Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11/09/2024, 06:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b63b9d62db62dd444bdf32f8810e6780N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
b63b9d62db62dd444bdf32f8810e6780N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
b63b9d62db62dd444bdf32f8810e6780N.exe
-
Size
63KB
-
MD5
b63b9d62db62dd444bdf32f8810e6780
-
SHA1
6bf72831aa3e3452471da87a1006d93a65b98dd9
-
SHA256
65c7a9ec2bc66b6b50fa4e24298e20441c4b38616eab41b0366648c5af327c18
-
SHA512
becc9db466d48a874886f6e756d6ef3be7ecccadd2b73dff71836d24cd7ea5f96686704ca0eac70b108c0bb7fa606b4effb793670032d0375aceb40849975bd6
-
SSDEEP
1536:YN+rSoc0z+Ewa5A4gdb7nZ+VFEn9rjDHE:ySSoB55qZoFk9DHE
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llimgb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfheof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfbkpab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcapicdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecikjoep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmdbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhikci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjidgkog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bipecnkd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojajin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbojlfdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahfmpnql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpgnjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olanmgig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpadhll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npiiffqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pffgom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmbegqjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdnjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcpnhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amlogfel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Damfao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbdiknlb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdlfjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccgjopal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidinqpb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocdnln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbchj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjkmomfn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqcejcha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boenhgdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlgoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giljfddl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepleocn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halaloif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keimof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecgodpgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgcfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knchpiom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgpeha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdalog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgjopal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jljbeali.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnlme32.exe -
Executes dropped EXE 64 IoCs
pid Process 2920 Afinioip.exe 4928 Alcfei32.exe 2208 Acmobchj.exe 2508 Afkknogn.exe 1160 Aleckinj.exe 2600 Aodogdmn.exe 2616 Bfngdn32.exe 4516 Bhldpj32.exe 952 Bkkple32.exe 3636 Bbdhiojo.exe 1688 Bhoqeibl.exe 4340 Bkmmaeap.exe 2148 Bcddcbab.exe 1460 Bjnmpl32.exe 1908 Bkoigdom.exe 4888 Bcfahbpo.exe 3572 Bfendmoc.exe 4952 Bmofagfp.exe 2844 Bombmcec.exe 2404 Bblnindg.exe 2880 Bheffh32.exe 1048 Bmabggdm.exe 1624 Bckkca32.exe 1860 Cfigpm32.exe 4968 Ckfphc32.exe 2400 Cobkhb32.exe 748 Cfldelik.exe 3156 Cmflbf32.exe 2852 Cbbdjm32.exe 1380 Cjjlkk32.exe 4412 Cmhigf32.exe 2196 Ccbadp32.exe 4316 Cfqmpl32.exe 696 Cmjemflb.exe 2612 Ckmehb32.exe 1144 Ccdnjp32.exe 2532 Cbgnemjj.exe 1704 Cjnffjkl.exe 2092 Cmmbbejp.exe 1912 Coknoaic.exe 4612 Ccgjopal.exe 2964 Djqblj32.exe 4892 Diccgfpd.exe 5096 Dkbocbog.exe 3512 Dcigeooj.exe 3556 Dfgcakon.exe 3268 Difpmfna.exe 1728 Dkdliame.exe 1116 Dckdjomg.exe 1528 Dbndfl32.exe 1508 Dihlbf32.exe 2024 Dmdhcddh.exe 4256 Dpbdopck.exe 924 Dflmlj32.exe 3300 Dikihe32.exe 3960 Dlieda32.exe 2028 Dpdaepai.exe 3812 Dfoiaj32.exe 4676 Dimenegi.exe 2004 Dpgnjo32.exe 2972 Ecbjkngo.exe 3428 Ejlbhh32.exe 1868 Emkndc32.exe 1776 Epikpo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ggahedjn.exe Gdcliikj.exe File created C:\Windows\SysWOW64\Hienlpel.exe Hgfapd32.exe File created C:\Windows\SysWOW64\Lgibpf32.exe Lcnfohmi.exe File opened for modification C:\Windows\SysWOW64\Amlogfel.exe Aknbkjfh.exe File created C:\Windows\SysWOW64\Cgfbbb32.exe Cpljehpo.exe File opened for modification C:\Windows\SysWOW64\Ibnjkbog.exe Hjfbjdnd.exe File opened for modification C:\Windows\SysWOW64\Odhifjkg.exe Nlmdbh32.exe File opened for modification C:\Windows\SysWOW64\Gpbpbecj.exe Gmdcfidg.exe File opened for modification C:\Windows\SysWOW64\Foclgq32.exe Fgmdec32.exe File created C:\Windows\SysWOW64\Dognaofl.dll Kamjda32.exe File opened for modification C:\Windows\SysWOW64\Ppgomnai.exe Pmhbqbae.exe File created C:\Windows\SysWOW64\Nohjfifo.dll Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Acmobchj.exe Alcfei32.exe File created C:\Windows\SysWOW64\Cmflbf32.exe Cfldelik.exe File opened for modification C:\Windows\SysWOW64\Gdcliikj.exe Glldgljg.exe File created C:\Windows\SysWOW64\Fngjep32.dll Mjkblhfo.exe File created C:\Windows\SysWOW64\Obnehj32.exe Oophlo32.exe File created C:\Windows\SysWOW64\Plbhknkl.dll Hienlpel.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Njfkmphe.exe File created C:\Windows\SysWOW64\Npgmpf32.exe Njjdho32.exe File created C:\Windows\SysWOW64\Eeclnmik.dll Lcclncbh.exe File opened for modification C:\Windows\SysWOW64\Dncpkjoc.exe Dgihop32.exe File opened for modification C:\Windows\SysWOW64\Fikbocki.exe Fcniglmb.exe File created C:\Windows\SysWOW64\Bjbmjjno.dll Klahfp32.exe File created C:\Windows\SysWOW64\Cpbjkn32.exe Cncnob32.exe File created C:\Windows\SysWOW64\Fajbjh32.exe Fbgbnkfm.exe File opened for modification C:\Windows\SysWOW64\Oophlo32.exe Omalpc32.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Kpjgaoqm.exe File created C:\Windows\SysWOW64\Ehpadhll.exe Edeeci32.exe File created C:\Windows\SysWOW64\Lhenai32.exe Legben32.exe File created C:\Windows\SysWOW64\Llimgb32.exe Ldbefe32.exe File created C:\Windows\SysWOW64\Dnbokg32.dll Hginecde.exe File opened for modification C:\Windows\SysWOW64\Ogcnmc32.exe Oplfkeob.exe File opened for modification C:\Windows\SysWOW64\Pfiddm32.exe Ppolhcnm.exe File opened for modification C:\Windows\SysWOW64\Dnonkq32.exe Dolmodpi.exe File opened for modification C:\Windows\SysWOW64\Edoencdm.exe Eaaiahei.exe File created C:\Windows\SysWOW64\Mcifkf32.exe Mqkiok32.exe File created C:\Windows\SysWOW64\Opqofe32.exe Ombcji32.exe File created C:\Windows\SysWOW64\Lcccepbd.dll Afbgkl32.exe File created C:\Windows\SysWOW64\Nmaciefp.exe Njbgmjgl.exe File created C:\Windows\SysWOW64\Obcckehh.dll Iagqgn32.exe File opened for modification C:\Windows\SysWOW64\Hgapmj32.exe Hqghqpnl.exe File created C:\Windows\SysWOW64\Hnfdcegm.dll Gipdap32.exe File created C:\Windows\SysWOW64\Minqeaad.dll Lokdnjkg.exe File created C:\Windows\SysWOW64\Pdmdnadc.exe Panhbfep.exe File created C:\Windows\SysWOW64\Hejqldci.exe Hbldphde.exe File created C:\Windows\SysWOW64\Fboecfii.exe Fkemfl32.exe File created C:\Windows\SysWOW64\Glgjlm32.exe Gmdjapgb.exe File created C:\Windows\SysWOW64\Jphkkpbp.exe Jinboekc.exe File created C:\Windows\SysWOW64\Lcnfohmi.exe Lmdnbn32.exe File created C:\Windows\SysWOW64\Nblolm32.exe Momcpa32.exe File created C:\Windows\SysWOW64\Badjai32.dll Fgjhpcmo.exe File created C:\Windows\SysWOW64\Kpqfid32.dll Gkdpbpih.exe File created C:\Windows\SysWOW64\Gdgfnm32.dll Joekag32.exe File created C:\Windows\SysWOW64\Bhldpj32.exe Bfngdn32.exe File created C:\Windows\SysWOW64\Hgfapd32.exe Hlambk32.exe File created C:\Windows\SysWOW64\Ekfcklij.dll Clchbqoo.exe File created C:\Windows\SysWOW64\Baiinofi.dll Ngndaccj.exe File opened for modification C:\Windows\SysWOW64\Cdbpgl32.exe Cacckp32.exe File created C:\Windows\SysWOW64\Fqphic32.exe Famhmfkl.exe File opened for modification C:\Windows\SysWOW64\Jnpjlajn.exe Jhfbog32.exe File created C:\Windows\SysWOW64\Ckfphc32.exe Cfigpm32.exe File created C:\Windows\SysWOW64\Njinmf32.exe Ncofplba.exe File created C:\Windows\SysWOW64\Qfohjf32.dll Qaalblgi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6632 6292 WerFault.exe 1084 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afappe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclmamod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbojlfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdopjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldfoad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcclncbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbplml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afockelf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keimof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbnigjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkdibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hienlpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmfeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbeml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpalgenf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbcfhibj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njedbjej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojfin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnffjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdobnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnmdcjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gldglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omopjcjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgocgjgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelonkph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjmkoeqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejojljqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlgoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfbjdnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqndhcdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgipd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnlom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfenglqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflhoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebfng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhpao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolhkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfojdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpedeiff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoiil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkefmjcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodeajbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppikbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icogcjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhhodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfglfdkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnfmqng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fohfbpgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbgmjgl.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enpfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbplml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnhbn32.dll" Ejlbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqomgid.dll" Gdjibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgfb32.dll" Hcblpdgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibfnqmpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npiiffqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcdeeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll" Amikgpcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celipg32.dll" Ibnjkbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neqhhf32.dll" Dpdaepai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiadfmi.dll" Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll" Ibbcfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll" Nmkmjjaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll" Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niojoeel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkcigjel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbdmo32.dll" Ldbefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kclgmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll" Njmqnobn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpclce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqlhmf32.dll" Hoclopne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amlogfel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdmmeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edionhpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeaiij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lncjlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfmbd32.dll" Doojec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmefoohh.dll" Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpchk32.dll" Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnbgaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll" Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdnfdoa.dll" Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifjfmcq.dll" Jgmjmjnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keoaokpd.dll" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkbocbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll" Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbijgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdopjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjimhnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhjimfo.dll" Ddifgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jekjcaef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haidfpki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnqgqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll" Dnpdegjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfgdpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jihbip32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5072 wrote to memory of 2920 5072 b63b9d62db62dd444bdf32f8810e6780N.exe 83 PID 5072 wrote to memory of 2920 5072 b63b9d62db62dd444bdf32f8810e6780N.exe 83 PID 5072 wrote to memory of 2920 5072 b63b9d62db62dd444bdf32f8810e6780N.exe 83 PID 2920 wrote to memory of 4928 2920 Afinioip.exe 84 PID 2920 wrote to memory of 4928 2920 Afinioip.exe 84 PID 2920 wrote to memory of 4928 2920 Afinioip.exe 84 PID 4928 wrote to memory of 2208 4928 Alcfei32.exe 85 PID 4928 wrote to memory of 2208 4928 Alcfei32.exe 85 PID 4928 wrote to memory of 2208 4928 Alcfei32.exe 85 PID 2208 wrote to memory of 2508 2208 Acmobchj.exe 86 PID 2208 wrote to memory of 2508 2208 Acmobchj.exe 86 PID 2208 wrote to memory of 2508 2208 Acmobchj.exe 86 PID 2508 wrote to memory of 1160 2508 Afkknogn.exe 87 PID 2508 wrote to memory of 1160 2508 Afkknogn.exe 87 PID 2508 wrote to memory of 1160 2508 Afkknogn.exe 87 PID 1160 wrote to memory of 2600 1160 Aleckinj.exe 88 PID 1160 wrote to memory of 2600 1160 Aleckinj.exe 88 PID 1160 wrote to memory of 2600 1160 Aleckinj.exe 88 PID 2600 wrote to memory of 2616 2600 Aodogdmn.exe 89 PID 2600 wrote to memory of 2616 2600 Aodogdmn.exe 89 PID 2600 wrote to memory of 2616 2600 Aodogdmn.exe 89 PID 2616 wrote to memory of 4516 2616 Bfngdn32.exe 90 PID 2616 wrote to memory of 4516 2616 Bfngdn32.exe 90 PID 2616 wrote to memory of 4516 2616 Bfngdn32.exe 90 PID 4516 wrote to memory of 952 4516 Bhldpj32.exe 92 PID 4516 wrote to memory of 952 4516 Bhldpj32.exe 92 PID 4516 wrote to memory of 952 4516 Bhldpj32.exe 92 PID 952 wrote to memory of 3636 952 Bkkple32.exe 93 PID 952 wrote to memory of 3636 952 Bkkple32.exe 93 PID 952 wrote to memory of 3636 952 Bkkple32.exe 93 PID 3636 wrote to memory of 1688 3636 Bbdhiojo.exe 94 PID 3636 wrote to memory of 1688 3636 Bbdhiojo.exe 94 PID 3636 wrote to memory of 1688 3636 Bbdhiojo.exe 94 PID 1688 wrote to memory of 4340 1688 Bhoqeibl.exe 95 PID 1688 wrote to memory of 4340 1688 Bhoqeibl.exe 95 PID 1688 wrote to memory of 4340 1688 Bhoqeibl.exe 95 PID 4340 wrote to memory of 2148 4340 Bkmmaeap.exe 96 PID 4340 wrote to memory of 2148 4340 Bkmmaeap.exe 96 PID 4340 wrote to memory of 2148 4340 Bkmmaeap.exe 96 PID 2148 wrote to memory of 1460 2148 Bcddcbab.exe 97 PID 2148 wrote to memory of 1460 2148 Bcddcbab.exe 97 PID 2148 wrote to memory of 1460 2148 Bcddcbab.exe 97 PID 1460 wrote to memory of 1908 1460 Bjnmpl32.exe 99 PID 1460 wrote to memory of 1908 1460 Bjnmpl32.exe 99 PID 1460 wrote to memory of 1908 1460 Bjnmpl32.exe 99 PID 1908 wrote to memory of 4888 1908 Bkoigdom.exe 100 PID 1908 wrote to memory of 4888 1908 Bkoigdom.exe 100 PID 1908 wrote to memory of 4888 1908 Bkoigdom.exe 100 PID 4888 wrote to memory of 3572 4888 Bcfahbpo.exe 101 PID 4888 wrote to memory of 3572 4888 Bcfahbpo.exe 101 PID 4888 wrote to memory of 3572 4888 Bcfahbpo.exe 101 PID 3572 wrote to memory of 4952 3572 Bfendmoc.exe 102 PID 3572 wrote to memory of 4952 3572 Bfendmoc.exe 102 PID 3572 wrote to memory of 4952 3572 Bfendmoc.exe 102 PID 4952 wrote to memory of 2844 4952 Bmofagfp.exe 103 PID 4952 wrote to memory of 2844 4952 Bmofagfp.exe 103 PID 4952 wrote to memory of 2844 4952 Bmofagfp.exe 103 PID 2844 wrote to memory of 2404 2844 Bombmcec.exe 105 PID 2844 wrote to memory of 2404 2844 Bombmcec.exe 105 PID 2844 wrote to memory of 2404 2844 Bombmcec.exe 105 PID 2404 wrote to memory of 2880 2404 Bblnindg.exe 106 PID 2404 wrote to memory of 2880 2404 Bblnindg.exe 106 PID 2404 wrote to memory of 2880 2404 Bblnindg.exe 106 PID 2880 wrote to memory of 1048 2880 Bheffh32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\b63b9d62db62dd444bdf32f8810e6780N.exe"C:\Users\Admin\AppData\Local\Temp\b63b9d62db62dd444bdf32f8810e6780N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Alcfei32.exeC:\Windows\system32\Alcfei32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Acmobchj.exeC:\Windows\system32\Acmobchj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Bhldpj32.exeC:\Windows\system32\Bhldpj32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Bkkple32.exeC:\Windows\system32\Bkkple32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Bhoqeibl.exeC:\Windows\system32\Bhoqeibl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Bjnmpl32.exeC:\Windows\system32\Bjnmpl32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Bombmcec.exeC:\Windows\system32\Bombmcec.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe23⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe24⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe26⤵
- Executes dropped EXE
PID:4968 -
C:\Windows\SysWOW64\Cobkhb32.exeC:\Windows\system32\Cobkhb32.exe27⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:748 -
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe29⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Cbbdjm32.exeC:\Windows\system32\Cbbdjm32.exe30⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe31⤵
- Executes dropped EXE
PID:1380 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4412 -
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe33⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe34⤵
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Cmjemflb.exeC:\Windows\system32\Cmjemflb.exe35⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe36⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ccdnjp32.exeC:\Windows\system32\Ccdnjp32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe38⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe40⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe41⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe43⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe44⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:5096 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe46⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe47⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe48⤵
- Executes dropped EXE
PID:3268 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe49⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Dckdjomg.exeC:\Windows\system32\Dckdjomg.exe50⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe51⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Dihlbf32.exeC:\Windows\system32\Dihlbf32.exe52⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe53⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Dpbdopck.exeC:\Windows\system32\Dpbdopck.exe54⤵
- Executes dropped EXE
PID:4256 -
C:\Windows\SysWOW64\Dflmlj32.exeC:\Windows\system32\Dflmlj32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe56⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe57⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Dpdaepai.exeC:\Windows\system32\Dpdaepai.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Dfoiaj32.exeC:\Windows\system32\Dfoiaj32.exe59⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe60⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Dpgnjo32.exeC:\Windows\system32\Dpgnjo32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ecbjkngo.exeC:\Windows\system32\Ecbjkngo.exe62⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Ejlbhh32.exeC:\Windows\system32\Ejlbhh32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Emkndc32.exeC:\Windows\system32\Emkndc32.exe64⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe65⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe66⤵PID:808
-
C:\Windows\SysWOW64\Efccmidp.exeC:\Windows\system32\Efccmidp.exe67⤵PID:1816
-
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe68⤵PID:3688
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe69⤵PID:4648
-
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe71⤵
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe72⤵PID:4192
-
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe73⤵PID:4552
-
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe74⤵
- System Location Discovery: System Language Discovery
PID:4428 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe75⤵PID:4852
-
C:\Windows\SysWOW64\Eleepoob.exeC:\Windows\system32\Eleepoob.exe76⤵PID:4152
-
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe77⤵
- System Location Discovery: System Language Discovery
PID:5092 -
C:\Windows\SysWOW64\Efjimhnh.exeC:\Windows\system32\Efjimhnh.exe78⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe79⤵PID:4908
-
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe80⤵PID:3696
-
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe81⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Fikbocki.exeC:\Windows\system32\Fikbocki.exe82⤵PID:2680
-
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe83⤵PID:4448
-
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe84⤵
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe85⤵
- Modifies registry class
PID:3404 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe86⤵PID:3476
-
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe87⤵
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:980 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe89⤵PID:1896
-
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe90⤵PID:1340
-
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe91⤵PID:888
-
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe92⤵PID:5056
-
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe93⤵PID:680
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe94⤵PID:1820
-
C:\Windows\SysWOW64\Fideeaco.exeC:\Windows\system32\Fideeaco.exe95⤵PID:4208
-
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe96⤵PID:4740
-
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe97⤵
- Modifies registry class
PID:4556 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4072 -
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe99⤵PID:3320
-
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe100⤵PID:5156
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe101⤵PID:5200
-
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe102⤵PID:5244
-
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe103⤵PID:5288
-
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe104⤵PID:5332
-
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe105⤵
- Drops file in System32 directory
PID:5376 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe106⤵PID:5420
-
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5460 -
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe108⤵PID:5500
-
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe109⤵PID:5540
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe110⤵PID:5584
-
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe111⤵PID:5624
-
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe112⤵PID:5668
-
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe113⤵
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe114⤵
- Drops file in System32 directory
PID:5756 -
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe115⤵PID:5800
-
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe116⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe117⤵PID:5884
-
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe118⤵PID:5928
-
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe119⤵PID:5976
-
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe120⤵
- Drops file in System32 directory
PID:6020 -
C:\Windows\SysWOW64\Hgfapd32.exeC:\Windows\system32\Hgfapd32.exe121⤵
- Drops file in System32 directory
PID:6064
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-