Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14/09/2024, 15:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e75eff4e6a3a362a1fdfdb5380e78f10N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
e75eff4e6a3a362a1fdfdb5380e78f10N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e75eff4e6a3a362a1fdfdb5380e78f10N.exe
-
Size
101KB
-
MD5
e75eff4e6a3a362a1fdfdb5380e78f10
-
SHA1
68f746db4670a7f88d442af8dab8826c8563907a
-
SHA256
f855cea92cb29200a07f35f604bd3b30f6a87d0725b63780bfaf799d608117d8
-
SHA512
18da8e071c47968f470e47a6d948b5bf3e51e1738bcf1fe8a06ac408116a5cb232bf8802a9c53f0e0707b11c8314ef5584dca8f63e50a2e6e06cbeed651cee47
-
SSDEEP
3072:891KtLyNv4HjakduXqbyu0sY7q5AnrHY4vDX:DxyNgOD853Anr44vDX
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefmgogl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Donecfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flekihpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmghdpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oacmchcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejjaqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgfmeg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgngih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfhfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kffhakjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfgloiqf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogefqeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibfbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnalmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kehojiej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmeiie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amfhgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmckmcq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imcqacfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnohnffc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndlacapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icqmncof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oakjnnap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjdbda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcneeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjeibc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkffi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chinkndp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqfolqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nocbfjmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhffijdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfaqcclf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okbhlm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajmmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohbjkgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okeklcen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnglcqio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhkgnkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anijjkbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebokodfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agiahlkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhhieao.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbalaoda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdebfago.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfaijand.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglnnkid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcedmkmp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmeqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqaiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mackfa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhammfci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbhhieao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhnjna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oflfdbip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohaokbfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkelplc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbknhqbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnohnffc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjpkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedbcebd.exe -
Executes dropped EXE 64 IoCs
pid Process 3088 Cgklmacf.exe 2124 Ciihjmcj.exe 632 Cpcpfg32.exe 1620 Cgmhcaac.exe 4064 Cacmpj32.exe 4776 Ccdihbgg.exe 2864 Dmjmekgn.exe 1904 Ddcebe32.exe 1824 Dgbanq32.exe 5012 Dahfkimd.exe 892 Ddfbgelh.exe 4608 Dgdncplk.exe 1624 Dnngpj32.exe 4284 Dckoia32.exe 60 Djegekil.exe 4628 Dalofi32.exe 2120 Dcnlnaom.exe 3656 Daollh32.exe 4480 Ddmhhd32.exe 2136 Ejjaqk32.exe 556 Epdime32.exe 368 Egnajocq.exe 4384 Eaceghcg.exe 540 Ecdbop32.exe 5068 Ejojljqa.exe 4516 Eafbmgad.exe 4060 Egbken32.exe 1472 Eahobg32.exe 1168 Eqkondfl.exe 1116 Edfknb32.exe 4688 Egegjn32.exe 4592 Ejccgi32.exe 4916 Eajlhg32.exe 3228 Edihdb32.exe 4140 Fggdpnkf.exe 2060 Fnalmh32.exe 2828 Fcneeo32.exe 536 Fgiaemic.exe 3440 Fncibg32.exe 2836 Fqbeoc32.exe 436 Fglnkm32.exe 2424 Fkgillpj.exe 3288 Fnffhgon.exe 5096 Fdpnda32.exe 4460 Fcbnpnme.exe 2484 Fnhbmgmk.exe 336 Fqfojblo.exe 4224 Fcekfnkb.exe 1716 Fklcgk32.exe 1760 Fbfkceca.exe 4684 Gcghkm32.exe 1996 Gjaphgpl.exe 2012 Gbhhieao.exe 4736 Gcjdam32.exe 772 Ggepalof.exe 4324 Gnohnffc.exe 2804 Gqnejaff.exe 4556 Gggmgk32.exe 1916 Gqpapacd.exe 2436 Gcnnllcg.exe 3652 Gkefmjcj.exe 3768 Gbpnjdkg.exe 3600 Gdnjfojj.exe 2476 Gjkbnfha.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iggocbke.exe Hclccd32.exe File created C:\Windows\SysWOW64\Jcnbekok.exe Jobfdl32.exe File created C:\Windows\SysWOW64\Jqhdfhck.dll Adkelplc.exe File opened for modification C:\Windows\SysWOW64\Mpchbhjl.exe Mjfoja32.exe File created C:\Windows\SysWOW64\Ddfbgelh.exe Dahfkimd.exe File created C:\Windows\SysWOW64\Pqgpcnpb.dll Fbfkceca.exe File created C:\Windows\SysWOW64\Hkmlnimb.exe Hcedmkmp.exe File created C:\Windows\SysWOW64\Djkjkdck.dll Jckeokan.exe File created C:\Windows\SysWOW64\Lahbei32.exe Lknjhokg.exe File created C:\Windows\SysWOW64\Qemgmmip.dll Lndfchdj.exe File created C:\Windows\SysWOW64\Mdkabmjf.exe Loniiflo.exe File created C:\Windows\SysWOW64\Aoahkfnb.dll Fcodfa32.exe File opened for modification C:\Windows\SysWOW64\Fncibg32.exe Fgiaemic.exe File created C:\Windows\SysWOW64\Kaihqipl.dll Oacdmo32.exe File created C:\Windows\SysWOW64\Fiplni32.dll Cgklmacf.exe File created C:\Windows\SysWOW64\Fbfkceca.exe Fklcgk32.exe File opened for modification C:\Windows\SysWOW64\Bbpolb32.exe Bgjjoi32.exe File created C:\Windows\SysWOW64\Gadeee32.dll Fncibg32.exe File created C:\Windows\SysWOW64\Kpmmhc32.dll Obfhmd32.exe File created C:\Windows\SysWOW64\Hoclajjj.dll Alpnde32.exe File opened for modification C:\Windows\SysWOW64\Bimach32.exe Bbcignbo.exe File created C:\Windows\SysWOW64\Hgbfhc32.exe Hddilh32.exe File created C:\Windows\SysWOW64\Qjoenl32.dll Pdpmkhjl.exe File created C:\Windows\SysWOW64\Dpihbjmg.exe Dlnlak32.exe File created C:\Windows\SysWOW64\Lfmghdpl.exe Lapopm32.exe File opened for modification C:\Windows\SysWOW64\Opjgidfa.exe Oiqomj32.exe File created C:\Windows\SysWOW64\Fbkcnp32.dll Kopcbo32.exe File created C:\Windows\SysWOW64\Jgfdkj32.dll Dpgbgpbe.exe File created C:\Windows\SysWOW64\Pdnpeh32.exe Poagma32.exe File created C:\Windows\SysWOW64\Ljffccjh.exe Kggjghkd.exe File opened for modification C:\Windows\SysWOW64\Okailj32.exe Ohcmpn32.exe File created C:\Windows\SysWOW64\Dliffkod.dll Dfqdid32.exe File created C:\Windows\SysWOW64\Hfgloiqf.exe Hjpkjh32.exe File created C:\Windows\SysWOW64\Gjaphgpl.exe Gcghkm32.exe File opened for modification C:\Windows\SysWOW64\Ohcmpn32.exe Odgqopeb.exe File opened for modification C:\Windows\SysWOW64\Bbalaoda.exe Bboplo32.exe File created C:\Windows\SysWOW64\Lajhpbme.exe Lokldg32.exe File opened for modification C:\Windows\SysWOW64\Odaiodbp.exe Oacmchcl.exe File created C:\Windows\SysWOW64\Dnienqbi.exe Dgomaf32.exe File created C:\Windows\SysWOW64\Ckfaapfi.dll Gnohnffc.exe File created C:\Windows\SysWOW64\Hbdgec32.exe Hkjohi32.exe File created C:\Windows\SysWOW64\Dkakfgoq.dll Dpefaq32.exe File created C:\Windows\SysWOW64\Mknlef32.exe Mgbpdgap.exe File created C:\Windows\SysWOW64\Anijjkbj.exe Agobna32.exe File opened for modification C:\Windows\SysWOW64\Kplijk32.exe Kiaqnagj.exe File opened for modification C:\Windows\SysWOW64\Kggjghkd.exe Kanbjn32.exe File created C:\Windows\SysWOW64\Mffjnc32.exe Lplaaiqd.exe File created C:\Windows\SysWOW64\Dgaiffii.exe Dagajlal.exe File created C:\Windows\SysWOW64\Dibdeegc.exe Dbhlikpf.exe File opened for modification C:\Windows\SysWOW64\Hladlc32.exe Hjbhph32.exe File opened for modification C:\Windows\SysWOW64\Igieoleg.exe Imcqacfq.exe File created C:\Windows\SysWOW64\Ofnfbijk.dll Kdmlkfjb.exe File opened for modification C:\Windows\SysWOW64\Aijlgkjq.exe Qmckbjdl.exe File created C:\Windows\SysWOW64\Ohdbkh32.exe Oakjnnap.exe File created C:\Windows\SysWOW64\Agacalbb.dll Fibfbm32.exe File created C:\Windows\SysWOW64\Alpnde32.exe Aeffgkkp.exe File created C:\Windows\SysWOW64\Mhoimi32.dll Clmckmcq.exe File created C:\Windows\SysWOW64\Hgbhfhcl.dll Hgmebnpd.exe File created C:\Windows\SysWOW64\Bnicai32.exe Blkgen32.exe File created C:\Windows\SysWOW64\Fohhdm32.dll Cgmhcaac.exe File created C:\Windows\SysWOW64\Piifjomf.dll Blknpdho.exe File created C:\Windows\SysWOW64\Kncpqlhj.dll Ofhcdlgg.exe File created C:\Windows\SysWOW64\Cldjkl32.exe Chinkndp.exe File opened for modification C:\Windows\SysWOW64\Eieplhlf.exe Eblgon32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14412 15280 WerFault.exe 767 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmffnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjiloqjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqpapacd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckjlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfqdid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beobcdoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqbifpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajodef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhfcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moalil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeffgkkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjlap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmijnfgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfgahikm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfhfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnalmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcila32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgbgpbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jflnafno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcpojk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohkai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffhakjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglgdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndlacapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqdmghnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidmcqeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaijand.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbhool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggocbke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chinkndp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmeiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbknhqbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nocbfjmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlhipbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglnnkid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpnjdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkbkmqed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbpeghpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gllajf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnngpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mohbjkgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okolfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qffoejkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbniai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhcdlgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnknim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkimn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdfho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odaiodbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdofpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lahbei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alpnde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbqalle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mphamg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjdam32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eljchpnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjcfcakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oogdfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oajccgmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhfcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midbjmkg.dll" Cdebfago.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibnjkbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll" Lkiamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkhkced.dll" Fpoaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnpmkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcnhngo.dll" Fgmllpng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fljedg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjpkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpchp32.dll" Hkcbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekmlhg.dll" Bfabmmhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eippgckc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmagch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkpol32.dll" Lbhool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pehjfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edcgnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkjkdck.dll" Jckeokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnjgog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfgmki32.dll" Qhddgofo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aannbg32.dll" Jejbhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edngom32.dll" Hkjohi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hegmlnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkgmoncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll" Qbngeadf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbhlikpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfemoei.dll" Efopjbjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcjdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgedjjki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blknpdho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdnjfojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkcbnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoekde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpbkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjiloqjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edihdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjeibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfhlpnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgflobdk.dll" Defajqko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beefhclj.dll" Ehkcgkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhllni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhgie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbdgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iloajfml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgngih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efhjjcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eldbbjof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opjgidfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjcdih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll" Fgiaemic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kemhei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leqkeajd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfgahikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinndkag.dll" Dpihbjmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nccmog32.dll" Nipffmmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pknghk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcedmkmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijlgkjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfdojfm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 3088 2272 e75eff4e6a3a362a1fdfdb5380e78f10N.exe 90 PID 2272 wrote to memory of 3088 2272 e75eff4e6a3a362a1fdfdb5380e78f10N.exe 90 PID 2272 wrote to memory of 3088 2272 e75eff4e6a3a362a1fdfdb5380e78f10N.exe 90 PID 3088 wrote to memory of 2124 3088 Cgklmacf.exe 91 PID 3088 wrote to memory of 2124 3088 Cgklmacf.exe 91 PID 3088 wrote to memory of 2124 3088 Cgklmacf.exe 91 PID 2124 wrote to memory of 632 2124 Ciihjmcj.exe 92 PID 2124 wrote to memory of 632 2124 Ciihjmcj.exe 92 PID 2124 wrote to memory of 632 2124 Ciihjmcj.exe 92 PID 632 wrote to memory of 1620 632 Cpcpfg32.exe 93 PID 632 wrote to memory of 1620 632 Cpcpfg32.exe 93 PID 632 wrote to memory of 1620 632 Cpcpfg32.exe 93 PID 1620 wrote to memory of 4064 1620 Cgmhcaac.exe 94 PID 1620 wrote to memory of 4064 1620 Cgmhcaac.exe 94 PID 1620 wrote to memory of 4064 1620 Cgmhcaac.exe 94 PID 4064 wrote to memory of 4776 4064 Cacmpj32.exe 95 PID 4064 wrote to memory of 4776 4064 Cacmpj32.exe 95 PID 4064 wrote to memory of 4776 4064 Cacmpj32.exe 95 PID 4776 wrote to memory of 2864 4776 Ccdihbgg.exe 96 PID 4776 wrote to memory of 2864 4776 Ccdihbgg.exe 96 PID 4776 wrote to memory of 2864 4776 Ccdihbgg.exe 96 PID 2864 wrote to memory of 1904 2864 Dmjmekgn.exe 97 PID 2864 wrote to memory of 1904 2864 Dmjmekgn.exe 97 PID 2864 wrote to memory of 1904 2864 Dmjmekgn.exe 97 PID 1904 wrote to memory of 1824 1904 Ddcebe32.exe 98 PID 1904 wrote to memory of 1824 1904 Ddcebe32.exe 98 PID 1904 wrote to memory of 1824 1904 Ddcebe32.exe 98 PID 1824 wrote to memory of 5012 1824 Dgbanq32.exe 99 PID 1824 wrote to memory of 5012 1824 Dgbanq32.exe 99 PID 1824 wrote to memory of 5012 1824 Dgbanq32.exe 99 PID 5012 wrote to memory of 892 5012 Dahfkimd.exe 100 PID 5012 wrote to memory of 892 5012 Dahfkimd.exe 100 PID 5012 wrote to memory of 892 5012 Dahfkimd.exe 100 PID 892 wrote to memory of 4608 892 Ddfbgelh.exe 102 PID 892 wrote to memory of 4608 892 Ddfbgelh.exe 102 PID 892 wrote to memory of 4608 892 Ddfbgelh.exe 102 PID 4608 wrote to memory of 1624 4608 Dgdncplk.exe 103 PID 4608 wrote to memory of 1624 4608 Dgdncplk.exe 103 PID 4608 wrote to memory of 1624 4608 Dgdncplk.exe 103 PID 1624 wrote to memory of 4284 1624 Dnngpj32.exe 104 PID 1624 wrote to memory of 4284 1624 Dnngpj32.exe 104 PID 1624 wrote to memory of 4284 1624 Dnngpj32.exe 104 PID 4284 wrote to memory of 60 4284 Dckoia32.exe 105 PID 4284 wrote to memory of 60 4284 Dckoia32.exe 105 PID 4284 wrote to memory of 60 4284 Dckoia32.exe 105 PID 60 wrote to memory of 4628 60 Djegekil.exe 107 PID 60 wrote to memory of 4628 60 Djegekil.exe 107 PID 60 wrote to memory of 4628 60 Djegekil.exe 107 PID 4628 wrote to memory of 2120 4628 Dalofi32.exe 108 PID 4628 wrote to memory of 2120 4628 Dalofi32.exe 108 PID 4628 wrote to memory of 2120 4628 Dalofi32.exe 108 PID 2120 wrote to memory of 3656 2120 Dcnlnaom.exe 109 PID 2120 wrote to memory of 3656 2120 Dcnlnaom.exe 109 PID 2120 wrote to memory of 3656 2120 Dcnlnaom.exe 109 PID 3656 wrote to memory of 4480 3656 Daollh32.exe 110 PID 3656 wrote to memory of 4480 3656 Daollh32.exe 110 PID 3656 wrote to memory of 4480 3656 Daollh32.exe 110 PID 4480 wrote to memory of 2136 4480 Ddmhhd32.exe 111 PID 4480 wrote to memory of 2136 4480 Ddmhhd32.exe 111 PID 4480 wrote to memory of 2136 4480 Ddmhhd32.exe 111 PID 2136 wrote to memory of 556 2136 Ejjaqk32.exe 113 PID 2136 wrote to memory of 556 2136 Ejjaqk32.exe 113 PID 2136 wrote to memory of 556 2136 Ejjaqk32.exe 113 PID 556 wrote to memory of 368 556 Epdime32.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\e75eff4e6a3a362a1fdfdb5380e78f10N.exe"C:\Users\Admin\AppData\Local\Temp\e75eff4e6a3a362a1fdfdb5380e78f10N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Cgklmacf.exeC:\Windows\system32\Cgklmacf.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Ciihjmcj.exeC:\Windows\system32\Ciihjmcj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Cpcpfg32.exeC:\Windows\system32\Cpcpfg32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Cgmhcaac.exeC:\Windows\system32\Cgmhcaac.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Cacmpj32.exeC:\Windows\system32\Cacmpj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Ccdihbgg.exeC:\Windows\system32\Ccdihbgg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Dmjmekgn.exeC:\Windows\system32\Dmjmekgn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Ddcebe32.exeC:\Windows\system32\Ddcebe32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Dgbanq32.exeC:\Windows\system32\Dgbanq32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Dahfkimd.exeC:\Windows\system32\Dahfkimd.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Ddfbgelh.exeC:\Windows\system32\Ddfbgelh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Dgdncplk.exeC:\Windows\system32\Dgdncplk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\Dnngpj32.exeC:\Windows\system32\Dnngpj32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Dckoia32.exeC:\Windows\system32\Dckoia32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Djegekil.exeC:\Windows\system32\Djegekil.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\Dalofi32.exeC:\Windows\system32\Dalofi32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Dcnlnaom.exeC:\Windows\system32\Dcnlnaom.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Daollh32.exeC:\Windows\system32\Daollh32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Ddmhhd32.exeC:\Windows\system32\Ddmhhd32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Ejjaqk32.exeC:\Windows\system32\Ejjaqk32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Epdime32.exeC:\Windows\system32\Epdime32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Egnajocq.exeC:\Windows\system32\Egnajocq.exe23⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Eaceghcg.exeC:\Windows\system32\Eaceghcg.exe24⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Ecdbop32.exeC:\Windows\system32\Ecdbop32.exe25⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Ejojljqa.exeC:\Windows\system32\Ejojljqa.exe26⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Eafbmgad.exeC:\Windows\system32\Eafbmgad.exe27⤵
- Executes dropped EXE
PID:4516 -
C:\Windows\SysWOW64\Egbken32.exeC:\Windows\system32\Egbken32.exe28⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\Eahobg32.exeC:\Windows\system32\Eahobg32.exe29⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Eqkondfl.exeC:\Windows\system32\Eqkondfl.exe30⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Edfknb32.exeC:\Windows\system32\Edfknb32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Egegjn32.exeC:\Windows\system32\Egegjn32.exe32⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Ejccgi32.exeC:\Windows\system32\Ejccgi32.exe33⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Eajlhg32.exeC:\Windows\system32\Eajlhg32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\Edihdb32.exeC:\Windows\system32\Edihdb32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Fggdpnkf.exeC:\Windows\system32\Fggdpnkf.exe36⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Fnalmh32.exeC:\Windows\system32\Fnalmh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Fcneeo32.exeC:\Windows\system32\Fcneeo32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Fgiaemic.exeC:\Windows\system32\Fgiaemic.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Fncibg32.exeC:\Windows\system32\Fncibg32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3440 -
C:\Windows\SysWOW64\Fqbeoc32.exeC:\Windows\system32\Fqbeoc32.exe41⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Fglnkm32.exeC:\Windows\system32\Fglnkm32.exe42⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Fkgillpj.exeC:\Windows\system32\Fkgillpj.exe43⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Fnffhgon.exeC:\Windows\system32\Fnffhgon.exe44⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Fdpnda32.exeC:\Windows\system32\Fdpnda32.exe45⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Fcbnpnme.exeC:\Windows\system32\Fcbnpnme.exe46⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Fnhbmgmk.exeC:\Windows\system32\Fnhbmgmk.exe47⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Fqfojblo.exeC:\Windows\system32\Fqfojblo.exe48⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Fcekfnkb.exeC:\Windows\system32\Fcekfnkb.exe49⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Fklcgk32.exeC:\Windows\system32\Fklcgk32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Fbfkceca.exeC:\Windows\system32\Fbfkceca.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Gcghkm32.exeC:\Windows\system32\Gcghkm32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4684 -
C:\Windows\SysWOW64\Gjaphgpl.exeC:\Windows\system32\Gjaphgpl.exe53⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Gbhhieao.exeC:\Windows\system32\Gbhhieao.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Gcjdam32.exeC:\Windows\system32\Gcjdam32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4736 -
C:\Windows\SysWOW64\Ggepalof.exeC:\Windows\system32\Ggepalof.exe56⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Gnohnffc.exeC:\Windows\system32\Gnohnffc.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4324 -
C:\Windows\SysWOW64\Gqnejaff.exeC:\Windows\system32\Gqnejaff.exe58⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Gggmgk32.exeC:\Windows\system32\Gggmgk32.exe59⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Gqpapacd.exeC:\Windows\system32\Gqpapacd.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Gcnnllcg.exeC:\Windows\system32\Gcnnllcg.exe61⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Gkefmjcj.exeC:\Windows\system32\Gkefmjcj.exe62⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Gbpnjdkg.exeC:\Windows\system32\Gbpnjdkg.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Windows\SysWOW64\Gdnjfojj.exeC:\Windows\system32\Gdnjfojj.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Gjkbnfha.exeC:\Windows\system32\Gjkbnfha.exe65⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Hqdkkp32.exeC:\Windows\system32\Hqdkkp32.exe66⤵PID:4220
-
C:\Windows\SysWOW64\Hccggl32.exeC:\Windows\system32\Hccggl32.exe67⤵PID:3424
-
C:\Windows\SysWOW64\Hkjohi32.exeC:\Windows\system32\Hkjohi32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Hbdgec32.exeC:\Windows\system32\Hbdgec32.exe69⤵
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Hcedmkmp.exeC:\Windows\system32\Hcedmkmp.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3256 -
C:\Windows\SysWOW64\Hkmlnimb.exeC:\Windows\system32\Hkmlnimb.exe71⤵PID:2064
-
C:\Windows\SysWOW64\Hbfdjc32.exeC:\Windows\system32\Hbfdjc32.exe72⤵PID:5136
-
C:\Windows\SysWOW64\Haidfpki.exeC:\Windows\system32\Haidfpki.exe73⤵PID:5176
-
C:\Windows\SysWOW64\Hgcmbj32.exeC:\Windows\system32\Hgcmbj32.exe74⤵PID:5216
-
C:\Windows\SysWOW64\Hnmeodjc.exeC:\Windows\system32\Hnmeodjc.exe75⤵PID:5256
-
C:\Windows\SysWOW64\Hegmlnbp.exeC:\Windows\system32\Hegmlnbp.exe76⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Hgeihiac.exeC:\Windows\system32\Hgeihiac.exe77⤵PID:5340
-
C:\Windows\SysWOW64\Hjdedepg.exeC:\Windows\system32\Hjdedepg.exe78⤵PID:5380
-
C:\Windows\SysWOW64\Hbknebqi.exeC:\Windows\system32\Hbknebqi.exe79⤵PID:5420
-
C:\Windows\SysWOW64\Hejjanpm.exeC:\Windows\system32\Hejjanpm.exe80⤵PID:5460
-
C:\Windows\SysWOW64\Hkcbnh32.exeC:\Windows\system32\Hkcbnh32.exe81⤵
- Modifies registry class
PID:5500 -
C:\Windows\SysWOW64\Ibnjkbog.exeC:\Windows\system32\Ibnjkbog.exe82⤵
- Modifies registry class
PID:5544 -
C:\Windows\SysWOW64\Icogcjde.exeC:\Windows\system32\Icogcjde.exe83⤵PID:5588
-
C:\Windows\SysWOW64\Igjbci32.exeC:\Windows\system32\Igjbci32.exe84⤵PID:5632
-
C:\Windows\SysWOW64\Ijiopd32.exeC:\Windows\system32\Ijiopd32.exe85⤵PID:5676
-
C:\Windows\SysWOW64\Iabglnco.exeC:\Windows\system32\Iabglnco.exe86⤵PID:5720
-
C:\Windows\SysWOW64\Igmoih32.exeC:\Windows\system32\Igmoih32.exe87⤵PID:5764
-
C:\Windows\SysWOW64\Iccpniqp.exeC:\Windows\system32\Iccpniqp.exe88⤵PID:5808
-
C:\Windows\SysWOW64\Inidkb32.exeC:\Windows\system32\Inidkb32.exe89⤵PID:5852
-
C:\Windows\SysWOW64\Iagqgn32.exeC:\Windows\system32\Iagqgn32.exe90⤵PID:5896
-
C:\Windows\SysWOW64\Iecmhlhb.exeC:\Windows\system32\Iecmhlhb.exe91⤵PID:5940
-
C:\Windows\SysWOW64\Ihaidhgf.exeC:\Windows\system32\Ihaidhgf.exe92⤵PID:5988
-
C:\Windows\SysWOW64\Ilmedf32.exeC:\Windows\system32\Ilmedf32.exe93⤵
- System Location Discovery: System Language Discovery
PID:6028 -
C:\Windows\SysWOW64\Inkaqb32.exeC:\Windows\system32\Inkaqb32.exe94⤵PID:6072
-
C:\Windows\SysWOW64\Iajmmm32.exeC:\Windows\system32\Iajmmm32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6116 -
C:\Windows\SysWOW64\Idhiii32.exeC:\Windows\system32\Idhiii32.exe96⤵PID:5144
-
C:\Windows\SysWOW64\Iloajfml.exeC:\Windows\system32\Iloajfml.exe97⤵
- Modifies registry class
PID:5208 -
C:\Windows\SysWOW64\Jbijgp32.exeC:\Windows\system32\Jbijgp32.exe98⤵PID:5288
-
C:\Windows\SysWOW64\Jehfcl32.exeC:\Windows\system32\Jehfcl32.exe99⤵PID:5368
-
C:\Windows\SysWOW64\Jlanpfkj.exeC:\Windows\system32\Jlanpfkj.exe100⤵PID:5452
-
C:\Windows\SysWOW64\Jblflp32.exeC:\Windows\system32\Jblflp32.exe101⤵PID:5520
-
C:\Windows\SysWOW64\Jejbhk32.exeC:\Windows\system32\Jejbhk32.exe102⤵
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Jdmcdhhe.exeC:\Windows\system32\Jdmcdhhe.exe103⤵PID:5668
-
C:\Windows\SysWOW64\Jnbgaa32.exeC:\Windows\system32\Jnbgaa32.exe104⤵PID:5732
-
C:\Windows\SysWOW64\Jjihfbno.exeC:\Windows\system32\Jjihfbno.exe105⤵PID:5792
-
C:\Windows\SysWOW64\Jbppgona.exeC:\Windows\system32\Jbppgona.exe106⤵PID:5864
-
C:\Windows\SysWOW64\Jhmhpfmi.exeC:\Windows\system32\Jhmhpfmi.exe107⤵PID:5924
-
C:\Windows\SysWOW64\Jogqlpde.exeC:\Windows\system32\Jogqlpde.exe108⤵PID:6000
-
C:\Windows\SysWOW64\Jaemilci.exeC:\Windows\system32\Jaemilci.exe109⤵PID:6060
-
C:\Windows\SysWOW64\Jlkafdco.exeC:\Windows\system32\Jlkafdco.exe110⤵PID:6140
-
C:\Windows\SysWOW64\Jjnaaa32.exeC:\Windows\system32\Jjnaaa32.exe111⤵PID:5188
-
C:\Windows\SysWOW64\Kahinkaf.exeC:\Windows\system32\Kahinkaf.exe112⤵PID:5320
-
C:\Windows\SysWOW64\Kdffjgpj.exeC:\Windows\system32\Kdffjgpj.exe113⤵PID:5404
-
C:\Windows\SysWOW64\Koljgppp.exeC:\Windows\system32\Koljgppp.exe114⤵PID:5536
-
C:\Windows\SysWOW64\Kbgfhnhi.exeC:\Windows\system32\Kbgfhnhi.exe115⤵PID:5664
-
C:\Windows\SysWOW64\Kkbkmqed.exeC:\Windows\system32\Kkbkmqed.exe116⤵
- System Location Discovery: System Language Discovery
PID:5748 -
C:\Windows\SysWOW64\Kehojiej.exeC:\Windows\system32\Kehojiej.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5880 -
C:\Windows\SysWOW64\Kopcbo32.exeC:\Windows\system32\Kopcbo32.exe118⤵
- Drops file in System32 directory
PID:5980 -
C:\Windows\SysWOW64\Kdmlkfjb.exeC:\Windows\system32\Kdmlkfjb.exe119⤵
- Drops file in System32 directory
PID:6108 -
C:\Windows\SysWOW64\Klddlckd.exeC:\Windows\system32\Klddlckd.exe120⤵PID:5228
-
C:\Windows\SysWOW64\Kbnlim32.exeC:\Windows\system32\Kbnlim32.exe121⤵PID:5428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-