Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
116s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/08/2024, 08:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
17b9a8389a981ac4d7c5f6a0e2af3e80N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
17b9a8389a981ac4d7c5f6a0e2af3e80N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
17b9a8389a981ac4d7c5f6a0e2af3e80N.exe
-
Size
156KB
-
MD5
17b9a8389a981ac4d7c5f6a0e2af3e80
-
SHA1
ba9b5f43701e53626929049233642b63cf2ac219
-
SHA256
757bbd1e20fd7ca3af035a0e8a0708fdbebe0fb69aa665946156b592ec9071dd
-
SHA512
64b0c4d3abf2ef3b0d0a88b9b035fdfad1a44313981ba5f4f1a8df9d71fa0c9f82dfca3fc5acf728bff8702ad729d902238e54abee3d8da4122149f015fecdd8
-
SSDEEP
3072:uCy4IML/sY0ULAg74EgkTRG5J9IDlRxyhTbhgu+tAcrbFAJc+RsUiM:tgu/s3KF73TRG5sDshsrtMsC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndfanlpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhefhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opjgidfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnoiqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cigcjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghbkdald.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnglcqio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infqklol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbgdnelk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eipilmgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dolinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjgemi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapbodql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgncff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmbmdeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mehafq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meadlo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhjjcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbqalle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmebnpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdakd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcgnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnnimbaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jglaepim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfpidk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cplckbmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbqalle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegchl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Labkempb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghbkdald.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnqebaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcgjhega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeffnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnilfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dedkogqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmeiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adnilfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbpeghpe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhopgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqmggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jelhcd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najagp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgjdibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dagajlal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dojlhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmopmalc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnbekok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ancjef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbkcek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhqqlmba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgfmeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdbmfhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmakk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbpij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjhonp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhiphi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hommhi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iooimi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjabdo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lelajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhgjll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqiehnml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifnkeb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlikg32.exe -
Executes dropped EXE 64 IoCs
pid Process 1724 Aecialmb.exe 2652 Amkabind.exe 1448 Aiabhj32.exe 3868 Abjfqpji.exe 2052 Aidomjaf.exe 3848 Bcicjbal.exe 348 Bmagch32.exe 1332 Bclppboi.exe 4676 Bihhhi32.exe 2508 Bcnleb32.exe 692 Beoimjce.exe 4088 Bpemkcck.exe 2288 Bfoegm32.exe 4384 Bbefln32.exe 1228 Bmkjig32.exe 1980 Cdebfago.exe 3656 Cmmgof32.exe 1352 Cplckbmc.exe 1512 Cdgolq32.exe 4304 Cehlcikj.exe 2336 Cidgdg32.exe 4792 Clbdpc32.exe 2512 Cpnpqakp.exe 2684 Cbmlmmjd.exe 3596 Cfhhml32.exe 388 Cekhihig.exe 3216 Cmbpjfij.exe 4400 Cleqfb32.exe 3156 Cpqlfa32.exe 2500 Cboibm32.exe 4984 Cfjeckpj.exe 2356 Cemeoh32.exe 3872 Cmdmpe32.exe 5048 Clgmkbna.exe 3624 Cpcila32.exe 4184 Cbaehl32.exe 1840 Cfmahknh.exe 4552 Cepadh32.exe 4640 Cmgjee32.exe 3548 Clijablo.exe 4388 Dpefaq32.exe 4736 Dbcbnlcl.exe 2184 Debnjgcp.exe 1664 Dmifkecb.exe 3424 Dllffa32.exe 1108 Ddcogo32.exe 3412 Dbfoclai.exe 3920 Dedkogqm.exe 1624 Dipgpf32.exe 640 Dlncla32.exe 2164 Ddekmo32.exe 3380 Dbhlikpf.exe 3468 Defheg32.exe 4864 Dibdeegc.exe 5136 Dlqpaafg.exe 5176 Dpllbp32.exe 5216 Ddhhbngi.exe 5264 Dgfdojfm.exe 5296 Deidjf32.exe 5336 Dmplkd32.exe 5376 Dlcmgqdd.exe 5416 Ddjehneg.exe 5464 Dcmedk32.exe 5496 Dghadidj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lofllk32.dll Adnilfnl.exe File created C:\Windows\SysWOW64\Kcphpdil.exe Jcmkjeko.exe File created C:\Windows\SysWOW64\Edakimoo.exe Eljchpnl.exe File created C:\Windows\SysWOW64\Gibpcnbo.dll Bbklli32.exe File opened for modification C:\Windows\SysWOW64\Fekclnif.exe Fcmgpbjc.exe File opened for modification C:\Windows\SysWOW64\Lglcag32.exe Labkempb.exe File created C:\Windows\SysWOW64\Bfoegm32.exe Bpemkcck.exe File opened for modification C:\Windows\SysWOW64\Loniiflo.exe Lfgahikm.exe File created C:\Windows\SysWOW64\Fnqebaog.exe Feimadoe.exe File opened for modification C:\Windows\SysWOW64\Hnhdjn32.exe Hjlhipbc.exe File created C:\Windows\SysWOW64\Loiong32.exe Lfbgmj32.exe File opened for modification C:\Windows\SysWOW64\Dlnlak32.exe Dhbqalle.exe File created C:\Windows\SysWOW64\Hqkefo32.dll Hjbhph32.exe File opened for modification C:\Windows\SysWOW64\Qjcdih32.exe Qhbhapha.exe File opened for modification C:\Windows\SysWOW64\Gchflq32.exe Gpjjpe32.exe File opened for modification C:\Windows\SysWOW64\Icmbcg32.exe Ikejbjip.exe File opened for modification C:\Windows\SysWOW64\Mgngih32.exe Mdokmm32.exe File created C:\Windows\SysWOW64\Lfijgnnj.dll Cmmgof32.exe File created C:\Windows\SysWOW64\Ifgknd32.dll Icqmncof.exe File opened for modification C:\Windows\SysWOW64\Iqdmghnp.exe Infqklol.exe File created C:\Windows\SysWOW64\Aeglbeea.exe Afdkfh32.exe File opened for modification C:\Windows\SysWOW64\Qkakhakq.exe Phbolflm.exe File opened for modification C:\Windows\SysWOW64\Cjfclcpg.exe Cjdfgc32.exe File created C:\Windows\SysWOW64\Cfbknl32.dll Jgcooaah.exe File created C:\Windows\SysWOW64\Qkchna32.exe Qhekaejj.exe File created C:\Windows\SysWOW64\Lokldg32.exe Lfddci32.exe File opened for modification C:\Windows\SysWOW64\Aokcjngj.exe Akogio32.exe File created C:\Windows\SysWOW64\Dhnmaeif.dll Bnbmqjjo.exe File created C:\Windows\SysWOW64\Gpmpcc32.dll Cnbfgh32.exe File created C:\Windows\SysWOW64\Elhfbp32.exe Eiijfd32.exe File opened for modification C:\Windows\SysWOW64\Gloejmld.exe Gfemmb32.exe File created C:\Windows\SysWOW64\Eoekde32.exe Eemgkpef.exe File created C:\Windows\SysWOW64\Befogbik.dll Cfmahknh.exe File created C:\Windows\SysWOW64\Knifging.exe Kccbjq32.exe File opened for modification C:\Windows\SysWOW64\Hchihhng.exe Hommhi32.exe File created C:\Windows\SysWOW64\Lpgalc32.exe Ljjicl32.exe File opened for modification C:\Windows\SysWOW64\Eljchpnl.exe Emgblc32.exe File created C:\Windows\SysWOW64\Anfmeldl.exe Akhaipei.exe File created C:\Windows\SysWOW64\Gjcfcakn.exe Ggdigekj.exe File created C:\Windows\SysWOW64\Jelhcd32.exe Jmdqbg32.exe File created C:\Windows\SysWOW64\Mhoimi32.dll Cpipkl32.exe File created C:\Windows\SysWOW64\Nplkhf32.exe Nhafcd32.exe File opened for modification C:\Windows\SysWOW64\Bnoiqd32.exe Ajaqjfbp.exe File opened for modification C:\Windows\SysWOW64\Clmckmcq.exe Ciogobcm.exe File created C:\Windows\SysWOW64\Iefedcmk.exe Hakidd32.exe File opened for modification C:\Windows\SysWOW64\Iqgjmg32.exe Imknli32.exe File opened for modification C:\Windows\SysWOW64\Gpjjpe32.exe Ghcbohpp.exe File opened for modification C:\Windows\SysWOW64\Eeddfe32.exe Egbdjhlp.exe File created C:\Windows\SysWOW64\Fgncff32.exe Fpckjlje.exe File created C:\Windows\SysWOW64\Jgekdq32.exe Jegohe32.exe File created C:\Windows\SysWOW64\Bpaikm32.exe Bkfmjnii.exe File opened for modification C:\Windows\SysWOW64\Doqbifpl.exe Dhgjll32.exe File opened for modification C:\Windows\SysWOW64\Glqkefff.exe Giboijgb.exe File created C:\Windows\SysWOW64\Imcqacfq.exe Ifihdi32.exe File created C:\Windows\SysWOW64\Lmdbooik.exe Kppbejka.exe File created C:\Windows\SysWOW64\Dgagnd32.dll Ijgjpaao.exe File opened for modification C:\Windows\SysWOW64\Laglkb32.exe Loiong32.exe File created C:\Windows\SysWOW64\Jmopmalc.exe Jgbhdkml.exe File created C:\Windows\SysWOW64\Lbhppocd.dll Lmmokgne.exe File opened for modification C:\Windows\SysWOW64\Hdbmfhbi.exe Hqfqfj32.exe File opened for modification C:\Windows\SysWOW64\Kmppneal.exe Kffhakjp.exe File opened for modification C:\Windows\SysWOW64\Minipm32.exe Mmghklif.exe File opened for modification C:\Windows\SysWOW64\Eegqldqg.exe Ecidpiad.exe File opened for modification C:\Windows\SysWOW64\Flfbcndo.exe Fcmnkh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14324 14180 WerFault.exe 702 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mginniij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlhaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojjcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciogobcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefedcmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhhgmlli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcldhfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeddfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmebnpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoefgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpnpqakp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjnlha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnbfgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijgjpip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlikg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phpbffnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbmfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aecialmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgolq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deidjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqmggi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmfkjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgngih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicqja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbqalle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehlcikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmahknh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlqpaafg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhoinbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhjjcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqiehnml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hleneo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddekmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgfod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgedjjki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dagajlal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbldhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibfbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjjpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodjcnca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghadidj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffceq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Focakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcphpdil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Debnjgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgebnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icefib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdllffpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljleil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmedk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdokmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oediim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akogio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklglk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbefln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kccbjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deagoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgblc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eincadmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjebpml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfdbpjmi.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dngobghg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcmnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icjkef32.dll" Lfddci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onhhmpoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flghognq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgedjjki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeeolh32.dll" Mhppik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbjade32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhiphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdodbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckoifgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agccao32.dll" Bcnleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiiibnn.dll" Cmbpjfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmlgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnilfnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afnefieo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgibqj32.dll" Dhgjll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Minipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehhpge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqbpahpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jegohe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohpiphlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laibqedm.dll" Akfdcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmihlcf.dll" Bihancje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headnoed.dll" Bflagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flopmh32.dll" Fhiphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dagajlal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipdih32.dll" Fdhail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mehafq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhghiic.dll" Nefmgogl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcnleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkehhpn.dll" Hnhdjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnapgjdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmopmalc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll" Ddekmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eebgqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcngafol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldhdlnli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noehac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flekihpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcnhngo.dll" Fgmllpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabmnd32.dll" Ciqmjkno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Focakm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hakidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbjhlcmm.dll" Ddjehneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgngih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okneldkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnbfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kimgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bicbje32.dll" Lcealh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egbdjhlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didhmpdm.dll" Inhmqlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjghqbi.dll" Jgedjjki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amkabind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbgom32.dll" Jmpgghoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmeff32.dll" Eojeodga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgemahmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghbkdald.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecdkdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjcmbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmglk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlqpaafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eljchpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfkhfmdm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 492 wrote to memory of 1724 492 17b9a8389a981ac4d7c5f6a0e2af3e80N.exe 91 PID 492 wrote to memory of 1724 492 17b9a8389a981ac4d7c5f6a0e2af3e80N.exe 91 PID 492 wrote to memory of 1724 492 17b9a8389a981ac4d7c5f6a0e2af3e80N.exe 91 PID 1724 wrote to memory of 2652 1724 Aecialmb.exe 92 PID 1724 wrote to memory of 2652 1724 Aecialmb.exe 92 PID 1724 wrote to memory of 2652 1724 Aecialmb.exe 92 PID 2652 wrote to memory of 1448 2652 Amkabind.exe 93 PID 2652 wrote to memory of 1448 2652 Amkabind.exe 93 PID 2652 wrote to memory of 1448 2652 Amkabind.exe 93 PID 1448 wrote to memory of 3868 1448 Aiabhj32.exe 94 PID 1448 wrote to memory of 3868 1448 Aiabhj32.exe 94 PID 1448 wrote to memory of 3868 1448 Aiabhj32.exe 94 PID 3868 wrote to memory of 2052 3868 Abjfqpji.exe 95 PID 3868 wrote to memory of 2052 3868 Abjfqpji.exe 95 PID 3868 wrote to memory of 2052 3868 Abjfqpji.exe 95 PID 2052 wrote to memory of 3848 2052 Aidomjaf.exe 96 PID 2052 wrote to memory of 3848 2052 Aidomjaf.exe 96 PID 2052 wrote to memory of 3848 2052 Aidomjaf.exe 96 PID 3848 wrote to memory of 348 3848 Bcicjbal.exe 97 PID 3848 wrote to memory of 348 3848 Bcicjbal.exe 97 PID 3848 wrote to memory of 348 3848 Bcicjbal.exe 97 PID 348 wrote to memory of 1332 348 Bmagch32.exe 98 PID 348 wrote to memory of 1332 348 Bmagch32.exe 98 PID 348 wrote to memory of 1332 348 Bmagch32.exe 98 PID 1332 wrote to memory of 4676 1332 Bclppboi.exe 99 PID 1332 wrote to memory of 4676 1332 Bclppboi.exe 99 PID 1332 wrote to memory of 4676 1332 Bclppboi.exe 99 PID 4676 wrote to memory of 2508 4676 Bihhhi32.exe 100 PID 4676 wrote to memory of 2508 4676 Bihhhi32.exe 100 PID 4676 wrote to memory of 2508 4676 Bihhhi32.exe 100 PID 2508 wrote to memory of 692 2508 Bcnleb32.exe 101 PID 2508 wrote to memory of 692 2508 Bcnleb32.exe 101 PID 2508 wrote to memory of 692 2508 Bcnleb32.exe 101 PID 692 wrote to memory of 4088 692 Beoimjce.exe 102 PID 692 wrote to memory of 4088 692 Beoimjce.exe 102 PID 692 wrote to memory of 4088 692 Beoimjce.exe 102 PID 4088 wrote to memory of 2288 4088 Bpemkcck.exe 103 PID 4088 wrote to memory of 2288 4088 Bpemkcck.exe 103 PID 4088 wrote to memory of 2288 4088 Bpemkcck.exe 103 PID 2288 wrote to memory of 4384 2288 Bfoegm32.exe 105 PID 2288 wrote to memory of 4384 2288 Bfoegm32.exe 105 PID 2288 wrote to memory of 4384 2288 Bfoegm32.exe 105 PID 4384 wrote to memory of 1228 4384 Bbefln32.exe 107 PID 4384 wrote to memory of 1228 4384 Bbefln32.exe 107 PID 4384 wrote to memory of 1228 4384 Bbefln32.exe 107 PID 1228 wrote to memory of 1980 1228 Bmkjig32.exe 108 PID 1228 wrote to memory of 1980 1228 Bmkjig32.exe 108 PID 1228 wrote to memory of 1980 1228 Bmkjig32.exe 108 PID 1980 wrote to memory of 3656 1980 Cdebfago.exe 110 PID 1980 wrote to memory of 3656 1980 Cdebfago.exe 110 PID 1980 wrote to memory of 3656 1980 Cdebfago.exe 110 PID 3656 wrote to memory of 1352 3656 Cmmgof32.exe 111 PID 3656 wrote to memory of 1352 3656 Cmmgof32.exe 111 PID 3656 wrote to memory of 1352 3656 Cmmgof32.exe 111 PID 1352 wrote to memory of 1512 1352 Cplckbmc.exe 112 PID 1352 wrote to memory of 1512 1352 Cplckbmc.exe 112 PID 1352 wrote to memory of 1512 1352 Cplckbmc.exe 112 PID 1512 wrote to memory of 4304 1512 Cdgolq32.exe 113 PID 1512 wrote to memory of 4304 1512 Cdgolq32.exe 113 PID 1512 wrote to memory of 4304 1512 Cdgolq32.exe 113 PID 4304 wrote to memory of 2336 4304 Cehlcikj.exe 114 PID 4304 wrote to memory of 2336 4304 Cehlcikj.exe 114 PID 4304 wrote to memory of 2336 4304 Cehlcikj.exe 114 PID 2336 wrote to memory of 4792 2336 Cidgdg32.exe 115
Processes
-
C:\Users\Admin\AppData\Local\Temp\17b9a8389a981ac4d7c5f6a0e2af3e80N.exe"C:\Users\Admin\AppData\Local\Temp\17b9a8389a981ac4d7c5f6a0e2af3e80N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Amkabind.exeC:\Windows\system32\Amkabind.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Aiabhj32.exeC:\Windows\system32\Aiabhj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Abjfqpji.exeC:\Windows\system32\Abjfqpji.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\SysWOW64\Aidomjaf.exeC:\Windows\system32\Aidomjaf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Bcicjbal.exeC:\Windows\system32\Bcicjbal.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\Bmagch32.exeC:\Windows\system32\Bmagch32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Bcnleb32.exeC:\Windows\system32\Bcnleb32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Bfoegm32.exeC:\Windows\system32\Bfoegm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Bmkjig32.exeC:\Windows\system32\Bmkjig32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Cmmgof32.exeC:\Windows\system32\Cmmgof32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Cplckbmc.exeC:\Windows\system32\Cplckbmc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Cdgolq32.exeC:\Windows\system32\Cdgolq32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Cehlcikj.exeC:\Windows\system32\Cehlcikj.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\SysWOW64\Cidgdg32.exeC:\Windows\system32\Cidgdg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe23⤵
- Executes dropped EXE
PID:4792 -
C:\Windows\SysWOW64\Cpnpqakp.exeC:\Windows\system32\Cpnpqakp.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Cbmlmmjd.exeC:\Windows\system32\Cbmlmmjd.exe25⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Cfhhml32.exeC:\Windows\system32\Cfhhml32.exe26⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Cekhihig.exeC:\Windows\system32\Cekhihig.exe27⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3216 -
C:\Windows\SysWOW64\Cleqfb32.exeC:\Windows\system32\Cleqfb32.exe29⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Cpqlfa32.exeC:\Windows\system32\Cpqlfa32.exe30⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Cboibm32.exeC:\Windows\system32\Cboibm32.exe31⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe32⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Cemeoh32.exeC:\Windows\system32\Cemeoh32.exe33⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Cmdmpe32.exeC:\Windows\system32\Cmdmpe32.exe34⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe35⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Cpcila32.exeC:\Windows\system32\Cpcila32.exe36⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Cbaehl32.exeC:\Windows\system32\Cbaehl32.exe37⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\Cepadh32.exeC:\Windows\system32\Cepadh32.exe39⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Cmgjee32.exeC:\Windows\system32\Cmgjee32.exe40⤵
- Executes dropped EXE
PID:4640 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe41⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Dpefaq32.exeC:\Windows\system32\Dpefaq32.exe42⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Dbcbnlcl.exeC:\Windows\system32\Dbcbnlcl.exe43⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Debnjgcp.exeC:\Windows\system32\Debnjgcp.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Dmifkecb.exeC:\Windows\system32\Dmifkecb.exe45⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Dllffa32.exeC:\Windows\system32\Dllffa32.exe46⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe47⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Dbfoclai.exeC:\Windows\system32\Dbfoclai.exe48⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Dedkogqm.exeC:\Windows\system32\Dedkogqm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe50⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Dlncla32.exeC:\Windows\system32\Dlncla32.exe51⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Ddekmo32.exeC:\Windows\system32\Ddekmo32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe53⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe54⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Dibdeegc.exeC:\Windows\system32\Dibdeegc.exe55⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Dlqpaafg.exeC:\Windows\system32\Dlqpaafg.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe57⤵
- Executes dropped EXE
PID:5176 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe58⤵
- Executes dropped EXE
PID:5216 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe59⤵
- Executes dropped EXE
PID:5264 -
C:\Windows\SysWOW64\Deidjf32.exeC:\Windows\system32\Deidjf32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5296 -
C:\Windows\SysWOW64\Dmplkd32.exeC:\Windows\system32\Dmplkd32.exe61⤵
- Executes dropped EXE
PID:5336 -
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe62⤵
- Executes dropped EXE
PID:5376 -
C:\Windows\SysWOW64\Ddjehneg.exeC:\Windows\system32\Ddjehneg.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5416 -
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5464 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5496 -
C:\Windows\SysWOW64\Digmqe32.exeC:\Windows\system32\Digmqe32.exe66⤵PID:5536
-
C:\Windows\SysWOW64\Eleimp32.exeC:\Windows\system32\Eleimp32.exe67⤵PID:5584
-
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe68⤵PID:5616
-
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe69⤵PID:5660
-
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe70⤵PID:5696
-
C:\Windows\SysWOW64\Eiijfd32.exeC:\Windows\system32\Eiijfd32.exe71⤵
- Drops file in System32 directory
PID:5736 -
C:\Windows\SysWOW64\Elhfbp32.exeC:\Windows\system32\Elhfbp32.exe72⤵PID:5784
-
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe73⤵PID:5816
-
C:\Windows\SysWOW64\Ecanojgl.exeC:\Windows\system32\Ecanojgl.exe74⤵PID:5856
-
C:\Windows\SysWOW64\Egmjpi32.exeC:\Windows\system32\Egmjpi32.exe75⤵
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Windows\SysWOW64\Eepkkefp.exeC:\Windows\system32\Eepkkefp.exe76⤵PID:5936
-
C:\Windows\SysWOW64\Emgblc32.exeC:\Windows\system32\Emgblc32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5976 -
C:\Windows\SysWOW64\Eljchpnl.exeC:\Windows\system32\Eljchpnl.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:6016 -
C:\Windows\SysWOW64\Edakimoo.exeC:\Windows\system32\Edakimoo.exe79⤵PID:6056
-
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe80⤵
- Modifies registry class
PID:6096 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe81⤵
- Modifies registry class
PID:6136 -
C:\Windows\SysWOW64\Eincadmf.exeC:\Windows\system32\Eincadmf.exe82⤵
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe83⤵PID:2768
-
C:\Windows\SysWOW64\Ephlnn32.exeC:\Windows\system32\Ephlnn32.exe84⤵PID:4468
-
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe86⤵
- Drops file in System32 directory
- Modifies registry class
PID:5248 -
C:\Windows\SysWOW64\Eeddfe32.exeC:\Windows\system32\Eeddfe32.exe87⤵
- System Location Discovery: System Language Discovery
PID:5324 -
C:\Windows\SysWOW64\Enllgbcl.exeC:\Windows\system32\Enllgbcl.exe88⤵PID:2504
-
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe89⤵PID:5472
-
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe90⤵PID:5520
-
C:\Windows\SysWOW64\Ecidpiad.exeC:\Windows\system32\Ecidpiad.exe91⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Eegqldqg.exeC:\Windows\system32\Eegqldqg.exe92⤵PID:5256
-
C:\Windows\SysWOW64\Fnnimbaj.exeC:\Windows\system32\Fnnimbaj.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Fpmeimpn.exeC:\Windows\system32\Fpmeimpn.exe94⤵PID:5800
-
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe95⤵
- Modifies registry class
PID:5880 -
C:\Windows\SysWOW64\Fgfmeg32.exeC:\Windows\system32\Fgfmeg32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5952 -
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe97⤵
- Drops file in System32 directory
PID:5668 -
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6084 -
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe99⤵PID:4320
-
C:\Windows\SysWOW64\Fcmnkh32.exeC:\Windows\system32\Fcmnkh32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe101⤵PID:5292
-
C:\Windows\SysWOW64\Fcpkph32.exeC:\Windows\system32\Fcpkph32.exe102⤵PID:5412
-
C:\Windows\SysWOW64\Ffnglc32.exeC:\Windows\system32\Ffnglc32.exe103⤵PID:1064
-
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe104⤵
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Flhoinbl.exeC:\Windows\system32\Flhoinbl.exe105⤵
- System Location Discovery: System Language Discovery
PID:5680 -
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe106⤵
- Drops file in System32 directory
PID:5384 -
C:\Windows\SysWOW64\Fgncff32.exeC:\Windows\system32\Fgncff32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5192 -
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5920 -
C:\Windows\SysWOW64\Fljlom32.exeC:\Windows\system32\Fljlom32.exe109⤵PID:5320
-
C:\Windows\SysWOW64\Fdadpk32.exeC:\Windows\system32\Fdadpk32.exe110⤵PID:4352
-
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe111⤵PID:5824
-
C:\Windows\SysWOW64\Gjnlha32.exeC:\Windows\system32\Gjnlha32.exe112⤵
- System Location Discovery: System Language Discovery
PID:6064 -
C:\Windows\SysWOW64\Glmhdm32.exeC:\Windows\system32\Glmhdm32.exe113⤵PID:5368
-
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe114⤵PID:5612
-
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe115⤵PID:5752
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe116⤵
- Drops file in System32 directory
PID:5888 -
C:\Windows\SysWOW64\Gloejmld.exeC:\Windows\system32\Gloejmld.exe117⤵PID:6044
-
C:\Windows\SysWOW64\Gdfmkjlg.exeC:\Windows\system32\Gdfmkjlg.exe118⤵PID:5864
-
C:\Windows\SysWOW64\Ggdigekj.exeC:\Windows\system32\Ggdigekj.exe119⤵
- Drops file in System32 directory
PID:6104 -
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe120⤵PID:5648
-
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe121⤵PID:5544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-