Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
80s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/08/2024, 07:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c1f66b0e268cf011d7480da74276290N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
7c1f66b0e268cf011d7480da74276290N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
7c1f66b0e268cf011d7480da74276290N.exe
-
Size
88KB
-
MD5
7c1f66b0e268cf011d7480da74276290
-
SHA1
5d615c59f1bd69a3bf183c4ae45db946b5e62894
-
SHA256
d6155e1609ac248608154224d281ef400e8ac50a7069fb519be7c819736a2569
-
SHA512
1fea0bc634a6586810aeea4caf347ecda850400d822072ef17d4de7345d59886d7f2abd2e590fed00d091692dd02704f3f3f5a61c34a4285ea37412953ec16a3
-
SSDEEP
1536:LGnWpXs4KGZUB8oAYUcL/CCnxoHz59muL6W9Cnouy8L:SnWpccUmHnc2CxYDmf8aoutL
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmfchle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcjhkdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhloj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgbmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpdcag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbjena32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpfgmnfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fideeaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chqogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfjfecno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmdhcddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eclmamod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njjdho32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofkgcobj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphgeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opnbae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dikihe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbcmakpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jokkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cggimh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpjmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhand32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pddhbipj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekodjiol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmeede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kofkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdcliikj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncofplba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gifkpknp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpggamqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiokinbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efjbcakl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoeieolb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhnfo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdojjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdpcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Megljppl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddligq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Domdjj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpmld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhpimhp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqegecm.exe -
Executes dropped EXE 64 IoCs
pid Process 1588 Dfgcakon.exe 2112 Difpmfna.exe 1052 Dpphjp32.exe 3480 Dbndfl32.exe 3500 Djelgied.exe 1688 Dmdhcddh.exe 4056 Dpbdopck.exe 1972 Dbqqkkbo.exe 5096 Djhimica.exe 4628 Dikihe32.exe 2500 Dpdaepai.exe 3604 Dbcmakpl.exe 2668 Dfoiaj32.exe 732 Dmhand32.exe 2300 Dpgnjo32.exe 812 Ebejfk32.exe 1788 Ejlbhh32.exe 1540 Emkndc32.exe 5056 Epikpo32.exe 2908 Ebhglj32.exe 4636 Eiaoid32.exe 3284 Ecgcfm32.exe 1480 Ejalcgkg.exe 4240 Epndknin.exe 2480 Efhlhh32.exe 4644 Eifhdd32.exe 1644 Eclmamod.exe 1700 Efjimhnh.exe 1044 Eiieicml.exe 2332 Emdajb32.exe 2392 Fcniglmb.exe 2576 Ffmfchle.exe 2776 Fmfnpa32.exe 748 Fpejlmcf.exe 3204 Fdqfll32.exe 1188 Ffobhg32.exe 4420 Fjjnifbl.exe 4280 Fmikeaap.exe 4996 Fpggamqc.exe 4772 Fbfcmhpg.exe 768 Ffaong32.exe 4108 Fipkjb32.exe 4316 Fdepgkgj.exe 4780 Ffclcgfn.exe 1728 Fibhpbea.exe 1428 Flqdlnde.exe 4512 Fplpll32.exe 4064 Fffhifdk.exe 2388 Fideeaco.exe 2324 Glcaambb.exe 3244 Gdjibj32.exe 2276 Gfheof32.exe 4236 Gmbmkpie.exe 3472 Glengm32.exe 440 Gbofcghl.exe 4548 Gfkbde32.exe 3776 Gmdjapgb.exe 4040 Glgjlm32.exe 4052 Gdobnj32.exe 3556 Gfmojenc.exe 1380 Gikkfqmf.exe 4560 Gljgbllj.exe 1968 Gpecbk32.exe 4744 Gfokoelp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aolblopj.exe Ahbjoe32.exe File opened for modification C:\Windows\SysWOW64\Bklfgo32.exe Bhnikc32.exe File created C:\Windows\SysWOW64\Jfdaia32.dll Glipgf32.exe File opened for modification C:\Windows\SysWOW64\Ojajin32.exe Ogcnmc32.exe File opened for modification C:\Windows\SysWOW64\Aaenbd32.exe Aogbfi32.exe File created C:\Windows\SysWOW64\Gcgplk32.dll Ahaceo32.exe File created C:\Windows\SysWOW64\Hllbndih.dll Hibafp32.exe File opened for modification C:\Windows\SysWOW64\Ojgjndno.exe Ohhnbhok.exe File created C:\Windows\SysWOW64\Pqindg32.dll Bheplb32.exe File created C:\Windows\SysWOW64\Jofalmmp.exe Jmeede32.exe File created C:\Windows\SysWOW64\Cdbcfp32.dll Jjafok32.exe File opened for modification C:\Windows\SysWOW64\Dmcain32.exe Ddligq32.exe File opened for modification C:\Windows\SysWOW64\Dkhnjk32.exe Dijbno32.exe File created C:\Windows\SysWOW64\Ebejfk32.exe Dpgnjo32.exe File opened for modification C:\Windows\SysWOW64\Cfkmkf32.exe Coadnlnb.exe File opened for modification C:\Windows\SysWOW64\Efpomccg.exe Ebdcld32.exe File opened for modification C:\Windows\SysWOW64\Keimof32.exe Koodbl32.exe File created C:\Windows\SysWOW64\Mlcdqdie.dll Qfmmplad.exe File created C:\Windows\SysWOW64\Ichqihli.dll Akblfj32.exe File created C:\Windows\SysWOW64\Ijcjmmil.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Dmmcnn32.dll Lgqfdnah.exe File opened for modification C:\Windows\SysWOW64\Njkkbehl.exe Nenbjo32.exe File created C:\Windows\SysWOW64\Joahqn32.exe Ipoheakj.exe File created C:\Windows\SysWOW64\Ekoglqie.dll Kncaec32.exe File opened for modification C:\Windows\SysWOW64\Pknqoc32.exe Pddhbipj.exe File created C:\Windows\SysWOW64\Aooold32.dll Lopmii32.exe File opened for modification C:\Windows\SysWOW64\Pjpfjl32.exe Phajna32.exe File created C:\Windows\SysWOW64\Dllfqd32.dll Dgcihgaj.exe File created C:\Windows\SysWOW64\Glienb32.dll Epndknin.exe File created C:\Windows\SysWOW64\Eobkhf32.dll Alpbecod.exe File created C:\Windows\SysWOW64\Pghaae32.dll Cdlqqcnl.exe File created C:\Windows\SysWOW64\Eiloco32.exe Dfnbgc32.exe File created C:\Windows\SysWOW64\Nlljlela.dll Emkndc32.exe File created C:\Windows\SysWOW64\Ldipha32.exe Lqndhcdc.exe File created C:\Windows\SysWOW64\Cponen32.exe Cnaaib32.exe File opened for modification C:\Windows\SysWOW64\Hplicjok.exe Hlambk32.exe File created C:\Windows\SysWOW64\Ifaciolc.dll Efpomccg.exe File created C:\Windows\SysWOW64\Lbpflbpa.dll Ojajin32.exe File created C:\Windows\SysWOW64\Pjinodke.dll Akepfpcl.exe File created C:\Windows\SysWOW64\Pecellgl.exe Pknqoc32.exe File created C:\Windows\SysWOW64\Aahbbkaq.exe Aeaanjkl.exe File opened for modification C:\Windows\SysWOW64\Bphgeo32.exe Bklomh32.exe File created C:\Windows\SysWOW64\Hhoneioi.dll Jgkdbacp.exe File created C:\Windows\SysWOW64\Cdlqqcnl.exe Cnahdi32.exe File created C:\Windows\SysWOW64\Cboeai32.dll Dngjff32.exe File opened for modification C:\Windows\SysWOW64\Eiloco32.exe Dfnbgc32.exe File created C:\Windows\SysWOW64\Jgeghp32.exe Jlobkg32.exe File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Glkmmefl.exe File created C:\Windows\SysWOW64\Koodbl32.exe Klahfp32.exe File created C:\Windows\SysWOW64\Aolblopj.exe Ahbjoe32.exe File opened for modification C:\Windows\SysWOW64\Ijcjmmil.exe Iciaqc32.exe File created C:\Windows\SysWOW64\Ilafiihp.exe Innfnl32.exe File opened for modification C:\Windows\SysWOW64\Jgkdbacp.exe Jcphab32.exe File opened for modification C:\Windows\SysWOW64\Jjoiil32.exe Jgpmmp32.exe File created C:\Windows\SysWOW64\Ogigdpmb.dll Hfcnpn32.exe File opened for modification C:\Windows\SysWOW64\Mqkiok32.exe Mmpmnl32.exe File created C:\Windows\SysWOW64\Gfokoelp.exe Gpecbk32.exe File opened for modification C:\Windows\SysWOW64\Iknmla32.exe Igbalblk.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Doaneiop.exe File created C:\Windows\SysWOW64\Lqojclne.exe Ljeafb32.exe File opened for modification C:\Windows\SysWOW64\Omnjojpo.exe Nagiji32.exe File opened for modification C:\Windows\SysWOW64\Paiogf32.exe Pjpfjl32.exe File created C:\Windows\SysWOW64\Mbibld32.dll Clgbmp32.exe File created C:\Windows\SysWOW64\Onahgf32.dll Adkqoohc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11756 11496 WerFault.exe 622 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phajna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgphpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkqoohc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbbqpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdaepb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihgfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipkjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacoqnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknqoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgabcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehkajig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpbin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aolblopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoiil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napjdpcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhdgpii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkokcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlglidlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoheakj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeaanjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpoihnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgeainn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfcfmlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclgmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekaapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofkbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfhqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeafb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inqbclob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmdgikhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbebj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingpmmgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilafiihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojajin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqegecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjnifbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkconn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnjojpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iloidijb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Madjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coohhlpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgmpf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgfb32.dll" Hdokdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll" Dojqjdbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdobnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfgcakon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkkceedp.dll" Eclmamod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdqfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcoaglhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleiba32.dll" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmpjmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blafme32.dll" Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcjqc32.dll" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bobabg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebejfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhafck32.dll" Kofkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdpachh.dll" Dfnbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgflaec.dll" Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqindg32.dll" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbihneaj.dll" Kclgmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkconn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hiiggoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hiiggoaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll" Glkmmefl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdepgkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhpog32.dll" Neqopnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjhgbi.dll" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmkkmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejlbhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Amlogfel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjhloj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmfhkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekkfckg.dll" Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enkdaepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geibhp32.dll" Dbqqkkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emkndc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jejechjg.dll" Fpejlmcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ingpmmgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fimhjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojajin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paiogf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eehicoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjem32.dll" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" Mmpmnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbcfp32.dll" Jjafok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aamknj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golneb32.dll" Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofhknodl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3616 wrote to memory of 1588 3616 7c1f66b0e268cf011d7480da74276290N.exe 86 PID 3616 wrote to memory of 1588 3616 7c1f66b0e268cf011d7480da74276290N.exe 86 PID 3616 wrote to memory of 1588 3616 7c1f66b0e268cf011d7480da74276290N.exe 86 PID 1588 wrote to memory of 2112 1588 Dfgcakon.exe 87 PID 1588 wrote to memory of 2112 1588 Dfgcakon.exe 87 PID 1588 wrote to memory of 2112 1588 Dfgcakon.exe 87 PID 2112 wrote to memory of 1052 2112 Difpmfna.exe 88 PID 2112 wrote to memory of 1052 2112 Difpmfna.exe 88 PID 2112 wrote to memory of 1052 2112 Difpmfna.exe 88 PID 1052 wrote to memory of 3480 1052 Dpphjp32.exe 89 PID 1052 wrote to memory of 3480 1052 Dpphjp32.exe 89 PID 1052 wrote to memory of 3480 1052 Dpphjp32.exe 89 PID 3480 wrote to memory of 3500 3480 Dbndfl32.exe 90 PID 3480 wrote to memory of 3500 3480 Dbndfl32.exe 90 PID 3480 wrote to memory of 3500 3480 Dbndfl32.exe 90 PID 3500 wrote to memory of 1688 3500 Djelgied.exe 91 PID 3500 wrote to memory of 1688 3500 Djelgied.exe 91 PID 3500 wrote to memory of 1688 3500 Djelgied.exe 91 PID 1688 wrote to memory of 4056 1688 Dmdhcddh.exe 92 PID 1688 wrote to memory of 4056 1688 Dmdhcddh.exe 92 PID 1688 wrote to memory of 4056 1688 Dmdhcddh.exe 92 PID 4056 wrote to memory of 1972 4056 Dpbdopck.exe 93 PID 4056 wrote to memory of 1972 4056 Dpbdopck.exe 93 PID 4056 wrote to memory of 1972 4056 Dpbdopck.exe 93 PID 1972 wrote to memory of 5096 1972 Dbqqkkbo.exe 94 PID 1972 wrote to memory of 5096 1972 Dbqqkkbo.exe 94 PID 1972 wrote to memory of 5096 1972 Dbqqkkbo.exe 94 PID 5096 wrote to memory of 4628 5096 Djhimica.exe 95 PID 5096 wrote to memory of 4628 5096 Djhimica.exe 95 PID 5096 wrote to memory of 4628 5096 Djhimica.exe 95 PID 4628 wrote to memory of 2500 4628 Dikihe32.exe 97 PID 4628 wrote to memory of 2500 4628 Dikihe32.exe 97 PID 4628 wrote to memory of 2500 4628 Dikihe32.exe 97 PID 2500 wrote to memory of 3604 2500 Dpdaepai.exe 98 PID 2500 wrote to memory of 3604 2500 Dpdaepai.exe 98 PID 2500 wrote to memory of 3604 2500 Dpdaepai.exe 98 PID 3604 wrote to memory of 2668 3604 Dbcmakpl.exe 99 PID 3604 wrote to memory of 2668 3604 Dbcmakpl.exe 99 PID 3604 wrote to memory of 2668 3604 Dbcmakpl.exe 99 PID 2668 wrote to memory of 732 2668 Dfoiaj32.exe 100 PID 2668 wrote to memory of 732 2668 Dfoiaj32.exe 100 PID 2668 wrote to memory of 732 2668 Dfoiaj32.exe 100 PID 732 wrote to memory of 2300 732 Dmhand32.exe 102 PID 732 wrote to memory of 2300 732 Dmhand32.exe 102 PID 732 wrote to memory of 2300 732 Dmhand32.exe 102 PID 2300 wrote to memory of 812 2300 Dpgnjo32.exe 103 PID 2300 wrote to memory of 812 2300 Dpgnjo32.exe 103 PID 2300 wrote to memory of 812 2300 Dpgnjo32.exe 103 PID 812 wrote to memory of 1788 812 Ebejfk32.exe 104 PID 812 wrote to memory of 1788 812 Ebejfk32.exe 104 PID 812 wrote to memory of 1788 812 Ebejfk32.exe 104 PID 1788 wrote to memory of 1540 1788 Ejlbhh32.exe 105 PID 1788 wrote to memory of 1540 1788 Ejlbhh32.exe 105 PID 1788 wrote to memory of 1540 1788 Ejlbhh32.exe 105 PID 1540 wrote to memory of 5056 1540 Emkndc32.exe 106 PID 1540 wrote to memory of 5056 1540 Emkndc32.exe 106 PID 1540 wrote to memory of 5056 1540 Emkndc32.exe 106 PID 5056 wrote to memory of 2908 5056 Epikpo32.exe 107 PID 5056 wrote to memory of 2908 5056 Epikpo32.exe 107 PID 5056 wrote to memory of 2908 5056 Epikpo32.exe 107 PID 2908 wrote to memory of 4636 2908 Ebhglj32.exe 108 PID 2908 wrote to memory of 4636 2908 Ebhglj32.exe 108 PID 2908 wrote to memory of 4636 2908 Ebhglj32.exe 108 PID 4636 wrote to memory of 3284 4636 Eiaoid32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c1f66b0e268cf011d7480da74276290N.exe"C:\Users\Admin\AppData\Local\Temp\7c1f66b0e268cf011d7480da74276290N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Dbcmakpl.exeC:\Windows\system32\Dbcmakpl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Dmhand32.exeC:\Windows\system32\Dmhand32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe23⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe24⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4240 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe26⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe27⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe29⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe30⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Emdajb32.exeC:\Windows\system32\Emdajb32.exe31⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe32⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe34⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Fpejlmcf.exeC:\Windows\system32\Fpejlmcf.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:748 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3204 -
C:\Windows\SysWOW64\Ffobhg32.exeC:\Windows\system32\Ffobhg32.exe37⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4420 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe39⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe41⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4108 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe45⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe46⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe48⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe49⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe51⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe52⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe53⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:4236 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe55⤵
- Executes dropped EXE
PID:3472 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe56⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe57⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe58⤵
- Executes dropped EXE
PID:3776 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe59⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4052 -
C:\Windows\SysWOW64\Gfmojenc.exeC:\Windows\system32\Gfmojenc.exe61⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe62⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe63⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe65⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe66⤵PID:4668
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe67⤵
- Modifies registry class
PID:2104 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1012 -
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe69⤵PID:856
-
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe70⤵PID:1756
-
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe71⤵PID:2696
-
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe72⤵PID:2116
-
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe73⤵PID:2056
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe74⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe75⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe76⤵PID:3016
-
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe77⤵PID:5004
-
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe78⤵PID:2456
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Hlcjhkdp.exeC:\Windows\system32\Hlcjhkdp.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4428 -
C:\Windows\SysWOW64\Hdjbiheb.exeC:\Windows\system32\Hdjbiheb.exe81⤵PID:2784
-
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe82⤵PID:5068
-
C:\Windows\SysWOW64\Hginecde.exeC:\Windows\system32\Hginecde.exe83⤵PID:876
-
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe84⤵PID:4164
-
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe85⤵PID:4984
-
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe86⤵PID:4400
-
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe87⤵
- Modifies registry class
PID:4196 -
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe88⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Hgmgqc32.exeC:\Windows\system32\Hgmgqc32.exe90⤵PID:4028
-
C:\Windows\SysWOW64\Hildmn32.exeC:\Windows\system32\Hildmn32.exe91⤵PID:5048
-
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe93⤵PID:1504
-
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe94⤵PID:3116
-
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe95⤵PID:4160
-
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe96⤵PID:4352
-
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe97⤵PID:2428
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe98⤵PID:5136
-
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe99⤵PID:5176
-
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe100⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5264 -
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe102⤵PID:5308
-
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe103⤵
- System Location Discovery: System Language Discovery
PID:5352 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe104⤵PID:5396
-
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe105⤵
- Drops file in System32 directory
PID:5440 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe106⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe107⤵
- Drops file in System32 directory
PID:5528 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe108⤵
- System Location Discovery: System Language Discovery
PID:5564 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe109⤵PID:5612
-
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5656 -
C:\Windows\SysWOW64\Ijegcm32.exeC:\Windows\system32\Ijegcm32.exe111⤵PID:5700
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe112⤵
- System Location Discovery: System Language Discovery
PID:5748 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe113⤵PID:5788
-
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe114⤵PID:5836
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe115⤵PID:5880
-
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe116⤵PID:5924
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe117⤵PID:5960
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe118⤵PID:6008
-
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe119⤵
- Drops file in System32 directory
PID:6048 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe120⤵
- Drops file in System32 directory
PID:6096 -
C:\Windows\SysWOW64\Jnelok32.exeC:\Windows\system32\Jnelok32.exe121⤵PID:6136
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-