Analysis
-
max time kernel
149s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-09-2024 01:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe
-
Size
1.9MB
-
MD5
873eb298d9966267aba4c4c4dfce8453
-
SHA1
67d467621fa6ffc2f6fcd55ac2da15bf714e2e92
-
SHA256
a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d
-
SHA512
05258dafebfc516a678bad3b23467bd415f1701251f29bc240a99216315ac61d297e86a2b7b964fc15ac2eb61625d17640a6439eff5670d34fc91034bf4293a9
-
SSDEEP
24576:9NIVyeNIVy2jUpsQUNIVyeNIVy2jUMB1NIVyeNIVy2jUpsQUNIVyeNIVy2jUO:4yjcbLyjPqyjcbLyjH
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigdcll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kabcopmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhgkgijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jldkeeig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kahinkaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhnjna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkcndeen.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihmedma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfbjdnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcidopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmhkflnj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaljbmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fganqbgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbjhbbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpmdbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkfadkgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edplhjhi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmchoan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjjiej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpdhboj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmqdemc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhpao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oblhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekimjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlqloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piceflpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnnianm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjmni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pffgom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhdggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lehhqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klahfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcggio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncqlkemc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncchae32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccahbmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nofefp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkkmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doaneiop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apjdikqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqikob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inqbclob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikpjbq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmlkhofd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kngkqbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjidgkog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eahobg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkgillpj.exe -
Executes dropped EXE 64 IoCs
pid Process 3684 Dlieda32.exe 3200 Djjebh32.exe 3988 Dpgnjo32.exe 4032 Ecefqnel.exe 2400 Eleepoob.exe 4468 Flinkojm.exe 2700 Fjjnifbl.exe 3856 Flqdlnde.exe 4244 Fffhifdk.exe 4160 Gjdaodja.exe 1692 Glengm32.exe 4432 Gpcfmkff.exe 392 Gikkfqmf.exe 3956 Gpecbk32.exe 768 Gkkgpc32.exe 5076 Glldgljg.exe 1752 Gdcliikj.exe 4292 Ggahedjn.exe 3696 Hloqml32.exe 4908 Hdehni32.exe 3820 Hgdejd32.exe 3036 Hibafp32.exe 4876 Hlambk32.exe 3384 Hdhedh32.exe 1552 Hgfapd32.exe 2260 Hienlpel.exe 4708 Hpofii32.exe 208 Hcmbee32.exe 3168 Hkdjfb32.exe 4000 Hmbfbn32.exe 2084 Hpabni32.exe 3780 Hgkkkcbc.exe 1908 Hlhccj32.exe 2956 Hcblpdgg.exe 1900 Hkicaahi.exe 4524 Iljpij32.exe 1048 Idahjg32.exe 5052 Ikkpgafg.exe 4312 Injmcmej.exe 4064 Idcepgmg.exe 4692 Igbalblk.exe 1940 Ijqmhnko.exe 2204 Ipjedh32.exe 1724 Iciaqc32.exe 2304 Ikpjbq32.exe 4860 Innfnl32.exe 1440 Idhnkf32.exe 3980 Iggjga32.exe 4544 Inqbclob.exe 1916 Ipoopgnf.exe 4288 Igigla32.exe 2268 Jjgchm32.exe 3048 Jpaleglc.exe 1416 Jcphab32.exe 4564 Jkgpbp32.exe 4384 Jlhljhbg.exe 1984 Jcbdgb32.exe 1420 Jkimho32.exe 2120 Jlkipgpe.exe 1400 Jdaaaeqg.exe 2768 Jgpmmp32.exe 388 Jlmfeg32.exe 2512 Jddnfd32.exe 1536 Jknfcofa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fkhpfbce.exe Fijdjfdb.exe File created C:\Windows\SysWOW64\Amlkko32.dll Kdbjhbbd.exe File created C:\Windows\SysWOW64\Poimpapp.exe Phodcg32.exe File created C:\Windows\SysWOW64\Oclknk32.dll Fiodpl32.exe File created C:\Windows\SysWOW64\Ilcldb32.exe Iidphgcn.exe File created C:\Windows\SysWOW64\Mqimikfj.exe Mjodla32.exe File opened for modification C:\Windows\SysWOW64\Emanjldl.exe Enpmld32.exe File created C:\Windows\SysWOW64\Hkmlnimb.exe Hebcao32.exe File created C:\Windows\SysWOW64\Komhll32.exe Jnlkedai.exe File created C:\Windows\SysWOW64\Kofdhd32.exe Khlklj32.exe File opened for modification C:\Windows\SysWOW64\Mbgeqmjp.exe Mpeiie32.exe File created C:\Windows\SysWOW64\Kdfepi32.dll Dcffnbee.exe File opened for modification C:\Windows\SysWOW64\Kgninn32.exe Kdpmbc32.exe File opened for modification C:\Windows\SysWOW64\Aojefobm.exe Aafemk32.exe File created C:\Windows\SysWOW64\Bejceb32.dll Fnffhgon.exe File created C:\Windows\SysWOW64\Pbcncibp.exe Oikjkc32.exe File created C:\Windows\SysWOW64\Akpbem32.dll Hjfbjdnd.exe File opened for modification C:\Windows\SysWOW64\Mkocol32.exe Mddkbbfg.exe File opened for modification C:\Windows\SysWOW64\Okailj32.exe Odgqopeb.exe File created C:\Windows\SysWOW64\Ibkgme32.dll Omgcpokp.exe File created C:\Windows\SysWOW64\Jeeobqbq.dll Dfiildio.exe File created C:\Windows\SysWOW64\Mlljnf32.exe Mbgeqmjp.exe File created C:\Windows\SysWOW64\Ohgohiia.dll Ggepalof.exe File opened for modification C:\Windows\SysWOW64\Hejjanpm.exe Hjdedepg.exe File created C:\Windows\SysWOW64\Mfbjdgmg.dll Deqcbpld.exe File created C:\Windows\SysWOW64\Mfcjqc32.dll Kegpifod.exe File created C:\Windows\SysWOW64\Ebggoi32.dll Bhmbqm32.exe File opened for modification C:\Windows\SysWOW64\Fqikob32.exe Fcekfnkb.exe File created C:\Windows\SysWOW64\Ibgmaqfl.exe Ihaidhgf.exe File opened for modification C:\Windows\SysWOW64\Poimpapp.exe Phodcg32.exe File created C:\Windows\SysWOW64\Iinjhh32.exe Imgicgca.exe File created C:\Windows\SysWOW64\Ibingd32.dll Fmhdkknd.exe File created C:\Windows\SysWOW64\Fpnkah32.dll Nmfmde32.exe File created C:\Windows\SysWOW64\Dnljkk32.exe Dknnoofg.exe File created C:\Windows\SysWOW64\Ekqckmfb.exe Ecikjoep.exe File opened for modification C:\Windows\SysWOW64\Mhnjna32.exe Madbagif.exe File opened for modification C:\Windows\SysWOW64\Llngbabj.exe Ledoegkm.exe File created C:\Windows\SysWOW64\Aeopfl32.exe Qcncodki.exe File created C:\Windows\SysWOW64\Fnipgg32.dll Mebcop32.exe File opened for modification C:\Windows\SysWOW64\Nnbnhedj.exe Nghekkmn.exe File created C:\Windows\SysWOW64\Ohcegi32.exe Nmgjia32.exe File created C:\Windows\SysWOW64\Coadnlnb.exe Chglab32.exe File created C:\Windows\SysWOW64\Adhdjpjf.exe Amnlme32.exe File created C:\Windows\SysWOW64\Cgogbi32.dll Ljbnfleo.exe File created C:\Windows\SysWOW64\Kfkklk32.dll Gqkhda32.exe File created C:\Windows\SysWOW64\Lhpnlclc.exe Laffpi32.exe File created C:\Windows\SysWOW64\Hmbfbn32.exe Hkdjfb32.exe File opened for modification C:\Windows\SysWOW64\Jdaaaeqg.exe Jlkipgpe.exe File created C:\Windows\SysWOW64\Oilmjcon.dll Ljfhqh32.exe File opened for modification C:\Windows\SysWOW64\Omegjomb.exe Oldjcg32.exe File opened for modification C:\Windows\SysWOW64\Kabcopmg.exe Kocgbend.exe File opened for modification C:\Windows\SysWOW64\Lhdggb32.exe Lbhool32.exe File created C:\Windows\SysWOW64\Lmdemd32.exe Ljfhqh32.exe File created C:\Windows\SysWOW64\Hdnacn32.dll Paoollik.exe File created C:\Windows\SysWOW64\Heegad32.exe Hnlodjpa.exe File created C:\Windows\SysWOW64\Dpifjj32.dll Mjlalkmd.exe File created C:\Windows\SysWOW64\Dmehgibj.dll Ihaidhgf.exe File created C:\Windows\SysWOW64\Obpkcc32.exe Odljjo32.exe File created C:\Windows\SysWOW64\Kajimagp.dll Amnlme32.exe File opened for modification C:\Windows\SysWOW64\Egohdegl.exe Edplhjhi.exe File created C:\Windows\SysWOW64\Apjfbb32.dll Lchfib32.exe File created C:\Windows\SysWOW64\Fdpnda32.exe Fnffhgon.exe File opened for modification C:\Windows\SysWOW64\Ndnnianm.exe Ncmaai32.exe File created C:\Windows\SysWOW64\Ngidlo32.dll Lckiihok.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljdai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggepalof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibgmaqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeopfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnplfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooclapd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jldbpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdedepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiildio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kegpifod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmfimga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkdibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbean32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajfdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acqgojmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glengm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opeiadfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncnob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbnigjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohqnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhmhpfmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohqpjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocfdgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odalmibl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akccap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomkcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaleglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llodgnja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmfllhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklnconj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhefhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojefobm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaqhjggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhomdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocgbend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcekfnkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheienli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppikbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aalmimfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfhqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihmedma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feenjgfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcoljagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefjnno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcliikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgjijmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doaneiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofkgcobj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akihcfid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkipgpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaaaeqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpmbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhdbm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alinebli.dll" Lbhool32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdnebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgqopeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idahjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmgabcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojqcnhkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebfign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbacd32.dll" Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehjdl32.dll" Lcggio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll" Bpjmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejojljqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eahobg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlefjnno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogjdmbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backpf32.dll" Hdehni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcblpdgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfejnf32.dll" Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmohno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjjlc32.dll" Fpbflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfqknfm.dll" Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oblhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phfjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll" Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngihj32.dll" Moefdljc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjjbjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll" Ejojljqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdmaoahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bochcckb.dll" Jldkeeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obpkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojaijla.dll" Qejfkmem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qckfid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jknfcofa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfgklkoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll" Acqgojmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpalgenf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcjldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejljgqdp.dll" Jdfjld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joekag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll" Nmjfodne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oophlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Ilqoobdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cildom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll" Jphkkpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklnconj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll" Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plpodked.dll" Mlljnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfepdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejqldci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcekfnkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongimkh.dll" Jnbgaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaqcnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icachjbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdfjld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdhkcb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3044 wrote to memory of 3684 3044 a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe 85 PID 3044 wrote to memory of 3684 3044 a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe 85 PID 3044 wrote to memory of 3684 3044 a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe 85 PID 3684 wrote to memory of 3200 3684 Dlieda32.exe 86 PID 3684 wrote to memory of 3200 3684 Dlieda32.exe 86 PID 3684 wrote to memory of 3200 3684 Dlieda32.exe 86 PID 3200 wrote to memory of 3988 3200 Djjebh32.exe 88 PID 3200 wrote to memory of 3988 3200 Djjebh32.exe 88 PID 3200 wrote to memory of 3988 3200 Djjebh32.exe 88 PID 3988 wrote to memory of 4032 3988 Dpgnjo32.exe 90 PID 3988 wrote to memory of 4032 3988 Dpgnjo32.exe 90 PID 3988 wrote to memory of 4032 3988 Dpgnjo32.exe 90 PID 4032 wrote to memory of 2400 4032 Ecefqnel.exe 91 PID 4032 wrote to memory of 2400 4032 Ecefqnel.exe 91 PID 4032 wrote to memory of 2400 4032 Ecefqnel.exe 91 PID 2400 wrote to memory of 4468 2400 Eleepoob.exe 93 PID 2400 wrote to memory of 4468 2400 Eleepoob.exe 93 PID 2400 wrote to memory of 4468 2400 Eleepoob.exe 93 PID 4468 wrote to memory of 2700 4468 Flinkojm.exe 94 PID 4468 wrote to memory of 2700 4468 Flinkojm.exe 94 PID 4468 wrote to memory of 2700 4468 Flinkojm.exe 94 PID 2700 wrote to memory of 3856 2700 Fjjnifbl.exe 95 PID 2700 wrote to memory of 3856 2700 Fjjnifbl.exe 95 PID 2700 wrote to memory of 3856 2700 Fjjnifbl.exe 95 PID 3856 wrote to memory of 4244 3856 Flqdlnde.exe 96 PID 3856 wrote to memory of 4244 3856 Flqdlnde.exe 96 PID 3856 wrote to memory of 4244 3856 Flqdlnde.exe 96 PID 4244 wrote to memory of 4160 4244 Fffhifdk.exe 97 PID 4244 wrote to memory of 4160 4244 Fffhifdk.exe 97 PID 4244 wrote to memory of 4160 4244 Fffhifdk.exe 97 PID 4160 wrote to memory of 1692 4160 Gjdaodja.exe 98 PID 4160 wrote to memory of 1692 4160 Gjdaodja.exe 98 PID 4160 wrote to memory of 1692 4160 Gjdaodja.exe 98 PID 1692 wrote to memory of 4432 1692 Glengm32.exe 99 PID 1692 wrote to memory of 4432 1692 Glengm32.exe 99 PID 1692 wrote to memory of 4432 1692 Glengm32.exe 99 PID 4432 wrote to memory of 392 4432 Gpcfmkff.exe 100 PID 4432 wrote to memory of 392 4432 Gpcfmkff.exe 100 PID 4432 wrote to memory of 392 4432 Gpcfmkff.exe 100 PID 392 wrote to memory of 3956 392 Gikkfqmf.exe 101 PID 392 wrote to memory of 3956 392 Gikkfqmf.exe 101 PID 392 wrote to memory of 3956 392 Gikkfqmf.exe 101 PID 3956 wrote to memory of 768 3956 Gpecbk32.exe 102 PID 3956 wrote to memory of 768 3956 Gpecbk32.exe 102 PID 3956 wrote to memory of 768 3956 Gpecbk32.exe 102 PID 768 wrote to memory of 5076 768 Gkkgpc32.exe 103 PID 768 wrote to memory of 5076 768 Gkkgpc32.exe 103 PID 768 wrote to memory of 5076 768 Gkkgpc32.exe 103 PID 5076 wrote to memory of 1752 5076 Glldgljg.exe 104 PID 5076 wrote to memory of 1752 5076 Glldgljg.exe 104 PID 5076 wrote to memory of 1752 5076 Glldgljg.exe 104 PID 1752 wrote to memory of 4292 1752 Gdcliikj.exe 105 PID 1752 wrote to memory of 4292 1752 Gdcliikj.exe 105 PID 1752 wrote to memory of 4292 1752 Gdcliikj.exe 105 PID 4292 wrote to memory of 3696 4292 Ggahedjn.exe 106 PID 4292 wrote to memory of 3696 4292 Ggahedjn.exe 106 PID 4292 wrote to memory of 3696 4292 Ggahedjn.exe 106 PID 3696 wrote to memory of 4908 3696 Hloqml32.exe 107 PID 3696 wrote to memory of 4908 3696 Hloqml32.exe 107 PID 3696 wrote to memory of 4908 3696 Hloqml32.exe 107 PID 4908 wrote to memory of 3820 4908 Hdehni32.exe 108 PID 4908 wrote to memory of 3820 4908 Hdehni32.exe 108 PID 4908 wrote to memory of 3820 4908 Hdehni32.exe 108 PID 3820 wrote to memory of 3036 3820 Hgdejd32.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe"C:\Users\Admin\AppData\Local\Temp\a7b516204638570546299e5de0ce1e04ca3b9258955b7bb3e03209cc29ecc41d.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe23⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe25⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe26⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe27⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4708 -
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe29⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3168 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe31⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe32⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe33⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Hlhccj32.exeC:\Windows\system32\Hlhccj32.exe34⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Hkicaahi.exeC:\Windows\system32\Hkicaahi.exe36⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe37⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Idahjg32.exeC:\Windows\system32\Idahjg32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Ikkpgafg.exeC:\Windows\system32\Ikkpgafg.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:5052 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe40⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe41⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe42⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe43⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Iciaqc32.exeC:\Windows\system32\Iciaqc32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Ikpjbq32.exeC:\Windows\system32\Ikpjbq32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Innfnl32.exeC:\Windows\system32\Innfnl32.exe47⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe48⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe49⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe51⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe52⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe53⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe55⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe56⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe57⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Jcbdgb32.exeC:\Windows\system32\Jcbdgb32.exe58⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Jkimho32.exeC:\Windows\system32\Jkimho32.exe59⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe62⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe63⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Jddnfd32.exeC:\Windows\system32\Jddnfd32.exe64⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe66⤵PID:4596
-
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe67⤵
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe68⤵PID:3564
-
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe69⤵PID:1020
-
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe70⤵PID:3108
-
C:\Windows\SysWOW64\Kggcnoic.exeC:\Windows\system32\Kggcnoic.exe71⤵PID:3460
-
C:\Windows\SysWOW64\Kjepjkhf.exeC:\Windows\system32\Kjepjkhf.exe72⤵PID:3444
-
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe73⤵PID:2908
-
C:\Windows\SysWOW64\Kcndbp32.exeC:\Windows\system32\Kcndbp32.exe74⤵PID:3816
-
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe75⤵PID:888
-
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe76⤵PID:1956
-
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe77⤵PID:3196
-
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4676 -
C:\Windows\SysWOW64\Kmieae32.exeC:\Windows\system32\Kmieae32.exe79⤵PID:2236
-
C:\Windows\SysWOW64\Kdpmbc32.exeC:\Windows\system32\Kdpmbc32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5140 -
C:\Windows\SysWOW64\Kgninn32.exeC:\Windows\system32\Kgninn32.exe81⤵PID:5180
-
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe82⤵PID:5224
-
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5264 -
C:\Windows\SysWOW64\Lgqfdnah.exeC:\Windows\system32\Lgqfdnah.exe84⤵PID:5308
-
C:\Windows\SysWOW64\Lnjnqh32.exeC:\Windows\system32\Lnjnqh32.exe85⤵PID:5352
-
C:\Windows\SysWOW64\Lqikmc32.exeC:\Windows\system32\Lqikmc32.exe86⤵PID:5396
-
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Lknojl32.exeC:\Windows\system32\Lknojl32.exe88⤵PID:5484
-
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe89⤵PID:5528
-
C:\Windows\SysWOW64\Ldgccb32.exeC:\Windows\system32\Ldgccb32.exe90⤵PID:5572
-
C:\Windows\SysWOW64\Lgepom32.exeC:\Windows\system32\Lgepom32.exe91⤵PID:5616
-
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe92⤵PID:5660
-
C:\Windows\SysWOW64\Lqndhcdc.exeC:\Windows\system32\Lqndhcdc.exe93⤵PID:5704
-
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe94⤵PID:5748
-
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5792 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe96⤵PID:5832
-
C:\Windows\SysWOW64\Lekmnajj.exeC:\Windows\system32\Lekmnajj.exe97⤵PID:5872
-
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe98⤵
- System Location Discovery: System Language Discovery
PID:5912 -
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe99⤵
- System Location Discovery: System Language Discovery
PID:5952 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5992 -
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe101⤵PID:6032
-
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe102⤵PID:6072
-
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe103⤵PID:6112
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe104⤵PID:4772
-
C:\Windows\SysWOW64\Mccfdmmo.exeC:\Windows\system32\Mccfdmmo.exe105⤵PID:1760
-
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe106⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1504 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe108⤵
- Drops file in System32 directory
PID:5124 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe109⤵PID:5168
-
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe110⤵PID:5240
-
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe111⤵PID:5304
-
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe112⤵PID:5388
-
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe113⤵PID:1356
-
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5520 -
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe115⤵PID:5584
-
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe116⤵PID:816
-
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe117⤵PID:5696
-
C:\Windows\SysWOW64\Mmbanbmg.exeC:\Windows\system32\Mmbanbmg.exe118⤵PID:5740
-
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe119⤵PID:3128
-
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe120⤵
- Drops file in System32 directory
PID:5860 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe121⤵PID:5908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-