Analysis

max time kernel: 21s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14/03/2024, 17:14
Static task: static1

Behavioral task: behavioral1
  Sample: 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
  Resource: win10v2004-20240226-en
General

Target: 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
Size: 88KB
MD5: 0e94732c395e1eca486b7c5a619b4b86
SHA1: 0bd96661f1f96056fb3d217b0b6f0831713c9c44
SHA256: 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5
SHA512: 079d620b0b6963538e75aba497134b872ed23a43572b0e39201b36ee83123ac1bd4bdc0f21fedaf892645c8d159d9e0ded77f6cd588459e2c2c5889eaa7ccc3e
SSDEEP: 1536:tYS6iWfAMhS+4nV4ZtPEPm2q2w1zMkPGDEjj1dnouy8L:zfCV4nwPEO2ozVPLVloutL
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Entries under ShellServiceObjectDelayLoad are CLSIDs that the shell instantiates at startup, which loads the DLL registered as each CLSID's InProcServer32 (see "Modifies registry class" below). Every row here targets the Wow6432Node (32-bit) view of the key, and every "Set value" row points the name "Web Event Logger" at the same CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}.

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggcaiqhj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbigpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oijjka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ccdmnj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcbabpcf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohidmoaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qhmcmk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iedfqeka.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kddmdk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lflplbpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Miehak32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oijjka32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdgkco32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjcckf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bleeioil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Koddccaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijclol32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hinqgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cpdgbm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgefefnd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lobgoh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afgmodel.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjlheehe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogcnkgoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkbojpna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kjglkm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Difnaqih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfcjdkpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kopokehd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mamgmofp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Depbfhpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kcdjoaee.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iikifegp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jgaiobjn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgmeid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miehak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mlfacfpc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oaffbqaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ancefgfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Depbfhpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oeehln32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffodjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pldebkhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dcfpel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gjdjklek.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gjfgqk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfbaql32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipokcdjn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eaeipfei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oaffbqaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ommfga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ommfga32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hinqgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jgaiobjn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljfogake.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lbemfbdk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dljkcb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkbojpna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ogiaif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bffpki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hibjbgbh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gcbabpcf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iefcfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Idknoi32.exe
UPX dump on OEP (original entry point) (64 IoCs)

resource | yara_rule
behavioral1/files/0x00230000000122f8-14.dat | UPX
behavioral1/files/0x000a000000012247-13.dat | UPX
behavioral1/files/0x00080000000126c7-34.dat | UPX
behavioral1/files/0x00090000000139d6-46.dat | UPX
behavioral1/files/0x0006000000014e3d-64.dat | UPX
behavioral1/files/0x0006000000014fe1-72.dat | UPX
behavioral1/files/0x0006000000015364-93.dat | UPX
behavioral1/files/0x00060000000155d9-106.dat | UPX
behavioral1/files/0x000600000001560a-119.dat | UPX
behavioral1/files/0x0006000000015a98-128.dat | UPX
behavioral1/files/0x0006000000015a98-131.dat | UPX
behavioral1/files/0x0006000000015c23-137.dat | UPX
behavioral1/files/0x0006000000015c3c-150.dat | UPX
behavioral1/files/0x0006000000015c3c-156.dat | UPX
behavioral1/files/0x0006000000015c3c-157.dat | UPX
behavioral1/files/0x0006000000015c3c-153.dat | UPX
behavioral1/files/0x001a000000012300-162.dat | UPX
behavioral1/files/0x001a000000012300-171.dat | UPX
behavioral1/files/0x0006000000015c69-178.dat | UPX
behavioral1/files/0x0006000000015c69-176.dat | UPX
behavioral1/files/0x0006000000015c69-184.dat | UPX
behavioral1/files/0x0006000000015d88-209.dat | UPX
behavioral1/files/0x0006000000015d88-206.dat | UPX
behavioral1/files/0x0006000000015e5b-228.dat | UPX
behavioral1/files/0x0006000000015ec0-246.dat | UPX
behavioral1/files/0x0006000000016cf0-337.dat | UPX
behavioral1/files/0x0006000000016d36-359.dat | UPX
behavioral1/files/0x000600000001704f-402.dat | UPX
behavioral1/files/0x000500000001868c-416.dat | UPX
behavioral1/files/0x00050000000186a0-427.dat | UPX
behavioral1/files/0x0006000000018ae8-438.dat | UPX
behavioral1/files/0x0006000000018b33-448.dat | UPX
behavioral1/files/0x0006000000018b96-479.dat | UPX
behavioral1/files/0x00050000000192f4-498.dat | UPX
behavioral1/files/0x0005000000019333-512.dat | UPX
behavioral1/files/0x00050000000193b0-535.dat | UPX
behavioral1/files/0x00050000000194a4-566.dat | UPX
behavioral1/files/0x00040000000194d8-578.dat | UPX
behavioral1/files/0x00050000000194f2-603.dat | UPX
behavioral1/files/0x000500000001950c-613.dat | UPX
behavioral1/files/0x00050000000194ee-593.dat | UPX
behavioral1/files/0x0005000000019473-557.dat | UPX
behavioral1/files/0x000500000001946b-546.dat | UPX
behavioral1/files/0x0005000000019377-523.dat | UPX
behavioral1/files/0x0005000000019547-626.dat | UPX
behavioral1/files/0x0006000000018d06-488.dat | UPX
behavioral1/files/0x0006000000018b6a-469.dat | UPX
behavioral1/files/0x0006000000018b42-458.dat | UPX
behavioral1/files/0x0006000000016d89-390.dat | UPX
behavioral1/files/0x0006000000016d55-381.dat | UPX
behavioral1/files/0x0006000000016d4a-371.dat | UPX
behavioral1/files/0x0006000000016d11-348.dat | UPX
behavioral1/files/0x0006000000016ccf-325.dat | UPX
behavioral1/files/0x0006000000016c90-316.dat | UPX
behavioral1/files/0x0006000000016c1a-306.dat | UPX
behavioral1/files/0x0006000000016b96-296.dat | UPX
behavioral1/files/0x00060000000167db-286.dat | UPX
behavioral1/files/0x00060000000165ae-269.dat | UPX
behavioral1/files/0x0006000000016332-265.dat | UPX
behavioral1/files/0x000600000001604b-255.dat | UPX
behavioral1/files/0x0006000000015e7c-238.dat | UPX
behavioral1/files/0x0006000000015e02-217.dat | UPX
behavioral1/files/0x0006000000015d88-211.dat | UPX
behavioral1/files/0x0006000000015c87-196.dat | UPX
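The UPX matches above come from the sandbox's YARA rule running over the dropped files. The following Python is an added example, not part of this report and not Triage's rule code: it parses only the PE headers of a file and reports the two cheapest UPX indicators, section names beginning with "UPX" and the "UPX!" packer marker, so an analyst can triage a dropped file without executing it. The test input is a constructed header-only PE32 built by build_stub_pe(), not one of the files listed above.

```python
"""Header-only UPX check for a dropped PE.

Added example for this report, not Triage's rule code.  pe_section_names() walks
DOS header -> PE signature -> COFF header -> section table and returns the section
names; upx_indicators() reports UPX-style section names and the "UPX!" marker.
build_stub_pe() is a constructed test input (a header-only PE32, not a dropped file).
"""
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image without mapping or executing it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("COFF header truncated")
    n_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        raw_name = struct.unpack_from(SECTION_HEADER, data, off)[0]
        names.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Cheap UPX indicators.  Section names are trivially renamed, so
    upx_likely == False does not prove the file is unpacked."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    magic = b"UPX!" in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_magic": magic,
        "upx_likely": bool(upx_sections) or magic,
    }


def build_stub_pe(section_names, with_upx_magic=False) -> bytes:
    """Constructed input for testing: a header-only PE32 (not runnable)."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                          # PE32 optional header size
    coff = struct.pack(COFF_HEADER, 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    sections = b"".join(
        struct.pack(SECTION_HEADER, n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
        for n in section_names)
    tail = b"UPX!" + bytes(12) if with_upx_magic else bytes(16)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + tail


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, upx_indicators(fh.read()))
```

A clean result from this check is weak evidence: a packer user can rename UPX0/UPX1 and strip the marker. The sandbox's "dump on OEP" is the stronger signal, because it means the unpacking stub actually ran and the dumped image is the decompressed payload, which is the file worth hashing and scanning rather than the 88KB packed sample.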
Executes dropped EXE (64 IoCs)

pid | Process
2056 | Idknoi32.exe
2448 | Idmkdh32.exe
2620 | Jkgcab32.exe
2612 | Jcbhee32.exe
2388 | Jlklnjoh.exe
2412 | Jgqpkc32.exe
2476 | Jcgapdeb.exe
1672 | Jhdihkcj.exe
1656 | Jfhjbobc.exe
2340 | Kopokehd.exe
2688 | Kglcogeo.exe
2016 | Kbaglpee.exe
2172 | Kgnpeg32.exe
944 | Kqfdnljm.exe
1588 | Kjoifb32.exe
3012 | Kddmdk32.exe
772 | Kjaelaok.exe
3016 | Kgefefnd.exe
1732 | Ljfogake.exe
1184 | Lobgoh32.exe
1680 | Lflplbpi.exe
1952 | Lmfhil32.exe
1752 | Lbcpac32.exe
2604 | Lbemfbdk.exe
2800 | Lnlnlc32.exe
2140 | Mjcoqdoc.exe
1448 | Mamgmofp.exe
2064 | Mfjoeeeh.exe
2512 | Mpbdnk32.exe
2660 | Mikhgqbi.exe
2456 | Mbcmpfhi.exe
2384 | Mpgmijgc.exe
2680 | Nlnnnk32.exe
2244 | Nfcbldmm.exe
2020 | Nlpkdkkd.exe
2600 | Namclbil.exe
1372 | Noacef32.exe
1928 | Nkhdkgnj.exe
2040 | Nemhhpmp.exe
636 | Noemqe32.exe
1948 | Odbeilbg.exe
1252 | Oklnff32.exe
472 | Oaffbqaa.exe
2296 | Ogcnkgoh.exe
1564 | Ommfga32.exe
808 | Ocjophem.exe
2808 | Oidglb32.exe
2960 | Oghhfg32.exe
1956 | Ohidmoaa.exe
2868 | Opplolac.exe
2872 | Oaaifdhb.exe
2676 | Pcaepg32.exe
2516 | Phnnho32.exe
2268 | Pafbadcm.exe
2636 | Pkofjijm.exe
2772 | Pdgkco32.exe
1064 | Pjcckf32.exe
2572 | Pdihiook.exe
1384 | Pkcpei32.exe
1648 | Pdldnomh.exe
2184 | Aibcba32.exe
1540 | Anolkh32.exe
936 | Aeidgbaf.exe
1712 | Aoohekal.exe
Loads dropped DLL (64 IoCs)

pid | Process (each row is listed twice in the report)
2700 | 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
2056 | Idknoi32.exe
2448 | Idmkdh32.exe
2620 | Jkgcab32.exe
2612 | Jcbhee32.exe
2388 | Jlklnjoh.exe
2412 | Jgqpkc32.exe
2476 | Jcgapdeb.exe
1672 | Jhdihkcj.exe
1656 | Jfhjbobc.exe
2340 | Kopokehd.exe
2688 | Kglcogeo.exe
2016 | Kbaglpee.exe
2172 | Kgnpeg32.exe
944 | Kqfdnljm.exe
1588 | Kjoifb32.exe
3012 | Kddmdk32.exe
772 | Kjaelaok.exe
3016 | Kgefefnd.exe
1732 | Ljfogake.exe
1184 | Lobgoh32.exe
1680 | Lflplbpi.exe
1952 | Lmfhil32.exe
1752 | Lbcpac32.exe
2604 | Lbemfbdk.exe
2800 | Lnlnlc32.exe
2140 | Mjcoqdoc.exe
1448 | Mamgmofp.exe
2064 | Mfjoeeeh.exe
2512 | Mpbdnk32.exe
2660 | Mikhgqbi.exe
2456 | Mbcmpfhi.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Omcifpnp.exe | Ogiaif32.exe
File created | C:\Windows\SysWOW64\Figicd32.dll | Pdgkco32.exe
File created | C:\Windows\SysWOW64\Ednbncmb.exe | Endjaief.exe
File created | C:\Windows\SysWOW64\Depbfhpe.exe | Dmdnbecj.exe
File created | C:\Windows\SysWOW64\Gfgbgqka.dll | Elqaca32.exe
File opened for modification | C:\Windows\SysWOW64\Lmfhil32.exe | Lflplbpi.exe
File created | C:\Windows\SysWOW64\Jilhjm32.dll | Ancefgfd.exe
File created | C:\Windows\SysWOW64\Kfeoelgo.dll | Bleeioil.exe
File created | C:\Windows\SysWOW64\Cpmjhk32.exe | Cfeepelg.exe
File opened for modification | C:\Windows\SysWOW64\Jcgapdeb.exe | Jgqpkc32.exe
File created | C:\Windows\SysWOW64\Aoohekal.exe | Aeidgbaf.exe
File opened for modification | C:\Windows\SysWOW64\Dmgkgeah.exe | Depbfhpe.exe
File created | C:\Windows\SysWOW64\Afgmodel.exe | Aqhhanig.exe
File created | C:\Windows\SysWOW64\Elooehob.dll | Kcdjoaee.exe
File created | C:\Windows\SysWOW64\Lcdgejhm.dll | Aopahjll.exe
File opened for modification | C:\Windows\SysWOW64\Ijehdl32.exe | Ijclol32.exe
File opened for modification | C:\Windows\SysWOW64\Jliaac32.exe | Jkhejkcq.exe
File created | C:\Windows\SysWOW64\Bmmhbd32.dll | Pldebkhj.exe
File created | C:\Windows\SysWOW64\Fdiogq32.exe | Fnofjfhk.exe
File created | C:\Windows\SysWOW64\Gkfnfjpg.dll | Bffpki32.exe
File created | C:\Windows\SysWOW64\Jcbhee32.exe | Jkgcab32.exe
File created | C:\Windows\SysWOW64\Gqoehocg.dll | Depbfhpe.exe
File created | C:\Windows\SysWOW64\Ogiaif32.exe | Oehdan32.exe
File created | C:\Windows\SysWOW64\Ipokcdjn.exe | Ibhndp32.exe
File created | C:\Windows\SysWOW64\Lmoogf32.dll | Nmnclmoj.exe
File opened for modification | C:\Windows\SysWOW64\Kjaelaok.exe | Kddmdk32.exe
File opened for modification | C:\Windows\SysWOW64\Pdgkco32.exe | Pkofjijm.exe
File created | C:\Windows\SysWOW64\Jhlmmfef.exe | Jhjphfgi.exe
File created | C:\Windows\SysWOW64\Kqfdnljm.exe | Kgnpeg32.exe
File created | C:\Windows\SysWOW64\Kbnclf32.dll | Jofejpmc.exe
File created | C:\Windows\SysWOW64\Lkdhoc32.exe | Lomgjb32.exe
File created | C:\Windows\SysWOW64\Qabkpdke.dll | Ednbncmb.exe
File created | C:\Windows\SysWOW64\Kaoojkgd.dll | Ffodjh32.exe
File created | C:\Windows\SysWOW64\Jofejpmc.exe | Jhlmmfef.exe
File created | C:\Windows\SysWOW64\Hbqmnm32.dll | Ekjgpm32.exe
File created | C:\Windows\SysWOW64\Dfcemimp.dll | Gfmgelil.exe
File created | C:\Windows\SysWOW64\Pcdhbgoc.dll | Cjlheehe.exe
File created | C:\Windows\SysWOW64\Coglpp32.dll | Ggkqmoma.exe
File opened for modification | C:\Windows\SysWOW64\Kbaglpee.exe | Kglcogeo.exe
File opened for modification | C:\Windows\SysWOW64\Lnlnlc32.exe | Lbemfbdk.exe
File created | C:\Windows\SysWOW64\Doohmk32.dll | Fjlmpfhg.exe
File created | C:\Windows\SysWOW64\Anllfndp.dll | Jlklnjoh.exe
File created | C:\Windows\SysWOW64\Fgbbce32.dll | Pjcckf32.exe
File opened for modification | C:\Windows\SysWOW64\Omcifpnp.exe | Ogiaif32.exe
File created | C:\Windows\SysWOW64\Kcmcoblm.exe | Jkbojpna.exe
File created | C:\Windows\SysWOW64\Mdkqhhpm.dll | Kokjdb32.exe
File created | C:\Windows\SysWOW64\Fqalaa32.exe | Fjhcegll.exe
File created | C:\Windows\SysWOW64\Hcabof32.dll | 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
File opened for modification | C:\Windows\SysWOW64\Kjoifb32.exe | Kqfdnljm.exe
File opened for modification | C:\Windows\SysWOW64\Nlpkdkkd.exe | Nfcbldmm.exe
File opened for modification | C:\Windows\SysWOW64\Famope32.exe | Fdiogq32.exe
File created | C:\Windows\SysWOW64\Ghjggnbo.dll | Jgaiobjn.exe
File created | C:\Windows\SysWOW64\Eihgfd32.exe | Eldglp32.exe
File opened for modification | C:\Windows\SysWOW64\Mfjoeeeh.exe | Mamgmofp.exe
File created | C:\Windows\SysWOW64\Lkfddc32.exe | Lcomce32.exe
File created | C:\Windows\SysWOW64\Hibjbgbh.exe | Hipmmg32.exe
File created | C:\Windows\SysWOW64\Kfpifm32.exe | Kcamjb32.exe
File opened for modification | C:\Windows\SysWOW64\Anneqafn.exe | Afgmodel.exe
File created | C:\Windows\SysWOW64\Ogjknh32.dll | Gcbabpcf.exe
File created | C:\Windows\SysWOW64\Chlikc32.dll | Kglcogeo.exe
File created | C:\Windows\SysWOW64\Dcfpel32.exe | Dljkcb32.exe
File created | C:\Windows\SysWOW64\Onejdijo.dll | Dcfpel32.exe
File opened for modification | C:\Windows\SysWOW64\Blchcpko.exe | Bffpki32.exe
File created | C:\Windows\SysWOW64\Leoggnnm.dll | Fdnolfon.exe
Modifies registry class (64 IoCs)

All 64 rows concern one CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, in the Wow6432Node view of HKLM\SOFTWARE\Classes. The sample itself creates the CLSID key; successive dropped generations then point its InProcServer32 default value at differently named DLLs under C:\Windows\SysWow64 and set ThreadingModel to "Apartment". This is the other half of the ShellServiceObjectDelayLoad persistence above: the SSODL value names the CLSID, and this key names the DLL that gets loaded for it.

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojklfdgh.dll" | Kqfdnljm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pldebkhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhjijha.dll" | Jdhgnf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgqde32.dll" | Doecog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" | Fqalaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dmgkgeah.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hipmmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpbbn32.dll" | Jhlmmfef.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oagoep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jhdihkcj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Odbeilbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lqejbiim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Iikifegp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jgqpkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kbaglpee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pdihiook.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggogki32.dll" | Oagoep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Aqonbm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kbigpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Anneqafn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Edibhmml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fjlmpfhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lgoboc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iliebpfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fjlmpfhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Acnjnh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dmmmfc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ijclol32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gjfgqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgeao32.dll" | Eihgfd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nkhdkgnj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Odbeilbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloiniaa.dll" | Lqejbiim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmjncbj.dll" | Nfghdcfj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Oonldcih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eaeipfei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiedd32.dll" | Olgmcmgh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lbnpkmfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jhjphfgi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iedfqeka.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nlnnnk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lqcmmjko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qfljkp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfdfhli.dll" | Dmdnbecj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenjme32.dll" | Oonldcih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jgqpkc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oehdan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oijjka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linfkk32.dll" | Nemhhpmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ijklknbn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ccdmnj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gjfgqk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmhbd32.dll" | Pldebkhj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jcgapdeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Helgmg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lcomce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epojbfko.dll" | Aqhhanig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fchijone.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopjqipp.dll" | Oehdan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajgbkbjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfeoelgo.dll" | Bleeioil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndmecgba.exe
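The "Adds autorun key" and "Modifies registry class" signatures are two halves of one persistence mechanism, and neither row type is conclusive alone: the value under ShellServiceObjectDelayLoad only names a CLSID, and the CLSID's InProcServer32 default value only names a DLL. The correlation is what matters. The following Python is an added example, not Triage's signature logic: it joins the two over a constructed event list copied from a few rows of the two tables above (not all 64), and also checks whether the registered DLL was dropped in the same session, using the Kfeoelgo.dll row that appears in both "Drops file in System32 directory" and "Modifies registry class". The last event row (a native-view "WebCheck" entry written by msiexec.exe) and the BASELINE_CLSIDS set are analyst-supplied assumptions that are not in the report.

```python
"""Join SSODL autorun entries to the CLSID they reference and the DLL behind it.

Added example for this report, not Triage's signature logic.  EVENTS is a
constructed list of (operation, path, data, writing process) copied from a few
rows of the 'Adds autorun key' and 'Modifies registry class' tables; the final
row and BASELINE_CLSIDS are analyst assumptions, not report data.
"""
import re

SAMPLE = "07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe"
CLSID = "{79FAA099-1BAE-816E-D711-115290CEE717}"
CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID" + "\\" + CLSID
SSODL_32 = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
SSODL_64 = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

EVENTS = [
    ("Key created", CLASSES, None, SAMPLE),
    ("Key created", CLASSES + r"\InProcServer32", None, "Hipmmg32.exe"),
    ("Set value (str)", CLASSES + r"\InProcServer32" "\\", r"C:\Windows\SysWow64\Ojklfdgh.dll", "Kqfdnljm.exe"),
    ("Set value (str)", CLASSES + r"\InProcServer32\ThreadingModel", "Apartment", "Pldebkhj.exe"),
    ("File created", r"C:\Windows\SysWOW64\Kfeoelgo.dll", None, "Bleeioil.exe"),
    ("Set value (str)", CLASSES + r"\InProcServer32" "\\", r"C:\Windows\SysWow64\Kfeoelgo.dll", "Bleeioil.exe"),
    ("Set value (str)", SSODL_32 + r"\Web Event Logger", CLSID, "Oijjka32.exe"),
    # Constructed control row (assumption): native-view SSODL entry whose CLSID is baselined.
    ("Set value (str)", SSODL_64 + r"\WebCheck", "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}", "msiexec.exe"),
]
BASELINE_CLSIDS = frozenset({"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"})   # analyst input (assumption)

SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32\\$", re.I)
CLSID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.I)


def correlate_ssodl(events, baseline_clsids=frozenset()):
    """Return one finding per SSODL entry whose CLSID is not baselined, resolved to
    the InProcServer32 DLL(s) registered for it and to the process that dropped
    the current DLL, if a file-creation event for it is in the same stream."""
    baseline = {c.upper() for c in baseline_clsids}
    inproc = {}      # clsid -> [(dll path, writing process)] in event order
    dropped = {}     # lower-cased file path -> process that created it
    ssodl = []       # (value name, clsid, writing process, registry view)
    for op, path, data, proc in events:
        if op == "File created":
            dropped[path.lower()] = proc
            continue
        if not op.startswith("Set value") or data is None:
            continue
        m = INPROC_RE.search(path)
        if m:
            inproc.setdefault(m.group(1).upper(), []).append((data, proc))
            continue
        m = SSODL_RE.search(path)
        if m and CLSID_RE.match(data):
            view = "Wow6432Node" if "\\wow6432node\\" in path.lower() else "native"
            ssodl.append((m.group(1), data.upper(), proc, view))

    findings = []
    for name, clsid, proc, view in ssodl:
        if clsid in baseline:
            continue
        history = inproc.get(clsid, [])
        dll, dll_writer = history[-1] if history else (None, None)
        findings.append({
            "ssodl_name": name,
            "clsid": clsid,
            "view": view,
            "ssodl_writer": proc,
            "dll": dll,
            "dll_writer": dll_writer,
            "dll_dropped_by": dropped.get(dll.lower()) if dll else None,
            "reregistrations": len(history),
        })
    return findings


if __name__ == "__main__":
    for f in correlate_ssodl(EVENTS, BASELINE_CLSIDS):
        print(f)
```

Two practical notes. First, every row in this report lives in the Wow6432Node view, so a host-side hunt on 64-bit Windows has to read both the native and the Wow6432Node views of both keys, or it misses exactly this sample. Second, the "reregistrations" count is a useful signal on its own: a CLSID whose InProcServer32 default value is rewritten several times within one session to freshly created DLLs under SysWow64 is behaviour no installer exhibits.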
Suspicious use of WriteProcessMemory (64 IoCs)

Each writer/target pair is listed four times in the report, and every target pid is one of the dropped executables under "Executes dropped EXE", launched by the process that wrote into it. The writes therefore form a single linear chain (2700 -> 2056 -> 2448 -> ... -> 3012) and are consistent with each stage starting the next one rather than injecting into an unrelated process; read this signature together with the drop-and-execute pattern in "Drops file in System32 directory" rather than on its own.

description | pid | Process | procid_target (each row listed four times)
PID 2700 wrote to memory of 2056 | 2700 | 07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe | 28
PID 2056 wrote to memory of 2448 | 2056 | Idknoi32.exe | 29
PID 2448 wrote to memory of 2620 | 2448 | Idmkdh32.exe | 30
PID 2620 wrote to memory of 2612 | 2620 | Jkgcab32.exe | 31
PID 2612 wrote to memory of 2388 | 2612 | Jcbhee32.exe | 32
PID 2388 wrote to memory of 2412 | 2388 | Jlklnjoh.exe | 33
PID 2412 wrote to memory of 2476 | 2412 | Jgqpkc32.exe | 34
PID 2476 wrote to memory of 1672 | 2476 | Jcgapdeb.exe | 35
PID 1672 wrote to memory of 1656 | 1672 | Jhdihkcj.exe | 36
PID 1656 wrote to memory of 2340 | 1656 | Jfhjbobc.exe | 37
PID 2340 wrote to memory of 2688 | 2340 | Kopokehd.exe | 38
PID 2688 wrote to memory of 2016 | 2688 | Kglcogeo.exe | 39
PID 2016 wrote to memory of 2172 | 2016 | Kbaglpee.exe | 40
PID 2172 wrote to memory of 944 | 2172 | Kgnpeg32.exe | 41
PID 944 wrote to memory of 1588 | 944 | Kqfdnljm.exe | 42
PID 1588 wrote to memory of 3012 | 1588 | Kjoifb32.exe | 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe"C:\Users\Admin\AppData\Local\Temp\07a8d38379a8a192df5edca402568d6c927550268933f6e5ab7e82d397aa1ce5.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Jfhjbobc.exeC:\Windows\system32\Jfhjbobc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Kddmdk32.exeC:\Windows\system32\Kddmdk32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1184 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe33⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe36⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe37⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe38⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe41⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe43⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe47⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe48⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe49⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe51⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe52⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe53⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe54⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe55⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe56⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe61⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe62⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Aibcba32.exeC:\Windows\system32\Aibcba32.exe63⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe64⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe66⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:308 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe68⤵PID:1836
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe69⤵PID:1304
-
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe70⤵PID:1960
-
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe72⤵PID:1700
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe73⤵PID:1704
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe75⤵PID:3056
-
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe76⤵PID:608
-
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe77⤵PID:2308
-
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe78⤵PID:2444
-
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe79⤵PID:2844
-
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe80⤵PID:2392
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe83⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe86⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe87⤵PID:1244
-
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe88⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe89⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe90⤵PID:2060
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe91⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe92⤵PID:2884
-
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe93⤵PID:1536
-
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe94⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe95⤵PID:2148
-
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe96⤵PID:2836
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe97⤵
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe98⤵PID:2608
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe99⤵PID:1920
-
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe101⤵PID:2704
-
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe104⤵PID:1688
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe105⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe106⤵PID:3008
-
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1196 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe111⤵PID:1740
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe112⤵PID:2628
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe113⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe114⤵PID:2404
-
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe115⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe116⤵PID:1748
-
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe117⤵
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe121⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe122⤵PID:2832