Analysis
- max time kernel: 104s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/08/2024, 12:11
Static task: static1
Behavioral task: behavioral1
- Sample: d349b335718fd5b0683fb4df77a2dd60N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: d349b335718fd5b0683fb4df77a2dd60N.exe
- Resource: win10v2004-20240802-en
General
- Target: d349b335718fd5b0683fb4df77a2dd60N.exe
- Size: 256KB
- MD5: d349b335718fd5b0683fb4df77a2dd60
- SHA1: 089f27b4178c39f9f477e3821db59a955ed0c9e6
- SHA256: 88bc333f044a4603bec52e8da3d38e963bbe14f520dfc5ee9ebd24dd0afbd141
- SHA512: c16351d7772b79a217f4aeea4443d052ca9ef55f2905409e61d9a6ed9bba6505357b71310b4d8ad7a189d0375bc9701c3dff77dce6f76364fa7d15969584c71f
- SSDEEP: 6144:QVQum0ggzL2V4cpC0L4AY7YWT63cpC0L4:NPGL2/p9i7drp9
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdiaoike.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Homanp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Homanp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hbknjkno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmaknb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbolmf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cacmecno.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlbchkfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ccjlfi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlhbdgia.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjmnbd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llnggk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mcfkec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjmnbd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfbppkjm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfeobe32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hfgjjj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elijijpb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ghjfkgoi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Doqpdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ehbgcjcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hokdhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfgjjj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jioadaon.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dffdcccb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckidhi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkbgnh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlmjmkjo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eceokcel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghgiegak.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipfddo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipknonbk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpnclkbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clfdllpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caeijc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnffcajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nnpimkfl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baicdncn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcbikkqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfonbdij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cejojb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hihble32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdnjjh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmkfknid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocfdlqmi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhckqh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Echkqcci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdnackeb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fhpceh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fbihnnnd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gomhgbmn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkmlbb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lefkpq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnbebk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Baccne32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ceoheb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opjeee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfcogecg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gooemb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kdllaihl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mikjfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pqknlbmp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ddfbln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdqgphem.exe
Executes dropped EXE (64 IoCs)
pid | Process
3980 | Anbklj32.exe
4596 | Bdocda32.exe
4820 | Bjikaked.exe
2184 | Baccne32.exe
3328 | Bhmlkpdn.exe
1820 | Bjkhgkca.exe
1908 | Bbbphh32.exe
2528 | Blkdqnjd.exe
3936 | Bdfiephp.exe
4012 | Bajjodfi.exe
2656 | Blonlm32.exe
4508 | Bbifhgnl.exe
3260 | Chfoqnlc.exe
4160 | Copgnh32.exe
3900 | Cblcngli.exe
784 | Cejojb32.exe
2428 | Chhkfn32.exe
3668 | Cldggmbj.exe
2624 | Ckghbi32.exe
3832 | Cobcchan.exe
2928 | Caapocpa.exe
3396 | Cellpb32.exe
2044 | Cdolkope.exe
1184 | Chkhln32.exe
1992 | Clfdllpg.exe
3508 | Ckidhi32.exe
1688 | Coephhok.exe
4932 | Cacmecno.exe
4460 | Cacmecno.exe
1808 | Ceoheb32.exe
3860 | Cdaiaonb.exe
3232 | Chmeamfk.exe
2256 | Cliabl32.exe
4640 | Cogmng32.exe
1236 | Cbbiofea.exe
1916 | Caeijc32.exe
1656 | Ceaekade.exe
3700 | Cddefn32.exe
1224 | Chpagmdi.exe
2588 | Cknnchcl.exe
972 | Coijcg32.exe
2608 | Dbefdfco.exe
1328 | Dahfpb32.exe
5000 | Decbqabb.exe
2416 | Ddfbln32.exe
5020 | Dlmjmkjo.exe
456 | Dkpjih32.exe
3604 | Dolfigic.exe
440 | Dajbebhf.exe
4636 | Defofa32.exe
4920 | Ddhoangj.exe
3088 | Dhdkbl32.exe
924 | Dkbgnh32.exe
5104 | Doncofgp.exe
1084 | Dbjooe32.exe
3768 | Damokbfd.exe
2944 | Ddklgmeg.exe
3696 | Dhfhhl32.exe
4668 | Dlbchkfj.exe
2732 | Doqpdf32.exe
3160 | Dclleemf.exe
1840 | Daolqa32.exe
2536 | Dejhapmj.exe
4832 | Dhidmlln.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Cfmamdkm.exe | Cdoeaili.exe
File opened for modification | C:\Windows\SysWOW64\Eolopd32.exe | Ekqcpfbg.exe
File created | C:\Windows\SysWOW64\Goabba32.exe | Gmceff32.exe
File created | C:\Windows\SysWOW64\Jppgjm32.exe | Jmaknb32.exe
File created | C:\Windows\SysWOW64\Aejmjd32.dll | Jbqplhkf.exe
File created | C:\Windows\SysWOW64\Finkejjm.dll | Jcbikkqf.exe
File created | C:\Windows\SysWOW64\Beklnn32.exe | Bappnpkh.exe
File created | C:\Windows\SysWOW64\Jmhaoqij.exe | Jeainchg.exe
File opened for modification | C:\Windows\SysWOW64\Pgbicm32.exe | Pfcmij32.exe
File created | C:\Windows\SysWOW64\Eolopd32.exe | Ekqcpfbg.exe
File opened for modification | C:\Windows\SysWOW64\Ghgiegak.exe | Gdlnei32.exe
File opened for modification | C:\Windows\SysWOW64\Jmhaoqij.exe | Jeainchg.exe
File created | C:\Windows\SysWOW64\Chhdlhfe.exe | Ceihplga.exe
File created | C:\Windows\SysWOW64\Gmhlfh32.dll | Anbklj32.exe
File opened for modification | C:\Windows\SysWOW64\Eccbed32.exe | Ekljdf32.exe
File created | C:\Windows\SysWOW64\Jijhib32.exe | Jfllmg32.exe
File created | C:\Windows\SysWOW64\Coijcg32.exe | Cknnchcl.exe
File created | C:\Windows\SysWOW64\Ioomce32.dll | Edbbhlop.exe
File created | C:\Windows\SysWOW64\Ngkjlpkj.exe | Nnbebk32.exe
File opened for modification | C:\Windows\SysWOW64\Babmco32.exe | Bncqgd32.exe
File opened for modification | C:\Windows\SysWOW64\Bdocda32.exe | Anbklj32.exe
File created | C:\Windows\SysWOW64\Ddhoangj.exe | Defofa32.exe
File created | C:\Windows\SysWOW64\Gbkdcnla.exe | Gomhgbmn.exe
File created | C:\Windows\SysWOW64\Gkcilcba.exe | Glqipf32.exe
File opened for modification | C:\Windows\SysWOW64\Mccooc32.exe | Mmgfgl32.exe
File created | C:\Windows\SysWOW64\Ebbnpfad.dll | Mmkpbl32.exe
File created | C:\Windows\SysWOW64\Bepeinol.exe | Bnfmmc32.exe
File opened for modification | C:\Windows\SysWOW64\Deckfkof.exe | Dagoel32.exe
File opened for modification | C:\Windows\SysWOW64\Baccne32.exe | Bjikaked.exe
File created | C:\Windows\SysWOW64\Cobcchan.exe | Ckghbi32.exe
File created | C:\Windows\SysWOW64\Bhmlkpdn.exe | Baccne32.exe
File created | C:\Windows\SysWOW64\Defofa32.exe | Dajbebhf.exe
File created | C:\Windows\SysWOW64\Fdgdjimg.exe | Ffddnm32.exe
File opened for modification | C:\Windows\SysWOW64\Kbaicf32.exe | Kdnigifi.exe
File created | C:\Windows\SysWOW64\Dlgmcj32.exe | Dhkackjk.exe
File created | C:\Windows\SysWOW64\Ejhekdhb.dll | Homanp32.exe
File created | C:\Windows\SysWOW64\Ahhhlohd.dll | Cdaiaonb.exe
File opened for modification | C:\Windows\SysWOW64\Hiqllfiq.exe | Hfbppkjm.exe
File created | C:\Windows\SysWOW64\Pfcmij32.exe | Pdapabjo.exe
File created | C:\Windows\SysWOW64\Jbhfcmeh.dll | Ccjlfi32.exe
File created | C:\Windows\SysWOW64\Jjhikp32.dll | Deckfkof.exe
File created | C:\Windows\SysWOW64\Bdfiephp.exe | Blkdqnjd.exe
File opened for modification | C:\Windows\SysWOW64\Blonlm32.exe | Bajjodfi.exe
File opened for modification | C:\Windows\SysWOW64\Bcqipk32.exe | Babmco32.exe
File opened for modification | C:\Windows\SysWOW64\Jmaknb32.exe | Jejcmd32.exe
File created | C:\Windows\SysWOW64\Lbmhod32.exe | Llbpbjlj.exe
File created | C:\Windows\SysWOW64\Bglepipb.exe | Bcqipk32.exe
File created | C:\Windows\SysWOW64\Nodiig32.dll | Dffdcccb.exe
File created | C:\Windows\SysWOW64\Knhmhgei.dll | Eddomlmm.exe
File created | C:\Windows\SysWOW64\Kpppakpc.exe | Kmadepao.exe
File created | C:\Windows\SysWOW64\Gljogg32.dll | Kikappdq.exe
File created | C:\Windows\SysWOW64\Eojbkemc.exe | Elkfnino.exe
File created | C:\Windows\SysWOW64\Ffddnm32.exe | Fbihnnnd.exe
File created | C:\Windows\SysWOW64\Gfkjolpe.exe | Gcmnbpaa.exe
File opened for modification | C:\Windows\SysWOW64\Imhhhc32.exe | Ieapgf32.exe
File opened for modification | C:\Windows\SysWOW64\Klgqflfg.exe | Kihdjqfc.exe
File opened for modification | C:\Windows\SysWOW64\Leabdaje.exe | Lfoaid32.exe
File created | C:\Windows\SysWOW64\Blkdqnjd.exe | Bbbphh32.exe
File created | C:\Windows\SysWOW64\Cldggmbj.exe | Chhkfn32.exe
File created | C:\Windows\SysWOW64\Edgkcl32.exe | Eedkgodp.exe
File created | C:\Windows\SysWOW64\Nbidpq32.dll | Ibbckj32.exe
File created | C:\Windows\SysWOW64\Cppakkqf.dll | Kfhkhe32.exe
File created | C:\Windows\SysWOW64\Hmkpbinn.dll | Cdoeaili.exe
File created | C:\Windows\SysWOW64\Dnbdfk32.dll | Cepnqkai.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
9976 | 9788 | WerFault.exe | 442
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cliabl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojplhkdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cacmecno.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdbkoj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdlnei32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kihdjqfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocfdlqmi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qncgqf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agglej32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cblcngli.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nljoig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hegmqg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlkajnpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcdfakod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnopcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpbdpmlc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkhipe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbmhod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndjajeni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgjhkjbe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmbpoofo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbbphh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfkjolpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imhhhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceaekade.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flibpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiefge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mgddka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npcodf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddjemgal.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elijijpb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ipknonbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Leabdaje.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mikjfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofgmml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmkjnp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfcogecg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdoeaili.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gooemb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogifmn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cndinalo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cabfjmkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmmcqn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blkdqnjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecqepd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcplfk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bglepipb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Doicia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d349b335718fd5b0683fb4df77a2dd60N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdllaihl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjjalepf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flgfjh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlhbdgia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdabfhjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbjlid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhkackjk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnbebk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Beeodm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Damokbfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldeohh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llbpbjlj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekqcpfbg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlbchkfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iioimd32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kdnigifi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgihbljp.dll" | Edihhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Faoegofo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jckcklfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgccib32.dll" | Ehpjnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ilpaoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdfoekj.dll" | Ckidhi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ledojqhb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fbfkhn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jpbdpmlc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ofgmml32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cejojb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdllaihl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fclelb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqobne32.dll" | Llnggk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Npcodf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gdlnei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimgkfjk.dll" | Kpeilj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjlkk32.dll" | Lbjlid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgfbo32.dll" | Bglepipb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bajjodfi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhkackjk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fdgdjimg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bajjodfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jeainchg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibbckj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jppgjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dkbgnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfmpo32.dll" | Eacelapl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hiqllfiq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Caeijc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbpgekii.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mgddka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hejjfgmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pdoclbla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pdoclbla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdolkope.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fkhipe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpmjd32.dll" | Fbihnnnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjagmd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Deckfkof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifnknfhg.dll" | Ddjemgal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nnbebk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjflhj32.dll" | Ajanffhq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cndinalo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcbikkqf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kfeobe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llljak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalpdh32.dll" | Gbbkdmfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbdgildf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dagoel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hihble32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbipp32.dll" | Kbjcbgcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkmlbb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hkfohq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfllmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaocpk32.dll" | Ngkjlpkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfcmij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjikaked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cddefn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbbkdmfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dagoel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnamhjg.dll" | Pgbicm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnkfhcdj.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 448 wrote to memory of 3980 | 448 | d349b335718fd5b0683fb4df77a2dd60N.exe | 83
PID 448 wrote to memory of 3980 | 448 | d349b335718fd5b0683fb4df77a2dd60N.exe | 83
PID 448 wrote to memory of 3980 | 448 | d349b335718fd5b0683fb4df77a2dd60N.exe | 83
PID 3980 wrote to memory of 4596 | 3980 | Anbklj32.exe | 84
PID 3980 wrote to memory of 4596 | 3980 | Anbklj32.exe | 84
PID 3980 wrote to memory of 4596 | 3980 | Anbklj32.exe | 84
PID 4596 wrote to memory of 4820 | 4596 | Bdocda32.exe | 85
PID 4596 wrote to memory of 4820 | 4596 | Bdocda32.exe | 85
PID 4596 wrote to memory of 4820 | 4596 | Bdocda32.exe | 85
PID 4820 wrote to memory of 2184 | 4820 | Bjikaked.exe | 86
PID 4820 wrote to memory of 2184 | 4820 | Bjikaked.exe | 86
PID 4820 wrote to memory of 2184 | 4820 | Bjikaked.exe | 86
PID 2184 wrote to memory of 3328 | 2184 | Baccne32.exe | 87
PID 2184 wrote to memory of 3328 | 2184 | Baccne32.exe | 87
PID 2184 wrote to memory of 3328 | 2184 | Baccne32.exe | 87
PID 3328 wrote to memory of 1820 | 3328 | Bhmlkpdn.exe | 89
PID 3328 wrote to memory of 1820 | 3328 | Bhmlkpdn.exe | 89
PID 3328 wrote to memory of 1820 | 3328 | Bhmlkpdn.exe | 89
PID 1820 wrote to memory of 1908 | 1820 | Bjkhgkca.exe | 90
PID 1820 wrote to memory of 1908 | 1820 | Bjkhgkca.exe | 90
PID 1820 wrote to memory of 1908 | 1820 | Bjkhgkca.exe | 90
PID 1908 wrote to memory of 2528 | 1908 | Bbbphh32.exe | 91
PID 1908 wrote to memory of 2528 | 1908 | Bbbphh32.exe | 91
PID 1908 wrote to memory of 2528 | 1908 | Bbbphh32.exe | 91
PID 2528 wrote to memory of 3936 | 2528 | Blkdqnjd.exe | 92
PID 2528 wrote to memory of 3936 | 2528 | Blkdqnjd.exe | 92
PID 2528 wrote to memory of 3936 | 2528 | Blkdqnjd.exe | 92
PID 3936 wrote to memory of 4012 | 3936 | Bdfiephp.exe | 94
PID 3936 wrote to memory of 4012 | 3936 | Bdfiephp.exe | 94
PID 3936 wrote to memory of 4012 | 3936 | Bdfiephp.exe | 94
PID 4012 wrote to memory of 2656 | 4012 | Bajjodfi.exe | 95
PID 4012 wrote to memory of 2656 | 4012 | Bajjodfi.exe | 95
PID 4012 wrote to memory of 2656 | 4012 | Bajjodfi.exe | 95
PID 2656 wrote to memory of 4508 | 2656 | Blonlm32.exe | 96
PID 2656 wrote to memory of 4508 | 2656 | Blonlm32.exe | 96
PID 2656 wrote to memory of 4508 | 2656 | Blonlm32.exe | 96
PID 4508 wrote to memory of 3260 | 4508 | Bbifhgnl.exe | 98
PID 4508 wrote to memory of 3260 | 4508 | Bbifhgnl.exe | 98
PID 4508 wrote to memory of 3260 | 4508 | Bbifhgnl.exe | 98
PID 3260 wrote to memory of 4160 | 3260 | Chfoqnlc.exe | 99
PID 3260 wrote to memory of 4160 | 3260 | Chfoqnlc.exe | 99
PID 3260 wrote to memory of 4160 | 3260 | Chfoqnlc.exe | 99
PID 4160 wrote to memory of 3900 | 4160 | Copgnh32.exe | 100
PID 4160 wrote to memory of 3900 | 4160 | Copgnh32.exe | 100
PID 4160 wrote to memory of 3900 | 4160 | Copgnh32.exe | 100
PID 3900 wrote to memory of 784 | 3900 | Cblcngli.exe | 101
PID 3900 wrote to memory of 784 | 3900 | Cblcngli.exe | 101
PID 3900 wrote to memory of 784 | 3900 | Cblcngli.exe | 101
PID 784 wrote to memory of 2428 | 784 | Cejojb32.exe | 102
PID 784 wrote to memory of 2428 | 784 | Cejojb32.exe | 102
PID 784 wrote to memory of 2428 | 784 | Cejojb32.exe | 102
PID 2428 wrote to memory of 3668 | 2428 | Chhkfn32.exe | 103
PID 2428 wrote to memory of 3668 | 2428 | Chhkfn32.exe | 103
PID 2428 wrote to memory of 3668 | 2428 | Chhkfn32.exe | 103
PID 3668 wrote to memory of 2624 | 3668 | Cldggmbj.exe | 104
PID 3668 wrote to memory of 2624 | 3668 | Cldggmbj.exe | 104
PID 3668 wrote to memory of 2624 | 3668 | Cldggmbj.exe | 104
PID 2624 wrote to memory of 3832 | 2624 | Ckghbi32.exe | 105
PID 2624 wrote to memory of 3832 | 2624 | Ckghbi32.exe | 105
PID 2624 wrote to memory of 3832 | 2624 | Ckghbi32.exe | 105
PID 3832 wrote to memory of 2928 | 3832 | Cobcchan.exe | 106
PID 3832 wrote to memory of 2928 | 3832 | Cobcchan.exe | 106
PID 3832 wrote to memory of 2928 | 3832 | Cobcchan.exe | 106
PID 2928 wrote to memory of 3396 | 2928 | Caapocpa.exe | 107
Processes
- C:\Users\Admin\AppData\Local\Temp\d349b335718fd5b0683fb4df77a2dd60N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d349b335718fd5b0683fb4df77a2dd60N.exe", tree level 1)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 448
- C:\Windows\SysWOW64\Anbklj32.exe (command line: C:\Windows\system32\Anbklj32.exe, tree level 2)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3980
- C:\Windows\SysWOW64\Bdocda32.exe (command line: C:\Windows\system32\Bdocda32.exe, tree level 3)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4596
- C:\Windows\SysWOW64\Bjikaked.exe (command line: C:\Windows\system32\Bjikaked.exe, tree level 4)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4820
- C:\Windows\SysWOW64\Baccne32.exe (command line: C:\Windows\system32\Baccne32.exe, tree level 5)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2184
- C:\Windows\SysWOW64\Bhmlkpdn.exe (command line: C:\Windows\system32\Bhmlkpdn.exe, tree level 6)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3328
- C:\Windows\SysWOW64\Bjkhgkca.exe (command line: C:\Windows\system32\Bjkhgkca.exe, tree level 7)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1820
- C:\Windows\SysWOW64\Bbbphh32.exe (command line: C:\Windows\system32\Bbbphh32.exe, tree level 8)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1908
- C:\Windows\SysWOW64\Blkdqnjd.exe (command line: C:\Windows\system32\Blkdqnjd.exe, tree level 9)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2528
- C:\Windows\SysWOW64\Bdfiephp.exe (command line: C:\Windows\system32\Bdfiephp.exe, tree level 10)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3936
- C:\Windows\SysWOW64\Bajjodfi.exe (command line: C:\Windows\system32\Bajjodfi.exe, tree level 11)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4012
- C:\Windows\SysWOW64\Blonlm32.exe (command line: C:\Windows\system32\Blonlm32.exe, tree level 12)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2656
- C:\Windows\SysWOW64\Bbifhgnl.exe (command line: C:\Windows\system32\Bbifhgnl.exe, tree level 13)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4508
- C:\Windows\SysWOW64\Chfoqnlc.exe (command line: C:\Windows\system32\Chfoqnlc.exe, tree level 14)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3260
- C:\Windows\SysWOW64\Copgnh32.exe (command line: C:\Windows\system32\Copgnh32.exe, tree level 15)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4160
- C:\Windows\SysWOW64\Cblcngli.exe (command line: C:\Windows\system32\Cblcngli.exe, tree level 16)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3900
- C:\Windows\SysWOW64\Cejojb32.exe (command line: C:\Windows\system32\Cejojb32.exe, tree level 17)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 784
- C:\Windows\SysWOW64\Chhkfn32.exe (command line: C:\Windows\system32\Chhkfn32.exe, tree level 18)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2428
- C:\Windows\SysWOW64\Cldggmbj.exe (command line: C:\Windows\system32\Cldggmbj.exe, tree level 19)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3668
- C:\Windows\SysWOW64\Ckghbi32.exe (command line: C:\Windows\system32\Ckghbi32.exe, tree level 20)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2624
- C:\Windows\SysWOW64\Cobcchan.exe (command line: C:\Windows\system32\Cobcchan.exe, tree level 21)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3832
- C:\Windows\SysWOW64\Caapocpa.exe (command line: C:\Windows\system32\Caapocpa.exe, tree level 22)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2928
- C:\Windows\SysWOW64\Cellpb32.exe (command line: C:\Windows\system32\Cellpb32.exe, tree level 23)
  - Executes dropped EXE
  PID: 3396
- C:\Windows\SysWOW64\Cdolkope.exe (command line: C:\Windows\system32\Cdolkope.exe, tree level 24)
  - Executes dropped EXE
  - Modifies registry class
  PID: 2044
- C:\Windows\SysWOW64\Chkhln32.exe (command line: C:\Windows\system32\Chkhln32.exe, tree level 25)
  - Executes dropped EXE
  PID: 1184
- C:\Windows\SysWOW64\Clfdllpg.exe (command line: C:\Windows\system32\Clfdllpg.exe, tree level 26)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 1992
- C:\Windows\SysWOW64\Ckidhi32.exe (command line: C:\Windows\system32\Ckidhi32.exe, tree level 27)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID: 3508
- C:\Windows\SysWOW64\Coephhok.exe (command line: C:\Windows\system32\Coephhok.exe, tree level 28)
  - Executes dropped EXE
  PID: 1688
- C:\Windows\SysWOW64\Cacmecno.exe (command line: C:\Windows\system32\Cacmecno.exe, tree level 29)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4932
- C:\Windows\SysWOW64\Cacmecno.exe (command line: C:\Windows\system32\Cacmecno.exe, tree level 30)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 4460
- C:\Windows\SysWOW64\Ceoheb32.exe (command line: C:\Windows\system32\Ceoheb32.exe, tree level 31)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 1808
- C:\Windows\SysWOW64\Cdaiaonb.exe (command line: C:\Windows\system32\Cdaiaonb.exe, tree level 32)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 3860
- C:\Windows\SysWOW64\Chmeamfk.exe (command line: C:\Windows\system32\Chmeamfk.exe, tree level 33)
  - Executes dropped EXE
  PID: 3232
- C:\Windows\SysWOW64\Cliabl32.exe (command line: C:\Windows\system32\Cliabl32.exe, tree level 34)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2256
- C:\Windows\SysWOW64\Cogmng32.exe (command line: C:\Windows\system32\Cogmng32.exe, tree level 35)
  - Executes dropped EXE
  PID: 4640
- C:\Windows\SysWOW64\Cbbiofea.exe (command line: C:\Windows\system32\Cbbiofea.exe, tree level 36)
  - Executes dropped EXE
  PID: 1236
- C:\Windows\SysWOW64\Caeijc32.exe (command line: C:\Windows\system32\Caeijc32.exe, tree level 37)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID: 1916
- C:\Windows\SysWOW64\Ceaekade.exe (command line: C:\Windows\system32\Ceaekade.exe, tree level 38)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 1656
- C:\Windows\SysWOW64\Cddefn32.exe (command line: C:\Windows\system32\Cddefn32.exe, tree level 39)
  - Executes dropped EXE
  - Modifies registry class
  PID: 3700
- C:\Windows\SysWOW64\Chpagmdi.exe (command line: C:\Windows\system32\Chpagmdi.exe, tree level 40)
  - Executes dropped EXE
  PID: 1224
- C:\Windows\SysWOW64\Cknnchcl.exe (command line: C:\Windows\system32\Cknnchcl.exe, tree level 41)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2588
- C:\Windows\SysWOW64\Coijcg32.exe (command line: C:\Windows\system32\Coijcg32.exe, tree level 42)
  - Executes dropped EXE
  PID: 972
- C:\Windows\SysWOW64\Dbefdfco.exe (command line: C:\Windows\system32\Dbefdfco.exe, tree level 43)
  - Executes dropped EXE
  PID: 2608
- C:\Windows\SysWOW64\Dahfpb32.exe (command line: C:\Windows\system32\Dahfpb32.exe, tree level 44)
  - Executes dropped EXE
  PID: 1328
- C:\Windows\SysWOW64\Decbqabb.exe (command line: C:\Windows\system32\Decbqabb.exe, tree level 45)
  - Executes dropped EXE
  PID: 5000
- C:\Windows\SysWOW64\Ddfbln32.exe (command line: C:\Windows\system32\Ddfbln32.exe, tree level 46)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 2416
- C:\Windows\SysWOW64\Dlmjmkjo.exe (command line: C:\Windows\system32\Dlmjmkjo.exe, tree level 47)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 5020
- C:\Windows\SysWOW64\Dkpjih32.exe (command line: C:\Windows\system32\Dkpjih32.exe, tree level 48)
  - Executes dropped EXE
  PID: 456
- C:\Windows\SysWOW64\Dolfigic.exe (command line: C:\Windows\system32\Dolfigic.exe, tree level 49)
  - Executes dropped EXE
  PID: 3604
- C:\Windows\SysWOW64\Dajbebhf.exe (command line: C:\Windows\system32\Dajbebhf.exe, tree level 50)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 440
- C:\Windows\SysWOW64\Defofa32.exe (command line: C:\Windows\system32\Defofa32.exe, tree level 51)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 4636
- C:\Windows\SysWOW64\Ddhoangj.exe (command line: C:\Windows\system32\Ddhoangj.exe, tree level 52)
  - Executes dropped EXE
  PID: 4920
- C:\Windows\SysWOW64\Dhdkbl32.exe (command line: C:\Windows\system32\Dhdkbl32.exe, tree level 53)
  - Executes dropped EXE
  PID: 3088
- C:\Windows\SysWOW64\Dkbgnh32.exe (command line: C:\Windows\system32\Dkbgnh32.exe, tree level 54)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID: 924
- C:\Windows\SysWOW64\Doncofgp.exe (command line: C:\Windows\system32\Doncofgp.exe, tree level 55)
  - Executes dropped EXE
  PID: 5104
- C:\Windows\SysWOW64\Dbjooe32.exe (command line: C:\Windows\system32\Dbjooe32.exe, tree level 56)
  - Executes dropped EXE
  PID: 1084
- C:\Windows\SysWOW64\Damokbfd.exe (command line: C:\Windows\system32\Damokbfd.exe, tree level 57)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 3768
- C:\Windows\SysWOW64\Ddklgmeg.exe (command line: C:\Windows\system32\Ddklgmeg.exe, tree level 58)
  - Executes dropped EXE
  PID: 2944
- C:\Windows\SysWOW64\Dhfhhl32.exe (command line: C:\Windows\system32\Dhfhhl32.exe, tree level 59)
  - Executes dropped EXE
  PID: 3696
- C:\Windows\SysWOW64\Dlbchkfj.exe (command line: C:\Windows\system32\Dlbchkfj.exe, tree level 60)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4668
- C:\Windows\SysWOW64\Doqpdf32.exe (command line: C:\Windows\system32\Doqpdf32.exe, tree level 61)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID: 2732
- C:\Windows\SysWOW64\Dclleemf.exe (command line: C:\Windows\system32\Dclleemf.exe, tree level 62)
  - Executes dropped EXE
  PID: 3160
- C:\Windows\SysWOW64\Daolqa32.exe (command line: C:\Windows\system32\Daolqa32.exe, tree level 63)
  - Executes dropped EXE
  PID: 1840
- C:\Windows\SysWOW64\Dejhapmj.exe (command line: C:\Windows\system32\Dejhapmj.exe, tree level 64)
  - Executes dropped EXE
  PID: 2536
- C:\Windows\SysWOW64\Dhidmlln.exe (command line: C:\Windows\system32\Dhidmlln.exe, tree level 65)
  - Executes dropped EXE
  PID: 4832
- C:\Windows\SysWOW64\Dldpnj32.exe (command line: C:\Windows\system32\Dldpnj32.exe, tree level 66)
  PID: 1532
- C:\Windows\SysWOW64\Dkgqigka.exe (command line: C:\Windows\system32\Dkgqigka.exe, tree level 67)
  PID: 1700
- C:\Windows\SysWOW64\Ddpebm32.exe (command line: C:\Windows\system32\Ddpebm32.exe, tree level 68)
  PID: 4288
- C:\Windows\SysWOW64\Dhkackjk.exe (command line: C:\Windows\system32\Dhkackjk.exe, tree level 69)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 5008
- C:\Windows\SysWOW64\Dlgmcj32.exe (command line: C:\Windows\system32\Dlgmcj32.exe, tree level 70)
  PID: 4728
- C:\Windows\SysWOW64\Dkjmogio.exe (command line: C:\Windows\system32\Dkjmogio.exe, tree level 71)
  PID: 4280
- C:\Windows\SysWOW64\Ecqepd32.exe (command line: C:\Windows\system32\Ecqepd32.exe, tree level 72)
  - System Location Discovery: System Language Discovery
  PID: 4420
- C:\Windows\SysWOW64\Eacelapl.exe (command line: C:\Windows\system32\Eacelapl.exe, tree level 73)
  - Modifies registry class
  PID: 4468
- C:\Windows\SysWOW64\Edbbhlop.exe (command line: C:\Windows\system32\Edbbhlop.exe, tree level 74)
  - Drops file in System32 directory
  PID: 1788
- C:\Windows\SysWOW64\Elijijpb.exe (command line: C:\Windows\system32\Elijijpb.exe, tree level 75)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  PID: 2376
- C:\Windows\SysWOW64\Ekljdf32.exe (command line: C:\Windows\system32\Ekljdf32.exe, tree level 76)
  - Drops file in System32 directory
  PID: 3048
- C:\Windows\SysWOW64\Eccbed32.exe (command line: C:\Windows\system32\Eccbed32.exe, tree level 77)
  PID: 3500
- C:\Windows\SysWOW64\Eafbaqni.exe (command line: C:\Windows\system32\Eafbaqni.exe, tree level 78)
  PID: 3968
- C:\Windows\SysWOW64\Eddomlmm.exe (command line: C:\Windows\system32\Eddomlmm.exe, tree level 79)
  - Drops file in System32 directory
  PID: 4776
- C:\Windows\SysWOW64\Ehpjnk32.exe (command line: C:\Windows\system32\Ehpjnk32.exe, tree level 80)
  - Modifies registry class
  PID: 1848
- C:\Windows\SysWOW64\Elkfnino.exe (command line: C:\Windows\system32\Elkfnino.exe, tree level 81)
  - Drops file in System32 directory
  PID: 1060
- C:\Windows\SysWOW64\Eojbkemc.exe (command line: C:\Windows\system32\Eojbkemc.exe, tree level 82)
  PID: 4608
- C:\Windows\SysWOW64\Eceokcel.exe (command line: C:\Windows\system32\Eceokcel.exe, tree level 83)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 3264
- C:\Windows\SysWOW64\Eedkgodp.exe (command line: C:\Windows\system32\Eedkgodp.exe, tree level 84)
  - Drops file in System32 directory
  PID: 5024
- C:\Windows\SysWOW64\Edgkcl32.exe (command line: C:\Windows\system32\Edgkcl32.exe, tree level 85)
  PID: 4976
- C:\Windows\SysWOW64\Ehbgcjcc.exe (command line: C:\Windows\system32\Ehbgcjcc.exe, tree level 86)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 4384
- C:\Windows\SysWOW64\Ekqcpfbg.exe (command line: C:\Windows\system32\Ekqcpfbg.exe, tree level 87)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 4088
- C:\Windows\SysWOW64\Eolopd32.exe (command line: C:\Windows\system32\Eolopd32.exe, tree level 88)
  PID: 1780
- C:\Windows\SysWOW64\Echkqcci.exe (command line: C:\Windows\system32\Echkqcci.exe, tree level 89)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 3144
- C:\Windows\SysWOW64\Eefhmobm.exe (command line: C:\Windows\system32\Eefhmobm.exe, tree level 90)
  PID: 824
- C:\Windows\SysWOW64\Edihhk32.exe (command line: C:\Windows\system32\Edihhk32.exe, tree level 91)
  - Modifies registry class
  PID: 4320
- C:\Windows\SysWOW64\Ekcpeeqd.exe (command line: C:\Windows\system32\Ekcpeeqd.exe, tree level 92)
  PID: 3152
- C:\Windows\SysWOW64\Eooled32.exe (command line: C:\Windows\system32\Eooled32.exe, tree level 93)
  PID: 4856
- C:\Windows\SysWOW64\Eamhbp32.exe (command line: C:\Windows\system32\Eamhbp32.exe, tree level 94)
  PID: 1124
- C:\Windows\SysWOW64\Eehdbn32.exe (command line: C:\Windows\system32\Eehdbn32.exe, tree level 95)
  PID: 3788
- C:\Windows\SysWOW64\Ehgqoj32.exe (command line: C:\Windows\system32\Ehgqoj32.exe, tree level 96)
  PID: 4812
- C:\Windows\SysWOW64\Ekemke32.exe (command line: C:\Windows\system32\Ekemke32.exe, tree level 97)
  PID: 3120
- C:\Windows\SysWOW64\Fclelb32.exe (command line: C:\Windows\system32\Fclelb32.exe, tree level 98)
  - Modifies registry class
  PID: 1136
- C:\Windows\SysWOW64\Faoegofo.exe (command line: C:\Windows\system32\Faoegofo.exe, tree level 99)
  - Modifies registry class
  PID: 3432
- C:\Windows\SysWOW64\Fdnackeb.exe (command line: C:\Windows\system32\Fdnackeb.exe, tree level 100)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 1012
- C:\Windows\SysWOW64\Fkhipe32.exe (command line: C:\Windows\system32\Fkhipe32.exe, tree level 101)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2120
- C:\Windows\SysWOW64\Faabmodl.exe (command line: C:\Windows\system32\Faabmodl.exe, tree level 102)
  PID: 5052
- C:\Windows\SysWOW64\Fdpnij32.exe (command line: C:\Windows\system32\Fdpnij32.exe, tree level 103)
  PID: 1284
- C:\Windows\SysWOW64\Flgfjh32.exe (command line: C:\Windows\system32\Flgfjh32.exe, tree level 104)
  - System Location Discovery: System Language Discovery
  PID: 5160
- C:\Windows\SysWOW64\Fkjffdjl.exe (command line: C:\Windows\system32\Fkjffdjl.exe, tree level 105)
  PID: 5204
- C:\Windows\SysWOW64\Fcangbko.exe (command line: C:\Windows\system32\Fcangbko.exe, tree level 106)
  PID: 5252
- C:\Windows\SysWOW64\Fadobo32.exe (command line: C:\Windows\system32\Fadobo32.exe, tree level 107)
  PID: 5296
- C:\Windows\SysWOW64\Fdbkoj32.exe (command line: C:\Windows\system32\Fdbkoj32.exe, tree level 108)
  - System Location Discovery: System Language Discovery
  PID: 5344
- C:\Windows\SysWOW64\Fhngoiif.exe (command line: C:\Windows\system32\Fhngoiif.exe, tree level 109)
  PID: 5388
- C:\Windows\SysWOW64\Flibpg32.exe (command line: C:\Windows\system32\Flibpg32.exe, tree level 110)
  - System Location Discovery: System Language Discovery
  PID: 5440
- C:\Windows\SysWOW64\Foholc32.exe (command line: C:\Windows\system32\Foholc32.exe, tree level 111)
  PID: 5488
- C:\Windows\SysWOW64\Fbfkhn32.exe (command line: C:\Windows\system32\Fbfkhn32.exe, tree level 112)
  - Modifies registry class
  PID: 5532
- C:\Windows\SysWOW64\Ffbghmhp.exe (command line: C:\Windows\system32\Ffbghmhp.exe, tree level 113)
  PID: 5576
- C:\Windows\SysWOW64\Fhpceh32.exe (command line: C:\Windows\system32\Fhpceh32.exe, tree level 114)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID: 5636
- C:\Windows\SysWOW64\Fkopad32.exe (command line: C:\Windows\system32\Fkopad32.exe, tree level 115)
  PID: 5684
- C:\Windows\SysWOW64\Fcfhba32.exe (command line: C:\Windows\system32\Fcfhba32.exe, tree level 116)
  PID: 5732
- C:\Windows\SysWOW64\Fbihnnnd.exe (command line: C:\Windows\system32\Fbihnnnd.exe, tree level 117)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID: 5776
- C:\Windows\SysWOW64\Ffddnm32.exe (command line: C:\Windows\system32\Ffddnm32.exe, tree level 118)
  - Drops file in System32 directory
  PID: 5824
- C:\Windows\SysWOW64\Fdgdjimg.exe (command line: C:\Windows\system32\Fdgdjimg.exe, tree level 119)
  - Modifies registry class
  PID: 5872
- C:\Windows\SysWOW64\Flnlkgnj.exe (command line: C:\Windows\system32\Flnlkgnj.exe, tree level 120)
  PID: 5916
- C:\Windows\SysWOW64\Gkalfc32.exe (command line: C:\Windows\system32\Gkalfc32.exe, tree level 121)
  PID: 5972
- C:\Windows\SysWOW64\Gomhgbmn.exe (command line: C:\Windows\system32\Gomhgbmn.exe, tree level 122)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID: 6016