\system32\Badibd32.exe | PID 5568
[122] C:\Windows\SysWOW64\Bjmnkjcq.exe | cmdline: C:\Windows\system32\Bjmnkjcq.exe | PID 5572