Analysis
- max time kernel: 99s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/08/2024, 21:45
Static task: static1
Behavioral task: behavioral1
  Sample: b6a348e37350806a04fe7cb8d24296f0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: b6a348e37350806a04fe7cb8d24296f0N.exe
  Resource: win10v2004-20240802-en
General
- Target: b6a348e37350806a04fe7cb8d24296f0N.exe (the file name is the MD5 below with an "N" suffix, so no original name is known)
- Size: 384KB
- MD5: b6a348e37350806a04fe7cb8d24296f0
- SHA1: 70108f1e958aa0ef48cff4e905306d21c04a9839
- SHA256: 56b6c0afd32336dd412f44dbcbb3a7877aba0b47df2708d929d0d575c1a6a3bb
- SHA512: 300a416943e284804cbb42f1f4f25f32c8d94a78a29e97ec1a169219c0ae2b09af38bebb700d1597310f19eba49bda42675a19057561f3be1e4292dbf1e2a2b7
- SSDEEP: 6144:U1rwQgLgwd2egU68SeNpgdyuH1lZfRo0V8JcgE+ezpg12:UNPgLtd2egv87g7/VycgE82
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Values under ShellServiceObjectDelayLoad (SSODL) name CLSIDs that Explorer.exe instantiates in-process every time the shell starts, so a CLSID registered there with a DLL as its InProcServer32 is loaded into Explorer at every logon without a Run key, service or scheduled task. The sample and the executables it drops write a value named "Web Event Logger" pointing at CLSID {79ECA078-17FF-726B-E811-213280E5C831}; the "Modifies registry class" section below records that CLSID's InProcServer32 being pointed at dropped DLLs in C:\Windows\SysWow64. All writes land in the WOW6432Node view because the sample is a 32-bit image running on an x64 host (the resource tags list both arch:x64 and arch:x86). This value name and CLSID are the persistence marker usually attributed to the Win32/Berbew (Padodor) worm family.

Every IoC list in this report is capped at 64 rows, so "64 IoCs" is a floor, not a total: many more dropped executables repeat the same writes during the run.

The 64 listed rows, grouped by operation (every row is one process acting on the same key):

Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by 28 processes: Fkqbpgan.exe, Iijnbfom.exe, Oimhif32.exe, Lfegiq32.exe, Jjacfqhl.exe, Eamnkc32.exe, Okidki32.exe, Fdigim32.exe, Dcbfbc32.exe, Kqbacjia.exe, Acglcpmn.exe, Ibkepfhj.exe, Ligeee32.exe, Emeeknda.exe, Ncddjk32.exe, Dhhjgo32.exe, Mfqfdo32.exe, Edjcmhpc.exe, Ikcjil32.exe, Nlcncoqg.exe, Bgbjpfch.exe, Oglpfh32.exe, Cenooeca.exe, Bjfnlmen.exe, Deadkccl.exe, Ehicnmje.exe, Neiplo32.exe, Ekpiii32.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"
  by 36 processes: Abbfalpn.exe, Gacfhi32.exe, Jqahll32.exe, Mcoddeok.exe, Ndamdhdk.exe, Mbbnnq32.exe, Falphk32.exe, Qohlbkcl.exe, Pahecb32.exe, Phidpklh.exe, Qihpjn32.exe, Nggfkhab.exe, Khdpihnh.exe, Ppjcef32.exe, Pfglnm32.exe, Pcmbbkam.exe, Mgoola32.exe, Aodlni32.exe, Knfaln32.exe, Cgbcgc32.exe, Miqhld32.exe, Gphmopna.exe, Iknjcfod.exe, Manngc32.exe, b6a348e37350806a04fe7cb8d24296f0N.exe (the original sample), Dheggigo.exe, Jknbjd32.exe, Nlnonj32.exe, Qfphie32.exe, Jhmjhidq.exe, Mnkdok32.exe, Fchjadaq.exe, Lbkqckhi.exe, Neofljiq.exe, Oejombkg.exe, Fagpbecf.exe
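The check a responder would run on a suspect host for this persistence, as an added example that is not part of the sandbox report or its tooling: it walks both SSODL views, resolves every CLSID to its InProcServer32 DLL through the merged HKEY_CLASSES_ROOT view (so a per-user hijack under HKCU\Software\Classes is caught too), and flags the CLSID and value name recorded above, missing or unsigned servers, and servers not signed by Microsoft. The CLSID and value name come from the report; the "Microsoft-signed is fine" heuristic and the function names are this example's assumptions, not rules from the page.

```powershell
# Added hunting script, not part of this sandbox report. Read-only; run in an elevated
# 64-bit PowerShell on the host under investigation. The "a Microsoft-signed DLL is
# acceptable" rule below is an assumption for a stock Windows 10 image.

# Marker recorded in the report's "Adds autorun key" section.
$ReportedClsid = '{79ECA078-17FF-726B-E811-213280E5C831}'
$ReportedName  = 'Web Event Logger'

# Both SSODL views: the native one and the WOW6432Node view a 32-bit process writes to.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# Where a CLSID's in-process server is registered; HKCR merges HKLM and HKCU classes.
# 32-bit view first, matching where the report shows the writes.
$ClsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID',
    'Registry::HKEY_CLASSES_ROOT\CLSID'
)

function Resolve-InProcServer32 {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $path = "$root\$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        # The (default) value is the DLL path; ThreadingModel is informational.
        return [pscustomobject]@{
            Key            = $path
            Dll            = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue(''))
            ThreadingModel = [string]$key.GetValue('ThreadingModel')
        }
    }
    return $null
}

function Get-SsodlFindings {
    foreach ($keyPath in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $clsid   = [string]$key.GetValue($name)
            $server  = Resolve-InProcServer32 -Clsid $clsid
            $reasons = @()

            if ($clsid -ieq $ReportedClsid -or $name -ieq $ReportedName) {
                $reasons += 'matches the SSODL IoC in the report'
            }
            if (-not $server) {
                $reasons += 'CLSID has no InProcServer32 registration'
            } elseif ([string]::IsNullOrEmpty($server.Dll) -or -not (Test-Path -LiteralPath $server.Dll)) {
                $reasons += "InProcServer32 DLL missing on disk: '$($server.Dll)'"
            } else {
                # Catalog-signed OS files also report Valid here.
                $sig = Get-AuthenticodeSignature -FilePath $server.Dll
                if ($sig.Status -ne 'Valid') {
                    $reasons += "DLL signature status $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $reasons += "DLL signed by non-Microsoft subject: $($sig.SignerCertificate.Subject)"
                }
            }

            $dll = if ($server) { $server.Dll } else { $null }
            [pscustomobject]@{
                SsodlKey   = $keyPath
                ValueName  = $name
                Clsid      = $clsid
                Dll        = $dll
                Suspicious = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

On a clean Windows 10 image the only expected rows are Microsoft's own entries (for example WebCheck, backed by a catalog-signed webcheck.dll), reported with Suspicious = False. Any row whose DLL lives in SysWow64 under a generated-looking name, or whose CLSID matches the one above, is the artifact this report describes; remove the SSODL value and the CLSID registration together, since deleting only the DLL leaves Explorer attempting the load at every logon.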
Executes dropped EXE (64 IoCs)

Each row is the pid and image name of a dropped executable that ran. The names are generated eight-letter strings, either Xxxxxxxx or Xxxxxx32, and advance alphabetically from one generation to the next (K, L, M, N, O, P), which is why the 64-row cap cuts the list off among the P names.

pid  Process
3880  Kdqbacdl.exe
2200  Kmifjh32.exe
5412  Kbfobo32.exe
5592  Kkmgcm32.exe
2192  Kmkcohij.exe
2088  Kibddi32.exe
6052  Kpllacfk.exe
5880  Kbjhmoeo.exe
2964  Lpoifc32.exe
5900  Lkdmdl32.exe
5992  Laneqekk.exe
1760  Lkfjik32.exe
5812  Lmefeg32.exe
3240  Lgmknl32.exe
3496  Lpeoganq.exe
3940  Lcdkcmmd.exe
3756  Lphlmaln.exe
1720  Mgbdilck.exe
2656  Mpjhba32.exe
1028  Mgdqokah.exe
3956  Mnnile32.exe
5744  Majeldan.exe
5376  Mdhahppa.exe
2424  Mdjnno32.exe
4416  Manngc32.exe
3460  Mgkgpj32.exe
2104  Maqkmckf.exe
5432  Ngncejim.exe
2688  Npfhno32.exe
316  Ncddjk32.exe
4604  Nnjhgcog.exe
5756  Nddqdn32.exe
3584  Npkaiolh.exe
1196  Ncinejkl.exe
2236  Ngdjfi32.exe
5392  Nkpffgkn.exe
2896  Najncack.exe
1100  Nqmnon32.exe
1232  Nggfkhab.exe
5748  Njebgdpf.exe
1992  Nalkiaah.exe
2148  Ocngpi32.exe
3312  Okeoag32.exe
3692  Ojhomcnc.exe
3428  Oqagjneq.exe
3580  Odmcjl32.exe
3568  Oglpfh32.exe
2248  Onehcbdj.exe
4532  Ocbqkica.exe
744  Okihmfcc.exe
1584  Onheiabg.exe
5272  Oqfaem32.exe
4572  Odbmeljd.exe
5680  Ogpiagih.exe
5596  Ojoenbhl.exe
6016  Oqinjm32.exe
1648  Ogbfggge.exe
5640  Ojabcbfi.exe
6108  Pbhjdpgk.exe
5840  Pciglhmi.exe
812  Pbjgjo32.exe
1468  Pclcagkg.exe
624  Pggobf32.exe
4496  Pbmcpo32.exe
Drops file in System32 directory (64 IoCs)

Every path is under C:\Windows\SysWOW64, the 32-bit system directory to which WOW64 redirects a 32-bit process's writes aimed at %SystemRoot%\System32. Each process drops the next-generation .exe (Lpoifc32.exe creating Lkdmdl32.exe here is the same hand-off the "Suspicious use of WriteProcessMemory" section records as pid 2964 launching pid 5900) and, in the .dll rows, the COM server that the CLSID above is pointed at. Creating files here needs an elevated token, so the sample ran as administrator in the sandbox. "File opened for modification" means the file was opened with write access; it does not by itself show that the content changed.

description  ioc  Process
File created  C:\Windows\SysWOW64\Nhmbhehd.exe  Neofljiq.exe
File opened for modification  C:\Windows\SysWOW64\Ikepde32.exe  Idkggkbo.exe
File created  C:\Windows\SysWOW64\Phidpklh.exe  Pejhdpme.exe
File opened for modification  C:\Windows\SysWOW64\Akcdjb32.exe  Aeilmhei.exe
File opened for modification  C:\Windows\SysWOW64\Ioomdqko.exe  Iiedgg32.exe
File created  C:\Windows\SysWOW64\Onddfjob.dll  Falphk32.exe
File created  C:\Windows\SysWOW64\Nceldolc.dll  Ehclna32.exe
File created  C:\Windows\SysWOW64\Fjmhek32.exe  Fdcpiqdm.exe
File opened for modification  C:\Windows\SysWOW64\Nbnfpihc.exe  Njfnok32.exe
File created  C:\Windows\SysWOW64\Cckmeo32.dll  Ngfpabng.exe
File created  C:\Windows\SysWOW64\Ggnoodmh.dll  Empkpn32.exe
File created  C:\Windows\SysWOW64\Lpmkafma.exe  Liccel32.exe
File opened for modification  C:\Windows\SysWOW64\Bgbjpfch.exe  Bokbohbf.exe
File created  C:\Windows\SysWOW64\Khgbnl32.dll  Olonom32.exe
File created  C:\Windows\SysWOW64\Ebidkbcg.dll  Okeoag32.exe
File created  C:\Windows\SysWOW64\Iolidk32.exe  Idgefb32.exe
File opened for modification  C:\Windows\SysWOW64\Boieii32.exe  Bmjimm32.exe
File created  C:\Windows\SysWOW64\Cagbbffb.dll  Polflfim.exe
File opened for modification  C:\Windows\SysWOW64\Majeldan.exe  Mnnile32.exe
File opened for modification  C:\Windows\SysWOW64\Ikegnk32.exe  Idkoaaek.exe
File opened for modification  C:\Windows\SysWOW64\Nlcncoqg.exe  Miebgcac.exe
File created  C:\Windows\SysWOW64\Aeilmhei.exe  Anodpn32.exe
File created  C:\Windows\SysWOW64\Dmdejj32.exe  Dihijk32.exe
File created  C:\Windows\SysWOW64\Hccpbe32.dll  Mefjpa32.exe
File opened for modification  C:\Windows\SysWOW64\Deadkccl.exe  Dbbhogdh.exe
File created  C:\Windows\SysWOW64\Gdbjok32.exe  Gbdmcp32.exe
File created  C:\Windows\SysWOW64\Boipqloc.dll  Mppancml.exe
File created  C:\Windows\SysWOW64\Halbdban.exe  Hkbjgh32.exe
File created  C:\Windows\SysWOW64\Lkdmdl32.exe  Lpoifc32.exe
File opened for modification  C:\Windows\SysWOW64\Kbbdgcdo.exe  Kkhlki32.exe
File opened for modification  C:\Windows\SysWOW64\Fkbhkqkp.exe  Fajcbk32.exe
File created  C:\Windows\SysWOW64\Fepcfiig.dll  Manjffaa.exe
File created  C:\Windows\SysWOW64\Iigfippg.dll  Bdjijcpd.exe
File created  C:\Windows\SysWOW64\Bgnbgg32.dll  Ghildk32.exe
File created  C:\Windows\SysWOW64\Alcclnlm.exe  Afikpd32.exe
File opened for modification  C:\Windows\SysWOW64\Hkbjgh32.exe  Hpmfjo32.exe
File created  C:\Windows\SysWOW64\Ikepde32.exe  Idkggkbo.exe
File opened for modification  C:\Windows\SysWOW64\Lnkkgmde.exe  Kgqckc32.exe
File created  C:\Windows\SysWOW64\Bkchfajj.dll  Nlcncoqg.exe
File created  C:\Windows\SysWOW64\Kffiam32.dll  Ibpokede.exe
File opened for modification  C:\Windows\SysWOW64\Mpikmdbc.exe  Mfqfdo32.exe
File opened for modification  C:\Windows\SysWOW64\Cepdjo32.exe  Cjjpmfnm.exe
File created  C:\Windows\SysWOW64\Lkfjik32.exe  Laneqekk.exe
File created  C:\Windows\SysWOW64\Lmabeq32.exe  Lblnhhpq.exe
File opened for modification  C:\Windows\SysWOW64\Oiinngei.exe  Ogjbakff.exe
File created  C:\Windows\SysWOW64\Jneiepfm.exe  Jhipmi32.exe
File opened for modification  C:\Windows\SysWOW64\Jqkkbk32.exe  Jjacfqhl.exe
File created  C:\Windows\SysWOW64\Pefniq32.exe  Pbgbme32.exe
File created  C:\Windows\SysWOW64\Dhqhfehd.dll  Agoojcoe.exe
File created  C:\Windows\SysWOW64\Gacfhi32.exe  Ggnbkq32.exe
File opened for modification  C:\Windows\SysWOW64\Onbdcl32.exe  Opodjh32.exe
File created  C:\Windows\SysWOW64\Lfjeepae.dll  Iahbpp32.exe
File created  C:\Windows\SysWOW64\Fclcld32.exe  Fkelkf32.exe
File created  C:\Windows\SysWOW64\Hofjnbcj.exe  Hmgnagdf.exe
File created  C:\Windows\SysWOW64\Hmealgfi.exe  Hdnikjeg.exe
File created  C:\Windows\SysWOW64\Hhfkalhk.exe  Halbdban.exe
File created  C:\Windows\SysWOW64\Epfkdk32.dll  Kmmijacl.exe
File created  C:\Windows\SysWOW64\Egjehg32.dll  Bgngom32.exe
File created  C:\Windows\SysWOW64\Ljqnnlhk.dll  Glnkkhla.exe
File created  C:\Windows\SysWOW64\Mlbhhefe.exe  Miclljga.exe
File opened for modification  C:\Windows\SysWOW64\Pjgkoe32.exe  Pcmbbkam.exe
File opened for modification  C:\Windows\SysWOW64\Nnjhgcog.exe  Ncddjk32.exe
File opened for modification  C:\Windows\SysWOW64\Nalkiaah.exe  Njebgdpf.exe
File created  C:\Windows\SysWOW64\Caoihc32.dll  Kfngbhpd.exe
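Host-side triage for the drop pattern above, as an added example that is not part of the report: it lists .exe and .dll files in C:\Windows\SysWOW64 created or modified inside a time window, keeps those without a valid Authenticode or catalog signature, hashes each against the sample's SHA256 from the General section, and marks names that fit the eight-letter pattern seen in this report. The seven-day window, the name regex (derived only from the names listed here) and the function name are this example's assumptions.

```powershell
# Added triage script, not part of this sandbox report. Read-only; run elevated on the
# host under investigation. Window and name regex are assumptions to tune per incident.

$SysWow64     = Join-Path $env:SystemRoot 'SysWOW64'
$Since        = (Get-Date).ToUniversalTime().AddDays(-7)
# SHA256 of the analysed sample, from the report's General section (Get-FileHash is upper-case).
$SampleSha256 = '56B6C0AFD32336DD412F44DBCBB3A7877ABA0B47DF2708D929D0D575C1A6A3BB'
# Names in this report are 8 letters: Xxxxxx32 or Xxxxxxxx (one capital, then lowercase).
# Observation from this run only, not a family rule; case-sensitive match below.
$GeneratedNameRegex = '^[A-Z][a-z]{5}32\.(exe|dll)$|^[A-Z][a-z]{7}\.(exe|dll)$'

function Get-SysWow64Drops {
    Get-ChildItem -LiteralPath $SysWow64 -File |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since } |
        ForEach-Object {
            # Windows system binaries are usually catalog-signed; both cases report Valid.
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Name          = $_.Name
                CreatedUtc    = $_.CreationTimeUtc
                Size          = $_.Length
                SigStatus     = $sig.Status
                Signer        = $signer
                SHA256        = $hash
                MatchesSample = ($hash -eq $SampleSha256)
                GeneratedName = ($_.Name -cmatch $GeneratedNameRegex)
            }
        } |
        Where-Object { $_.SigStatus -ne 'Valid' -or $_.MatchesSample }
}

Get-SysWow64Drops | Sort-Object CreatedUtc | Format-Table -AutoSize
```

Expect some unsigned third-party DLLs from legitimately installed software and, after a Windows update, many freshly timestamped files that still show SigStatus Valid and drop out of the list. What should not appear on a healthy host is a cluster of unsigned, same-sized binaries with generated-looking names created within seconds of each other, which is exactly the footprint the 64 rows above describe.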
Program crash (1 IoC)
pid 5808 WerFault.exe handled a crash of pid 4400 (procid_target 907)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.

This signature fires on any read of the key below, which Windows locale initialisation and many benign programs also perform, so on its own it is weak evidence. In this report its main use is as another roster of dropped executables that ran: all 64 rows open the same key.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by 64 processes: Ehhlcgfi.exe, Mfqfdo32.exe, Bqjoik32.exe, Eeopma32.exe, Ogpbga32.exe, Aepbngpa.exe, Ocdffbmc.exe, Gobngopc.exe, Hinofhik.exe, Dppdqepn.exe, Dhhjgo32.exe, Anomfh32.exe, Oligob32.exe, Ccdjqeoo.exe, Obbiaffl.exe, Lmefeg32.exe, Hkjgbm32.exe, Ibfleg32.exe, Liepjl32.exe, Nndgdj32.exe, Obpllf32.exe, Cbghcinf.exe, Hnoqhj32.exe, Gmgcmdqp.exe, Mjbecllg.exe, Ndhceg32.exe, Ggphfj32.exe, Eajafcgn.exe, Ehclna32.exe, Bepkca32.exe, Lpphgfkn.exe, Higgid32.exe, Pcpfbq32.exe, Bqmknkhf.exe, Eifekiko.exe, Ggmkqjic.exe, Niodmbih.exe, Lgmknl32.exe, Dfomce32.exe, Ppliqp32.exe, Jhkmcifc.exe, Famgbafh.exe, Ngmmkcea.exe, Hjlqdcjd.exe, Ngncejim.exe, Ballnhaq.exe, Qfphie32.exe, Gfmmnokl.exe, Jnkikf32.exe, Olldea32.exe, Falphk32.exe, Fjhnjkpo.exe, Pblkhdna.exe, Lphlmaln.exe, Bnkclm32.exe, Onbdcl32.exe, Pjpkilbm.exe, Pcmimaeh.exe, Plnqjane.exe, Fknejgca.exe, Pfleildl.exe, Fgdoeb32.exe, Fhgpok32.exe, Iiedgg32.exe
Modifies registry class (64 IoCs)

All 64 rows act on one key, \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, the in-process COM server registration for the CLSID that the SSODL value above names. Each generation re-registers the same CLSID with a freshly dropped DLL as its server and ThreadingModel = "Apartment"; the SSODL value never changes, only the DLL behind it, and the DLL set by the last writer is the one Explorer loads at the next logon. The report prints backslashes doubled ("C:\\Windows\\SysWow64\\Lgafei32.dll"); the on-disk path is C:\Windows\SysWow64\Lgafei32.dll.

Key created (19 processes): Qaigajaf.exe, Bgmqef32.exe, Plegkp32.exe, Jqkkbk32.exe, Fibegg32.exe, Mbimdi32.exe, Jiqmho32.exe, Jhmjhidq.exe, Lpmkafma.exe, Pciglhmi.exe, Mdgjnimf.exe, Fjhnjkpo.exe, Cogchkjb.exe, Kkhlki32.exe, Poccgl32.exe, Ehdjbn32.exe, Fagpbecf.exe, Gfkpho32.exe, Bgpdelig.exe

Set value (str) ThreadingModel = "Apartment" (21 processes): Lehnocqg.exe, Dbbhogdh.exe, Jdbdbpoc.exe, Cjncml32.exe, Hncjcijn.exe, Ijhppbpg.exe, Agaaih32.exe, Lbkqckhi.exe, Gdmiifpn.exe, Jqkkbk32.exe, Qofpmken.exe, Pbamknoq.exe, Gfkpho32.exe, Ehgeipcn.exe, Gklblega.exe, Monhoagl.exe, Fhahoo32.exe, Ndamdhdk.exe, Opodjh32.exe, Lhmiah32.exe, Cgkmfdkn.exe

Set value (str) (default) = C:\Windows\SysWow64\<dll> (24 rows, process and the DLL it registered):
  Ekecdikl.exe  Lgafei32.dll
  Jjacfqhl.exe  Abplio32.dll
  Cbghcinf.exe  Dcagnd32.dll
  Pmhjkfif.exe  Pololf32.dll
  Neqlgc32.exe  Ppklna32.dll
  Noenop32.exe  Oiifnioh.dll
  Nbnfpihc.exe  Bgnhqb32.dll
  Akeaobkc.exe  Ejbdei32.dll
  Clfjfp32.exe  Dnhjpb32.dll
  Doiidh32.exe  Eqjhpl32.dll
  Mfccjojq.exe  Mkdjlp32.dll
  Kdkqni32.exe  Kdhjfa32.dll
  Magceg32.exe  Jioogafg.dll
  Jglgcl32.exe  Dhkdac32.dll
  Inaoja32.exe  Ddgini32.dll
  Aakcgj32.exe  Pkkpke32.dll
  Eajafcgn.exe  Gbdiimhb.dll
  Dfomce32.exe  Cfaqhf32.dll
  Mlkbgf32.exe  Nbkbacgi.dll
  Pcjemk32.exe  Dfpbiddl.dll
  Jocpdj32.exe  Gnhpqb32.dll
  Gpojiafl.exe  Kockkapc.dll
  Bchldcbg.exe  Jpccidan.dll
  Pcflalge.exe  Lhcoak32.dll
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5504 wrote to memory of 3880 5504 b6a348e37350806a04fe7cb8d24296f0N.exe 87 PID 5504 wrote to memory of 3880 5504 b6a348e37350806a04fe7cb8d24296f0N.exe 87 PID 5504 wrote to memory of 3880 5504 b6a348e37350806a04fe7cb8d24296f0N.exe 87 PID 3880 wrote to memory of 2200 3880 Kdqbacdl.exe 88 PID 3880 wrote to memory of 2200 3880 Kdqbacdl.exe 88 PID 3880 wrote to memory of 2200 3880 Kdqbacdl.exe 88 PID 2200 wrote to memory of 5412 2200 Kmifjh32.exe 89 PID 2200 wrote to memory of 5412 2200 Kmifjh32.exe 89 PID 2200 wrote to memory of 5412 2200 Kmifjh32.exe 89 PID 5412 wrote to memory of 5592 5412 Kbfobo32.exe 90 PID 5412 wrote to memory of 5592 5412 Kbfobo32.exe 90 PID 5412 wrote to memory of 5592 5412 Kbfobo32.exe 90 PID 5592 wrote to memory of 2192 5592 Kkmgcm32.exe 91 PID 5592 wrote to memory of 2192 5592 Kkmgcm32.exe 91 PID 5592 wrote to memory of 2192 5592 Kkmgcm32.exe 91 PID 2192 wrote to memory of 2088 2192 Kmkcohij.exe 92 PID 2192 wrote to memory of 2088 2192 Kmkcohij.exe 92 PID 2192 wrote to memory of 2088 2192 Kmkcohij.exe 92 PID 2088 wrote to memory of 6052 2088 Kibddi32.exe 93 PID 2088 wrote to memory of 6052 2088 Kibddi32.exe 93 PID 2088 wrote to memory of 6052 2088 Kibddi32.exe 93 PID 6052 wrote to memory of 5880 6052 Kpllacfk.exe 94 PID 6052 wrote to memory of 5880 6052 Kpllacfk.exe 94 PID 6052 wrote to memory of 5880 6052 Kpllacfk.exe 94 PID 5880 wrote to memory of 2964 5880 Kbjhmoeo.exe 95 PID 5880 wrote to memory of 2964 5880 Kbjhmoeo.exe 95 PID 5880 wrote to memory of 2964 5880 Kbjhmoeo.exe 95 PID 2964 wrote to memory of 5900 2964 Lpoifc32.exe 96 PID 2964 wrote to memory of 5900 2964 Lpoifc32.exe 96 PID 2964 wrote to memory of 5900 2964 Lpoifc32.exe 96 PID 5900 wrote to memory of 5992 5900 Lkdmdl32.exe 97 PID 5900 wrote to memory of 5992 5900 Lkdmdl32.exe 97 PID 5900 wrote to memory of 5992 5900 Lkdmdl32.exe 97 PID 5992 wrote to memory of 1760 5992 Laneqekk.exe 98 PID 5992 wrote to memory of 1760 5992 Laneqekk.exe 
98 PID 5992 wrote to memory of 1760 5992 Laneqekk.exe 98 PID 1760 wrote to memory of 5812 1760 Lkfjik32.exe 99 PID 1760 wrote to memory of 5812 1760 Lkfjik32.exe 99 PID 1760 wrote to memory of 5812 1760 Lkfjik32.exe 99 PID 5812 wrote to memory of 3240 5812 Lmefeg32.exe 100 PID 5812 wrote to memory of 3240 5812 Lmefeg32.exe 100 PID 5812 wrote to memory of 3240 5812 Lmefeg32.exe 100 PID 3240 wrote to memory of 3496 3240 Lgmknl32.exe 102 PID 3240 wrote to memory of 3496 3240 Lgmknl32.exe 102 PID 3240 wrote to memory of 3496 3240 Lgmknl32.exe 102 PID 3496 wrote to memory of 3940 3496 Lpeoganq.exe 103 PID 3496 wrote to memory of 3940 3496 Lpeoganq.exe 103 PID 3496 wrote to memory of 3940 3496 Lpeoganq.exe 103 PID 3940 wrote to memory of 3756 3940 Lcdkcmmd.exe 104 PID 3940 wrote to memory of 3756 3940 Lcdkcmmd.exe 104 PID 3940 wrote to memory of 3756 3940 Lcdkcmmd.exe 104 PID 3756 wrote to memory of 1720 3756 Lphlmaln.exe 105 PID 3756 wrote to memory of 1720 3756 Lphlmaln.exe 105 PID 3756 wrote to memory of 1720 3756 Lphlmaln.exe 105 PID 1720 wrote to memory of 2656 1720 Mgbdilck.exe 106 PID 1720 wrote to memory of 2656 1720 Mgbdilck.exe 106 PID 1720 wrote to memory of 2656 1720 Mgbdilck.exe 106 PID 2656 wrote to memory of 1028 2656 Mpjhba32.exe 107 PID 2656 wrote to memory of 1028 2656 Mpjhba32.exe 107 PID 2656 wrote to memory of 1028 2656 Mpjhba32.exe 107 PID 1028 wrote to memory of 3956 1028 Mgdqokah.exe 108 PID 1028 wrote to memory of 3956 1028 Mgdqokah.exe 108 PID 1028 wrote to memory of 3956 1028 Mgdqokah.exe 108 PID 3956 wrote to memory of 5744 3956 Mnnile32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6a348e37350806a04fe7cb8d24296f0N.exe"C:\Users\Admin\AppData\Local\Temp\b6a348e37350806a04fe7cb8d24296f0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:5504 -
C:\Windows\SysWOW64\Kdqbacdl.exeC:\Windows\system32\Kdqbacdl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\Kmifjh32.exeC:\Windows\system32\Kmifjh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Kbfobo32.exeC:\Windows\system32\Kbfobo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5412 -
C:\Windows\SysWOW64\Kkmgcm32.exeC:\Windows\system32\Kkmgcm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5592 -
C:\Windows\SysWOW64\Kmkcohij.exeC:\Windows\system32\Kmkcohij.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Kibddi32.exeC:\Windows\system32\Kibddi32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Kpllacfk.exeC:\Windows\system32\Kpllacfk.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6052 -
C:\Windows\SysWOW64\Kbjhmoeo.exeC:\Windows\system32\Kbjhmoeo.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5880 -
C:\Windows\SysWOW64\Lpoifc32.exeC:\Windows\system32\Lpoifc32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Lkdmdl32.exeC:\Windows\system32\Lkdmdl32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5900 -
C:\Windows\SysWOW64\Laneqekk.exeC:\Windows\system32\Laneqekk.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5992 -
C:\Windows\SysWOW64\Lkfjik32.exeC:\Windows\system32\Lkfjik32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Lmefeg32.exeC:\Windows\system32\Lmefeg32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5812 -
C:\Windows\SysWOW64\Lgmknl32.exeC:\Windows\system32\Lgmknl32.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\SysWOW64\Lpeoganq.exeC:\Windows\system32\Lpeoganq.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Lcdkcmmd.exeC:\Windows\system32\Lcdkcmmd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Lphlmaln.exeC:\Windows\system32\Lphlmaln.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Mgbdilck.exeC:\Windows\system32\Mgbdilck.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Mpjhba32.exeC:\Windows\system32\Mpjhba32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mgdqokah.exeC:\Windows\system32\Mgdqokah.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Mnnile32.exeC:\Windows\system32\Mnnile32.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Majeldan.exeC:\Windows\system32\Majeldan.exe23⤵
- Executes dropped EXE
PID:5744 -
C:\Windows\SysWOW64\Mdhahppa.exeC:\Windows\system32\Mdhahppa.exe24⤵
- Executes dropped EXE
PID:5376 -
C:\Windows\SysWOW64\Mdjnno32.exeC:\Windows\system32\Mdjnno32.exe25⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Manngc32.exeC:\Windows\system32\Manngc32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Mgkgpj32.exeC:\Windows\system32\Mgkgpj32.exe27⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Maqkmckf.exeC:\Windows\system32\Maqkmckf.exe28⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Ngncejim.exeC:\Windows\system32\Ngncejim.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5432 -
C:\Windows\SysWOW64\Npfhno32.exeC:\Windows\system32\Npfhno32.exe30⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ncddjk32.exeC:\Windows\system32\Ncddjk32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Nnjhgcog.exeC:\Windows\system32\Nnjhgcog.exe32⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Nddqdn32.exeC:\Windows\system32\Nddqdn32.exe33⤵
- Executes dropped EXE
PID:5756 -
C:\Windows\SysWOW64\Npkaiolh.exeC:\Windows\system32\Npkaiolh.exe34⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Ncinejkl.exeC:\Windows\system32\Ncinejkl.exe35⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ngdjfi32.exeC:\Windows\system32\Ngdjfi32.exe36⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Nkpffgkn.exeC:\Windows\system32\Nkpffgkn.exe37⤵
- Executes dropped EXE
PID:5392 -
C:\Windows\SysWOW64\Najncack.exeC:\Windows\system32\Najncack.exe38⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Nqmnon32.exeC:\Windows\system32\Nqmnon32.exe39⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Nggfkhab.exeC:\Windows\system32\Nggfkhab.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Njebgdpf.exeC:\Windows\system32\Njebgdpf.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5748 -
C:\Windows\SysWOW64\Nalkiaah.exeC:\Windows\system32\Nalkiaah.exe42⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ocngpi32.exeC:\Windows\system32\Ocngpi32.exe43⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Okeoag32.exeC:\Windows\system32\Okeoag32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3312 -
C:\Windows\SysWOW64\Ojhomcnc.exeC:\Windows\system32\Ojhomcnc.exe45⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Oqagjneq.exeC:\Windows\system32\Oqagjneq.exe46⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Odmcjl32.exeC:\Windows\system32\Odmcjl32.exe47⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Oglpfh32.exeC:\Windows\system32\Oglpfh32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Onehcbdj.exeC:\Windows\system32\Onehcbdj.exe49⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Ocbqkica.exeC:\Windows\system32\Ocbqkica.exe50⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\Okihmfcc.exeC:\Windows\system32\Okihmfcc.exe51⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Onheiabg.exeC:\Windows\system32\Onheiabg.exe52⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Oqfaem32.exeC:\Windows\system32\Oqfaem32.exe53⤵
- Executes dropped EXE
PID:5272 -
C:\Windows\SysWOW64\Odbmeljd.exeC:\Windows\system32\Odbmeljd.exe54⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Ogpiagih.exeC:\Windows\system32\Ogpiagih.exe55⤵
- Executes dropped EXE
PID:5680 -
C:\Windows\SysWOW64\Ojoenbhl.exeC:\Windows\system32\Ojoenbhl.exe56⤵
- Executes dropped EXE
PID:5596 -
C:\Windows\SysWOW64\Oqinjm32.exeC:\Windows\system32\Oqinjm32.exe57⤵
- Executes dropped EXE
PID:6016 -
C:\Windows\SysWOW64\Ogbfggge.exeC:\Windows\system32\Ogbfggge.exe58⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Ojabcbfi.exeC:\Windows\system32\Ojabcbfi.exe59⤵
- Executes dropped EXE
PID:5640 -
C:\Windows\SysWOW64\Pbhjdpgk.exeC:\Windows\system32\Pbhjdpgk.exe60⤵
- Executes dropped EXE
PID:6108 -
C:\Windows\SysWOW64\Pciglhmi.exeC:\Windows\system32\Pciglhmi.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:5840 -
C:\Windows\SysWOW64\Pbjgjo32.exeC:\Windows\system32\Pbjgjo32.exe62⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Pclcagkg.exeC:\Windows\system32\Pclcagkg.exe63⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Pggobf32.exeC:\Windows\system32\Pggobf32.exe64⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Pbmcpo32.exeC:\Windows\system32\Pbmcpo32.exe65⤵
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\Pgjlhfam.exeC:\Windows\system32\Pgjlhfam.exe66⤵PID:2668
-
C:\Windows\SysWOW64\Pjhhdapa.exeC:\Windows\system32\Pjhhdapa.exe67⤵PID:4456
-
C:\Windows\SysWOW64\Pncddp32.exeC:\Windows\system32\Pncddp32.exe68⤵PID:5104
-
C:\Windows\SysWOW64\Pdnmajpg.exeC:\Windows\system32\Pdnmajpg.exe69⤵PID:1292
-
C:\Windows\SysWOW64\Pglimeok.exeC:\Windows\system32\Pglimeok.exe70⤵PID:5004
-
C:\Windows\SysWOW64\Pkgend32.exeC:\Windows\system32\Pkgend32.exe71⤵PID:2792
-
C:\Windows\SysWOW64\Pbamknoq.exeC:\Windows\system32\Pbamknoq.exe72⤵
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Pccibf32.exeC:\Windows\system32\Pccibf32.exe73⤵PID:5320
-
C:\Windows\SysWOW64\Pkjacdea.exeC:\Windows\system32\Pkjacdea.exe74⤵PID:3276
-
C:\Windows\SysWOW64\Qqgjlkch.exeC:\Windows\system32\Qqgjlkch.exe75⤵PID:4624
-
C:\Windows\SysWOW64\Qgqbhe32.exeC:\Windows\system32\Qgqbhe32.exe76⤵PID:4736
-
C:\Windows\SysWOW64\Qjoodp32.exeC:\Windows\system32\Qjoodp32.exe77⤵PID:5000
-
C:\Windows\SysWOW64\Qaigajaf.exeC:\Windows\system32\Qaigajaf.exe78⤵
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Qkokoc32.exeC:\Windows\system32\Qkokoc32.exe79⤵PID:5356
-
C:\Windows\SysWOW64\Aakcgj32.exeC:\Windows\system32\Aakcgj32.exe80⤵
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Acjpce32.exeC:\Windows\system32\Acjpce32.exe81⤵PID:3204
-
C:\Windows\SysWOW64\Anodpn32.exeC:\Windows\system32\Anodpn32.exe82⤵
- Drops file in System32 directory
PID:4236 -
C:\Windows\SysWOW64\Aeilmhei.exeC:\Windows\system32\Aeilmhei.exe83⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Akcdjb32.exeC:\Windows\system32\Akcdjb32.exe84⤵PID:916
-
C:\Windows\SysWOW64\Abmmfm32.exeC:\Windows\system32\Abmmfm32.exe85⤵PID:3904
-
C:\Windows\SysWOW64\Acoineja.exeC:\Windows\system32\Acoineja.exe86⤵PID:1448
-
C:\Windows\SysWOW64\Akeaobkc.exeC:\Windows\system32\Akeaobkc.exe87⤵
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Aabigiik.exeC:\Windows\system32\Aabigiik.exe88⤵PID:964
-
C:\Windows\SysWOW64\Alhnebia.exeC:\Windows\system32\Alhnebia.exe89⤵PID:4324
-
C:\Windows\SysWOW64\Ajknpo32.exeC:\Windows\system32\Ajknpo32.exe90⤵PID:6000
-
C:\Windows\SysWOW64\Abbfalpn.exeC:\Windows\system32\Abbfalpn.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5944 -
C:\Windows\SysWOW64\Aepbngpa.exeC:\Windows\system32\Aepbngpa.exe92⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Agoojcoe.exeC:\Windows\system32\Agoojcoe.exe93⤵
- Drops file in System32 directory
PID:3572 -
C:\Windows\SysWOW64\Bjmkfnni.exeC:\Windows\system32\Bjmkfnni.exe94⤵PID:2120
-
C:\Windows\SysWOW64\Bbdbglnk.exeC:\Windows\system32\Bbdbglnk.exe95⤵PID:3660
-
C:\Windows\SysWOW64\Bebocgmo.exeC:\Windows\system32\Bebocgmo.exe96⤵PID:1920
-
C:\Windows\SysWOW64\Bceood32.exeC:\Windows\system32\Bceood32.exe97⤵PID:4608
-
C:\Windows\SysWOW64\Blmgpa32.exeC:\Windows\system32\Blmgpa32.exe98⤵PID:4292
-
C:\Windows\SysWOW64\Bnkclm32.exeC:\Windows\system32\Bnkclm32.exe99⤵
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Baiphhcc.exeC:\Windows\system32\Baiphhcc.exe100⤵PID:2932
-
C:\Windows\SysWOW64\Bchldcbg.exeC:\Windows\system32\Bchldcbg.exe101⤵
- Modifies registry class
PID:4308 -
C:\Windows\SysWOW64\Bhcheb32.exeC:\Windows\system32\Bhcheb32.exe102⤵PID:2936
-
C:\Windows\SysWOW64\Bjbdan32.exeC:\Windows\system32\Bjbdan32.exe103⤵PID:2892
-
C:\Windows\SysWOW64\Bnmpalbm.exeC:\Windows\system32\Bnmpalbm.exe104⤵PID:2484
-
C:\Windows\SysWOW64\Ballnhaq.exeC:\Windows\system32\Ballnhaq.exe105⤵
- System Location Discovery: System Language Discovery
PID:4316 -
C:\Windows\SysWOW64\Bdjijcpd.exeC:\Windows\system32\Bdjijcpd.exe106⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Blaqkqaf.exeC:\Windows\system32\Blaqkqaf.exe107⤵PID:3848
-
C:\Windows\SysWOW64\Bnpmglpj.exeC:\Windows\system32\Bnpmglpj.exe108⤵PID:2832
-
C:\Windows\SysWOW64\Banicgon.exeC:\Windows\system32\Banicgon.exe109⤵PID:4212
-
C:\Windows\SysWOW64\Bejedfgg.exeC:\Windows\system32\Bejedfgg.exe110⤵PID:4296
-
C:\Windows\SysWOW64\Bjfnlmen.exeC:\Windows\system32\Bjfnlmen.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3852 -
C:\Windows\SysWOW64\Bhjneadh.exeC:\Windows\system32\Bhjneadh.exe112⤵PID:2452
-
C:\Windows\SysWOW64\Clfjfp32.exeC:\Windows\system32\Clfjfp32.exe113⤵
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Cbpbcjdn.exeC:\Windows\system32\Cbpbcjdn.exe114⤵PID:3524
-
C:\Windows\SysWOW64\Cenooeca.exeC:\Windows\system32\Cenooeca.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6088 -
C:\Windows\SysWOW64\Cdaojb32.exeC:\Windows\system32\Cdaojb32.exe116⤵PID:1168
-
C:\Windows\SysWOW64\Clhglpkn.exeC:\Windows\system32\Clhglpkn.exe117⤵PID:5448
-
C:\Windows\SysWOW64\Cogchkjb.exeC:\Windows\system32\Cogchkjb.exe118⤵
- Modifies registry class
PID:5664 -
C:\Windows\SysWOW64\Ceqkde32.exeC:\Windows\system32\Ceqkde32.exe119⤵PID:3352
-
C:\Windows\SysWOW64\Cdckpbhi.exeC:\Windows\system32\Cdckpbhi.exe120⤵PID:4760
-
C:\Windows\SysWOW64\Clkcaoil.exeC:\Windows\system32\Clkcaoil.exe121⤵PID:5820
-
C:\Windows\SysWOW64\Cjncml32.exeC:\Windows\system32\Cjncml32.exe122⤵
- Modifies registry class
PID:5360