Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/12/2024, 20:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe
-
Size
448KB
-
MD5
db668b75349c5e0d53859fa08d7c9315
-
SHA1
1370db87d8678ef0135cc50bff259169068e8fd7
-
SHA256
25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5
-
SHA512
1496a8e668ceb06cbdd946121ebac06cb9b72cd16f70cec01c212d7baa3402c266d17951fb8decd3077f006bb0e56579c1076e6c1473942eeac4ce0fe6f1cc65
-
SSDEEP
6144:MfxFjeqXbc8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloF:MZFCqA87g7/VycgE81l2
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlppno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hicpgc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcicklnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmpfbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkndie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lmmolepp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cippgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkpoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmgiaig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ebkbbmqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cpcpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idieem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgpkonp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pccahbmn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgnbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqbbpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Johggfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efdjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iqbbpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kdigadjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpioin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnkcekm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcghch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpleig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kbhmbdle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpkdjofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebifmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbnhoj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhcgaic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jocefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jebfng32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glhimp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nlqomd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmingjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cocacl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdpelnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddllkbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diffglam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbfpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blielbfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikqqlgem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfnaicd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pocpfphe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkmjaa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qgnbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efdjgo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejflhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpaqmgb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppgomnai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aafemk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiodpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jokkgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeadd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Caghhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oekiqccc.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4124 Ngaionfl.exe 5060 Nomncpcg.exe 4724 Nlqomd32.exe 872 Ogfcjm32.exe 4588 Ooagno32.exe 3460 Olehhc32.exe 1168 Oofaiokl.exe 2104 Ohnebd32.exe 1288 Oohnonij.exe 3464 Ohqbhdpj.exe 3124 Ocffempp.exe 1604 Pedbahod.exe 3560 Pjpobg32.exe 4936 Ppjgoaoj.exe 1916 Pcicklnn.exe 3600 Pjbkgfej.exe 216 Phelcc32.exe 4912 Ppmcdq32.exe 5040 Poodpmca.exe 2264 Pgflqkdd.exe 1432 Pfillg32.exe 4336 Phhhhc32.exe 2204 Plcdiabk.exe 2004 Poaqemao.exe 2748 Pcmlfl32.exe 4780 Pjgebf32.exe 1252 Pleaoa32.exe 3816 Ppamophb.exe 1176 Pcpikkge.exe 4748 Pjjahe32.exe 3616 Pqcjepfo.exe 4592 Qgnbaj32.exe 3204 Qfpbmfdf.exe 4388 Qhonib32.exe 2892 Qqffjo32.exe 1440 Qcdbfk32.exe 2280 Qjnkcekm.exe 4504 Qlmgopjq.exe 2372 Aokcklid.exe 5024 Agbkmijg.exe 1452 Ajqgidij.exe 2960 Amodep32.exe 5104 Aompak32.exe 208 Agdhbi32.exe 1684 Ajcdnd32.exe 736 Amaqjp32.exe 1892 Aopmfk32.exe 1004 Aggegh32.exe 3840 Ajeadd32.exe 3876 Aqoiqn32.exe 4532 Acnemi32.exe 2452 Ajhniccb.exe 5052 Amfjeobf.exe 3496 Acpbbi32.exe 4760 Ajjjocap.exe 3824 Amhfkopc.exe 1648 Bogcgj32.exe 1952 Bfqkddfd.exe 3300 Biogppeg.exe 4852 Bqfoamfj.exe 5032 Bcelmhen.exe 3584 Bfchidda.exe 808 Bmmpfn32.exe 1480 Bcghch32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Abmmgg32.dll Bgeaifia.exe File created C:\Windows\SysWOW64\Ppipkl32.dll Gmggfp32.exe File created C:\Windows\SysWOW64\Ebjkfjbc.dll Omcjep32.exe File opened for modification C:\Windows\SysWOW64\Amodep32.exe Ajqgidij.exe File opened for modification C:\Windows\SysWOW64\Amhfkopc.exe Ajjjocap.exe File created C:\Windows\SysWOW64\Kkjeomld.exe Kcbnnpka.exe File created C:\Windows\SysWOW64\Dfdpad32.exe Dokgdkeh.exe File created C:\Windows\SysWOW64\Njgigo32.dll Jlolpq32.exe File created C:\Windows\SysWOW64\Ceifibod.dll Qljcoj32.exe File opened for modification C:\Windows\SysWOW64\Kkjeomld.exe Kcbnnpka.exe File created C:\Windows\SysWOW64\Mgbefe32.exe Mqimikfj.exe File created C:\Windows\SysWOW64\Pakdbp32.exe Pjaleemj.exe File created C:\Windows\SysWOW64\Flhkmbmp.dll Omnjojpo.exe File opened for modification C:\Windows\SysWOW64\Afockelf.exe Acqgojmb.exe File created C:\Windows\SysWOW64\Mlkonq32.dll Fmlneg32.exe File created C:\Windows\SysWOW64\Jaddoaap.dll Fibojhim.exe File opened for modification C:\Windows\SysWOW64\Maodigil.exe Mjellmbp.exe File created C:\Windows\SysWOW64\Lqpamb32.exe Lnadagbm.exe File created C:\Windows\SysWOW64\Njfkmphe.exe Nfjola32.exe File created C:\Windows\SysWOW64\Kknombmk.dll Nefped32.exe File opened for modification C:\Windows\SysWOW64\Knooej32.exe Jgeghp32.exe File created C:\Windows\SysWOW64\Ehmjob32.dll Lqojclne.exe File opened for modification C:\Windows\SysWOW64\Cgqlcg32.exe Cnhgjaml.exe File created C:\Windows\SysWOW64\Njlmnj32.dll Ihkjno32.exe File opened for modification C:\Windows\SysWOW64\Gkaclqkk.exe Gegkpf32.exe File opened for modification C:\Windows\SysWOW64\Qpbnhl32.exe Qfjjpf32.exe File created C:\Windows\SysWOW64\Embccf32.dll Ehhpla32.exe File opened for modification C:\Windows\SysWOW64\Ikqqlgem.exe Ihbdplfi.exe File created C:\Windows\SysWOW64\Kjffdalb.exe Jnpfop32.exe File created C:\Windows\SysWOW64\Fpejkd32.dll Gfjkjo32.exe File created C:\Windows\SysWOW64\Lggejg32.exe Lqmmmmph.exe File created C:\Windows\SysWOW64\Abjmkf32.exe Amnebo32.exe File created C:\Windows\SysWOW64\Nlljlela.dll Efafgifc.exe File opened for modification C:\Windows\SysWOW64\Hedafk32.exe Glkmmefl.exe File created C:\Windows\SysWOW64\Bgaclkia.dll Hpqldc32.exe File created C:\Windows\SysWOW64\Jghpbk32.exe Ipoheakj.exe File created C:\Windows\SysWOW64\Dolqpa32.dll Lggejg32.exe File opened for modification C:\Windows\SysWOW64\Pjbkgfej.exe Pcicklnn.exe File created C:\Windows\SysWOW64\Ipdbmgdb.dll Lplfcf32.exe File created C:\Windows\SysWOW64\Iblbgn32.dll Amkhmoap.exe File created C:\Windows\SysWOW64\Hpqldc32.exe Hekgfj32.exe File created C:\Windows\SysWOW64\Oqhoeb32.exe Obgohklm.exe File created C:\Windows\SysWOW64\Ifolfj32.dll 25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe File created C:\Windows\SysWOW64\Haffcnib.dll Bfedoc32.exe File created C:\Windows\SysWOW64\Ohkbbn32.exe Oaajed32.exe File created C:\Windows\SysWOW64\Jpfepf32.exe Jnhidk32.exe File created C:\Windows\SysWOW64\Fnbcgn32.exe Eghkjdoa.exe File opened for modification C:\Windows\SysWOW64\Djelgied.exe Dbndfl32.exe File opened for modification C:\Windows\SysWOW64\Jlhljhbg.exe Jjjpnlbd.exe File opened for modification C:\Windows\SysWOW64\Ooibkpmi.exe Njljch32.exe File created C:\Windows\SysWOW64\Bihjjl32.dll Acnemi32.exe File opened for modification C:\Windows\SysWOW64\Gpkchqdj.exe Gknkpjfb.exe File created C:\Windows\SysWOW64\Ibaeen32.exe Hlglidlo.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Nmdgikhi.exe File opened for modification C:\Windows\SysWOW64\Hahokfag.exe Hpfbcn32.exe File created C:\Windows\SysWOW64\Bfllfd32.dll Kglmio32.exe File created C:\Windows\SysWOW64\Eanmnefk.dll Lnldla32.exe File opened for modification C:\Windows\SysWOW64\Efdjgo32.exe Epjajeqo.exe File created C:\Windows\SysWOW64\Pakllc32.exe Polppg32.exe File opened for modification C:\Windows\SysWOW64\Gbofcghl.exe Gbmingjo.exe File created C:\Windows\SysWOW64\Lkalplel.exe Lgepom32.exe File created C:\Windows\SysWOW64\Kbmimp32.dll Lqmmmmph.exe File opened for modification C:\Windows\SysWOW64\Oiccje32.exe Objkmkjj.exe File created C:\Windows\SysWOW64\Pgflqkdd.exe Poodpmca.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7756 8168 WerFault.exe 883 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolmodpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afinioip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemmac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acqgojmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diffglam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnmjjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaefgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbfdekd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmonl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjnjcni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglgjeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkqoohc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijpahho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popbpqjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poaqemao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amodep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcbodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjeomld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkbbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjnmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkiccep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmfeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adhdjpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfbcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nomncpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbiamhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epndknin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmmeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiccje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haoimcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekiqccc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnnimak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anaomkdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edeeci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhfoebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjfdfbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnqgqan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbaalbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bipecnkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bochmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokgdkeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohghgodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knalji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmfimga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilphdlqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpclce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhlgfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haafcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmggfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iloidijb.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hibafp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oaqbkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmkigh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll" Mqimikfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhlclpe.dll" Jahqiaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfigmnlg.dll" Njgqhicg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pgflqkdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooogokm.dll" Kofkbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgepom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjnam32.dll" Aggegh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdmmbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmomj32.dll" Kjmmepfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oifppdpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inicaa32.dll" Dpckjfgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhjckcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fjohde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hdpbon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aokkdnic.dll" Igjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qlimed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kjffdalb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bbnkonbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aciihh32.dll" Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpihjd.dll" Dpnbog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Haoimcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Flinkojm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmiclo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qaalblgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll" Bhpofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engdno32.dll" Amnebo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Codhnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anaemfem.dll" Jqhafffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npmknd32.dll" Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganmcc32.dll" Hkeaqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbndfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmiogmig.dll" Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlbcnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Agbkmijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamqij32.dll" Dmdonkgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cfqmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debbff32.dll" Kpccmhdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbkfbcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebfih32.dll" Fajgkfio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoigp32.dll" Aggpfkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkaclqkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gihpkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ihkjno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lcmodajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll" Pjjfdfbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgdemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmoekkn.dll" Cmipblaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emihhjna.dll" Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddalgo32.dll" Pdfehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fngcmcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pedbahod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfpdin32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 748 wrote to memory of 4124 748 25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe 83 PID 748 wrote to memory of 4124 748 25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe 83 PID 748 wrote to memory of 4124 748 25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe 83 PID 4124 wrote to memory of 5060 4124 Ngaionfl.exe 84 PID 4124 wrote to memory of 5060 4124 Ngaionfl.exe 84 PID 4124 wrote to memory of 5060 4124 Ngaionfl.exe 84 PID 5060 wrote to memory of 4724 5060 Nomncpcg.exe 85 PID 5060 wrote to memory of 4724 5060 Nomncpcg.exe 85 PID 5060 wrote to memory of 4724 5060 Nomncpcg.exe 85 PID 4724 wrote to memory of 872 4724 Nlqomd32.exe 86 PID 4724 wrote to memory of 872 4724 Nlqomd32.exe 86 PID 4724 wrote to memory of 872 4724 Nlqomd32.exe 86 PID 872 wrote to memory of 4588 872 Ogfcjm32.exe 87 PID 872 wrote to memory of 4588 872 Ogfcjm32.exe 87 PID 872 wrote to memory of 4588 872 Ogfcjm32.exe 87 PID 4588 wrote to memory of 3460 4588 Ooagno32.exe 88 PID 4588 wrote to memory of 3460 4588 Ooagno32.exe 88 PID 4588 wrote to memory of 3460 4588 Ooagno32.exe 88 PID 3460 wrote to memory of 1168 3460 Olehhc32.exe 89 PID 3460 wrote to memory of 1168 3460 Olehhc32.exe 89 PID 3460 wrote to memory of 1168 3460 Olehhc32.exe 89 PID 1168 wrote to memory of 2104 1168 Oofaiokl.exe 90 PID 1168 wrote to memory of 2104 1168 Oofaiokl.exe 90 PID 1168 wrote to memory of 2104 1168 Oofaiokl.exe 90 PID 2104 wrote to memory of 1288 2104 Ohnebd32.exe 91 PID 2104 wrote to memory of 1288 2104 Ohnebd32.exe 91 PID 2104 wrote to memory of 1288 2104 Ohnebd32.exe 91 PID 1288 wrote to memory of 3464 1288 Oohnonij.exe 92 PID 1288 wrote to memory of 3464 1288 Oohnonij.exe 92 PID 1288 wrote to memory of 3464 1288 Oohnonij.exe 92 PID 3464 wrote to memory of 3124 3464 Ohqbhdpj.exe 93 PID 3464 wrote to memory of 3124 3464 Ohqbhdpj.exe 93 PID 3464 wrote to memory of 3124 3464 Ohqbhdpj.exe 93 PID 3124 wrote to memory of 1604 3124 Ocffempp.exe 94 PID 3124 wrote to memory of 1604 3124 Ocffempp.exe 94 PID 3124 wrote to memory of 1604 3124 Ocffempp.exe 94 PID 1604 wrote to memory of 3560 1604 Pedbahod.exe 95 PID 1604 wrote to memory of 3560 1604 Pedbahod.exe 95 PID 1604 wrote to memory of 3560 1604 Pedbahod.exe 95 PID 3560 wrote to memory of 4936 3560 Pjpobg32.exe 96 PID 3560 wrote to memory of 4936 3560 Pjpobg32.exe 96 PID 3560 wrote to memory of 4936 3560 Pjpobg32.exe 96 PID 4936 wrote to memory of 1916 4936 Ppjgoaoj.exe 97 PID 4936 wrote to memory of 1916 4936 Ppjgoaoj.exe 97 PID 4936 wrote to memory of 1916 4936 Ppjgoaoj.exe 97 PID 1916 wrote to memory of 3600 1916 Pcicklnn.exe 98 PID 1916 wrote to memory of 3600 1916 Pcicklnn.exe 98 PID 1916 wrote to memory of 3600 1916 Pcicklnn.exe 98 PID 3600 wrote to memory of 216 3600 Pjbkgfej.exe 99 PID 3600 wrote to memory of 216 3600 Pjbkgfej.exe 99 PID 3600 wrote to memory of 216 3600 Pjbkgfej.exe 99 PID 216 wrote to memory of 4912 216 Phelcc32.exe 100 PID 216 wrote to memory of 4912 216 Phelcc32.exe 100 PID 216 wrote to memory of 4912 216 Phelcc32.exe 100 PID 4912 wrote to memory of 5040 4912 Ppmcdq32.exe 101 PID 4912 wrote to memory of 5040 4912 Ppmcdq32.exe 101 PID 4912 wrote to memory of 5040 4912 Ppmcdq32.exe 101 PID 5040 wrote to memory of 2264 5040 Poodpmca.exe 102 PID 5040 wrote to memory of 2264 5040 Poodpmca.exe 102 PID 5040 wrote to memory of 2264 5040 Poodpmca.exe 102 PID 2264 wrote to memory of 1432 2264 Pgflqkdd.exe 103 PID 2264 wrote to memory of 1432 2264 Pgflqkdd.exe 103 PID 2264 wrote to memory of 1432 2264 Pgflqkdd.exe 103 PID 1432 wrote to memory of 4336 1432 Pfillg32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe"C:\Users\Admin\AppData\Local\Temp\25177d6b00616eec05616e28faf39e8e807ad7087c39c0b2f9c059c98ae270e5.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Ngaionfl.exeC:\Windows\system32\Ngaionfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\SysWOW64\Nomncpcg.exeC:\Windows\system32\Nomncpcg.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\Nlqomd32.exeC:\Windows\system32\Nlqomd32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Ogfcjm32.exeC:\Windows\system32\Ogfcjm32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\Ppjgoaoj.exeC:\Windows\system32\Ppjgoaoj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Phelcc32.exeC:\Windows\system32\Phelcc32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Pfillg32.exeC:\Windows\system32\Pfillg32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe23⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe24⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Poaqemao.exeC:\Windows\system32\Poaqemao.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe26⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Pjgebf32.exeC:\Windows\system32\Pjgebf32.exe27⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe28⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ppamophb.exeC:\Windows\system32\Ppamophb.exe29⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe30⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe31⤵
- Executes dropped EXE
PID:4748 -
C:\Windows\SysWOW64\Pqcjepfo.exeC:\Windows\system32\Pqcjepfo.exe32⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe34⤵
- Executes dropped EXE
PID:3204 -
C:\Windows\SysWOW64\Qhonib32.exeC:\Windows\system32\Qhonib32.exe35⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe36⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Qcdbfk32.exeC:\Windows\system32\Qcdbfk32.exe37⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Qjnkcekm.exeC:\Windows\system32\Qjnkcekm.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Qlmgopjq.exeC:\Windows\system32\Qlmgopjq.exe39⤵
- Executes dropped EXE
PID:4504 -
C:\Windows\SysWOW64\Aokcklid.exeC:\Windows\system32\Aokcklid.exe40⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:5024 -
C:\Windows\SysWOW64\Ajqgidij.exeC:\Windows\system32\Ajqgidij.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Aompak32.exeC:\Windows\system32\Aompak32.exe44⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe45⤵
- Executes dropped EXE
PID:208 -
C:\Windows\SysWOW64\Ajcdnd32.exeC:\Windows\system32\Ajcdnd32.exe46⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Amaqjp32.exeC:\Windows\system32\Amaqjp32.exe47⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Aopmfk32.exeC:\Windows\system32\Aopmfk32.exe48⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Ajeadd32.exeC:\Windows\system32\Ajeadd32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe51⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Acnemi32.exeC:\Windows\system32\Acnemi32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4532 -
C:\Windows\SysWOW64\Ajhniccb.exeC:\Windows\system32\Ajhniccb.exe53⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Amfjeobf.exeC:\Windows\system32\Amfjeobf.exe54⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Acpbbi32.exeC:\Windows\system32\Acpbbi32.exe55⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Ajjjocap.exeC:\Windows\system32\Ajjjocap.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4760 -
C:\Windows\SysWOW64\Amhfkopc.exeC:\Windows\system32\Amhfkopc.exe57⤵
- Executes dropped EXE
PID:3824 -
C:\Windows\SysWOW64\Bogcgj32.exeC:\Windows\system32\Bogcgj32.exe58⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Bfqkddfd.exeC:\Windows\system32\Bfqkddfd.exe59⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe60⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Bqfoamfj.exeC:\Windows\system32\Bqfoamfj.exe61⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe62⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Bfchidda.exeC:\Windows\system32\Bfchidda.exe63⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Bmmpfn32.exeC:\Windows\system32\Bmmpfn32.exe64⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Bcghch32.exeC:\Windows\system32\Bcghch32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Bfedoc32.exeC:\Windows\system32\Bfedoc32.exe66⤵
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Bidqko32.exeC:\Windows\system32\Bidqko32.exe67⤵PID:1944
-
C:\Windows\SysWOW64\Bqkill32.exeC:\Windows\system32\Bqkill32.exe68⤵PID:3660
-
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe69⤵
- Drops file in System32 directory
PID:368 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe70⤵PID:1120
-
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe71⤵
- System Location Discovery: System Language Discovery
PID:212 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe72⤵PID:1672
-
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe73⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Bihjfnmm.exeC:\Windows\system32\Bihjfnmm.exe74⤵PID:544
-
C:\Windows\SysWOW64\Cqpbglno.exeC:\Windows\system32\Cqpbglno.exe75⤵PID:836
-
C:\Windows\SysWOW64\Ccnncgmc.exeC:\Windows\system32\Ccnncgmc.exe76⤵PID:2944
-
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe77⤵PID:1060
-
C:\Windows\SysWOW64\Cikglnkj.exeC:\Windows\system32\Cikglnkj.exe78⤵PID:1504
-
C:\Windows\SysWOW64\Cabomkll.exeC:\Windows\system32\Cabomkll.exe79⤵PID:4180
-
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe80⤵
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe81⤵PID:3504
-
C:\Windows\SysWOW64\Cmipblaq.exeC:\Windows\system32\Cmipblaq.exe82⤵
- Modifies registry class
PID:3428 -
C:\Windows\SysWOW64\Cpglnhad.exeC:\Windows\system32\Cpglnhad.exe83⤵PID:4196
-
C:\Windows\SysWOW64\Cgndoeag.exeC:\Windows\system32\Cgndoeag.exe84⤵PID:4296
-
C:\Windows\SysWOW64\Cippgm32.exeC:\Windows\system32\Cippgm32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Cceddf32.exeC:\Windows\system32\Cceddf32.exe87⤵PID:3484
-
C:\Windows\SysWOW64\Cjomap32.exeC:\Windows\system32\Cjomap32.exe88⤵PID:2260
-
C:\Windows\SysWOW64\Cmniml32.exeC:\Windows\system32\Cmniml32.exe89⤵PID:1588
-
C:\Windows\SysWOW64\Cpleig32.exeC:\Windows\system32\Cpleig32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:976 -
C:\Windows\SysWOW64\Cgcmjd32.exeC:\Windows\system32\Cgcmjd32.exe91⤵PID:5012
-
C:\Windows\SysWOW64\Cjaifp32.exeC:\Windows\system32\Cjaifp32.exe92⤵PID:4548
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe94⤵
- Modifies registry class
PID:4868 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe95⤵PID:3476
-
C:\Windows\SysWOW64\Diffglam.exeC:\Windows\system32\Diffglam.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:64 -
C:\Windows\SysWOW64\Dannij32.exeC:\Windows\system32\Dannij32.exe97⤵PID:3864
-
C:\Windows\SysWOW64\Dhhfedil.exeC:\Windows\system32\Dhhfedil.exe98⤵PID:2608
-
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe99⤵PID:4072
-
C:\Windows\SysWOW64\Dmdonkgc.exeC:\Windows\system32\Dmdonkgc.exe100⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe101⤵
- Modifies registry class
PID:4812 -
C:\Windows\SysWOW64\Dhjckcgi.exeC:\Windows\system32\Dhjckcgi.exe102⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe103⤵PID:1960
-
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe104⤵PID:2988
-
C:\Windows\SysWOW64\Ddadpdmn.exeC:\Windows\system32\Ddadpdmn.exe105⤵PID:5124
-
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe106⤵PID:5164
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe107⤵PID:5204
-
C:\Windows\SysWOW64\Daediilg.exeC:\Windows\system32\Daediilg.exe108⤵PID:5244
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe109⤵PID:5304
-
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe110⤵PID:5392
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe111⤵
- Drops file in System32 directory
PID:5436 -
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Windows\SysWOW64\Emnbdioi.exeC:\Windows\system32\Emnbdioi.exe113⤵PID:5528
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe114⤵PID:5568
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe115⤵PID:5600
-
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe116⤵PID:5648
-
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe117⤵PID:5692
-
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe118⤵
- System Location Discovery: System Language Discovery
PID:5732 -
C:\Windows\SysWOW64\Embkoi32.exeC:\Windows\system32\Embkoi32.exe119⤵PID:5772
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe120⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-