Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 22:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe
-
Size
2.5MB
-
MD5
f3c7f5fe7d7643f83592bd8a42e7b743
-
SHA1
12b732bac67f17261c1da339c4d6bb9667475c33
-
SHA256
5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a
-
SHA512
b8921daa8f797edb5c7fb77cd595d99d25b825b44feeac22b3de7c3bf9961447a9a6c3fb31bf71278926d209c681cd0611db52da2dde0ed783fdd868a2e0a73b
-
SSDEEP
6144:zf+8iE6/e6UK+42GTQMJSZO5JVuvw0HBHOnehl:bdkY660JVaw0HBHOehl
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfeaopqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaboe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mglfplgk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbofcghl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlieda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cglbhhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ealkjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdcjlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afkknogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dapkni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpool32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbjggof.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhmnn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jodjhkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fineoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncabfkqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofmdio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjaqpbkh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olijhmgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapkni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koodbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmcbime.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ennqfenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmpqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbpdblmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adikdfna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheibpje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcngpjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjicdmmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjmjdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhnlb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nncccnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nafjjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljgbllj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbmkpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coqncejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plejdkmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcnqpo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idfaefkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchppmij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkadfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlgfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfefkkqp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkbocbog.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikpjbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqpfjnba.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1468 Hbmcbime.exe 3668 Hhgloc32.exe 1804 Hoadkn32.exe 332 Ighhln32.exe 1424 Ibnligoc.exe 3024 Jodjhkkj.exe 1344 Jeqbpb32.exe 1956 Joffnk32.exe 3752 Jfpojead.exe 2608 Klmpiiai.exe 2152 Kefdbo32.exe 2988 Lbjelc32.exe 4516 Mimpolee.exe 2288 Mhgfkg32.exe 4812 Npchgdcd.exe 3636 Npgabc32.exe 2964 Npjnhc32.exe 364 Oidofh32.exe 3624 Oepifi32.exe 4724 Ojnblg32.exe 2252 Phcomcng.exe 3508 Phjenbhp.exe 732 Qgnbaj32.exe 764 Acgolj32.exe 3164 Aqkpeopg.exe 1576 Aijnep32.exe 4468 Biogppeg.exe 3728 Bjaqpbkh.exe 532 Bifmqo32.exe 3236 Cflkpblf.exe 4304 Cmklglpn.exe 1088 Cidjbmcp.exe 3780 Djfcaohp.exe 4508 Dapkni32.exe 4444 Dfmcfp32.exe 2580 Dfoplpla.exe 3916 Dmihij32.exe 2088 Ddcqedkk.exe 1428 Djmibn32.exe 1908 Edemkd32.exe 4932 Eplnpeol.exe 3764 Ealkjh32.exe 4116 Edjgfcec.exe 1764 Eigonjcj.exe 380 Eiildjag.exe 2668 Efmmmn32.exe 3920 Fpeafcfa.exe 4348 Fineoi32.exe 2348 Fdcjlb32.exe 2040 Fhabbp32.exe 624 Fkpool32.exe 1012 Fpmggb32.exe 4416 Falcae32.exe 1536 Ggilil32.exe 2420 Gmcdffmq.exe 1768 Ghhhcomg.exe 2416 Gdoihpbk.exe 2684 Gilapgqb.exe 536 Gdafnpqh.exe 5076 Gklnjj32.exe 1912 Gphgbafl.exe 1944 Gahcmd32.exe 2848 Hkpheidp.exe 4500 Hajpbckl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mchppmij.exe Mnkggfkb.exe File created C:\Windows\SysWOW64\Nmocfo32.dll Pmblagmf.exe File created C:\Windows\SysWOW64\Qfmmplad.exe Qpcecb32.exe File created C:\Windows\SysWOW64\Qmgelf32.exe Qfmmplad.exe File opened for modification C:\Windows\SysWOW64\Oaompd32.exe Oidhlb32.exe File opened for modification C:\Windows\SysWOW64\Efjimhnh.exe Eleepoob.exe File opened for modification C:\Windows\SysWOW64\Okkdic32.exe Oeokal32.exe File opened for modification C:\Windows\SysWOW64\Bdickcpo.exe Bnoknihb.exe File created C:\Windows\SysWOW64\Chiigadc.exe Cbpajgmf.exe File opened for modification C:\Windows\SysWOW64\Dbnmke32.exe Dkceokii.exe File created C:\Windows\SysWOW64\Gfeaopqo.exe Fpkibf32.exe File created C:\Windows\SysWOW64\Gojiiafp.exe Gmimai32.exe File created C:\Windows\SysWOW64\Kjonng32.dll Plejdkmm.exe File opened for modification C:\Windows\SysWOW64\Phajna32.exe Pjmjdm32.exe File opened for modification C:\Windows\SysWOW64\Dokgdkeh.exe Cnkkjh32.exe File created C:\Windows\SysWOW64\Dhhdcojj.dll Gfokoelp.exe File created C:\Windows\SysWOW64\Hibjli32.exe Hpiecd32.exe File opened for modification C:\Windows\SysWOW64\Afpjel32.exe Qdaniq32.exe File created C:\Windows\SysWOW64\Dpiplm32.exe Cogddd32.exe File created C:\Windows\SysWOW64\Ebdcld32.exe Dngjff32.exe File created C:\Windows\SysWOW64\Pmmnjnld.dll Nhahaiec.exe File created C:\Windows\SysWOW64\Bmjkic32.exe Bhmbqm32.exe File created C:\Windows\SysWOW64\Ahenokjf.exe Achegd32.exe File created C:\Windows\SysWOW64\Jecffa32.dll Mngegmbc.exe File opened for modification C:\Windows\SysWOW64\Niakfbpa.exe Nbgcih32.exe File created C:\Windows\SysWOW64\Galdglpd.dll Glgcbf32.exe File created C:\Windows\SysWOW64\Ieidhh32.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Folnlh32.dll Mjcngpjh.exe File created C:\Windows\SysWOW64\Biogppeg.exe Aijnep32.exe File created C:\Windows\SysWOW64\Mpeaedjn.dll Haoimcgg.exe File created C:\Windows\SysWOW64\Niakfbpa.exe Nbgcih32.exe File created C:\Windows\SysWOW64\Gbobfjdp.dll Pchlpfjb.exe File created C:\Windows\SysWOW64\Hplicjok.exe Hibafp32.exe File opened for modification C:\Windows\SysWOW64\Efblbbqd.exe Eiokinbk.exe File created C:\Windows\SysWOW64\Nflnbh32.dll Ckbemgcp.exe File opened for modification C:\Windows\SysWOW64\Cogddd32.exe Chnlgjlb.exe File opened for modification C:\Windows\SysWOW64\Haoimcgg.exe Hhfedm32.exe File created C:\Windows\SysWOW64\Ombcji32.exe Ofhknodl.exe File created C:\Windows\SysWOW64\Liabph32.dll Lfeljd32.exe File created C:\Windows\SysWOW64\Bnffda32.dll Dkbocbog.exe File created C:\Windows\SysWOW64\Epllglpf.dll Ecbjkngo.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Bpdnjple.exe File created C:\Windows\SysWOW64\Bnoddcef.exe Bkphhgfc.exe File created C:\Windows\SysWOW64\Egjogddi.dll Pahpfc32.exe File created C:\Windows\SysWOW64\Mimpolee.exe Lbjelc32.exe File created C:\Windows\SysWOW64\Ddcqedkk.exe Dmihij32.exe File opened for modification C:\Windows\SysWOW64\Efmmmn32.exe Eiildjag.exe File opened for modification C:\Windows\SysWOW64\Kghjhemo.exe Kqnbkl32.exe File created C:\Windows\SysWOW64\Ophpeg32.dll Kghjhemo.exe File opened for modification C:\Windows\SysWOW64\Lkofdbkj.exe Leenhhdn.exe File created C:\Windows\SysWOW64\Mhelik32.dll Kjeiodek.exe File created C:\Windows\SysWOW64\Mgdbei32.dll Jodjhkkj.exe File created C:\Windows\SysWOW64\Ccmbmpbk.dll Ohcegi32.exe File created C:\Windows\SysWOW64\Dmennnni.exe Dflfac32.exe File created C:\Windows\SysWOW64\Dngjff32.exe Dmennnni.exe File created C:\Windows\SysWOW64\Ofpnmakg.dll Enpmld32.exe File opened for modification C:\Windows\SysWOW64\Gfeaopqo.exe Fpkibf32.exe File created C:\Windows\SysWOW64\Oemnpgle.dll Ohiemobf.exe File created C:\Windows\SysWOW64\Fjbhpb32.dll Kenggi32.exe File opened for modification C:\Windows\SysWOW64\Dmhand32.exe Dfoiaj32.exe File created C:\Windows\SysWOW64\Kncaec32.exe Kgiiiidd.exe File opened for modification C:\Windows\SysWOW64\Llodgnja.exe Lfeljd32.exe File created C:\Windows\SysWOW64\Gkjdipap.dll Lomqcjie.exe File opened for modification C:\Windows\SysWOW64\Jnmijq32.exe Jkomneim.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11240 11020 WerFault.exe 575 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeiodek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodjhkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joffnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnblg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcobaedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akepfpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejeiocj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccahbmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahenokjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjaqpbkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhndljll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbddfmgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiemobf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkibgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghhhcomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqikmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niakfbpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plejdkmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njkkbehl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmpiiai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaoab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akamff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbjoeojc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmpqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oldjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoadkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjnhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoplpla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelkaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcphab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjpnlbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcomcng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhlgfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkofdbkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efccmidp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghocf32.dll" Nlnkmnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjnjq32.dll" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghoqak32.dll" Omgcpokp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nncccnol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnoddcef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npiiffqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bifmqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opkpck32.dll" Hibafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccahg32.dll" Jgnqgqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll" Gmimai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkoqgjn.dll" Gjdaodja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmpolgoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gilapgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpnmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdafpj32.dll" Kcbnnpka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmgjia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meebmkdh.dll" Leenhhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Innfnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bllbaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlbkap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neoieenp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olijhmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pojcjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kncaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll" Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmped32.dll" Knbbep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagnlg32.dll" Nhmeapmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klplbbaq.dll" Omegjomb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhmabfb.dll" Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kclgmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ineedcfb.dll" Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbnmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdnhmdp.dll" Oidofh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eplnpeol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkpheidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebjcajjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjjbjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbgcih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhahaiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chnbbqpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll" Jniood32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll" Ahofoogd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bobabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enpmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jodjhkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gphgbafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpkgebb.dll" Lldopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abbkcpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eleepoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekpedip.dll" Fimodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqkgbcff.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1264 wrote to memory of 1468 1264 5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe 83 PID 1264 wrote to memory of 1468 1264 5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe 83 PID 1264 wrote to memory of 1468 1264 5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe 83 PID 1468 wrote to memory of 3668 1468 Hbmcbime.exe 84 PID 1468 wrote to memory of 3668 1468 Hbmcbime.exe 84 PID 1468 wrote to memory of 3668 1468 Hbmcbime.exe 84 PID 3668 wrote to memory of 1804 3668 Hhgloc32.exe 85 PID 3668 wrote to memory of 1804 3668 Hhgloc32.exe 85 PID 3668 wrote to memory of 1804 3668 Hhgloc32.exe 85 PID 1804 wrote to memory of 332 1804 Hoadkn32.exe 86 PID 1804 wrote to memory of 332 1804 Hoadkn32.exe 86 PID 1804 wrote to memory of 332 1804 Hoadkn32.exe 86 PID 332 wrote to memory of 1424 332 Ighhln32.exe 87 PID 332 wrote to memory of 1424 332 Ighhln32.exe 87 PID 332 wrote to memory of 1424 332 Ighhln32.exe 87 PID 1424 wrote to memory of 3024 1424 Ibnligoc.exe 88 PID 1424 wrote to memory of 3024 1424 Ibnligoc.exe 88 PID 1424 wrote to memory of 3024 1424 Ibnligoc.exe 88 PID 3024 wrote to memory of 1344 3024 Jodjhkkj.exe 89 PID 3024 wrote to memory of 1344 3024 Jodjhkkj.exe 89 PID 3024 wrote to memory of 1344 3024 Jodjhkkj.exe 89 PID 1344 wrote to memory of 1956 1344 Jeqbpb32.exe 90 PID 1344 wrote to memory of 1956 1344 Jeqbpb32.exe 90 PID 1344 wrote to memory of 1956 1344 Jeqbpb32.exe 90 PID 1956 wrote to memory of 3752 1956 Joffnk32.exe 91 PID 1956 wrote to memory of 3752 1956 Joffnk32.exe 91 PID 1956 wrote to memory of 3752 1956 Joffnk32.exe 91 PID 3752 wrote to memory of 2608 3752 Jfpojead.exe 92 PID 3752 wrote to memory of 2608 3752 Jfpojead.exe 92 PID 3752 wrote to memory of 2608 3752 Jfpojead.exe 92 PID 2608 wrote to memory of 2152 2608 Klmpiiai.exe 93 PID 2608 wrote to memory of 2152 2608 Klmpiiai.exe 93 PID 2608 wrote to memory of 2152 2608 Klmpiiai.exe 93 PID 2152 wrote to memory of 2988 2152 Kefdbo32.exe 94 PID 2152 wrote to memory of 2988 2152 Kefdbo32.exe 94 PID 2152 wrote to memory of 2988 2152 Kefdbo32.exe 94 PID 2988 wrote to memory of 4516 2988 Lbjelc32.exe 95 PID 2988 wrote to memory of 4516 2988 Lbjelc32.exe 95 PID 2988 wrote to memory of 4516 2988 Lbjelc32.exe 95 PID 4516 wrote to memory of 2288 4516 Mimpolee.exe 96 PID 4516 wrote to memory of 2288 4516 Mimpolee.exe 96 PID 4516 wrote to memory of 2288 4516 Mimpolee.exe 96 PID 2288 wrote to memory of 4812 2288 Mhgfkg32.exe 97 PID 2288 wrote to memory of 4812 2288 Mhgfkg32.exe 97 PID 2288 wrote to memory of 4812 2288 Mhgfkg32.exe 97 PID 4812 wrote to memory of 3636 4812 Npchgdcd.exe 98 PID 4812 wrote to memory of 3636 4812 Npchgdcd.exe 98 PID 4812 wrote to memory of 3636 4812 Npchgdcd.exe 98 PID 3636 wrote to memory of 2964 3636 Npgabc32.exe 99 PID 3636 wrote to memory of 2964 3636 Npgabc32.exe 99 PID 3636 wrote to memory of 2964 3636 Npgabc32.exe 99 PID 2964 wrote to memory of 364 2964 Npjnhc32.exe 100 PID 2964 wrote to memory of 364 2964 Npjnhc32.exe 100 PID 2964 wrote to memory of 364 2964 Npjnhc32.exe 100 PID 364 wrote to memory of 3624 364 Oidofh32.exe 101 PID 364 wrote to memory of 3624 364 Oidofh32.exe 101 PID 364 wrote to memory of 3624 364 Oidofh32.exe 101 PID 3624 wrote to memory of 4724 3624 Oepifi32.exe 102 PID 3624 wrote to memory of 4724 3624 Oepifi32.exe 102 PID 3624 wrote to memory of 4724 3624 Oepifi32.exe 102 PID 4724 wrote to memory of 2252 4724 Ojnblg32.exe 103 PID 4724 wrote to memory of 2252 4724 Ojnblg32.exe 103 PID 4724 wrote to memory of 2252 4724 Ojnblg32.exe 103 PID 2252 wrote to memory of 3508 2252 Phcomcng.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe"C:\Users\Admin\AppData\Local\Temp\5e3daf62f396b30097ee164c22db9e437d09c316c3ca3b25030dac2c5e43e61a.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Hbmcbime.exeC:\Windows\system32\Hbmcbime.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Jodjhkkj.exeC:\Windows\system32\Jodjhkkj.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Joffnk32.exeC:\Windows\system32\Joffnk32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Mimpolee.exeC:\Windows\system32\Mimpolee.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Npchgdcd.exeC:\Windows\system32\Npchgdcd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Npjnhc32.exeC:\Windows\system32\Npjnhc32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe23⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Qgnbaj32.exeC:\Windows\system32\Qgnbaj32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:732 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe25⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Aqkpeopg.exeC:\Windows\system32\Aqkpeopg.exe26⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Biogppeg.exeC:\Windows\system32\Biogppeg.exe28⤵
- Executes dropped EXE
PID:4468 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3728 -
C:\Windows\SysWOW64\Bifmqo32.exeC:\Windows\system32\Bifmqo32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe31⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe32⤵
- Executes dropped EXE
PID:4304 -
C:\Windows\SysWOW64\Cidjbmcp.exeC:\Windows\system32\Cidjbmcp.exe33⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Djfcaohp.exeC:\Windows\system32\Djfcaohp.exe34⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Dapkni32.exeC:\Windows\system32\Dapkni32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4508 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe36⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\Dfoplpla.exeC:\Windows\system32\Dfoplpla.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Dmihij32.exeC:\Windows\system32\Dmihij32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3916 -
C:\Windows\SysWOW64\Ddcqedkk.exeC:\Windows\system32\Ddcqedkk.exe39⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Djmibn32.exeC:\Windows\system32\Djmibn32.exe40⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe41⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4932 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3764 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe44⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe45⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:380 -
C:\Windows\SysWOW64\Efmmmn32.exeC:\Windows\system32\Efmmmn32.exe47⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Fpeafcfa.exeC:\Windows\system32\Fpeafcfa.exe48⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe51⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Fkpool32.exeC:\Windows\system32\Fkpool32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe53⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4416 -
C:\Windows\SysWOW64\Ggilil32.exeC:\Windows\system32\Ggilil32.exe55⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Gmcdffmq.exeC:\Windows\system32\Gmcdffmq.exe56⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe58⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe60⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Gklnjj32.exeC:\Windows\system32\Gklnjj32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:5076 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe63⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe65⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Hkbdki32.exeC:\Windows\system32\Hkbdki32.exe66⤵PID:2672
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe67⤵
- Drops file in System32 directory
PID:3720 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe68⤵
- Drops file in System32 directory
PID:3300 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe69⤵PID:1268
-
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe70⤵PID:2108
-
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe71⤵PID:1272
-
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe72⤵PID:1308
-
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe73⤵PID:2272
-
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe74⤵PID:2436
-
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe75⤵PID:2676
-
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe76⤵PID:116
-
C:\Windows\SysWOW64\Iqmidndd.exeC:\Windows\system32\Iqmidndd.exe77⤵PID:2388
-
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:212 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe79⤵PID:1816
-
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe80⤵PID:4980
-
C:\Windows\SysWOW64\Jhijqj32.exeC:\Windows\system32\Jhijqj32.exe81⤵PID:4588
-
C:\Windows\SysWOW64\Jnfcia32.exeC:\Windows\system32\Jnfcia32.exe82⤵PID:3740
-
C:\Windows\SysWOW64\Jhlgfj32.exeC:\Windows\system32\Jhlgfj32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\Jhndljll.exeC:\Windows\system32\Jhndljll.exe84⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe85⤵
- Modifies registry class
PID:3756 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe86⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe87⤵PID:3064
-
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe88⤵PID:4824
-
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe89⤵PID:2960
-
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe90⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe91⤵
- Drops file in System32 directory
PID:4892 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe92⤵
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe93⤵
- System Location Discovery: System Language Discovery
PID:644 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe94⤵PID:2472
-
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe95⤵
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe97⤵PID:2924
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe98⤵PID:1840
-
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe99⤵
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe100⤵PID:3588
-
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe102⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe103⤵
- Modifies registry class
PID:5144 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe104⤵PID:5196
-
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe105⤵
- Modifies registry class
PID:5240 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe106⤵PID:5284
-
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5328 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5372 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe109⤵
- Drops file in System32 directory
PID:5420 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe110⤵PID:5464
-
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe111⤵PID:5512
-
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe112⤵PID:5556
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5600 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe114⤵PID:5644
-
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe115⤵PID:5684
-
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe116⤵
- Modifies registry class
PID:5740 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe117⤵PID:5788
-
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe118⤵PID:5836
-
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe119⤵PID:5880
-
C:\Windows\SysWOW64\Neoieenp.exeC:\Windows\system32\Neoieenp.exe120⤵
- Modifies registry class
PID:5924 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe121⤵
- Modifies registry class
PID:5968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-