Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18/08/2024, 10:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6e3c441a300ebf660a7b7d08b56cdb0N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d6e3c441a300ebf660a7b7d08b56cdb0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d6e3c441a300ebf660a7b7d08b56cdb0N.exe
-
Size
96KB
-
MD5
d6e3c441a300ebf660a7b7d08b56cdb0
-
SHA1
ebe0a4a1d078a9f1d4a2fc3bd21fec860ab4e178
-
SHA256
f87b392dd7394421ec525f87902852d78825662e9df77f2b8a30df7e1e91ae6d
-
SHA512
cc78122d6b1462df2a17fb18bf1a4c3f2b91c44e906e64e0816d6eb06a8c461605577ea61b5c4854e6f3bfcfdb9317ba8b1469ab3112b8ca729ba7b591e5137d
-
SSDEEP
1536:dLH9kEK/eqKCmGyUiHn0bQ2JuRM1E9XdmjJ5ZXxhFZ2LosBMu/HCmiDcg3MZRP3K:hH9kYDUiHn0hJueqFdmjbZXdSoa6miEo
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpphjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnepna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbphg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncnob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpglnhad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcinna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimhjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjpijpdg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkgpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfcndce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Komhll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnfjehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlfqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbcplpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlnjbedi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnphmkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkpmdbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbndfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnelok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbceggm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jglklggl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgamnded.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehicoel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdnoplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neqopnhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knenkbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjcfabm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfkbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcggio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cggimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjbcakl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabhdinj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkple32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nclbpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajgkfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqkgbcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgjopal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akepfpcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnepna32.exe -
Executes dropped EXE 64 IoCs
pid Process 3564 Cgjjdf32.exe 2928 Cikglnkj.exe 2916 Cpeohh32.exe 1212 Cglgjeci.exe 2116 Cjjcfabm.exe 1156 Cimcan32.exe 2040 Cpglnhad.exe 4916 Cgndoeag.exe 3720 Cjmpkqqj.exe 4072 Cmklglpn.exe 4688 Cceddf32.exe 2136 Cjomap32.exe 4740 Cmniml32.exe 1960 Cgcmjd32.exe 5100 Cidjbmcp.exe 3752 Dmpfbk32.exe 2672 Dcjnoece.exe 1664 Djdflp32.exe 4472 Dannij32.exe 3044 Dclkee32.exe 1556 Djfcaohp.exe 2680 Dapkni32.exe 1812 Dcogje32.exe 5000 Djhpgofm.exe 4360 Dabhdinj.exe 2328 Dhlpqc32.exe 1888 Dinmhkke.exe 2952 Daediilg.exe 4492 Dhomfc32.exe 1092 Djmibn32.exe 1844 Emlenj32.exe 8 Ehailbaa.exe 2896 Efdjgo32.exe 3268 Eibfck32.exe 1516 Emnbdioi.exe 2452 Edhjqc32.exe 4872 Ehcfaboo.exe 3952 Eidbij32.exe 2640 Ealkjh32.exe 4200 Edjgfcec.exe 4452 Efhcbodf.exe 1108 Eigonjcj.exe 3416 Embkoi32.exe 2060 Epagkd32.exe 2364 Ehhpla32.exe 4340 Ejflhm32.exe 1760 Emehdh32.exe 1860 Eaqdegaj.exe 4152 Ehjlaaig.exe 3476 Efmmmn32.exe 1168 Fmgejhgn.exe 1740 Fpeafcfa.exe 4372 Fhmigagd.exe 1176 Fkkeclfh.exe 3908 Fphnlcdo.exe 3640 Fhofmq32.exe 3204 Fmlneg32.exe 1032 Fpjjac32.exe 4264 Fhabbp32.exe 3116 Fkpool32.exe 4988 Fmnkkg32.exe 4504 Fajgkfio.exe 2484 Fhdohp32.exe 2128 Fggocmhf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kofmfi32.dll Ocgbld32.exe File created C:\Windows\SysWOW64\Oemnpgle.dll Oifeab32.exe File created C:\Windows\SysWOW64\Ddfbhfmf.dll Aoofle32.exe File created C:\Windows\SysWOW64\Hpjmnjqn.exe Hmlpaoaj.exe File opened for modification C:\Windows\SysWOW64\Hlambk32.exe Hkpqkcpd.exe File opened for modification C:\Windows\SysWOW64\Fpdcag32.exe Fmfgek32.exe File created C:\Windows\SysWOW64\Dnbjkgmg.dll Jgmjmjnb.exe File opened for modification C:\Windows\SysWOW64\Ljceqb32.exe Lgdidgjg.exe File created C:\Windows\SysWOW64\Qgaeof32.dll Aknbkjfh.exe File created C:\Windows\SysWOW64\Dgeaknci.dll Aokkahlo.exe File created C:\Windows\SysWOW64\Eaqdegaj.exe Emehdh32.exe File created C:\Windows\SysWOW64\Gmemic32.dll Ihnkel32.exe File created C:\Windows\SysWOW64\Fpbfpack.dll Jqdoem32.exe File created C:\Windows\SysWOW64\Ihqiqn32.dll Kaehljpj.exe File created C:\Windows\SysWOW64\Kejocggj.dll Lnbklm32.exe File created C:\Windows\SysWOW64\Omjpeo32.exe Olicnfco.exe File opened for modification C:\Windows\SysWOW64\Bepmoh32.exe Blgifbil.exe File opened for modification C:\Windows\SysWOW64\Odmbaj32.exe Omcjep32.exe File created C:\Windows\SysWOW64\Ecpfpo32.dll Bdagpnbk.exe File created C:\Windows\SysWOW64\Hmkqgckn.dll Lfbped32.exe File created C:\Windows\SysWOW64\Gjecbd32.dll Bogkmgba.exe File opened for modification C:\Windows\SysWOW64\Eigonjcj.exe Efhcbodf.exe File created C:\Windows\SysWOW64\Ggnedlao.exe Gdoihpbk.exe File created C:\Windows\SysWOW64\Dckhejil.dll Ihphkl32.exe File created C:\Windows\SysWOW64\Mfhpakim.dll Lqpamb32.exe File created C:\Windows\SysWOW64\Eelche32.dll Kgkfnh32.exe File opened for modification C:\Windows\SysWOW64\Kngkqbgl.exe Kfpcoefj.exe File created C:\Windows\SysWOW64\Ibajgf32.dll Cgjjdf32.exe File opened for modification C:\Windows\SysWOW64\Qeodhjmo.exe Qoelkp32.exe File created C:\Windows\SysWOW64\Cdlqqcnl.exe Cfipef32.exe File created C:\Windows\SysWOW64\Kkcfid32.exe Kiejmi32.exe File created C:\Windows\SysWOW64\Fmpbnihe.dll Ahgjejhd.exe File created C:\Windows\SysWOW64\Lklbdm32.exe Kdbjhbbd.exe File created C:\Windows\SysWOW64\Qeodhjmo.exe Qoelkp32.exe File created C:\Windows\SysWOW64\Eiokinbk.exe Ebdcld32.exe File created C:\Windows\SysWOW64\Ppjbmc32.exe Pmlfqh32.exe File created C:\Windows\SysWOW64\Egdeookg.dll Micoed32.exe File created C:\Windows\SysWOW64\Fpgfkbgm.dll Oiknlagg.exe File opened for modification C:\Windows\SysWOW64\Hienlpel.exe Hckeoeno.exe File created C:\Windows\SysWOW64\Lcggio32.exe Lmmolepp.exe File opened for modification C:\Windows\SysWOW64\Fnlmhc32.exe Fmkqpkla.exe File created C:\Windows\SysWOW64\Pijmiq32.dll Kpanan32.exe File created C:\Windows\SysWOW64\Nflnbh32.dll Ckbemgcp.exe File created C:\Windows\SysWOW64\Fhabbp32.exe Fpjjac32.exe File opened for modification C:\Windows\SysWOW64\Glgcbf32.exe Gihgfk32.exe File created C:\Windows\SysWOW64\Bnlhncgi.exe Boihcf32.exe File created C:\Windows\SysWOW64\Fhflnpoi.exe Fpodlbng.exe File created C:\Windows\SysWOW64\Bdlhkf32.dll Cocacl32.exe File opened for modification C:\Windows\SysWOW64\Dmohno32.exe Ddgplado.exe File created C:\Windows\SysWOW64\Qhhpop32.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Iemlnm32.dll Gkmdecbg.exe File created C:\Windows\SysWOW64\Fpdcag32.exe Fmfgek32.exe File created C:\Windows\SysWOW64\Bhkfkmmg.exe Bgkiaj32.exe File created C:\Windows\SysWOW64\Cpdgqmnb.exe Caageq32.exe File created C:\Windows\SysWOW64\Gijekg32.exe Ggkiol32.exe File created C:\Windows\SysWOW64\Hkdjfb32.exe Hlcjhkdp.exe File created C:\Windows\SysWOW64\Dglkaf32.dll Cjjcfabm.exe File created C:\Windows\SysWOW64\Hijjli32.dll Kbddfmgl.exe File created C:\Windows\SysWOW64\Mkohaj32.exe Meepdp32.exe File opened for modification C:\Windows\SysWOW64\Eidbij32.exe Ehcfaboo.exe File opened for modification C:\Windows\SysWOW64\Micoed32.exe Mbighjdd.exe File opened for modification C:\Windows\SysWOW64\Niakfbpa.exe Najceeoo.exe File created C:\Windows\SysWOW64\Ekhobd32.dll Akepfpcl.exe File created C:\Windows\SysWOW64\Embkoi32.exe Eigonjcj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 17208 17108 WerFault.exe 888 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnbgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnoki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnphmkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgmeigd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccfdmmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhhefi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedafk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgqmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaagkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjcnoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimhjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiknlagg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcjep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfegk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hammhcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpcliao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcogje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijadbdoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaehljpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoelkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgncmim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdlffhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahbbkaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dngjff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjlic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkkgpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baadiiif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgplado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahlcaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhalefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjopcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqlefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okchnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhpla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpanan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhblllfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkpqkcpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiiicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdflp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glldgljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cponen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmohno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpbam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noeahkfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbocbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbbqpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jglklggl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlbkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcfmkff.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlfpdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ingpmmgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fechok32.dll" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdlakbf.dll" Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Illfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imnbiq32.dll" Mnegbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjapmn.dll" Gacjadad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdnjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfendmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" Impliekg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpdgqmnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbodmjl.dll" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaohcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlpaoaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggkiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klkkgm32.dll" Inainbcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljilqnlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcqjon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hibjli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll" Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglkaf32.dll" Cjjcfabm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miofjepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaghgm32.dll" Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfoqnae.dll" Lqbncb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbplg32.dll" Gfeaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckdpoji.dll" Jlmfeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoell32.dll" Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chdialdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gilapgqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmfjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdfehh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjjcfabm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffkcnbje.dll" Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmphblgf.dll" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgbdc32.dll" Gpecbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjoqdcl.dll" Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edjgfcec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oklkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahcajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoofle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfendmoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkdliame.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcggio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eidbij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idkbkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbbhqn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koaagkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" Dgeenfog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Impliekg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3668 wrote to memory of 3564 3668 d6e3c441a300ebf660a7b7d08b56cdb0N.exe 84 PID 3668 wrote to memory of 3564 3668 d6e3c441a300ebf660a7b7d08b56cdb0N.exe 84 PID 3668 wrote to memory of 3564 3668 d6e3c441a300ebf660a7b7d08b56cdb0N.exe 84 PID 3564 wrote to memory of 2928 3564 Cgjjdf32.exe 85 PID 3564 wrote to memory of 2928 3564 Cgjjdf32.exe 85 PID 3564 wrote to memory of 2928 3564 Cgjjdf32.exe 85 PID 2928 wrote to memory of 2916 2928 Cikglnkj.exe 86 PID 2928 wrote to memory of 2916 2928 Cikglnkj.exe 86 PID 2928 wrote to memory of 2916 2928 Cikglnkj.exe 86 PID 2916 wrote to memory of 1212 2916 Cpeohh32.exe 87 PID 2916 wrote to memory of 1212 2916 Cpeohh32.exe 87 PID 2916 wrote to memory of 1212 2916 Cpeohh32.exe 87 PID 1212 wrote to memory of 2116 1212 Cglgjeci.exe 88 PID 1212 wrote to memory of 2116 1212 Cglgjeci.exe 88 PID 1212 wrote to memory of 2116 1212 Cglgjeci.exe 88 PID 2116 wrote to memory of 1156 2116 Cjjcfabm.exe 89 PID 2116 wrote to memory of 1156 2116 Cjjcfabm.exe 89 PID 2116 wrote to memory of 1156 2116 Cjjcfabm.exe 89 PID 1156 wrote to memory of 2040 1156 Cimcan32.exe 90 PID 1156 wrote to memory of 2040 1156 Cimcan32.exe 90 PID 1156 wrote to memory of 2040 1156 Cimcan32.exe 90 PID 2040 wrote to memory of 4916 2040 Cpglnhad.exe 91 PID 2040 wrote to memory of 4916 2040 Cpglnhad.exe 91 PID 2040 wrote to memory of 4916 2040 Cpglnhad.exe 91 PID 4916 wrote to memory of 3720 4916 Cgndoeag.exe 92 PID 4916 wrote to memory of 3720 4916 Cgndoeag.exe 92 PID 4916 wrote to memory of 3720 4916 Cgndoeag.exe 92 PID 3720 wrote to memory of 4072 3720 Cjmpkqqj.exe 93 PID 3720 wrote to memory of 4072 3720 Cjmpkqqj.exe 93 PID 3720 wrote to memory of 4072 3720 Cjmpkqqj.exe 93 PID 4072 wrote to memory of 4688 4072 Cmklglpn.exe 94 PID 4072 wrote to memory of 4688 4072 Cmklglpn.exe 94 PID 4072 wrote to memory of 4688 4072 Cmklglpn.exe 94 PID 4688 wrote to memory of 2136 4688 Cceddf32.exe 95 PID 4688 wrote to memory of 2136 4688 Cceddf32.exe 95 PID 4688 wrote to memory of 2136 4688 Cceddf32.exe 95 PID 2136 wrote to memory of 4740 2136 Cjomap32.exe 96 PID 2136 wrote to memory of 4740 2136 Cjomap32.exe 96 PID 2136 wrote to memory of 4740 2136 Cjomap32.exe 96 PID 4740 wrote to memory of 1960 4740 Cmniml32.exe 97 PID 4740 wrote to memory of 1960 4740 Cmniml32.exe 97 PID 4740 wrote to memory of 1960 4740 Cmniml32.exe 97 PID 1960 wrote to memory of 5100 1960 Cgcmjd32.exe 98 PID 1960 wrote to memory of 5100 1960 Cgcmjd32.exe 98 PID 1960 wrote to memory of 5100 1960 Cgcmjd32.exe 98 PID 5100 wrote to memory of 3752 5100 Cidjbmcp.exe 99 PID 5100 wrote to memory of 3752 5100 Cidjbmcp.exe 99 PID 5100 wrote to memory of 3752 5100 Cidjbmcp.exe 99 PID 3752 wrote to memory of 2672 3752 Dmpfbk32.exe 100 PID 3752 wrote to memory of 2672 3752 Dmpfbk32.exe 100 PID 3752 wrote to memory of 2672 3752 Dmpfbk32.exe 100 PID 2672 wrote to memory of 1664 2672 Dcjnoece.exe 102 PID 2672 wrote to memory of 1664 2672 Dcjnoece.exe 102 PID 2672 wrote to memory of 1664 2672 Dcjnoece.exe 102 PID 1664 wrote to memory of 4472 1664 Djdflp32.exe 103 PID 1664 wrote to memory of 4472 1664 Djdflp32.exe 103 PID 1664 wrote to memory of 4472 1664 Djdflp32.exe 103 PID 4472 wrote to memory of 3044 4472 Dannij32.exe 104 PID 4472 wrote to memory of 3044 4472 Dannij32.exe 104 PID 4472 wrote to memory of 3044 4472 Dannij32.exe 104 PID 3044 wrote to memory of 1556 3044 Dclkee32.exe 105 PID 3044 wrote to memory of 1556 3044 Dclkee32.exe 105 PID 3044 wrote to memory of 1556 3044 Dclkee32.exe 105 PID 1556 wrote to memory of 2680 1556 Djfcaohp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6e3c441a300ebf660a7b7d08b56cdb0N.exe"C:\Users\Admin\AppData\Local\Temp\d6e3c441a300ebf660a7b7d08b56cdb0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Cimcan32.exeC:\Windows\system32\Cimcan32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Cjmpkqqj.exeC:\Windows\system32\Cjmpkqqj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Dcjnoece.exeC:\Windows\system32\Dcjnoece.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe23⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\Djhpgofm.exeC:\Windows\system32\Djhpgofm.exe25⤵
- Executes dropped EXE
PID:5000 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe27⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe28⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe29⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe30⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe31⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Emlenj32.exeC:\Windows\system32\Emlenj32.exe32⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe33⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe34⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe35⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe36⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe37⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:3952 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe40⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4200 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4452 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe44⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe45⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe47⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe49⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe50⤵
- Executes dropped EXE
PID:4152 -
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe51⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Fmgejhgn.exeC:\Windows\system32\Fmgejhgn.exe52⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe53⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe54⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe55⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe56⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Fhofmq32.exeC:\Windows\system32\Fhofmq32.exe57⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe58⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe60⤵
- Executes dropped EXE
PID:4264 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3116 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe62⤵
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Fajgkfio.exeC:\Windows\system32\Fajgkfio.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe64⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Fggocmhf.exeC:\Windows\system32\Fggocmhf.exe65⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe66⤵PID:4640
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe67⤵
- Drops file in System32 directory
PID:3852 -
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe68⤵PID:2524
-
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe69⤵PID:412
-
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe70⤵PID:3712
-
C:\Windows\SysWOW64\Gpaqbbld.exeC:\Windows\system32\Gpaqbbld.exe71⤵PID:2848
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe72⤵PID:1352
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:4760 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe74⤵PID:4520
-
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe75⤵PID:1264
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe76⤵
- Drops file in System32 directory
PID:3300 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe77⤵PID:4636
-
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe78⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe79⤵
- Modifies registry class
PID:4496 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe80⤵PID:3152
-
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe81⤵
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe83⤵
- System Location Discovery: System Language Discovery
PID:4272 -
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe84⤵PID:3740
-
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe85⤵PID:3784
-
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe86⤵PID:232
-
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe87⤵PID:4408
-
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe88⤵
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe89⤵PID:1976
-
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe90⤵PID:5136
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe91⤵PID:5180
-
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe92⤵
- Drops file in System32 directory
PID:5224 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe93⤵
- Modifies registry class
PID:5268 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe94⤵
- Modifies registry class
PID:5312 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe95⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe96⤵PID:5400
-
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe97⤵
- System Location Discovery: System Language Discovery
PID:5444 -
C:\Windows\SysWOW64\Iahlcaol.exeC:\Windows\system32\Iahlcaol.exe98⤵
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Windows\SysWOW64\Iqklon32.exeC:\Windows\system32\Iqklon32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5536 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe100⤵PID:5580
-
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe101⤵PID:5624
-
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe102⤵PID:5660
-
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe103⤵PID:5712
-
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe104⤵PID:5756
-
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe105⤵PID:5800
-
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe106⤵PID:5844
-
C:\Windows\SysWOW64\Inainbcn.exeC:\Windows\system32\Inainbcn.exe107⤵
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Ibmeoq32.exeC:\Windows\system32\Ibmeoq32.exe108⤵PID:5932
-
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe109⤵
- Modifies registry class
PID:5980 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe110⤵PID:6024
-
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe111⤵PID:6068
-
C:\Windows\SysWOW64\Indfca32.exeC:\Windows\system32\Indfca32.exe112⤵PID:6112
-
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe113⤵PID:5128
-
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5200 -
C:\Windows\SysWOW64\Jglklggl.exeC:\Windows\system32\Jglklggl.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5276 -
C:\Windows\SysWOW64\Jjjghcfp.exeC:\Windows\system32\Jjjghcfp.exe116⤵PID:5332
-
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe117⤵PID:5408
-
C:\Windows\SysWOW64\Jqdoem32.exeC:\Windows\system32\Jqdoem32.exe118⤵
- Drops file in System32 directory
PID:5472 -
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe119⤵PID:5528
-
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe120⤵PID:5620
-
C:\Windows\SysWOW64\Jqglkmlj.exeC:\Windows\system32\Jqglkmlj.exe121⤵PID:5676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-