Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
105s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/08/2024, 08:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc3037611cd04567242455bb1445a0d0N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
dc3037611cd04567242455bb1445a0d0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
dc3037611cd04567242455bb1445a0d0N.exe
-
Size
60KB
-
MD5
dc3037611cd04567242455bb1445a0d0
-
SHA1
9c682fa1688f2ceb014b6722a1b7f88833fb643d
-
SHA256
0a1c1484306e43f006c8aedd2a236f793de838d188b9747e0dc054e8bf3eefa6
-
SHA512
c8c86d486245a70d6f0685ea406110221d544baabf5eaa32caae9c9f2315a758f62cb2b66f56ff5814eeef9d1d88385b603c96785ade8bc426a61d6a1b18aea5
-
SSDEEP
1536:DyIF+4NTf/BbfbI4vZyM/gBUeANeviB86l1rs:+IDNThL84B5/gBUeAeiB86l1rs
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpchib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplicjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdaaaeqg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbalopbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfihkqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpbpbecj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcgiefen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfcabp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ombcji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apmhiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coqncejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimbkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alcfei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aonoao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahofoogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcniglmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okchnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfagf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlhgaqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjlopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahaceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmmaeap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmflbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgnemjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjpfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhccj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojdnid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkahilkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaagkcb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejchhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmenca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckclhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofnik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miofjepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpqnneo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcniglmb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnkbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpdhboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmennnni.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjeljhd.exe -
Executes dropped EXE 64 IoCs
pid Process 764 Meamcg32.exe 4092 Mhoipb32.exe 1612 Mjneln32.exe 3596 Mniallpq.exe 3796 Miofjepg.exe 1216 Mlmbfqoj.exe 1388 Mnlnbl32.exe 2728 Majjng32.exe 4800 Miaboe32.exe 2748 Mlpokp32.exe 3876 Mjbogmdb.exe 1968 Mbighjdd.exe 4836 Mehcdfch.exe 1660 Mjellmbp.exe 4188 Maodigil.exe 3096 Mejpje32.exe 2960 Mhilfa32.exe 4320 Njghbl32.exe 4552 Nbnpcj32.exe 3016 Nlfelogp.exe 4572 Nbqmiinl.exe 2248 Nijeec32.exe 5016 Nliaao32.exe 2804 Nognnj32.exe 3052 Nimbkc32.exe 3336 Nlkngo32.exe 704 Nknobkje.exe 4064 Nojjcj32.exe 8 Niooqcad.exe 1712 Nkqkhk32.exe 1264 Nbgcih32.exe 616 Nefped32.exe 1012 Nlphbnoe.exe 3548 Okchnk32.exe 1160 Objpoh32.exe 3044 Oehlkc32.exe 2592 Ohghgodi.exe 2028 Okedcjcm.exe 4264 Oblmdhdo.exe 620 Oifeab32.exe 3588 Oldamm32.exe 4872 Oocmii32.exe 3864 Oihagaji.exe 1972 Olgncmim.exe 2684 Ooejohhq.exe 1716 Oadfkdgd.exe 3680 Olijhmgj.exe 3524 Oohgdhfn.exe 5020 Oafcqcea.exe 2916 Oeaoab32.exe 3328 Oimkbaed.exe 1068 Pkogiikb.exe 1812 Pahpfc32.exe 2044 Piphgq32.exe 876 Phbhcmjl.exe 5068 Pkadoiip.exe 4524 Pibdmp32.exe 3616 Poomegpf.exe 3492 Pamiaboj.exe 1208 Peieba32.exe 1936 Pidabppl.exe 1652 Phganm32.exe 1376 Pkenjh32.exe 2152 Pcmeke32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Qofcff32.exe Qlggjk32.exe File created C:\Windows\SysWOW64\Kqdaadln.exe Kglmio32.exe File opened for modification C:\Windows\SysWOW64\Jilfifme.exe Jepjhg32.exe File created C:\Windows\SysWOW64\Mjodla32.exe Mgphpe32.exe File created C:\Windows\SysWOW64\Fcokoohi.dll Npbceggm.exe File opened for modification C:\Windows\SysWOW64\Ogekbb32.exe Oakbehfe.exe File created C:\Windows\SysWOW64\Gfjkjo32.exe Gncchb32.exe File opened for modification C:\Windows\SysWOW64\Gfjkjo32.exe Gncchb32.exe File created C:\Windows\SysWOW64\Hiikaj32.dll Nognnj32.exe File created C:\Windows\SysWOW64\Hmnmgnoh.exe Hkpqkcpd.exe File opened for modification C:\Windows\SysWOW64\Ikpjbq32.exe Iciaqc32.exe File opened for modification C:\Windows\SysWOW64\Lklbdm32.exe Kmkbfeab.exe File opened for modification C:\Windows\SysWOW64\Cdpjlb32.exe Cnfaohbj.exe File created C:\Windows\SysWOW64\Dfiildio.exe Dnbakghm.exe File opened for modification C:\Windows\SysWOW64\Pahpfc32.exe Pkogiikb.exe File created C:\Windows\SysWOW64\Dpphjp32.exe Dmalne32.exe File opened for modification C:\Windows\SysWOW64\Jdaaaeqg.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Jfdnfdoa.dll Nhahaiec.exe File created C:\Windows\SysWOW64\Gmnala32.dll Pahilmoc.exe File created C:\Windows\SysWOW64\Lqkgbcff.exe Lknojl32.exe File created C:\Windows\SysWOW64\Hhbdbmfg.dll Pehngkcg.exe File created C:\Windows\SysWOW64\Hmdlmg32.exe Hemdlj32.exe File created C:\Windows\SysWOW64\Jedccfqg.exe Jcfggkac.exe File created C:\Windows\SysWOW64\Ojenek32.dll Opqofe32.exe File opened for modification C:\Windows\SysWOW64\Qmeigg32.exe Qjfmkk32.exe File opened for modification C:\Windows\SysWOW64\Glengm32.exe Gigaka32.exe File created C:\Windows\SysWOW64\Igpdfb32.exe Ipflihfq.exe File created C:\Windows\SysWOW64\Ciggeb32.dll Bffcpg32.exe File created C:\Windows\SysWOW64\Qhhpop32.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Dbkjdh32.dll Allpejfe.exe File opened for modification C:\Windows\SysWOW64\Ncabfkqo.exe Nabfjpak.exe File created C:\Windows\SysWOW64\Mmddqemj.dll Oodcdb32.exe File opened for modification C:\Windows\SysWOW64\Eeelnp32.exe Ebgpad32.exe File created C:\Windows\SysWOW64\Phbhcmjl.exe Piphgq32.exe File opened for modification C:\Windows\SysWOW64\Dlghoa32.exe Dmdhcddh.exe File opened for modification C:\Windows\SysWOW64\Iidphgcn.exe Igfclkdj.exe File created C:\Windows\SysWOW64\Enjgeopm.dll Ncqlkemc.exe File created C:\Windows\SysWOW64\Apaadpng.exe Amcehdod.exe File opened for modification C:\Windows\SysWOW64\Nlphbnoe.exe Nefped32.exe File created C:\Windows\SysWOW64\Oadfkdgd.exe Ooejohhq.exe File created C:\Windows\SysWOW64\Ddpapmqq.dll Dfiildio.exe File created C:\Windows\SysWOW64\Odcfhh32.dll Gjfnedho.exe File opened for modification C:\Windows\SysWOW64\Gingkqkd.exe Gdaociml.exe File opened for modification C:\Windows\SysWOW64\Jdmgfedl.exe Jlfpdh32.exe File opened for modification C:\Windows\SysWOW64\Madjhb32.exe Mnfnlf32.exe File opened for modification C:\Windows\SysWOW64\Bffcpg32.exe Bakgoh32.exe File created C:\Windows\SysWOW64\Hmlephen.dll Cndeii32.exe File opened for modification C:\Windows\SysWOW64\Anclbkbp.exe Akepfpcl.exe File opened for modification C:\Windows\SysWOW64\Nliaao32.exe Nijeec32.exe File opened for modification C:\Windows\SysWOW64\Olgncmim.exe Oihagaji.exe File opened for modification C:\Windows\SysWOW64\Bljlfh32.exe Bjlpjm32.exe File created C:\Windows\SysWOW64\Cmhigf32.exe Cfnqklgh.exe File created C:\Windows\SysWOW64\Bklfgo32.exe Bhnikc32.exe File created C:\Windows\SysWOW64\Fnoimo32.dll Fbfcmhpg.exe File created C:\Windows\SysWOW64\Fealin32.exe Fngcmcfe.exe File created C:\Windows\SysWOW64\Nkbjmj32.dll Kgflcifg.exe File created C:\Windows\SysWOW64\Nfcabp32.exe Nmkmjjaa.exe File created C:\Windows\SysWOW64\Bhlkdj32.dll Pmcclm32.exe File created C:\Windows\SysWOW64\Mklbeh32.dll Bdickcpo.exe File created C:\Windows\SysWOW64\Mgphpe32.exe Moipoh32.exe File created C:\Windows\SysWOW64\Cnhgjaml.exe Cgnomg32.exe File created C:\Windows\SysWOW64\Pkogiikb.exe Oimkbaed.exe File created C:\Windows\SysWOW64\Lalbjhdj.dll Pkogiikb.exe File created C:\Windows\SysWOW64\Capqggce.dll Bkmmaeap.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15284 15144 WerFault.exe 783 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcndbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adikdfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnhjcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phajna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdojjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpejlmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipflihfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeddnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcjhkdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljbeali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mniallpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olijhmgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcaofebg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikpjbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbakghm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcldb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggpfkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkifmjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmdhdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhahaiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllkqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bombmcec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgcakon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfmojenc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlpaoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihagaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcapp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjimhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlphbnoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbcplpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dc3037611cd04567242455bb1445a0d0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nognnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcnqpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjdebfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmalne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcniglmb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll" Npgmpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bohibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmmbbejp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agchinmk.dll" Bdbnjdfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfgipd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djelgied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll" Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll" Nnojho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmenca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illfdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpkgc32.dll" Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjibekmc.dll" Njfagf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjblje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opqofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oldamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifona32.dll" Pocfpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdmgfedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnmfclj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmaffnce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmnbfhal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgncmim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnfnlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojdnid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chlflabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfglfdkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjmoag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmbjcljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll" Ppjbmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpfopn.dll" Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnidloo.dll" Blqllqqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnlmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpaekqhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmgelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adndoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifeab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdpachh.dll" Dfnbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" Bgelgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aknifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pamiaboj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodogdmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iophkojl.dll" Kjccdkki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooejohhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahjdc32.dll" Akamff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgaokl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipeeobbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcifkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmbjcljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdilipp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moehgcil.dll" Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anaomkdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iefgbh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2580 wrote to memory of 764 2580 dc3037611cd04567242455bb1445a0d0N.exe 84 PID 2580 wrote to memory of 764 2580 dc3037611cd04567242455bb1445a0d0N.exe 84 PID 2580 wrote to memory of 764 2580 dc3037611cd04567242455bb1445a0d0N.exe 84 PID 764 wrote to memory of 4092 764 Meamcg32.exe 85 PID 764 wrote to memory of 4092 764 Meamcg32.exe 85 PID 764 wrote to memory of 4092 764 Meamcg32.exe 85 PID 4092 wrote to memory of 1612 4092 Mhoipb32.exe 86 PID 4092 wrote to memory of 1612 4092 Mhoipb32.exe 86 PID 4092 wrote to memory of 1612 4092 Mhoipb32.exe 86 PID 1612 wrote to memory of 3596 1612 Mjneln32.exe 87 PID 1612 wrote to memory of 3596 1612 Mjneln32.exe 87 PID 1612 wrote to memory of 3596 1612 Mjneln32.exe 87 PID 3596 wrote to memory of 3796 3596 Mniallpq.exe 88 PID 3596 wrote to memory of 3796 3596 Mniallpq.exe 88 PID 3596 wrote to memory of 3796 3596 Mniallpq.exe 88 PID 3796 wrote to memory of 1216 3796 Miofjepg.exe 89 PID 3796 wrote to memory of 1216 3796 Miofjepg.exe 89 PID 3796 wrote to memory of 1216 3796 Miofjepg.exe 89 PID 1216 wrote to memory of 1388 1216 Mlmbfqoj.exe 90 PID 1216 wrote to memory of 1388 1216 Mlmbfqoj.exe 90 PID 1216 wrote to memory of 1388 1216 Mlmbfqoj.exe 90 PID 1388 wrote to memory of 2728 1388 Mnlnbl32.exe 91 PID 1388 wrote to memory of 2728 1388 Mnlnbl32.exe 91 PID 1388 wrote to memory of 2728 1388 Mnlnbl32.exe 91 PID 2728 wrote to memory of 4800 2728 Majjng32.exe 92 PID 2728 wrote to memory of 4800 2728 Majjng32.exe 92 PID 2728 wrote to memory of 4800 2728 Majjng32.exe 92 PID 4800 wrote to memory of 2748 4800 Miaboe32.exe 94 PID 4800 wrote to memory of 2748 4800 Miaboe32.exe 94 PID 4800 wrote to memory of 2748 4800 Miaboe32.exe 94 PID 2748 wrote to memory of 3876 2748 Mlpokp32.exe 95 PID 2748 wrote to memory of 3876 2748 Mlpokp32.exe 95 PID 2748 wrote to memory of 3876 2748 Mlpokp32.exe 95 PID 3876 wrote to memory of 1968 3876 Mjbogmdb.exe 96 PID 3876 wrote to memory of 1968 3876 Mjbogmdb.exe 96 PID 3876 wrote to memory of 1968 3876 Mjbogmdb.exe 96 PID 1968 wrote to memory of 4836 1968 Mbighjdd.exe 97 PID 1968 wrote to memory of 4836 1968 Mbighjdd.exe 97 PID 1968 wrote to memory of 4836 1968 Mbighjdd.exe 97 PID 4836 wrote to memory of 1660 4836 Mehcdfch.exe 98 PID 4836 wrote to memory of 1660 4836 Mehcdfch.exe 98 PID 4836 wrote to memory of 1660 4836 Mehcdfch.exe 98 PID 1660 wrote to memory of 4188 1660 Mjellmbp.exe 99 PID 1660 wrote to memory of 4188 1660 Mjellmbp.exe 99 PID 1660 wrote to memory of 4188 1660 Mjellmbp.exe 99 PID 4188 wrote to memory of 3096 4188 Maodigil.exe 101 PID 4188 wrote to memory of 3096 4188 Maodigil.exe 101 PID 4188 wrote to memory of 3096 4188 Maodigil.exe 101 PID 3096 wrote to memory of 2960 3096 Mejpje32.exe 102 PID 3096 wrote to memory of 2960 3096 Mejpje32.exe 102 PID 3096 wrote to memory of 2960 3096 Mejpje32.exe 102 PID 2960 wrote to memory of 4320 2960 Mhilfa32.exe 103 PID 2960 wrote to memory of 4320 2960 Mhilfa32.exe 103 PID 2960 wrote to memory of 4320 2960 Mhilfa32.exe 103 PID 4320 wrote to memory of 4552 4320 Njghbl32.exe 104 PID 4320 wrote to memory of 4552 4320 Njghbl32.exe 104 PID 4320 wrote to memory of 4552 4320 Njghbl32.exe 104 PID 4552 wrote to memory of 3016 4552 Nbnpcj32.exe 105 PID 4552 wrote to memory of 3016 4552 Nbnpcj32.exe 105 PID 4552 wrote to memory of 3016 4552 Nbnpcj32.exe 105 PID 3016 wrote to memory of 4572 3016 Nlfelogp.exe 106 PID 3016 wrote to memory of 4572 3016 Nlfelogp.exe 106 PID 3016 wrote to memory of 4572 3016 Nlfelogp.exe 106 PID 4572 wrote to memory of 2248 4572 Nbqmiinl.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc3037611cd04567242455bb1445a0d0N.exe"C:\Users\Admin\AppData\Local\Temp\dc3037611cd04567242455bb1445a0d0N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\Mnlnbl32.exeC:\Windows\system32\Mnlnbl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe24⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe27⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe28⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe29⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe30⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe31⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe32⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe36⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe37⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe38⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Okedcjcm.exeC:\Windows\system32\Okedcjcm.exe39⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4264 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3588 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe43⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3864 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Oadfkdgd.exeC:\Windows\system32\Oadfkdgd.exe47⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3680 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe49⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe50⤵
- Executes dropped EXE
PID:5020 -
C:\Windows\SysWOW64\Oeaoab32.exeC:\Windows\system32\Oeaoab32.exe51⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3328 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe54⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe56⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe57⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe58⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Poomegpf.exeC:\Windows\system32\Poomegpf.exe59⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Pamiaboj.exeC:\Windows\system32\Pamiaboj.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3492 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe61⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe62⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe63⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe64⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe65⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe66⤵
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe67⤵PID:4868
-
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe68⤵PID:3956
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe69⤵PID:2696
-
C:\Windows\SysWOW64\Pocfpf32.exeC:\Windows\system32\Pocfpf32.exe70⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe71⤵PID:3976
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3316 -
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe73⤵PID:3140
-
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe74⤵
- System Location Discovery: System Language Discovery
PID:4932 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe75⤵PID:4364
-
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe76⤵PID:4056
-
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe77⤵PID:1112
-
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe78⤵PID:2236
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe79⤵PID:3668
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe80⤵PID:1368
-
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe81⤵PID:4108
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe82⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:744 -
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe84⤵PID:4556
-
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe87⤵PID:4496
-
C:\Windows\SysWOW64\Akamff32.exeC:\Windows\system32\Akamff32.exe88⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe89⤵PID:1796
-
C:\Windows\SysWOW64\Afgacokc.exeC:\Windows\system32\Afgacokc.exe90⤵PID:1436
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe91⤵
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe92⤵PID:3416
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe93⤵PID:4060
-
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe94⤵PID:1608
-
C:\Windows\SysWOW64\Ajdjin32.exeC:\Windows\system32\Ajdjin32.exe95⤵PID:1272
-
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe97⤵PID:1460
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe98⤵PID:5076
-
C:\Windows\SysWOW64\Ajggomog.exeC:\Windows\system32\Ajggomog.exe99⤵PID:1168
-
C:\Windows\SysWOW64\Akhcfe32.exeC:\Windows\system32\Akhcfe32.exe100⤵
- System Location Discovery: System Language Discovery
PID:5128 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe101⤵
- Modifies registry class
PID:5168 -
C:\Windows\SysWOW64\Bjicdmmd.exeC:\Windows\system32\Bjicdmmd.exe102⤵PID:5212
-
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe103⤵PID:5256
-
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe104⤵PID:5304
-
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe105⤵PID:5348
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe106⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe107⤵PID:5436
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5504 -
C:\Windows\SysWOW64\Bohibc32.exeC:\Windows\system32\Bohibc32.exe109⤵
- Modifies registry class
PID:5556 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe110⤵PID:5608
-
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe111⤵PID:5656
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe112⤵PID:5704
-
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe113⤵PID:5744
-
C:\Windows\SysWOW64\Bokehc32.exeC:\Windows\system32\Bokehc32.exe114⤵PID:5788
-
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe115⤵PID:5844
-
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe116⤵PID:5888
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe117⤵PID:5928
-
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe118⤵
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe119⤵PID:6020
-
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe120⤵PID:6080
-
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe121⤵PID:6124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-