Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/10/2024, 12:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe
-
Size
123KB
-
MD5
bec34d516eec5e684cf7c4606aded0d0
-
SHA1
08f9bcdbf41a08816d1583a92d96c5bdb500930d
-
SHA256
da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2b
-
SHA512
a9d07e37ae85ebc8b7da4a4bf67fc8455864886d4f4be680da4d7d89ab76cd8d1506a80347bddb1363d96803c41eb26c8919c9bb9c9a843cb334a01b467c7e66
-
SSDEEP
3072:LxmA3OP7Jwb/xY4Vx/9kuKLLRYSa9rR85DEn5k7r8:K7mb/xzd9kHL4rQD85k/8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paocim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clpppmqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppelkeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmdbooik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagngjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcijce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpnpqakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaefne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fidbgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blkgen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidbgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifnbph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dipgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpoiho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfkgp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclnfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moglpedd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nolekd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oinbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqbfaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dehgejep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeffgkkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elolco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifcben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qffoejkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnbekok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiodha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfhgcbfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omaeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Podkmgop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpgmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfkamk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeffnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icpecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbmfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgjpfqpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjeaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jabiie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfddci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnbg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbdkhe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkjlqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dabhomea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Diamko32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbnbemf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbgqdb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apddce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcicjbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dimcppgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpodkdll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcoepkdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjlcmdbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgejkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nofoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciiaogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijedehgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eblgon32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndidna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkgoke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbbdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnienqbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhfknjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmhccpci.exe -
Executes dropped EXE 64 IoCs
pid Process 2616 Mekdffee.exe 2160 Mhiabbdi.exe 2896 Mcoepkdo.exe 4708 Memalfcb.exe 4836 Mkjjdmaj.exe 1116 Mdbnmbhj.exe 1784 Mlifnphl.exe 964 Mafofggd.exe 4712 Mhpgca32.exe 3212 Mkocol32.exe 2720 Nkapelka.exe 4304 Ndidna32.exe 1172 Ncjdki32.exe 2892 Nkeipk32.exe 2208 Nlefjnno.exe 3876 Nbbnbemf.exe 3704 Nofoki32.exe 4780 Nbdkhe32.exe 3244 Ocdgahag.exe 1396 Odedipge.exe 3616 Obidcdfo.exe 832 Okailj32.exe 1336 Ochamg32.exe 1432 Obkahddl.exe 3332 Odjmdocp.exe 4268 Omaeem32.exe 4624 Okceaikl.exe 3564 Ocknbglo.exe 756 Obnnnc32.exe 936 Odljjo32.exe 4964 Ohhfknjf.exe 2488 Omcbkl32.exe 4856 Ooangh32.exe 3652 Obpkcc32.exe 3352 Oflfdbip.exe 4380 Pdngpo32.exe 3928 Pmeoqlpl.exe 2128 Podkmgop.exe 3688 Pcpgmf32.exe 2784 Pbbgicnd.exe 2772 Pdqcenmg.exe 3916 Pilpfm32.exe 2216 Pkklbh32.exe 4100 Pcbdcf32.exe 3712 Pbddobla.exe 2016 Pecpknke.exe 4672 Piolkm32.exe 3448 Pkmhgh32.exe 1064 Poidhg32.exe 2952 Pbgqdb32.exe 4760 Pfbmdabh.exe 2224 Peempn32.exe 5108 Pmmeak32.exe 432 Pkoemhao.exe 4832 Pokanf32.exe 5008 Pcfmneaa.exe 2744 Pfeijqqe.exe 1516 Pehjfm32.exe 3104 Piceflpi.exe 1164 Pmoagk32.exe 3000 Pkabbgol.exe 1080 Pbljoafi.exe 4776 Qejfkmem.exe 2780 Qifbll32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lhogamih.exe Laeoec32.exe File created C:\Windows\SysWOW64\Nggjog32.exe Najagp32.exe File created C:\Windows\SysWOW64\Abkejc32.dll Cnlpgibd.exe File created C:\Windows\SysWOW64\Ohhfknjf.exe Odljjo32.exe File opened for modification C:\Windows\SysWOW64\Pcfmneaa.exe Pokanf32.exe File created C:\Windows\SysWOW64\Aijlgkjq.exe Aeopfl32.exe File created C:\Windows\SysWOW64\Ofaqkhem.dll Apddce32.exe File created C:\Windows\SysWOW64\Abcaho32.dll Knifging.exe File created C:\Windows\SysWOW64\Kanbjn32.exe Kifjip32.exe File opened for modification C:\Windows\SysWOW64\Oacmchcl.exe Okiefn32.exe File opened for modification C:\Windows\SysWOW64\Eohhie32.exe Ehnpmkbg.exe File created C:\Windows\SysWOW64\Bggnijof.exe Bqnemp32.exe File opened for modification C:\Windows\SysWOW64\Piceflpi.exe Pehjfm32.exe File created C:\Windows\SysWOW64\Qmckbjdl.exe Qihoak32.exe File created C:\Windows\SysWOW64\Gdokakcj.dll Aimhmkgn.exe File created C:\Windows\SysWOW64\Jaepkejo.dll Ciiaogon.exe File created C:\Windows\SysWOW64\Dfkclp32.dll Bihancje.exe File created C:\Windows\SysWOW64\Hfbbdj32.exe Hpejlc32.exe File created C:\Windows\SysWOW64\Gdgpdifp.dll Hpejlc32.exe File created C:\Windows\SysWOW64\Jgobcb32.dll Lfmnbjcg.exe File created C:\Windows\SysWOW64\Aokcjngj.exe Aeeomegd.exe File opened for modification C:\Windows\SysWOW64\Clpppmqn.exe Ceehcc32.exe File opened for modification C:\Windows\SysWOW64\Dlnlak32.exe Dfqdid32.exe File opened for modification C:\Windows\SysWOW64\Hofmaq32.exe Hhleefhe.exe File opened for modification C:\Windows\SysWOW64\Bbeobhlp.exe Blkgen32.exe File opened for modification C:\Windows\SysWOW64\Lfodmdni.exe Likcdpop.exe File created C:\Windows\SysWOW64\Mfkcibdl.exe Mfhgcbfo.exe File opened for modification C:\Windows\SysWOW64\Aimhmkgn.exe Aealll32.exe File opened for modification C:\Windows\SysWOW64\Dmbiackg.exe Digmqe32.exe File created C:\Windows\SysWOW64\Kejeebpl.exe Knpmhh32.exe File created C:\Windows\SysWOW64\Pnfdnnbo.exe Pgllad32.exe File created C:\Windows\SysWOW64\Agaoca32.exe Afpbkicl.exe File created C:\Windows\SysWOW64\Gebimmco.exe Gohapb32.exe File created C:\Windows\SysWOW64\Ibkonk32.dll Adbkmo32.exe File opened for modification C:\Windows\SysWOW64\Leedqa32.exe Lokldg32.exe File created C:\Windows\SysWOW64\Lmqiec32.exe Lhdqml32.exe File opened for modification C:\Windows\SysWOW64\Moglpedd.exe Mgpcohcb.exe File created C:\Windows\SysWOW64\Agmehamp.exe Afkipi32.exe File created C:\Windows\SysWOW64\Dcgpmj32.dll Cnpibh32.exe File created C:\Windows\SysWOW64\Gdojoeki.dll Okailj32.exe File created C:\Windows\SysWOW64\Oijflc32.dll Podkmgop.exe File created C:\Windows\SysWOW64\Headnoed.dll Bflagg32.exe File created C:\Windows\SysWOW64\Kaflio32.exe Kiodha32.exe File opened for modification C:\Windows\SysWOW64\Aqbfaa32.exe Ajhndgjj.exe File created C:\Windows\SysWOW64\Cgnqqq32.dll Cnhlgc32.exe File created C:\Windows\SysWOW64\Ddhhbngi.exe Dgdgijhp.exe File created C:\Windows\SysWOW64\Jepbodhg.exe Jaefne32.exe File created C:\Windows\SysWOW64\Mqhali32.dll Lhogamih.exe File created C:\Windows\SysWOW64\Dojlhg32.exe Dimcppgm.exe File opened for modification C:\Windows\SysWOW64\Dfemdcba.exe Dpkehi32.exe File created C:\Windows\SysWOW64\Mlifnphl.exe Mdbnmbhj.exe File created C:\Windows\SysWOW64\Neiiibnn.dll Cbmlmmjd.exe File created C:\Windows\SysWOW64\Nkgoke32.exe Ndmgnkja.exe File created C:\Windows\SysWOW64\Nojgmmgl.dll Oknnanhj.exe File created C:\Windows\SysWOW64\Okiefn32.exe Ndomiddc.exe File created C:\Windows\SysWOW64\Apleaenp.dll Ehhpge32.exe File opened for modification C:\Windows\SysWOW64\Obidcdfo.exe Odedipge.exe File created C:\Windows\SysWOW64\Qppkhfec.exe Qmanljfo.exe File opened for modification C:\Windows\SysWOW64\Abemep32.exe Apgqie32.exe File created C:\Windows\SysWOW64\Edjgidik.dll Bmimdg32.exe File opened for modification C:\Windows\SysWOW64\Kaihonhl.exe Kiaqnagj.exe File created C:\Windows\SysWOW64\Pnenchoc.exe Pkgaglpp.exe File created C:\Windows\SysWOW64\Cinpdl32.exe Cnhlgc32.exe File created C:\Windows\SysWOW64\Paajfjdm.dll Omaeem32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12576 12480 WerFault.exe 604 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclnfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjeaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcddkggf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqpclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbgdnelk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anffje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amoknh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqfqfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knifging.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmjomlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdflaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okceaikl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjcmbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhcpeon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digmqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgihanii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbmfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpghfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhpge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceoppmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehdib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceehcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebeapc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplaaiqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkeipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbmlmmjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkjlqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffoejkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailabddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlicflic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomkkagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miklkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhmqlmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmanljfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcncodki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lennpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkeifga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbaehl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbfpeec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaelcgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhafcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddokabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjmdocp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhfknjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdphnmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaihonhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lagepl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhffijdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpodkdll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhgie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndomiddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bndblcdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnboma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeijqqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfddci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgomaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obidcdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odljjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbmpjkqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggnijof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpnpqakp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhfoocaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdngpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piceflpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll" Piceflpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elolco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bichcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgffka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablgll32.dll" Kfcdaehf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aglnnkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbgndoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odljjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmiiidk.dll" Ljncnhhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkfal32.dll" Mhkgnkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hceook32.dll" Dgomaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflmkg32.dll" Pcpgmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khcgfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afkipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfemoei.dll" Efopjbjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lagepl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aqbfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bndblcdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll" Pmmeak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abgjkpll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjjcmbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ankgpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeeomegd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnppkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqhckhgq.dll" Kmhccpci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obpkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmccbngq.dll" Alkeifga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqpclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjemle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcpojk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbhhlccb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dabhomea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dnienqbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpckjlje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jabiie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbgdnelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbkbj32.dll" Hcfcmnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfbmge32.dll" Lagepl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhafcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndomiddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Piceflpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aimhmkgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eohhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaflio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgaiffii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdphnmjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkkbg32.dll" Cdebfago.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcnnnil.dll" Cpnpqakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkdiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcogflc.dll" Onhhmpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbihmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcoblg32.dll" Jqofippg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakojnlp.dll" Nhcbidcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehhpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obpkcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjmqdci.dll" Amoknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoahkfnb.dll" Fgjpfqpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jikjmbmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnjgog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eblgon32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1220 wrote to memory of 2616 1220 da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe 89 PID 1220 wrote to memory of 2616 1220 da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe 89 PID 1220 wrote to memory of 2616 1220 da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe 89 PID 2616 wrote to memory of 2160 2616 Mekdffee.exe 90 PID 2616 wrote to memory of 2160 2616 Mekdffee.exe 90 PID 2616 wrote to memory of 2160 2616 Mekdffee.exe 90 PID 2160 wrote to memory of 2896 2160 Mhiabbdi.exe 91 PID 2160 wrote to memory of 2896 2160 Mhiabbdi.exe 91 PID 2160 wrote to memory of 2896 2160 Mhiabbdi.exe 91 PID 2896 wrote to memory of 4708 2896 Mcoepkdo.exe 92 PID 2896 wrote to memory of 4708 2896 Mcoepkdo.exe 92 PID 2896 wrote to memory of 4708 2896 Mcoepkdo.exe 92 PID 4708 wrote to memory of 4836 4708 Memalfcb.exe 93 PID 4708 wrote to memory of 4836 4708 Memalfcb.exe 93 PID 4708 wrote to memory of 4836 4708 Memalfcb.exe 93 PID 4836 wrote to memory of 1116 4836 Mkjjdmaj.exe 94 PID 4836 wrote to memory of 1116 4836 Mkjjdmaj.exe 94 PID 4836 wrote to memory of 1116 4836 Mkjjdmaj.exe 94 PID 1116 wrote to memory of 1784 1116 Mdbnmbhj.exe 95 PID 1116 wrote to memory of 1784 1116 Mdbnmbhj.exe 95 PID 1116 wrote to memory of 1784 1116 Mdbnmbhj.exe 95 PID 1784 wrote to memory of 964 1784 Mlifnphl.exe 96 PID 1784 wrote to memory of 964 1784 Mlifnphl.exe 96 PID 1784 wrote to memory of 964 1784 Mlifnphl.exe 96 PID 964 wrote to memory of 4712 964 Mafofggd.exe 97 PID 964 wrote to memory of 4712 964 Mafofggd.exe 97 PID 964 wrote to memory of 4712 964 Mafofggd.exe 97 PID 4712 wrote to memory of 3212 4712 Mhpgca32.exe 98 PID 4712 wrote to memory of 3212 4712 Mhpgca32.exe 98 PID 4712 wrote to memory of 3212 4712 Mhpgca32.exe 98 PID 3212 wrote to memory of 2720 3212 Mkocol32.exe 99 PID 3212 wrote to memory of 2720 3212 Mkocol32.exe 99 PID 3212 wrote to memory of 2720 3212 Mkocol32.exe 99 PID 2720 wrote to memory of 4304 2720 Nkapelka.exe 100 PID 2720 wrote to memory of 4304 2720 Nkapelka.exe 100 PID 2720 wrote to memory of 4304 2720 Nkapelka.exe 100 PID 4304 wrote to memory of 1172 4304 Ndidna32.exe 101 PID 4304 wrote to memory of 1172 4304 Ndidna32.exe 101 PID 4304 wrote to memory of 1172 4304 Ndidna32.exe 101 PID 1172 wrote to memory of 2892 1172 Ncjdki32.exe 102 PID 1172 wrote to memory of 2892 1172 Ncjdki32.exe 102 PID 1172 wrote to memory of 2892 1172 Ncjdki32.exe 102 PID 2892 wrote to memory of 2208 2892 Nkeipk32.exe 103 PID 2892 wrote to memory of 2208 2892 Nkeipk32.exe 103 PID 2892 wrote to memory of 2208 2892 Nkeipk32.exe 103 PID 2208 wrote to memory of 3876 2208 Nlefjnno.exe 104 PID 2208 wrote to memory of 3876 2208 Nlefjnno.exe 104 PID 2208 wrote to memory of 3876 2208 Nlefjnno.exe 104 PID 3876 wrote to memory of 3704 3876 Nbbnbemf.exe 105 PID 3876 wrote to memory of 3704 3876 Nbbnbemf.exe 105 PID 3876 wrote to memory of 3704 3876 Nbbnbemf.exe 105 PID 3704 wrote to memory of 4780 3704 Nofoki32.exe 106 PID 3704 wrote to memory of 4780 3704 Nofoki32.exe 106 PID 3704 wrote to memory of 4780 3704 Nofoki32.exe 106 PID 4780 wrote to memory of 3244 4780 Nbdkhe32.exe 107 PID 4780 wrote to memory of 3244 4780 Nbdkhe32.exe 107 PID 4780 wrote to memory of 3244 4780 Nbdkhe32.exe 107 PID 3244 wrote to memory of 1396 3244 Ocdgahag.exe 108 PID 3244 wrote to memory of 1396 3244 Ocdgahag.exe 108 PID 3244 wrote to memory of 1396 3244 Ocdgahag.exe 108 PID 1396 wrote to memory of 3616 1396 Odedipge.exe 109 PID 1396 wrote to memory of 3616 1396 Odedipge.exe 109 PID 1396 wrote to memory of 3616 1396 Odedipge.exe 109 PID 3616 wrote to memory of 832 3616 Obidcdfo.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe"C:\Users\Admin\AppData\Local\Temp\da2588361e6b13e573f15e12f2cda8ae54d6fdc36fc9e384ca411e1df46fff2bN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Mekdffee.exeC:\Windows\system32\Mekdffee.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Mhiabbdi.exeC:\Windows\system32\Mhiabbdi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Mcoepkdo.exeC:\Windows\system32\Mcoepkdo.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Memalfcb.exeC:\Windows\system32\Memalfcb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Mkjjdmaj.exeC:\Windows\system32\Mkjjdmaj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Mdbnmbhj.exeC:\Windows\system32\Mdbnmbhj.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\Mlifnphl.exeC:\Windows\system32\Mlifnphl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Mafofggd.exeC:\Windows\system32\Mafofggd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Mhpgca32.exeC:\Windows\system32\Mhpgca32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\SysWOW64\Mkocol32.exeC:\Windows\system32\Mkocol32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Nkapelka.exeC:\Windows\system32\Nkapelka.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ndidna32.exeC:\Windows\system32\Ndidna32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Ncjdki32.exeC:\Windows\system32\Ncjdki32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Nkeipk32.exeC:\Windows\system32\Nkeipk32.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Nlefjnno.exeC:\Windows\system32\Nlefjnno.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Nbbnbemf.exeC:\Windows\system32\Nbbnbemf.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\Nofoki32.exeC:\Windows\system32\Nofoki32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Nbdkhe32.exeC:\Windows\system32\Nbdkhe32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Ocdgahag.exeC:\Windows\system32\Ocdgahag.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Odedipge.exeC:\Windows\system32\Odedipge.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Obidcdfo.exeC:\Windows\system32\Obidcdfo.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Okailj32.exeC:\Windows\system32\Okailj32.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Ochamg32.exeC:\Windows\system32\Ochamg32.exe24⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Obkahddl.exeC:\Windows\system32\Obkahddl.exe25⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Odjmdocp.exeC:\Windows\system32\Odjmdocp.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Windows\SysWOW64\Omaeem32.exeC:\Windows\system32\Omaeem32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4268 -
C:\Windows\SysWOW64\Okceaikl.exeC:\Windows\system32\Okceaikl.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Windows\SysWOW64\Ocknbglo.exeC:\Windows\system32\Ocknbglo.exe29⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Obnnnc32.exeC:\Windows\system32\Obnnnc32.exe30⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Odljjo32.exeC:\Windows\system32\Odljjo32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Ohhfknjf.exeC:\Windows\system32\Ohhfknjf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
C:\Windows\SysWOW64\Omcbkl32.exeC:\Windows\system32\Omcbkl32.exe33⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ooangh32.exeC:\Windows\system32\Ooangh32.exe34⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Obpkcc32.exeC:\Windows\system32\Obpkcc32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3652 -
C:\Windows\SysWOW64\Oflfdbip.exeC:\Windows\system32\Oflfdbip.exe36⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Pdngpo32.exeC:\Windows\system32\Pdngpo32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Pmeoqlpl.exeC:\Windows\system32\Pmeoqlpl.exe38⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Podkmgop.exeC:\Windows\system32\Podkmgop.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\Pcpgmf32.exeC:\Windows\system32\Pcpgmf32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Pbbgicnd.exeC:\Windows\system32\Pbbgicnd.exe41⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Pdqcenmg.exeC:\Windows\system32\Pdqcenmg.exe42⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Pilpfm32.exeC:\Windows\system32\Pilpfm32.exe43⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Pkklbh32.exeC:\Windows\system32\Pkklbh32.exe44⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Pcbdcf32.exeC:\Windows\system32\Pcbdcf32.exe45⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe46⤵
- Executes dropped EXE
PID:3712 -
C:\Windows\SysWOW64\Pecpknke.exeC:\Windows\system32\Pecpknke.exe47⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe48⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Pkmhgh32.exeC:\Windows\system32\Pkmhgh32.exe49⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Poidhg32.exeC:\Windows\system32\Poidhg32.exe50⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Pbgqdb32.exeC:\Windows\system32\Pbgqdb32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Pfbmdabh.exeC:\Windows\system32\Pfbmdabh.exe52⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Peempn32.exeC:\Windows\system32\Peempn32.exe53⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Pkoemhao.exeC:\Windows\system32\Pkoemhao.exe55⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Pokanf32.exeC:\Windows\system32\Pokanf32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4832 -
C:\Windows\SysWOW64\Pcfmneaa.exeC:\Windows\system32\Pcfmneaa.exe57⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Pfeijqqe.exeC:\Windows\system32\Pfeijqqe.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Pehjfm32.exeC:\Windows\system32\Pehjfm32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Piceflpi.exeC:\Windows\system32\Piceflpi.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3104 -
C:\Windows\SysWOW64\Pmoagk32.exeC:\Windows\system32\Pmoagk32.exe61⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Pkabbgol.exeC:\Windows\system32\Pkabbgol.exe62⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Pcijce32.exeC:\Windows\system32\Pcijce32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Pbljoafi.exeC:\Windows\system32\Pbljoafi.exe64⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Qejfkmem.exeC:\Windows\system32\Qejfkmem.exe65⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Qifbll32.exeC:\Windows\system32\Qifbll32.exe66⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Qppkhfec.exeC:\Windows\system32\Qppkhfec.exe68⤵PID:4120
-
C:\Windows\SysWOW64\Qckfid32.exeC:\Windows\system32\Qckfid32.exe69⤵PID:1320
-
C:\Windows\SysWOW64\Qbngeadf.exeC:\Windows\system32\Qbngeadf.exe70⤵PID:2832
-
C:\Windows\SysWOW64\Qfjcep32.exeC:\Windows\system32\Qfjcep32.exe71⤵PID:5136
-
C:\Windows\SysWOW64\Qihoak32.exeC:\Windows\system32\Qihoak32.exe72⤵
- Drops file in System32 directory
PID:5168 -
C:\Windows\SysWOW64\Qmckbjdl.exeC:\Windows\system32\Qmckbjdl.exe73⤵PID:5208
-
C:\Windows\SysWOW64\Qkfkng32.exeC:\Windows\system32\Qkfkng32.exe74⤵PID:5248
-
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe75⤵
- System Location Discovery: System Language Discovery
PID:5288 -
C:\Windows\SysWOW64\Abpcja32.exeC:\Windows\system32\Abpcja32.exe76⤵PID:5328
-
C:\Windows\SysWOW64\Aeopfl32.exeC:\Windows\system32\Aeopfl32.exe77⤵
- Drops file in System32 directory
PID:5372 -
C:\Windows\SysWOW64\Aijlgkjq.exeC:\Windows\system32\Aijlgkjq.exe78⤵
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Akihcfid.exeC:\Windows\system32\Akihcfid.exe79⤵PID:5448
-
C:\Windows\SysWOW64\Apddce32.exeC:\Windows\system32\Apddce32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Acppddig.exeC:\Windows\system32\Acppddig.exe81⤵PID:5528
-
C:\Windows\SysWOW64\Abcppq32.exeC:\Windows\system32\Abcppq32.exe82⤵PID:5568
-
C:\Windows\SysWOW64\Aealll32.exeC:\Windows\system32\Aealll32.exe83⤵
- Drops file in System32 directory
PID:5608 -
C:\Windows\SysWOW64\Aimhmkgn.exeC:\Windows\system32\Aimhmkgn.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:5648 -
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5688 -
C:\Windows\SysWOW64\Apgqie32.exeC:\Windows\system32\Apgqie32.exe86⤵
- Drops file in System32 directory
PID:5728 -
C:\Windows\SysWOW64\Abemep32.exeC:\Windows\system32\Abemep32.exe87⤵PID:5768
-
C:\Windows\SysWOW64\Afqifo32.exeC:\Windows\system32\Afqifo32.exe88⤵PID:5808
-
C:\Windows\SysWOW64\Aioebj32.exeC:\Windows\system32\Aioebj32.exe89⤵PID:5848
-
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe90⤵PID:5888
-
C:\Windows\SysWOW64\Apimodmh.exeC:\Windows\system32\Apimodmh.exe91⤵PID:5928
-
C:\Windows\SysWOW64\Abgjkpll.exeC:\Windows\system32\Abgjkpll.exe92⤵
- Modifies registry class
PID:5972 -
C:\Windows\SysWOW64\Aeffgkkp.exeC:\Windows\system32\Aeffgkkp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6020 -
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe94⤵PID:6060
-
C:\Windows\SysWOW64\Alpnde32.exeC:\Windows\system32\Alpnde32.exe95⤵PID:6100
-
C:\Windows\SysWOW64\Apkjddke.exeC:\Windows\system32\Apkjddke.exe96⤵PID:6140
-
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe97⤵PID:3620
-
C:\Windows\SysWOW64\Amoknh32.exeC:\Windows\system32\Amoknh32.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Bcicjbal.exeC:\Windows\system32\Bcicjbal.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4740 -
C:\Windows\SysWOW64\Bifkcioc.exeC:\Windows\system32\Bifkcioc.exe100⤵PID:5164
-
C:\Windows\SysWOW64\Bboplo32.exeC:\Windows\system32\Bboplo32.exe101⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe102⤵PID:5300
-
C:\Windows\SysWOW64\Bikeni32.exeC:\Windows\system32\Bikeni32.exe103⤵PID:5360
-
C:\Windows\SysWOW64\Bcpika32.exeC:\Windows\system32\Bcpika32.exe104⤵PID:5416
-
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe105⤵
- Drops file in System32 directory
PID:5472 -
C:\Windows\SysWOW64\Bcbeqaia.exeC:\Windows\system32\Bcbeqaia.exe106⤵PID:5556
-
C:\Windows\SysWOW64\Bedbhi32.exeC:\Windows\system32\Bedbhi32.exe107⤵PID:5616
-
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe108⤵
- Modifies registry class
PID:5684 -
C:\Windows\SysWOW64\Cefoni32.exeC:\Windows\system32\Cefoni32.exe109⤵PID:3440
-
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe110⤵PID:5804
-
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3884 -
C:\Windows\SysWOW64\Cbmlmmjd.exeC:\Windows\system32\Cbmlmmjd.exe112⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5900 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe113⤵PID:5992
-
C:\Windows\SysWOW64\Ciiaogon.exeC:\Windows\system32\Ciiaogon.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6068 -
C:\Windows\SysWOW64\Cbaehl32.exeC:\Windows\system32\Cbaehl32.exe115⤵
- System Location Discovery: System Language Discovery
PID:6128 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe116⤵PID:4072
-
C:\Windows\SysWOW64\Dpgbgpbe.exeC:\Windows\system32\Dpgbgpbe.exe117⤵PID:5152
-
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5124 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe119⤵PID:5368
-
C:\Windows\SysWOW64\Dgdgijhp.exeC:\Windows\system32\Dgdgijhp.exe120⤵
- Drops file in System32 directory
PID:5460 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe121⤵PID:5604
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-