Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2024, 23:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe
-
Size
1.3MB
-
MD5
cb784a07060c225773ba40b22695fba0
-
SHA1
c36427b1a181decfa7def993ebe8b450ecac8032
-
SHA256
05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cde
-
SHA512
648952134fe868096ec33465525483e5143d83ee1ad97d4ffc17664322de8baff0993ebbe6c3e005f146a23bad092a9f5041f4184cbc47538b96870f63db9caf
-
SSDEEP
6144:4DtEueqELCE5ZC2npb+oB+Zz2HG8t0DoEWufVuvw0HBHY8rQ+6bPD3wPSk8ymL2G:4+ueaAbaz22cWfVaw0HBHY8r8ABjMn
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddqbbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onmahojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flbhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmcldhfp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnkkij32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaokdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfjeckpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqpclh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmmkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlobmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdaokfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfpled32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Benjkijd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdaajd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqddqj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnllhpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oacmchcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njceqili.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haobnpkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boaeioej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecdkdj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpibdam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfgefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Anmmkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmedi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfjeckpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egdqph32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inagpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdofpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kifcnjpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkigbfja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecjpfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peaahmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjabdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehnpmkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kciaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jcaeea32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbeobhlp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbnopbdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enfjdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdlcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdlflki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Addhbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcjimda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieoapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjldocde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjjfkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hadcce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfbmgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommjnlnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ommjnlnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjdncio.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idjdqc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonnfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngodlgka.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dipgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Defheg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdffah32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hladlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmjcgb32.exe -
Executes dropped EXE 64 IoCs
pid Process 4468 Oloipmfd.exe 4804 Ochamg32.exe 2028 Pfncia32.exe 2204 Pbddobla.exe 4704 Piolkm32.exe 2560 Qmanljfo.exe 3684 Aijlgkjq.exe 3120 Abcppq32.exe 1916 Aecialmb.exe 888 Acgfec32.exe 548 Albkieqj.exe 1684 Bclppboi.exe 904 Bfjllnnm.exe 4300 Bihhhi32.exe 2772 Blgddd32.exe 3732 Bbalaoda.exe 380 Beoimjce.exe 5076 Bmfqngcg.exe 1540 Bpemkcck.exe 2516 Bbcignbo.exe 440 Beaecjab.exe 4244 Bmimdg32.exe 4404 Bpgjpb32.exe 1264 Bbefln32.exe 2064 Bipnihgi.exe 2056 Blnjecfl.exe 4460 Cdebfago.exe 1984 Cfcoblfb.exe 3032 Cffkhl32.exe 2468 Cidgdg32.exe 4856 Clbdpc32.exe 1564 Cdjlap32.exe 432 Cfhhml32.exe 3040 Cmbpjfij.exe 3300 Cpqlfa32.exe 2952 Cfjeckpj.exe 1056 Clgmkbna.exe 3424 Cdnelpod.exe 2568 Cfmahknh.exe 3928 Ciknefmk.exe 2896 Clijablo.exe 2844 Ddqbbo32.exe 2040 Dfonnk32.exe 324 Dinjjf32.exe 4952 Ddcogo32.exe 4996 Dfakcj32.exe 3700 Dipgpf32.exe 688 Dpjompqc.exe 2608 Dbhlikpf.exe 1784 Defheg32.exe 5152 Dmnpfd32.exe 5192 Dpllbp32.exe 5232 Dgfdojfm.exe 5272 Didqkeeq.exe 5312 Dlcmgqdd.exe 5352 Dcmedk32.exe 5392 Dghadidj.exe 5432 Dmbiackg.exe 5472 Epaemojk.exe 5512 Ecoaijio.exe 5552 Eennefib.exe 5592 Emeffcid.exe 5632 Epcbbohh.exe 5672 Egmjpi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dcihengm.dll Iqbpahpc.exe File created C:\Windows\SysWOW64\Limpiomm.exe Likcdpop.exe File opened for modification C:\Windows\SysWOW64\Ochamg32.exe Oloipmfd.exe File opened for modification C:\Windows\SysWOW64\Lajhpbme.exe Leqkeajd.exe File created C:\Windows\SysWOW64\Igadaq32.dll Agaoca32.exe File created C:\Windows\SysWOW64\Deagoa32.exe Cnebmgjj.exe File opened for modification C:\Windows\SysWOW64\Iadljc32.exe Ikjcmi32.exe File created C:\Windows\SysWOW64\Olomcacj.dll Ldkfno32.exe File created C:\Windows\SysWOW64\Fcibchgq.exe Fjanjb32.exe File created C:\Windows\SysWOW64\Gnmbao32.exe Gffkpa32.exe File opened for modification C:\Windows\SysWOW64\Pfncia32.exe Ochamg32.exe File created C:\Windows\SysWOW64\Iqpclh32.exe Inagpm32.exe File created C:\Windows\SysWOW64\Bilflj32.dll Dlobmd32.exe File created C:\Windows\SysWOW64\Komoed32.exe Kicfijal.exe File created C:\Windows\SysWOW64\Fjphoi32.exe Fagcfc32.exe File created C:\Windows\SysWOW64\Fnjmea32.exe Fgqehgco.exe File opened for modification C:\Windows\SysWOW64\Gmfkjl32.exe Gjhonp32.exe File created C:\Windows\SysWOW64\Ccgajg32.dll Gmfkjl32.exe File created C:\Windows\SysWOW64\Jhejgl32.exe Jchaoe32.exe File created C:\Windows\SysWOW64\Deejpjgc.exe Dlmegd32.exe File created C:\Windows\SysWOW64\Dmphjfab.exe Dkokbn32.exe File opened for modification C:\Windows\SysWOW64\Ekahhn32.exe Ecjpfp32.exe File created C:\Windows\SysWOW64\Kjmole32.dll Pbddobla.exe File opened for modification C:\Windows\SysWOW64\Ecdkdj32.exe Eljchpnl.exe File opened for modification C:\Windows\SysWOW64\Fdhail32.exe Flaiho32.exe File opened for modification C:\Windows\SysWOW64\Ikjcmi32.exe Ihlgan32.exe File opened for modification C:\Windows\SysWOW64\Cllkcbnl.exe Ccdgjm32.exe File created C:\Windows\SysWOW64\Qgjgeo32.dll Joikdk32.exe File created C:\Windows\SysWOW64\Kaonaekb.exe Jdkmgali.exe File created C:\Windows\SysWOW64\Ldblon32.exe Loecgfjf.exe File opened for modification C:\Windows\SysWOW64\Bbalaoda.exe Blgddd32.exe File created C:\Windows\SysWOW64\Bflajb32.dll Gfemmb32.exe File created C:\Windows\SysWOW64\Glabolja.exe Gjcfcakn.exe File created C:\Windows\SysWOW64\Aocafeff.dll Ndmpddfe.exe File opened for modification C:\Windows\SysWOW64\Qnamofdf.exe Qajlje32.exe File opened for modification C:\Windows\SysWOW64\Gedohfmp.exe Glkkop32.exe File created C:\Windows\SysWOW64\Ejhikgob.dll Didjqoae.exe File created C:\Windows\SysWOW64\Kmmmnp32.exe Kjlcmdbb.exe File created C:\Windows\SysWOW64\Cqmldgdc.dll Kfbmgo32.exe File opened for modification C:\Windows\SysWOW64\Fdobhm32.exe Fhhaclqc.exe File opened for modification C:\Windows\SysWOW64\Aikijjon.exe Aofemaog.exe File created C:\Windows\SysWOW64\Gnlenp32.exe Gfemmb32.exe File created C:\Windows\SysWOW64\Aepeonfe.dll Oeopnmoa.exe File opened for modification C:\Windows\SysWOW64\Pllppnnm.exe Pkkdhe32.exe File opened for modification C:\Windows\SysWOW64\Abjkmqni.exe Aploae32.exe File opened for modification C:\Windows\SysWOW64\Kjdqhjpf.exe Kmppneal.exe File opened for modification C:\Windows\SysWOW64\Cddjofbj.exe Cnjbbl32.exe File created C:\Windows\SysWOW64\Pckakb32.dll Alelkf32.exe File opened for modification C:\Windows\SysWOW64\Emdjjo32.exe Eggbbhkj.exe File created C:\Windows\SysWOW64\Mnmmmbll.exe Mgceqh32.exe File opened for modification C:\Windows\SysWOW64\Dndlba32.exe Ckcbaf32.exe File created C:\Windows\SysWOW64\Bkpdml32.dll Haafnf32.exe File created C:\Windows\SysWOW64\Bfjllnnm.exe Bclppboi.exe File opened for modification C:\Windows\SysWOW64\Bbcignbo.exe Bpemkcck.exe File opened for modification C:\Windows\SysWOW64\Hgebnc32.exe Hdffah32.exe File created C:\Windows\SysWOW64\Gccnfmnd.dll Ifoijonj.exe File created C:\Windows\SysWOW64\Jebdkl32.dll Bbbblhnc.exe File opened for modification C:\Windows\SysWOW64\Hgdlcm32.exe Hhckeeam.exe File created C:\Windows\SysWOW64\Olbpjb32.dll Hhpaki32.exe File created C:\Windows\SysWOW64\Nbibeo32.exe Niqnli32.exe File created C:\Windows\SysWOW64\Kdinpc32.dll Jmffnq32.exe File opened for modification C:\Windows\SysWOW64\Ojkkah32.exe Omgjhc32.exe File created C:\Windows\SysWOW64\Pbpckclh.dll Akbjidbf.exe File created C:\Windows\SysWOW64\Jekpljgg.exe Jkeloa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8752 9108 WerFault.exe 867 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnjecfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mankaked.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhkoaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbpbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhojqcil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbgcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkijc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akopoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpfqiha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbpjfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdffah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndejcemn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agnkck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjgfgbek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohcmjic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdeneij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjkmqni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcaidlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mndcnafd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcoblfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpfholhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlmegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giddddad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhgfaha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngodlgka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbphn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjlap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnabladg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhpogij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkkah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjbbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihdnloc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdgjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommjnlnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjemle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqfolqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flgadake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnahbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdobhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbnchlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojohp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejkfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emeffcid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkqdnkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihlahjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollgiplp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acmomgoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgicmpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afboah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeaim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijgjpaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppafpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkokbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkldlgok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgeqcnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eljchpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppamjcpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaiac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjcmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mboqnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpmobi32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kciaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfoflccp.dll" Fjanjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eennefib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokbiohj.dll" Bplhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpenp32.dll" Fcibchgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldblon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Canocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bkglkapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibdpo32.dll" Ckcbaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldpoinjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbddobla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Limpiomm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pklamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapppp32.dll" Jddnah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llpofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokkjn32.dll" Ppafpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdqhfcem.dll" Hobcgdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjgeo32.dll" Joikdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeodqocd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kggjghkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epplai32.dll" Iadljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmfaafej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpjhlche.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjkhghe.dll" Cjaiac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jojboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghbkdald.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmapb32.dll" Djmbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhoimi32.dll" Cgagjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmpcc32.dll" Cfgace32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjdfgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnefhfih.dll" Jojboa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfigmch.dll" Nejbaqgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccdgjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkidnm.dll" Emdjjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onbpop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kaqejcep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmafn32.dll" Lajhpbme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdjlap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmdlflki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfndbnlp.dll" Kmpido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqqkagjo.dll" Nmkkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijhgmeo.dll" Bgicdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmifcjif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Painhneh.dll" Gjebiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgdlcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kicfijal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Komoed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnhbbmim.dll" Ccdgjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ochamg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnahbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hqddqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ophjdehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejcaidlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Canocm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Himgjbii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppajem32.dll" Ppgeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hklpaeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oihkgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knemellp.dll" Pjlnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqdlmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgmmdep.dll" Jhhgmlli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egccmi32.dll" Npnqcpmc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4224 wrote to memory of 4468 4224 05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe 89 PID 4224 wrote to memory of 4468 4224 05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe 89 PID 4224 wrote to memory of 4468 4224 05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe 89 PID 4468 wrote to memory of 4804 4468 Oloipmfd.exe 90 PID 4468 wrote to memory of 4804 4468 Oloipmfd.exe 90 PID 4468 wrote to memory of 4804 4468 Oloipmfd.exe 90 PID 4804 wrote to memory of 2028 4804 Ochamg32.exe 91 PID 4804 wrote to memory of 2028 4804 Ochamg32.exe 91 PID 4804 wrote to memory of 2028 4804 Ochamg32.exe 91 PID 2028 wrote to memory of 2204 2028 Pfncia32.exe 92 PID 2028 wrote to memory of 2204 2028 Pfncia32.exe 92 PID 2028 wrote to memory of 2204 2028 Pfncia32.exe 92 PID 2204 wrote to memory of 4704 2204 Pbddobla.exe 93 PID 2204 wrote to memory of 4704 2204 Pbddobla.exe 93 PID 2204 wrote to memory of 4704 2204 Pbddobla.exe 93 PID 4704 wrote to memory of 2560 4704 Piolkm32.exe 94 PID 4704 wrote to memory of 2560 4704 Piolkm32.exe 94 PID 4704 wrote to memory of 2560 4704 Piolkm32.exe 94 PID 2560 wrote to memory of 3684 2560 Qmanljfo.exe 95 PID 2560 wrote to memory of 3684 2560 Qmanljfo.exe 95 PID 2560 wrote to memory of 3684 2560 Qmanljfo.exe 95 PID 3684 wrote to memory of 3120 3684 Aijlgkjq.exe 96 PID 3684 wrote to memory of 3120 3684 Aijlgkjq.exe 96 PID 3684 wrote to memory of 3120 3684 Aijlgkjq.exe 96 PID 3120 wrote to memory of 1916 3120 Abcppq32.exe 97 PID 3120 wrote to memory of 1916 3120 Abcppq32.exe 97 PID 3120 wrote to memory of 1916 3120 Abcppq32.exe 97 PID 1916 wrote to memory of 888 1916 Aecialmb.exe 98 PID 1916 wrote to memory of 888 1916 Aecialmb.exe 98 PID 1916 wrote to memory of 888 1916 Aecialmb.exe 98 PID 888 wrote to memory of 548 888 Acgfec32.exe 99 PID 888 wrote to memory of 548 888 Acgfec32.exe 99 PID 888 wrote to memory of 548 888 Acgfec32.exe 99 PID 548 wrote to memory of 1684 548 Albkieqj.exe 100 PID 548 wrote to memory of 1684 548 Albkieqj.exe 100 PID 548 wrote to memory of 1684 548 Albkieqj.exe 100 PID 1684 wrote to memory of 904 1684 Bclppboi.exe 101 PID 1684 wrote to memory of 904 1684 Bclppboi.exe 101 PID 1684 wrote to memory of 904 1684 Bclppboi.exe 101 PID 904 wrote to memory of 4300 904 Bfjllnnm.exe 102 PID 904 wrote to memory of 4300 904 Bfjllnnm.exe 102 PID 904 wrote to memory of 4300 904 Bfjllnnm.exe 102 PID 4300 wrote to memory of 2772 4300 Bihhhi32.exe 103 PID 4300 wrote to memory of 2772 4300 Bihhhi32.exe 103 PID 4300 wrote to memory of 2772 4300 Bihhhi32.exe 103 PID 2772 wrote to memory of 3732 2772 Blgddd32.exe 104 PID 2772 wrote to memory of 3732 2772 Blgddd32.exe 104 PID 2772 wrote to memory of 3732 2772 Blgddd32.exe 104 PID 3732 wrote to memory of 380 3732 Bbalaoda.exe 105 PID 3732 wrote to memory of 380 3732 Bbalaoda.exe 105 PID 3732 wrote to memory of 380 3732 Bbalaoda.exe 105 PID 380 wrote to memory of 5076 380 Beoimjce.exe 106 PID 380 wrote to memory of 5076 380 Beoimjce.exe 106 PID 380 wrote to memory of 5076 380 Beoimjce.exe 106 PID 5076 wrote to memory of 1540 5076 Bmfqngcg.exe 107 PID 5076 wrote to memory of 1540 5076 Bmfqngcg.exe 107 PID 5076 wrote to memory of 1540 5076 Bmfqngcg.exe 107 PID 1540 wrote to memory of 2516 1540 Bpemkcck.exe 108 PID 1540 wrote to memory of 2516 1540 Bpemkcck.exe 108 PID 1540 wrote to memory of 2516 1540 Bpemkcck.exe 108 PID 2516 wrote to memory of 440 2516 Bbcignbo.exe 109 PID 2516 wrote to memory of 440 2516 Bbcignbo.exe 109 PID 2516 wrote to memory of 440 2516 Bbcignbo.exe 109 PID 440 wrote to memory of 4244 440 Beaecjab.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe"C:\Users\Admin\AppData\Local\Temp\05a23dde82dee501b21c7f7aa748ff0720f5fefa55c5e45b4f3e3835a6159cdeN.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Oloipmfd.exeC:\Windows\system32\Oloipmfd.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\Ochamg32.exeC:\Windows\system32\Ochamg32.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Pbddobla.exeC:\Windows\system32\Pbddobla.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Piolkm32.exeC:\Windows\system32\Piolkm32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\SysWOW64\Qmanljfo.exeC:\Windows\system32\Qmanljfo.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Aijlgkjq.exeC:\Windows\system32\Aijlgkjq.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\Abcppq32.exeC:\Windows\system32\Abcppq32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\SysWOW64\Aecialmb.exeC:\Windows\system32\Aecialmb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Acgfec32.exeC:\Windows\system32\Acgfec32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\SysWOW64\Albkieqj.exeC:\Windows\system32\Albkieqj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Bclppboi.exeC:\Windows\system32\Bclppboi.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Bfjllnnm.exeC:\Windows\system32\Bfjllnnm.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Bihhhi32.exeC:\Windows\system32\Bihhhi32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\SysWOW64\Blgddd32.exeC:\Windows\system32\Blgddd32.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Bbalaoda.exeC:\Windows\system32\Bbalaoda.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\Beoimjce.exeC:\Windows\system32\Beoimjce.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Bmfqngcg.exeC:\Windows\system32\Bmfqngcg.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Bpemkcck.exeC:\Windows\system32\Bpemkcck.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Bbcignbo.exeC:\Windows\system32\Bbcignbo.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Beaecjab.exeC:\Windows\system32\Beaecjab.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\Bmimdg32.exeC:\Windows\system32\Bmimdg32.exe23⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe24⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\Bbefln32.exeC:\Windows\system32\Bbefln32.exe25⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Bipnihgi.exeC:\Windows\system32\Bipnihgi.exe26⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Blnjecfl.exeC:\Windows\system32\Blnjecfl.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Cdebfago.exeC:\Windows\system32\Cdebfago.exe28⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Cfcoblfb.exeC:\Windows\system32\Cfcoblfb.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Cffkhl32.exeC:\Windows\system32\Cffkhl32.exe30⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Cidgdg32.exeC:\Windows\system32\Cidgdg32.exe31⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe32⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Cdjlap32.exeC:\Windows\system32\Cdjlap32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Cfhhml32.exeC:\Windows\system32\Cfhhml32.exe34⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Cmbpjfij.exeC:\Windows\system32\Cmbpjfij.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Cpqlfa32.exeC:\Windows\system32\Cpqlfa32.exe36⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Cfjeckpj.exeC:\Windows\system32\Cfjeckpj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Clgmkbna.exeC:\Windows\system32\Clgmkbna.exe38⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Cdnelpod.exeC:\Windows\system32\Cdnelpod.exe39⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\Cfmahknh.exeC:\Windows\system32\Cfmahknh.exe40⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ciknefmk.exeC:\Windows\system32\Ciknefmk.exe41⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Clijablo.exeC:\Windows\system32\Clijablo.exe42⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Dfonnk32.exeC:\Windows\system32\Dfonnk32.exe44⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Dinjjf32.exeC:\Windows\system32\Dinjjf32.exe45⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Dllffa32.exeC:\Windows\system32\Dllffa32.exe46⤵PID:3892
-
C:\Windows\SysWOW64\Ddcogo32.exeC:\Windows\system32\Ddcogo32.exe47⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Dfakcj32.exeC:\Windows\system32\Dfakcj32.exe48⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Dipgpf32.exeC:\Windows\system32\Dipgpf32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Dpjompqc.exeC:\Windows\system32\Dpjompqc.exe50⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Dbhlikpf.exeC:\Windows\system32\Dbhlikpf.exe51⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Defheg32.exeC:\Windows\system32\Defheg32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Dmnpfd32.exeC:\Windows\system32\Dmnpfd32.exe53⤵
- Executes dropped EXE
PID:5152 -
C:\Windows\SysWOW64\Dpllbp32.exeC:\Windows\system32\Dpllbp32.exe54⤵
- Executes dropped EXE
PID:5192 -
C:\Windows\SysWOW64\Dgfdojfm.exeC:\Windows\system32\Dgfdojfm.exe55⤵
- Executes dropped EXE
PID:5232 -
C:\Windows\SysWOW64\Didqkeeq.exeC:\Windows\system32\Didqkeeq.exe56⤵
- Executes dropped EXE
PID:5272 -
C:\Windows\SysWOW64\Dlcmgqdd.exeC:\Windows\system32\Dlcmgqdd.exe57⤵
- Executes dropped EXE
PID:5312 -
C:\Windows\SysWOW64\Dcmedk32.exeC:\Windows\system32\Dcmedk32.exe58⤵
- Executes dropped EXE
PID:5352 -
C:\Windows\SysWOW64\Dghadidj.exeC:\Windows\system32\Dghadidj.exe59⤵
- Executes dropped EXE
PID:5392 -
C:\Windows\SysWOW64\Dmbiackg.exeC:\Windows\system32\Dmbiackg.exe60⤵
- Executes dropped EXE
PID:5432 -
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe61⤵
- Executes dropped EXE
PID:5472 -
C:\Windows\SysWOW64\Ecoaijio.exeC:\Windows\system32\Ecoaijio.exe62⤵
- Executes dropped EXE
PID:5512 -
C:\Windows\SysWOW64\Eennefib.exeC:\Windows\system32\Eennefib.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5552 -
C:\Windows\SysWOW64\Emeffcid.exeC:\Windows\system32\Emeffcid.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5592 -
C:\Windows\SysWOW64\Epcbbohh.exeC:\Windows\system32\Epcbbohh.exe65⤵
- Executes dropped EXE
PID:5632 -
C:\Windows\SysWOW64\Egmjpi32.exeC:\Windows\system32\Egmjpi32.exe66⤵
- Executes dropped EXE
PID:5672 -
C:\Windows\SysWOW64\Eilfldoi.exeC:\Windows\system32\Eilfldoi.exe67⤵PID:5712
-
C:\Windows\SysWOW64\Eljchpnl.exeC:\Windows\system32\Eljchpnl.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5752 -
C:\Windows\SysWOW64\Ecdkdj32.exeC:\Windows\system32\Ecdkdj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5792 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe70⤵PID:5832
-
C:\Windows\SysWOW64\Ellpmolj.exeC:\Windows\system32\Ellpmolj.exe71⤵PID:5872
-
C:\Windows\SysWOW64\Edcgnmml.exeC:\Windows\system32\Edcgnmml.exe72⤵PID:5912
-
C:\Windows\SysWOW64\Egbdjhlp.exeC:\Windows\system32\Egbdjhlp.exe73⤵PID:5952
-
C:\Windows\SysWOW64\Eippgckc.exeC:\Windows\system32\Eippgckc.exe74⤵PID:5992
-
C:\Windows\SysWOW64\Elolco32.exeC:\Windows\system32\Elolco32.exe75⤵PID:6032
-
C:\Windows\SysWOW64\Edfddl32.exeC:\Windows\system32\Edfddl32.exe76⤵PID:6072
-
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6112 -
C:\Windows\SysWOW64\Eibmlc32.exeC:\Windows\system32\Eibmlc32.exe78⤵PID:4008
-
C:\Windows\SysWOW64\Flaiho32.exeC:\Windows\system32\Flaiho32.exe79⤵
- Drops file in System32 directory
PID:4872 -
C:\Windows\SysWOW64\Fdhail32.exeC:\Windows\system32\Fdhail32.exe80⤵PID:4984
-
C:\Windows\SysWOW64\Feimadoe.exeC:\Windows\system32\Feimadoe.exe81⤵PID:4216
-
C:\Windows\SysWOW64\Fnqebaog.exeC:\Windows\system32\Fnqebaog.exe82⤵PID:4252
-
C:\Windows\SysWOW64\Fpoaom32.exeC:\Windows\system32\Fpoaom32.exe83⤵PID:1724
-
C:\Windows\SysWOW64\Fgijkgeh.exeC:\Windows\system32\Fgijkgeh.exe84⤵PID:4456
-
C:\Windows\SysWOW64\Fjgfgbek.exeC:\Windows\system32\Fjgfgbek.exe85⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Flfbcndo.exeC:\Windows\system32\Flfbcndo.exe86⤵PID:5296
-
C:\Windows\SysWOW64\Fdmjdkda.exeC:\Windows\system32\Fdmjdkda.exe87⤵PID:5380
-
C:\Windows\SysWOW64\Fgkfqgce.exeC:\Windows\system32\Fgkfqgce.exe88⤵PID:5468
-
C:\Windows\SysWOW64\Fjjcmbci.exeC:\Windows\system32\Fjjcmbci.exe89⤵PID:5548
-
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe90⤵PID:5640
-
C:\Windows\SysWOW64\Fcbgfhii.exeC:\Windows\system32\Fcbgfhii.exe91⤵PID:5740
-
C:\Windows\SysWOW64\Ffpcbchm.exeC:\Windows\system32\Ffpcbchm.exe92⤵PID:1920
-
C:\Windows\SysWOW64\Fnglcqio.exeC:\Windows\system32\Fnglcqio.exe93⤵PID:5868
-
C:\Windows\SysWOW64\Fpfholhc.exeC:\Windows\system32\Fpfholhc.exe94⤵
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Windows\SysWOW64\Fgpplf32.exeC:\Windows\system32\Fgpplf32.exe95⤵PID:6028
-
C:\Windows\SysWOW64\Gnjhhpgl.exeC:\Windows\system32\Gnjhhpgl.exe96⤵PID:6104
-
C:\Windows\SysWOW64\Gphddlfp.exeC:\Windows\system32\Gphddlfp.exe97⤵PID:3428
-
C:\Windows\SysWOW64\Gcgqag32.exeC:\Windows\system32\Gcgqag32.exe98⤵PID:1312
-
C:\Windows\SysWOW64\Gfemmb32.exeC:\Windows\system32\Gfemmb32.exe99⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Gnlenp32.exeC:\Windows\system32\Gnlenp32.exe100⤵PID:5144
-
C:\Windows\SysWOW64\Gqkajk32.exeC:\Windows\system32\Gqkajk32.exe101⤵PID:6188
-
C:\Windows\SysWOW64\Gcimfg32.exeC:\Windows\system32\Gcimfg32.exe102⤵PID:6220
-
C:\Windows\SysWOW64\Gjcfcakn.exeC:\Windows\system32\Gjcfcakn.exe103⤵
- Drops file in System32 directory
PID:6260 -
C:\Windows\SysWOW64\Glabolja.exeC:\Windows\system32\Glabolja.exe104⤵PID:6300
-
C:\Windows\SysWOW64\Gdhjpjjd.exeC:\Windows\system32\Gdhjpjjd.exe105⤵PID:6340
-
C:\Windows\SysWOW64\Gggfme32.exeC:\Windows\system32\Gggfme32.exe106⤵PID:6380
-
C:\Windows\SysWOW64\Gjebiq32.exeC:\Windows\system32\Gjebiq32.exe107⤵
- Modifies registry class
PID:6420 -
C:\Windows\SysWOW64\Gmdoel32.exeC:\Windows\system32\Gmdoel32.exe108⤵PID:6460
-
C:\Windows\SysWOW64\Gdkffi32.exeC:\Windows\system32\Gdkffi32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6500 -
C:\Windows\SysWOW64\Ggicbe32.exeC:\Windows\system32\Ggicbe32.exe110⤵PID:6540
-
C:\Windows\SysWOW64\Gjhonp32.exeC:\Windows\system32\Gjhonp32.exe111⤵
- Drops file in System32 directory
PID:6580 -
C:\Windows\SysWOW64\Gmfkjl32.exeC:\Windows\system32\Gmfkjl32.exe112⤵
- Drops file in System32 directory
PID:6620 -
C:\Windows\SysWOW64\Gdmcki32.exeC:\Windows\system32\Gdmcki32.exe113⤵PID:6660
-
C:\Windows\SysWOW64\Gglpgd32.exeC:\Windows\system32\Gglpgd32.exe114⤵
- System Location Discovery: System Language Discovery
PID:6700 -
C:\Windows\SysWOW64\Hjjldpdf.exeC:\Windows\system32\Hjjldpdf.exe115⤵PID:6740
-
C:\Windows\SysWOW64\Hqddqj32.exeC:\Windows\system32\Hqddqj32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6780 -
C:\Windows\SysWOW64\Hcbpme32.exeC:\Windows\system32\Hcbpme32.exe117⤵PID:6820
-
C:\Windows\SysWOW64\Hjlhipbc.exeC:\Windows\system32\Hjlhipbc.exe118⤵PID:6860
-
C:\Windows\SysWOW64\Hmkeekag.exeC:\Windows\system32\Hmkeekag.exe119⤵PID:6900
-
C:\Windows\SysWOW64\Hdbmfhbi.exeC:\Windows\system32\Hdbmfhbi.exe120⤵PID:6940
-
C:\Windows\SysWOW64\Hgpibdam.exeC:\Windows\system32\Hgpibdam.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-