Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/10/2024, 05:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe
-
Size
192KB
-
MD5
d6a6383e8545a0ac024fad55b64985d0
-
SHA1
45224685dc758c45d8de651e7d057a37759711e5
-
SHA256
b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34
-
SHA512
dc7bbc3f8a50dcc66dac79e258815a3d42097faeb6477e1e3a257d5eba1e233d094641ebdd411388246d4754ca073e18ed3003b6b079b2b06077cf6a4c32ff91
-
SSDEEP
3072:/S0+eiXvT0FRBm/fY6hxk3FQo7fnEBctcp/+wreVisp:/S8bDgHY6hxk3FF7fPtcsw6U2
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebckmaec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcknhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eijdkcgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdekgjno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhmofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjqmig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqahqd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmbqegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gckdgjeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbmdhfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbaii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihglhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbekjcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmdmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcqombic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dilapopb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqennbbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2304 Oiljam32.exe 2252 Oeckfndj.exe 2112 Okpcoe32.exe 2840 Obgkpb32.exe 2724 Oonldcih.exe 2620 Oehdan32.exe 2596 Ohfqmi32.exe 2168 Oanefo32.exe 768 Odmabj32.exe 2580 Ppcbgkka.exe 1896 Pgnjde32.exe 284 Ppfomk32.exe 1588 Pgpgjepk.exe 2816 Poklngnf.exe 2988 Piqpkpml.exe 1716 Phcpgm32.exe 408 Pegqpacp.exe 900 Phfmllbd.exe 2488 Pejmfqan.exe 1468 Qkffng32.exe 784 Qnebjc32.exe 1600 Qaqnkafa.exe 1788 Qfljkp32.exe 2028 Qododfek.exe 2004 Qackpado.exe 2500 Agpcihcf.exe 2248 Akkoig32.exe 2868 Abegfa32.exe 2420 Acfdnihk.exe 2276 Amohfo32.exe 2592 Adfqgl32.exe 2180 Ajcipc32.exe 2644 Aopahjll.exe 1612 Ackmih32.exe 1644 Aihfap32.exe 1692 Aobnniji.exe 1636 Abpjjeim.exe 1964 Akiobk32.exe 2804 Bcpgdhpp.exe 2976 Bimoloog.exe 2268 Bofgii32.exe 3032 Bnldjekl.exe 2784 Bbgqjdce.exe 1200 Befmfpbi.exe 3024 Biaign32.exe 1432 Bammlq32.exe 1976 Behilopf.exe 1496 Bgffhkoj.exe 2556 Bkbaii32.exe 2236 Bjebdfnn.exe 2740 Bmcnqama.exe 3012 Baojapfj.exe 2912 Bcmfmlen.exe 2704 Bgibnj32.exe 2568 Cjgoje32.exe 568 Caaggpdh.exe 2872 Cpdgbm32.exe 1184 Cgkocj32.exe 1780 Cjjkpe32.exe 2952 Cmhglq32.exe 2956 Cpfdhl32.exe 1836 Ccbphk32.exe 1408 Cfpldf32.exe 2232 Ciohqa32.exe -
Loads dropped DLL 64 IoCs
pid Process 592 b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe 592 b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe 2304 Oiljam32.exe 2304 Oiljam32.exe 2252 Oeckfndj.exe 2252 Oeckfndj.exe 2112 Okpcoe32.exe 2112 Okpcoe32.exe 2840 Obgkpb32.exe 2840 Obgkpb32.exe 2724 Oonldcih.exe 2724 Oonldcih.exe 2620 Oehdan32.exe 2620 Oehdan32.exe 2596 Ohfqmi32.exe 2596 Ohfqmi32.exe 2168 Oanefo32.exe 2168 Oanefo32.exe 768 Odmabj32.exe 768 Odmabj32.exe 2580 Ppcbgkka.exe 2580 Ppcbgkka.exe 1896 Pgnjde32.exe 1896 Pgnjde32.exe 284 Ppfomk32.exe 284 Ppfomk32.exe 1588 Pgpgjepk.exe 1588 Pgpgjepk.exe 2816 Poklngnf.exe 2816 Poklngnf.exe 2988 Piqpkpml.exe 2988 Piqpkpml.exe 1716 Phcpgm32.exe 1716 Phcpgm32.exe 408 Pegqpacp.exe 408 Pegqpacp.exe 900 Phfmllbd.exe 900 Phfmllbd.exe 2488 Pejmfqan.exe 2488 Pejmfqan.exe 1468 Qkffng32.exe 1468 Qkffng32.exe 784 Qnebjc32.exe 784 Qnebjc32.exe 1600 Qaqnkafa.exe 1600 Qaqnkafa.exe 1788 Qfljkp32.exe 1788 Qfljkp32.exe 2028 Qododfek.exe 2028 Qododfek.exe 2004 Qackpado.exe 2004 Qackpado.exe 2500 Agpcihcf.exe 2500 Agpcihcf.exe 2248 Akkoig32.exe 2248 Akkoig32.exe 2868 Abegfa32.exe 2868 Abegfa32.exe 2420 Acfdnihk.exe 2420 Acfdnihk.exe 2276 Amohfo32.exe 2276 Amohfo32.exe 2592 Adfqgl32.exe 2592 Adfqgl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gkcekfad.exe Ghdiokbq.exe File opened for modification C:\Windows\SysWOW64\Bniajoic.exe Bgoime32.exe File created C:\Windows\SysWOW64\Bghdmolf.dll Process not Found File created C:\Windows\SysWOW64\Cefhdnca.dll Kjahej32.exe File opened for modification C:\Windows\SysWOW64\Aiknnf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Objmgd32.exe Process not Found File created C:\Windows\SysWOW64\Fmfalg32.exe Process not Found File created C:\Windows\SysWOW64\Hfgjcq32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Eeojcmfi.exe Ebqngb32.exe File created C:\Windows\SysWOW64\Dapaph32.dll Process not Found File created C:\Windows\SysWOW64\Edjdohaf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gphlgk32.exe Process not Found File created C:\Windows\SysWOW64\Qhilkege.exe Qejpoi32.exe File created C:\Windows\SysWOW64\Opaqpn32.exe Oighcd32.exe File created C:\Windows\SysWOW64\Akdafn32.exe Process not Found File created C:\Windows\SysWOW64\Cillnojb.dll Fdqnkoep.exe File created C:\Windows\SysWOW64\Fnadkjlc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bmenijcd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gkcekfad.exe Ghdiokbq.exe File created C:\Windows\SysWOW64\Plcaioco.dll Nlnpgd32.exe File created C:\Windows\SysWOW64\Gfkmie32.exe Gcmamj32.exe File opened for modification C:\Windows\SysWOW64\Hkjkle32.exe Hhkopj32.exe File opened for modification C:\Windows\SysWOW64\Nffccejb.exe Nnokahip.exe File created C:\Windows\SysWOW64\Hgeckn32.dll Process not Found File created C:\Windows\SysWOW64\Lddkfl32.dll Process not Found File created C:\Windows\SysWOW64\Egonhf32.exe Ehlmljkm.exe File opened for modification C:\Windows\SysWOW64\Ojndpqpq.exe Process not Found File created C:\Windows\SysWOW64\Ciepkajj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ghenamai.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oeckfndj.exe Oiljam32.exe File opened for modification C:\Windows\SysWOW64\Pnfpjc32.exe Process not Found File created C:\Windows\SysWOW64\Jjijkmbi.exe Process not Found File created C:\Windows\SysWOW64\Qkelme32.exe Process not Found File created C:\Windows\SysWOW64\Oqagbp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jcoanb32.exe Process not Found File created C:\Windows\SysWOW64\Ingkdeak.exe Ijkocg32.exe File created C:\Windows\SysWOW64\Bccjfi32.dll Lmmfnb32.exe File created C:\Windows\SysWOW64\Cdakffdn.dll Occjjnap.exe File opened for modification C:\Windows\SysWOW64\Dammoahg.exe Process not Found File created C:\Windows\SysWOW64\Ebmjlg32.dll Idgglb32.exe File opened for modification C:\Windows\SysWOW64\Mmkafhnb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Elejqm32.exe Process not Found File created C:\Windows\SysWOW64\Qejpoi32.exe Pblcbn32.exe File created C:\Windows\SysWOW64\Boemlbpk.exe Blfapfpg.exe File created C:\Windows\SysWOW64\Hqkmplen.exe Hnmacpfj.exe File opened for modification C:\Windows\SysWOW64\Abbhje32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Djmknb32.exe Process not Found File created C:\Windows\SysWOW64\Papank32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fjjpjgjj.exe Fgldnkkf.exe File created C:\Windows\SysWOW64\Ligfakaa.exe Process not Found File created C:\Windows\SysWOW64\Dlbloflp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Chjjde32.exe Process not Found File created C:\Windows\SysWOW64\Jcqoqi32.dll Process not Found File created C:\Windows\SysWOW64\Olalpdbc.exe Process not Found File created C:\Windows\SysWOW64\Kjaglbok.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oklmhcdf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hjlemlnk.exe Process not Found File created C:\Windows\SysWOW64\Gfjkqg32.dll Process not Found File created C:\Windows\SysWOW64\Dmkcil32.exe Dnhbmpkn.exe File created C:\Windows\SysWOW64\Ijnkifgp.exe Ifbphh32.exe File opened for modification C:\Windows\SysWOW64\Lkggmldl.exe Lgkkmm32.exe File opened for modification C:\Windows\SysWOW64\Nhbciaki.exe Nfdfmfle.exe File created C:\Windows\SysWOW64\Lmnhgjmp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aadakl32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3340 4120 Process not Found 2411 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khgkpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaigib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfibhjlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneohj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnoejch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqjaeeog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lemdncoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpphdpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjahej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnlocgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbbkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjacjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmimcbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhmofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigndekn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liipnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijclol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlhkofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffccejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbppnbhm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dinfgd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giacpp32.dll" Ipeaco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eimcjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnifdmnc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imdbjp32.dll" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjoipcl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijfeeok.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmdkjmip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacehe32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmjhgbh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aaimopli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iikkon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifdeao32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fplllkdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Popgboae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpnopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhbkpgbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgnjde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfknedh.dll" Hokhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nplkbo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deollamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfcdcl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhdjgoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgknkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbidn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlckjo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahjmjal.dll" Ibkmchbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdloip.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll" Bgcbhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnlpnk32.dll" Gdcjpncm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aobpfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Piieicgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifemminl.dll" Flnlkgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll" Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdoodan.dll" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofgekcjh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfbnp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffhohhi.dll" Fdiqpigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lofifi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 592 wrote to memory of 2304 592 b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe 30 PID 592 wrote to memory of 2304 592 b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe 30 PID 592 wrote to memory of 2304 592 b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe 30 PID 592 wrote to memory of 2304 592 b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe 30 PID 2304 wrote to memory of 2252 2304 Oiljam32.exe 31 PID 2304 wrote to memory of 2252 2304 Oiljam32.exe 31 PID 2304 wrote to memory of 2252 2304 Oiljam32.exe 31 PID 2304 wrote to memory of 2252 2304 Oiljam32.exe 31 PID 2252 wrote to memory of 2112 2252 Oeckfndj.exe 32 PID 2252 wrote to memory of 2112 2252 Oeckfndj.exe 32 PID 2252 wrote to memory of 2112 2252 Oeckfndj.exe 32 PID 2252 wrote to memory of 2112 2252 Oeckfndj.exe 32 PID 2112 wrote to memory of 2840 2112 Okpcoe32.exe 33 PID 2112 wrote to memory of 2840 2112 Okpcoe32.exe 33 PID 2112 wrote to memory of 2840 2112 Okpcoe32.exe 33 PID 2112 wrote to memory of 2840 2112 Okpcoe32.exe 33 PID 2840 wrote to memory of 2724 2840 Obgkpb32.exe 34 PID 2840 wrote to memory of 2724 2840 Obgkpb32.exe 34 PID 2840 wrote to memory of 2724 2840 Obgkpb32.exe 34 PID 2840 wrote to memory of 2724 2840 Obgkpb32.exe 34 PID 2724 wrote to memory of 2620 2724 Oonldcih.exe 35 PID 2724 wrote to memory of 2620 2724 Oonldcih.exe 35 PID 2724 wrote to memory of 2620 2724 Oonldcih.exe 35 PID 2724 wrote to memory of 2620 2724 Oonldcih.exe 35 PID 2620 wrote to memory of 2596 2620 Oehdan32.exe 36 PID 2620 wrote to memory of 2596 2620 Oehdan32.exe 36 PID 2620 wrote to memory of 2596 2620 Oehdan32.exe 36 PID 2620 wrote to memory of 2596 2620 Oehdan32.exe 36 PID 2596 wrote to memory of 2168 2596 Ohfqmi32.exe 37 PID 2596 wrote to memory of 2168 2596 Ohfqmi32.exe 37 PID 2596 wrote to memory of 2168 2596 Ohfqmi32.exe 37 PID 2596 wrote to memory of 2168 2596 Ohfqmi32.exe 37 PID 2168 wrote to memory of 768 2168 Oanefo32.exe 38 PID 2168 wrote to memory of 768 2168 Oanefo32.exe 38 PID 2168 wrote to memory of 768 2168 Oanefo32.exe 38 PID 2168 wrote to memory of 768 2168 Oanefo32.exe 38 PID 768 wrote to memory of 2580 768 Odmabj32.exe 39 PID 768 wrote to memory of 2580 768 Odmabj32.exe 39 PID 768 wrote to memory of 2580 768 Odmabj32.exe 39 PID 768 wrote to memory of 2580 768 Odmabj32.exe 39 PID 2580 wrote to memory of 1896 2580 Ppcbgkka.exe 40 PID 2580 wrote to memory of 1896 2580 Ppcbgkka.exe 40 PID 2580 wrote to memory of 1896 2580 Ppcbgkka.exe 40 PID 2580 wrote to memory of 1896 2580 Ppcbgkka.exe 40 PID 1896 wrote to memory of 284 1896 Pgnjde32.exe 41 PID 1896 wrote to memory of 284 1896 Pgnjde32.exe 41 PID 1896 wrote to memory of 284 1896 Pgnjde32.exe 41 PID 1896 wrote to memory of 284 1896 Pgnjde32.exe 41 PID 284 wrote to memory of 1588 284 Ppfomk32.exe 42 PID 284 wrote to memory of 1588 284 Ppfomk32.exe 42 PID 284 wrote to memory of 1588 284 Ppfomk32.exe 42 PID 284 wrote to memory of 1588 284 Ppfomk32.exe 42 PID 1588 wrote to memory of 2816 1588 Pgpgjepk.exe 43 PID 1588 wrote to memory of 2816 1588 Pgpgjepk.exe 43 PID 1588 wrote to memory of 2816 1588 Pgpgjepk.exe 43 PID 1588 wrote to memory of 2816 1588 Pgpgjepk.exe 43 PID 2816 wrote to memory of 2988 2816 Poklngnf.exe 44 PID 2816 wrote to memory of 2988 2816 Poklngnf.exe 44 PID 2816 wrote to memory of 2988 2816 Poklngnf.exe 44 PID 2816 wrote to memory of 2988 2816 Poklngnf.exe 44 PID 2988 wrote to memory of 1716 2988 Piqpkpml.exe 45 PID 2988 wrote to memory of 1716 2988 Piqpkpml.exe 45 PID 2988 wrote to memory of 1716 2988 Piqpkpml.exe 45 PID 2988 wrote to memory of 1716 2988 Piqpkpml.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe"C:\Users\Admin\AppData\Local\Temp\b15cc35072b867f838d18e616b700ac13bfff3f3cd796786d515570fba500c34N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:408 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2420 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe33⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe34⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe35⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe36⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe37⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe38⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe39⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe40⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe41⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe42⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe43⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe44⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe45⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe46⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe47⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe48⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe49⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe51⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe52⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe53⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe54⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe56⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe57⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe58⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe59⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe60⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe62⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe63⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe64⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe65⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2052 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe67⤵PID:1516
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe68⤵PID:1664
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe69⤵PID:2264
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe70⤵PID:748
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe71⤵PID:3020
-
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe72⤵PID:2756
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe73⤵PID:2408
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe74⤵PID:676
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe75⤵PID:2148
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe76⤵PID:1260
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe77⤵PID:1196
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe78⤵PID:2116
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe79⤵PID:2372
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe80⤵PID:1396
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe81⤵PID:2024
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe82⤵PID:2256
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe83⤵PID:1424
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe84⤵PID:2940
-
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe85⤵PID:1812
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe86⤵PID:1920
-
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe87⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe88⤵PID:2876
-
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe89⤵PID:2708
-
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe90⤵PID:2528
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe91⤵PID:1512
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe92⤵PID:1948
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe93⤵PID:1412
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe94⤵PID:1092
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe95⤵PID:2204
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe96⤵PID:1732
-
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe97⤵PID:892
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe98⤵PID:1828
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe99⤵PID:2716
-
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe100⤵PID:2896
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe101⤵PID:692
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe102⤵PID:2340
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe103⤵PID:2820
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe104⤵PID:2832
-
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe105⤵PID:380
-
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe107⤵PID:348
-
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe108⤵PID:2768
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe109⤵PID:2364
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe110⤵PID:2424
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe111⤵PID:2628
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe112⤵PID:1648
-
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe113⤵PID:588
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe114⤵PID:1880
-
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe115⤵PID:2996
-
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe116⤵PID:2212
-
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe117⤵PID:1464
-
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe118⤵PID:2772
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe119⤵PID:1624
-
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe120⤵PID:2904
-
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe121⤵
- Modifies registry class
PID:2636
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-