Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/09/2024, 15:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c5e740c86471a6832b496d08d929dbc0N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
c5e740c86471a6832b496d08d929dbc0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
c5e740c86471a6832b496d08d929dbc0N.exe
-
Size
1.2MB
-
MD5
c5e740c86471a6832b496d08d929dbc0
-
SHA1
0438ed1a9be827fafae2f6e9831204af39193855
-
SHA256
f38065e63bb2a07f11915b8dedcd39503db806b54ce859d75bfa7fcdad2b7f2d
-
SHA512
3d4421c0ac619c1282b6c76d3470f73ddf39ad1eeb9bbd2d166ae53ba9f35b27d9825188931c5a2dfd215246afcc4942abe541a9f57baaef2572eed4d2d50892
-
SSDEEP
24576:yuxoPh2kkkkK4kXkkkkkkkke50+YNpsKv2EvZHp3oW6:yAKLXZM
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akdilipp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miomdk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgfapd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klcekpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apodoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icnklbmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lggldm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dakacjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eidlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdoihpbk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmfbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpmld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqhdbm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaniq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaefgd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhmigagd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jqlefl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpnmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gipdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bahkih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nghekkmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojajin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fknbil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhoqeibl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Impliekg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eagaoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgelek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeokal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhfppabl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcndbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffceip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjedffig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emkndc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epikpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqpbglno.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlpokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcikgacl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkphhgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oghppm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmaffnce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" c5e740c86471a6832b496d08d929dbc0N.exe -
Executes dropped EXE 64 IoCs
pid Process 1960 Lhncdi32.exe 5084 Loglacfo.exe 4948 Mbedga32.exe 4796 Miomdk32.exe 4036 Molelb32.exe 3492 Mefmimif.exe 3592 Mplafeil.exe 4032 Nohehq32.exe 5036 Nhpiafnm.exe 1224 Ncfmno32.exe 3016 Ngdfdmdi.exe 4060 Ncjginjn.exe 1232 Olckbd32.exe 820 Oghppm32.exe 3768 Opemca32.exe 3888 Ogpepl32.exe 1940 Pcicklnn.exe 4384 Pjbkgfej.exe 1816 Ppmcdq32.exe 2096 Pjehmfch.exe 1944 Poaqemao.exe 4500 Qoifflkg.exe 1844 Qgpogili.exe 2084 Qlmgopjq.exe 548 Amcmpodi.exe 3896 Aflaie32.exe 2184 Aqaffn32.exe 1840 Ajjjocap.exe 552 Bgnkhg32.exe 4372 Bifmqo32.exe 3524 Bppfmigl.exe 4428 Bfjnjcni.exe 1684 Cqpbglno.exe 3380 Cgjjdf32.exe 2420 Cjhfpa32.exe 1592 Cabomkll.exe 4684 Ccqkigkp.exe 3220 Cfogeb32.exe 4556 Cippgm32.exe 4964 Caghhk32.exe 3444 Cgqqdeod.exe 3204 Cjomap32.exe 4064 Cpleig32.exe 4932 Cgcmjd32.exe 2280 Cjaifp32.exe 1304 Dakacjdb.exe 2456 Dfhjkabi.exe 1900 Diffglam.exe 4832 Dannij32.exe 3556 Dclkee32.exe 3208 Dfjgaq32.exe 2308 Dmdonkgc.exe 1252 Dpckjfgg.exe 4776 Dfmcfp32.exe 1452 Dikpbl32.exe 2492 Dpehof32.exe 4476 Dhlpqc32.exe 2288 Dinmhkke.exe 3224 Dpgeee32.exe 428 Dfamapjo.exe 2796 Eipinkib.exe 2520 Eagaoh32.exe 724 Edemkd32.exe 740 Eibfck32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Knfeeimj.exe Kdmqmc32.exe File created C:\Windows\SysWOW64\Gidnkkpc.exe Gfeaopqo.exe File opened for modification C:\Windows\SysWOW64\Hipmfjee.exe Hfaajnfb.exe File opened for modification C:\Windows\SysWOW64\Edjgfcec.exe Ealkjh32.exe File opened for modification C:\Windows\SysWOW64\Pabblb32.exe Papfgbmg.exe File created C:\Windows\SysWOW64\Igajal32.exe Iojbpo32.exe File created C:\Windows\SysWOW64\Jngbjd32.exe Jgmjmjnb.exe File opened for modification C:\Windows\SysWOW64\Cponen32.exe Cammjakm.exe File opened for modification C:\Windows\SysWOW64\Cnjdpaki.exe Cpfcfmlp.exe File opened for modification C:\Windows\SysWOW64\Cgjjdf32.exe Cqpbglno.exe File opened for modification C:\Windows\SysWOW64\Oekiqccc.exe Okedcjcm.exe File created C:\Windows\SysWOW64\Cjgpfk32.exe Ckfphc32.exe File created C:\Windows\SysWOW64\Figfoijn.dll Mgbefe32.exe File opened for modification C:\Windows\SysWOW64\Ljaoeini.exe Lcggio32.exe File created C:\Windows\SysWOW64\Bjeehbgh.dll Aekddhcb.exe File opened for modification C:\Windows\SysWOW64\Dbndfl32.exe Dblgpl32.exe File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Pfoann32.exe File opened for modification C:\Windows\SysWOW64\Jqlefl32.exe Jkomneim.exe File created C:\Windows\SysWOW64\Oaabap32.dll Iliinc32.exe File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe Nglhld32.exe File created C:\Windows\SysWOW64\Gpfjma32.exe Gnhnaf32.exe File created C:\Windows\SysWOW64\Efcagd32.dll Mgehfkop.exe File created C:\Windows\SysWOW64\Cffpglpg.dll Licfngjd.exe File created C:\Windows\SysWOW64\Bdinlh32.dll Fbjmhh32.exe File created C:\Windows\SysWOW64\Dnjfibml.dll Bemqih32.exe File opened for modification C:\Windows\SysWOW64\Omdppiif.exe Ofkgcobj.exe File created C:\Windows\SysWOW64\Mgbefe32.exe Mokmdh32.exe File created C:\Windows\SysWOW64\Ibmlia32.dll Bnoddcef.exe File opened for modification C:\Windows\SysWOW64\Filiii32.exe Efmmmn32.exe File created C:\Windows\SysWOW64\Dcdepb32.dll Fhflnpoi.exe File created C:\Windows\SysWOW64\Hhknpmma.exe Hpdfnolo.exe File created C:\Windows\SysWOW64\Ddnfmqng.exe Dndnpf32.exe File created C:\Windows\SysWOW64\Hkpmpo32.dll Oanfen32.exe File opened for modification C:\Windows\SysWOW64\Bdickcpo.exe Bhbcfbjk.exe File created C:\Windows\SysWOW64\Nfmifiap.dll Fligqhga.exe File created C:\Windows\SysWOW64\Occomh32.dll Ealkjh32.exe File created C:\Windows\SysWOW64\Epaobqhf.dll Ggnedlao.exe File created C:\Windows\SysWOW64\Jqhafffk.exe Jjoiil32.exe File opened for modification C:\Windows\SysWOW64\Neqopnhb.exe Njkkbehl.exe File opened for modification C:\Windows\SysWOW64\Afinioip.exe Ackbmcjl.exe File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe Ljeafb32.exe File created C:\Windows\SysWOW64\Ccqkigkp.exe Cabomkll.exe File opened for modification C:\Windows\SysWOW64\Ejdocm32.exe Edjgfcec.exe File created C:\Windows\SysWOW64\Gmimai32.exe Gfodeohd.exe File opened for modification C:\Windows\SysWOW64\Djjebh32.exe Dpdaepai.exe File created C:\Windows\SysWOW64\Fligqhga.exe Fijkdmhn.exe File opened for modification C:\Windows\SysWOW64\Hnfjbdmk.exe Hjjnae32.exe File opened for modification C:\Windows\SysWOW64\Mnhkbfme.exe Mepfiq32.exe File created C:\Windows\SysWOW64\Mqafhl32.exe Ljhnlb32.exe File opened for modification C:\Windows\SysWOW64\Dpehof32.exe Dikpbl32.exe File opened for modification C:\Windows\SysWOW64\Dkfadkgf.exe Ddligq32.exe File created C:\Windows\SysWOW64\Nglhld32.exe Nncccnol.exe File opened for modification C:\Windows\SysWOW64\Kelkaj32.exe Kjffdalb.exe File created C:\Windows\SysWOW64\Pdkjmfeo.dll Ahgjejhd.exe File created C:\Windows\SysWOW64\Neqopnhb.exe Njkkbehl.exe File created C:\Windows\SysWOW64\Oonnoglh.dll Lnldla32.exe File created C:\Windows\SysWOW64\Fmdmqp32.dll Lbkkgl32.exe File created C:\Windows\SysWOW64\Bhcjqinf.exe Bbiado32.exe File created C:\Windows\SysWOW64\Hilpobpd.dll Mnmmboed.exe File created C:\Windows\SysWOW64\Gdbpil32.dll Caghhk32.exe File created C:\Windows\SysWOW64\Henjapmn.dll Gnhnaf32.exe File created C:\Windows\SysWOW64\Ghbjikdh.dll Omegjomb.exe File created C:\Windows\SysWOW64\Bnoddcef.exe Bkphhgfc.exe File opened for modification C:\Windows\SysWOW64\Njiegl32.exe Nhkikq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1556 764 WerFault.exe 699 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdmein32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmkkjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnphmkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmqlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngndaccj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mefmimif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnfjbdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpdfnolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhkbfme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkhapk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeafb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apodoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpocngo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlddqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqiipljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdaociml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfepf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlhgaqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkphhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpiafnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpleig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emkndc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmiclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoadlfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikmbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflaie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehcfaboo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfeeimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhgjaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkadoiip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qepkbpak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbkdkpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlkge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmikeaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiiggoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmnhcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klahfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqaffn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edopabqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licfngjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omegjomb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgpfk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occomh32.dll" Ealkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqfngd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmlddqem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjkfjbc.dll" Ojdnid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoideh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipoheakj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll" Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpnoh32.dll" Mplafeil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhpiafnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oeehkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpank32.dll" Bhkmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gemdebha.dll" Kfpcoefj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjodaqj.dll" Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaacddn.dll" Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpmpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egacbb32.dll" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljhnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofkgcobj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omdppiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Caghhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjiligp.dll" Fmnkkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghoqak32.dll" Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiboaq32.dll" Dmadco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafnnj32.dll" Kkjeomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dannij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpdfnolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcnfohmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cponen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knodgg32.dll" Miomdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehhpla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpeei32.dll" Dblgpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmiclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nonlon32.dll" Nbqmiinl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcggio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bdickcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpaekqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll" Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nolgijpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aekddhcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achhaode.dll" Fdffbake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfapoa32.dll" Bohibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klcekpdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icnklbmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplbgk32.dll" Lajagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifba32.dll" Pkadoiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkajlm32.dll" Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoobdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Coohhlpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iojbpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milcqamo.dll" Kdmqmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfandnla.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 1960 540 c5e740c86471a6832b496d08d929dbc0N.exe 83 PID 540 wrote to memory of 1960 540 c5e740c86471a6832b496d08d929dbc0N.exe 83 PID 540 wrote to memory of 1960 540 c5e740c86471a6832b496d08d929dbc0N.exe 83 PID 1960 wrote to memory of 5084 1960 Lhncdi32.exe 84 PID 1960 wrote to memory of 5084 1960 Lhncdi32.exe 84 PID 1960 wrote to memory of 5084 1960 Lhncdi32.exe 84 PID 5084 wrote to memory of 4948 5084 Loglacfo.exe 86 PID 5084 wrote to memory of 4948 5084 Loglacfo.exe 86 PID 5084 wrote to memory of 4948 5084 Loglacfo.exe 86 PID 4948 wrote to memory of 4796 4948 Mbedga32.exe 87 PID 4948 wrote to memory of 4796 4948 Mbedga32.exe 87 PID 4948 wrote to memory of 4796 4948 Mbedga32.exe 87 PID 4796 wrote to memory of 4036 4796 Miomdk32.exe 88 PID 4796 wrote to memory of 4036 4796 Miomdk32.exe 88 PID 4796 wrote to memory of 4036 4796 Miomdk32.exe 88 PID 4036 wrote to memory of 3492 4036 Molelb32.exe 90 PID 4036 wrote to memory of 3492 4036 Molelb32.exe 90 PID 4036 wrote to memory of 3492 4036 Molelb32.exe 90 PID 3492 wrote to memory of 3592 3492 Mefmimif.exe 91 PID 3492 wrote to memory of 3592 3492 Mefmimif.exe 91 PID 3492 wrote to memory of 3592 3492 Mefmimif.exe 91 PID 3592 wrote to memory of 4032 3592 Mplafeil.exe 93 PID 3592 wrote to memory of 4032 3592 Mplafeil.exe 93 PID 3592 wrote to memory of 4032 3592 Mplafeil.exe 93 PID 4032 wrote to memory of 5036 4032 Nohehq32.exe 94 PID 4032 wrote to memory of 5036 4032 Nohehq32.exe 94 PID 4032 wrote to memory of 5036 4032 Nohehq32.exe 94 PID 5036 wrote to memory of 1224 5036 Nhpiafnm.exe 95 PID 5036 wrote to memory of 1224 5036 Nhpiafnm.exe 95 PID 5036 wrote to memory of 1224 5036 Nhpiafnm.exe 95 PID 1224 wrote to memory of 3016 1224 Ncfmno32.exe 96 PID 1224 wrote to memory of 3016 1224 Ncfmno32.exe 96 PID 1224 wrote to memory of 3016 1224 Ncfmno32.exe 96 PID 3016 wrote to memory of 4060 3016 Ngdfdmdi.exe 97 PID 3016 wrote to memory of 4060 3016 Ngdfdmdi.exe 97 PID 3016 wrote to memory of 4060 3016 Ngdfdmdi.exe 97 PID 4060 wrote to memory of 1232 4060 Ncjginjn.exe 98 PID 4060 wrote to memory of 1232 4060 Ncjginjn.exe 98 PID 4060 wrote to memory of 1232 4060 Ncjginjn.exe 98 PID 1232 wrote to memory of 820 1232 Olckbd32.exe 99 PID 1232 wrote to memory of 820 1232 Olckbd32.exe 99 PID 1232 wrote to memory of 820 1232 Olckbd32.exe 99 PID 820 wrote to memory of 3768 820 Oghppm32.exe 100 PID 820 wrote to memory of 3768 820 Oghppm32.exe 100 PID 820 wrote to memory of 3768 820 Oghppm32.exe 100 PID 3768 wrote to memory of 3888 3768 Opemca32.exe 101 PID 3768 wrote to memory of 3888 3768 Opemca32.exe 101 PID 3768 wrote to memory of 3888 3768 Opemca32.exe 101 PID 3888 wrote to memory of 1940 3888 Ogpepl32.exe 102 PID 3888 wrote to memory of 1940 3888 Ogpepl32.exe 102 PID 3888 wrote to memory of 1940 3888 Ogpepl32.exe 102 PID 1940 wrote to memory of 4384 1940 Pcicklnn.exe 103 PID 1940 wrote to memory of 4384 1940 Pcicklnn.exe 103 PID 1940 wrote to memory of 4384 1940 Pcicklnn.exe 103 PID 4384 wrote to memory of 1816 4384 Pjbkgfej.exe 104 PID 4384 wrote to memory of 1816 4384 Pjbkgfej.exe 104 PID 4384 wrote to memory of 1816 4384 Pjbkgfej.exe 104 PID 1816 wrote to memory of 2096 1816 Ppmcdq32.exe 105 PID 1816 wrote to memory of 2096 1816 Ppmcdq32.exe 105 PID 1816 wrote to memory of 2096 1816 Ppmcdq32.exe 105 PID 2096 wrote to memory of 1944 2096 Pjehmfch.exe 106 PID 2096 wrote to memory of 1944 2096 Pjehmfch.exe 106 PID 2096 wrote to memory of 1944 2096 Pjehmfch.exe 106 PID 1944 wrote to memory of 4500 1944 Poaqemao.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5e740c86471a6832b496d08d929dbc0N.exe"C:\Users\Admin\AppData\Local\Temp\c5e740c86471a6832b496d08d929dbc0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Lhncdi32.exeC:\Windows\system32\Lhncdi32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Loglacfo.exeC:\Windows\system32\Loglacfo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Molelb32.exeC:\Windows\system32\Molelb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Mefmimif.exeC:\Windows\system32\Mefmimif.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492 -
C:\Windows\SysWOW64\Mplafeil.exeC:\Windows\system32\Mplafeil.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Nohehq32.exeC:\Windows\system32\Nohehq32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Nhpiafnm.exeC:\Windows\system32\Nhpiafnm.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Ngdfdmdi.exeC:\Windows\system32\Ngdfdmdi.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ncjginjn.exeC:\Windows\system32\Ncjginjn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe23⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Qgpogili.exeC:\Windows\system32\Qgpogili.exe24⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe25⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Amcmpodi.exeC:\Windows\system32\Amcmpodi.exe26⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe29⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Bgnkhg32.exeC:\Windows\system32\Bgnkhg32.exe30⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe31⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe32⤵
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe33⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Cgjjdf32.exeC:\Windows\system32\Cgjjdf32.exe35⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Cjhfpa32.exeC:\Windows\system32\Cjhfpa32.exe36⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe38⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Cfogeb32.exeC:\Windows\system32\Cfogeb32.exe39⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe40⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe42⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe43⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4064 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe45⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe46⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe48⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe49⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe51⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Dfjgaq32.exeC:\Windows\system32\Dfjgaq32.exe52⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe53⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe54⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe55⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe57⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe58⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe59⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe60⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Dfamapjo.exeC:\Windows\system32\Dfamapjo.exe61⤵
- Executes dropped EXE
PID:428 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe62⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe64⤵
- Executes dropped EXE
PID:724 -
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe65⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe66⤵PID:1860
-
C:\Windows\SysWOW64\Ehcfaboo.exeC:\Windows\system32\Ehcfaboo.exe67⤵
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe68⤵PID:1604
-
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe70⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe71⤵PID:3532
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe72⤵PID:4756
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe73⤵
- Modifies registry class
PID:4672 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe74⤵PID:1432
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe75⤵PID:4844
-
C:\Windows\SysWOW64\Edopabqn.exeC:\Windows\system32\Edopabqn.exe76⤵
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe77⤵
- Drops file in System32 directory
PID:384 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe78⤵PID:4772
-
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe79⤵PID:4880
-
C:\Windows\SysWOW64\Fhmigagd.exeC:\Windows\system32\Fhmigagd.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4208 -
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe81⤵PID:1084
-
C:\Windows\SysWOW64\Fphnlcdo.exeC:\Windows\system32\Fphnlcdo.exe82⤵PID:1100
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe83⤵PID:320
-
C:\Windows\SysWOW64\Fknbil32.exeC:\Windows\system32\Fknbil32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe85⤵PID:4988
-
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe86⤵
- Modifies registry class
PID:5136 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe87⤵PID:5180
-
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe88⤵
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe89⤵PID:5264
-
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe90⤵
- System Location Discovery: System Language Discovery
PID:5308 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe91⤵PID:5352
-
C:\Windows\SysWOW64\Fpodlbng.exeC:\Windows\system32\Fpodlbng.exe92⤵PID:5392
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe93⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe94⤵PID:5480
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe95⤵PID:5524
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe96⤵PID:5568
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe97⤵PID:5612
-
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe98⤵PID:5656
-
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe99⤵PID:5700
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5748 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe101⤵
- Drops file in System32 directory
PID:5792 -
C:\Windows\SysWOW64\Gnhnaf32.exeC:\Windows\system32\Gnhnaf32.exe102⤵
- Drops file in System32 directory
PID:5836 -
C:\Windows\SysWOW64\Gpfjma32.exeC:\Windows\system32\Gpfjma32.exe103⤵PID:5880
-
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe104⤵PID:5924
-
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe105⤵PID:5968
-
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6012 -
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Ghpocngo.exeC:\Windows\system32\Ghpocngo.exe108⤵
- System Location Discovery: System Language Discovery
PID:6104 -
C:\Windows\SysWOW64\Gknkpjfb.exeC:\Windows\system32\Gknkpjfb.exe109⤵PID:5124
-
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe110⤵PID:3908
-
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5248 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe113⤵PID:1756
-
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe114⤵PID:5196
-
C:\Windows\SysWOW64\Hpmpnp32.exeC:\Windows\system32\Hpmpnp32.exe115⤵
- Modifies registry class
PID:5424 -
C:\Windows\SysWOW64\Hhdhon32.exeC:\Windows\system32\Hhdhon32.exe116⤵PID:5488
-
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe117⤵PID:4236
-
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5620 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe119⤵PID:5684
-
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe120⤵PID:5756
-
C:\Windows\SysWOW64\Hgiepjga.exeC:\Windows\system32\Hgiepjga.exe121⤵PID:5824
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-