Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 23:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe
-
Size
96KB
-
MD5
c31cc084a5ac177104ea050b8b2cf8fa
-
SHA1
b395b2c74c5be24f4765e4556c53b09dfa21438e
-
SHA256
619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514
-
SHA512
1ef0eb8ce3284dacef3d48b3b854ddf43650c471c9c15031ae9b413d91652f112356b6b67745bda881c3234ce361f915bcac09ff0ae1929f1acd3c9fff33a8ae
-
SSDEEP
3072:/4mvEfArxxR2bzUAYb7Ye+XHrtG9MW3+3l2X:/XxsbqzgtGDuMX
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfningai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbbfdfkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nchjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkahilkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fknicb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecjif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Elbhjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oepifi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmgabcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jngbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mekgdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ophjiaql.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhngolpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfnqklgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmfchle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chcddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jehhaaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjjcfabm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hpjmnjqn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpmdfonj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgllfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfdodjhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loeolc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idkbkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjcnoej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Famjkl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppbkgcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njpdnedf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnfamjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Flngfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkmmefl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnjlpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bagflcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Doilmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eggmge32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohehq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eajeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfdhkhjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihqoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hdmoohbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jenmcggo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpoihnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ohjlgefb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfldelik.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1800 Mdhdajea.exe 3124 Mgfqmfde.exe 3700 Meiaib32.exe 4540 Mdjagjco.exe 968 Melnob32.exe 660 Mlefklpj.exe 1524 Mgkjhe32.exe 3948 Mlhbal32.exe 4860 Ndokbi32.exe 760 Nilcjp32.exe 3744 Npfkgjdn.exe 4112 Ngpccdlj.exe 3640 Nnjlpo32.exe 5016 Ndcdmikd.exe 208 Ngbpidjh.exe 1212 Nnlhfn32.exe 5072 Npjebj32.exe 1416 Njciko32.exe 1480 Nlaegk32.exe 2784 Ndhmhh32.exe 3296 Nfjjppmm.exe 2328 Olcbmj32.exe 2640 Odkjng32.exe 3688 Ojgbfocc.exe 4596 Opakbi32.exe 1400 Ocpgod32.exe 2004 Ojjolnaq.exe 2660 Olhlhjpd.exe 464 Ocbddc32.exe 2432 Onhhamgg.exe 380 Ocdqjceo.exe 3804 Ojoign32.exe 1488 Oddmdf32.exe 4888 Ofeilobp.exe 4528 Pqknig32.exe 4548 Pjcbbmif.exe 4836 Pdifoehl.exe 4844 Pfjcgn32.exe 4856 Pdkcde32.exe 2252 Pncgmkmj.exe 1188 Pgllfp32.exe 3568 Pnfdcjkg.exe 2476 Pqdqof32.exe 2688 Qqfmde32.exe 4684 Qmmnjfnl.exe 220 Ajanck32.exe 2072 Adgbpc32.exe 3376 Ajckij32.exe 2968 Aclpap32.exe 4656 Amddjegd.exe 1732 Acnlgp32.exe 3928 Afmhck32.exe 4104 Amgapeea.exe 1648 Aeniabfd.exe 1824 Ajkaii32.exe 1600 Aminee32.exe 4288 Agoabn32.exe 1804 Bnhjohkb.exe 4884 Bagflcje.exe 3416 Bfdodjhm.exe 3108 Bmngqdpj.exe 2052 Beeoaapl.exe 728 Bgcknmop.exe 880 Bmpcfdmg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jilfifme.exe Jcanll32.exe File created C:\Windows\SysWOW64\Fdijbg32.exe Folaiqng.exe File created C:\Windows\SysWOW64\Kcbnnpka.exe Kqdaadln.exe File created C:\Windows\SysWOW64\Hlnjbedi.exe Hipmfjee.exe File created C:\Windows\SysWOW64\Bhbcfbjk.exe Bahkih32.exe File created C:\Windows\SysWOW64\Iepaaico.exe Hoeieolb.exe File created C:\Windows\SysWOW64\Fpjjac32.exe Fipbdikp.exe File opened for modification C:\Windows\SysWOW64\Eciplm32.exe Elbhjp32.exe File created C:\Windows\SysWOW64\Ijcahd32.exe Igedlh32.exe File opened for modification C:\Windows\SysWOW64\Ocpgod32.exe Opakbi32.exe File opened for modification C:\Windows\SysWOW64\Amddjegd.exe Aclpap32.exe File created C:\Windows\SysWOW64\Gdppbfff.exe Gnfhfl32.exe File created C:\Windows\SysWOW64\Lnijaa32.dll Iijaka32.exe File opened for modification C:\Windows\SysWOW64\Hlbcnd32.exe Hmpcbhji.exe File opened for modification C:\Windows\SysWOW64\Ljclki32.exe Lcjcnoej.exe File created C:\Windows\SysWOW64\Qlimed32.exe Qeodhjmo.exe File created C:\Windows\SysWOW64\Bcelmhen.exe Bqfoamfj.exe File created C:\Windows\SysWOW64\Kdinljnk.exe Jjdjoane.exe File created C:\Windows\SysWOW64\Aaiimadl.exe Aojlaeei.exe File opened for modification C:\Windows\SysWOW64\Cdlqqcnl.exe Cfipef32.exe File created C:\Windows\SysWOW64\Jcmdaljn.exe Ipoheakj.exe File created C:\Windows\SysWOW64\Lmjhab32.dll Jjpode32.exe File opened for modification C:\Windows\SysWOW64\Pmblagmf.exe Process not Found File created C:\Windows\SysWOW64\Nilcjp32.exe Ndokbi32.exe File created C:\Windows\SysWOW64\Koijai32.dll Hkehkocf.exe File created C:\Windows\SysWOW64\Qdbpmock.dll Cbeapmll.exe File created C:\Windows\SysWOW64\Lbmock32.dll Jcdala32.exe File created C:\Windows\SysWOW64\Ofkhal32.dll Process not Found File created C:\Windows\SysWOW64\Cmakeiil.dll Nhpbfpka.exe File opened for modification C:\Windows\SysWOW64\Caebma32.exe Cjkjpgfi.exe File opened for modification C:\Windows\SysWOW64\Bepmoh32.exe Bnhenj32.exe File created C:\Windows\SysWOW64\Hmpcbhji.exe Hehkajig.exe File created C:\Windows\SysWOW64\Hkjafn32.exe Hdpiid32.exe File created C:\Windows\SysWOW64\Kpdboimg.exe Khmknk32.exe File created C:\Windows\SysWOW64\Bicdfa32.dll Liqihglg.exe File created C:\Windows\SysWOW64\Hjpcoo32.dll Hkeaqi32.exe File created C:\Windows\SysWOW64\Gnepna32.exe Glgcbf32.exe File created C:\Windows\SysWOW64\Hmmfmhll.exe Hefnkkkj.exe File created C:\Windows\SysWOW64\Qfoaecol.dll Process not Found File created C:\Windows\SysWOW64\Bnffda32.dll Dfgcakon.exe File created C:\Windows\SysWOW64\Mdafpj32.dll Kcbnnpka.exe File created C:\Windows\SysWOW64\Fbpchb32.exe Fpbflg32.exe File created C:\Windows\SysWOW64\Pkoaeldi.dll Process not Found File created C:\Windows\SysWOW64\Ckgohf32.exe Process not Found File created C:\Windows\SysWOW64\Qkmdkgob.exe Qhngolpo.exe File opened for modification C:\Windows\SysWOW64\Akffafgg.exe Ahgjejhd.exe File created C:\Windows\SysWOW64\Eephln32.dll Igigla32.exe File created C:\Windows\SysWOW64\Cbdjeg32.exe Cofnik32.exe File created C:\Windows\SysWOW64\Meepdp32.exe Mmnhcb32.exe File opened for modification C:\Windows\SysWOW64\Ojdgnn32.exe Process not Found File created C:\Windows\SysWOW64\Ppolhcnm.exe Process not Found File created C:\Windows\SysWOW64\Leenhhdn.exe Lbgalmej.exe File created C:\Windows\SysWOW64\Cnfkdb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe Ddakjkqi.exe File created C:\Windows\SysWOW64\Ifihif32.exe Ioopml32.exe File created C:\Windows\SysWOW64\Elnoopdj.exe Emkndc32.exe File created C:\Windows\SysWOW64\Oabhfg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mlkepaam.exe Mhoipb32.exe File created C:\Windows\SysWOW64\Jkchlonc.dll Cofnik32.exe File created C:\Windows\SysWOW64\Omocan32.dll Cabfga32.exe File created C:\Windows\SysWOW64\Dgfnagdi.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cfbkeh32.exe Caebma32.exe File opened for modification C:\Windows\SysWOW64\Locbfd32.exe Lppbkgcj.exe File created C:\Windows\SysWOW64\Icland32.dll Cfigpm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6524 7876 Process not Found 1250 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmmmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjicdmmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiokinbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiaglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejchhgid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejalcgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqmhnko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgejpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akffafgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppqqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlefklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpiid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhamajc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akglloai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojoign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfcmhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdgglfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgbccni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdfbfdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnbqnjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehicoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikndgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoofle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbabigfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maggnali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjcfabm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnphmkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhndpol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cippgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcogje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemefcap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfldelik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlieda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnoopdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhlhjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knefeffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgehfkop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbcfbjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdqjceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdafkdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lacdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlambk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdigadjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhgkmpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dclkee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohgdhfn.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlndcmq.dll" Hgmgqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bokehc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gkhkjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngpccdlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aeniabfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aobilkcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eobocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknhhh32.dll" Cippgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqomdf32.dll" Mbhamajc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" Meepdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ipgbdbqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbcjnilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmkqpkla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Efmmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eppqqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iankcfdg.dll" Gbabigfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmhgok32.dll" Ealkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnknamej.dll" Jhijqj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahamgib.dll" Dbnmke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pnfdcjkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ngaionfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ohnebd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eoekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdbei32.dll" Jbbfdfkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lbchba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pdkcde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnijaa32.dll" Iijaka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcldc32.dll" Faenpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Okjnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcplf32.dll" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aehgnied.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chalkm32.dll" Olijhmgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igdgglfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mennkfdm.dll" Cceddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojoign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bapiabak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edflhb32.dll" Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglmfnhm.dll" Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkceokii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll" Adgbpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ohjlgefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghpel32.dll" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaimehd.dll" Bckkca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmejn32.dll" Gfdfgiid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kndojobi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbghfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndigcej.dll" Ihdafkdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oadfkdgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcmlj32.dll" Ijcjmmil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Acnlgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklphn32.dll" Folaiqng.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4600 wrote to memory of 1800 4600 619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe 82 PID 4600 wrote to memory of 1800 4600 619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe 82 PID 4600 wrote to memory of 1800 4600 619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe 82 PID 1800 wrote to memory of 3124 1800 Mdhdajea.exe 83 PID 1800 wrote to memory of 3124 1800 Mdhdajea.exe 83 PID 1800 wrote to memory of 3124 1800 Mdhdajea.exe 83 PID 3124 wrote to memory of 3700 3124 Mgfqmfde.exe 84 PID 3124 wrote to memory of 3700 3124 Mgfqmfde.exe 84 PID 3124 wrote to memory of 3700 3124 Mgfqmfde.exe 84 PID 3700 wrote to memory of 4540 3700 Meiaib32.exe 85 PID 3700 wrote to memory of 4540 3700 Meiaib32.exe 85 PID 3700 wrote to memory of 4540 3700 Meiaib32.exe 85 PID 4540 wrote to memory of 968 4540 Mdjagjco.exe 86 PID 4540 wrote to memory of 968 4540 Mdjagjco.exe 86 PID 4540 wrote to memory of 968 4540 Mdjagjco.exe 86 PID 968 wrote to memory of 660 968 Melnob32.exe 87 PID 968 wrote to memory of 660 968 Melnob32.exe 87 PID 968 wrote to memory of 660 968 Melnob32.exe 87 PID 660 wrote to memory of 1524 660 Mlefklpj.exe 88 PID 660 wrote to memory of 1524 660 Mlefklpj.exe 88 PID 660 wrote to memory of 1524 660 Mlefklpj.exe 88 PID 1524 wrote to memory of 3948 1524 Mgkjhe32.exe 89 PID 1524 wrote to memory of 3948 1524 Mgkjhe32.exe 89 PID 1524 wrote to memory of 3948 1524 Mgkjhe32.exe 89 PID 3948 wrote to memory of 4860 3948 Mlhbal32.exe 90 PID 3948 wrote to memory of 4860 3948 Mlhbal32.exe 90 PID 3948 wrote to memory of 4860 3948 Mlhbal32.exe 90 PID 4860 wrote to memory of 760 4860 Ndokbi32.exe 91 PID 4860 wrote to memory of 760 4860 Ndokbi32.exe 91 PID 4860 wrote to memory of 760 4860 Ndokbi32.exe 91 PID 760 wrote to memory of 3744 760 Nilcjp32.exe 92 PID 760 wrote to memory of 3744 760 Nilcjp32.exe 92 PID 760 wrote to memory of 3744 760 Nilcjp32.exe 92 PID 3744 wrote to memory of 4112 3744 Npfkgjdn.exe 93 PID 3744 wrote to memory of 4112 3744 Npfkgjdn.exe 93 PID 3744 wrote to memory of 4112 3744 Npfkgjdn.exe 93 PID 4112 wrote to memory of 3640 4112 Ngpccdlj.exe 94 PID 4112 wrote to memory of 3640 4112 Ngpccdlj.exe 94 PID 4112 wrote to memory of 3640 4112 Ngpccdlj.exe 94 PID 3640 wrote to memory of 5016 3640 Nnjlpo32.exe 95 PID 3640 wrote to memory of 5016 3640 Nnjlpo32.exe 95 PID 3640 wrote to memory of 5016 3640 Nnjlpo32.exe 95 PID 5016 wrote to memory of 208 5016 Ndcdmikd.exe 96 PID 5016 wrote to memory of 208 5016 Ndcdmikd.exe 96 PID 5016 wrote to memory of 208 5016 Ndcdmikd.exe 96 PID 208 wrote to memory of 1212 208 Ngbpidjh.exe 97 PID 208 wrote to memory of 1212 208 Ngbpidjh.exe 97 PID 208 wrote to memory of 1212 208 Ngbpidjh.exe 97 PID 1212 wrote to memory of 5072 1212 Nnlhfn32.exe 98 PID 1212 wrote to memory of 5072 1212 Nnlhfn32.exe 98 PID 1212 wrote to memory of 5072 1212 Nnlhfn32.exe 98 PID 5072 wrote to memory of 1416 5072 Npjebj32.exe 99 PID 5072 wrote to memory of 1416 5072 Npjebj32.exe 99 PID 5072 wrote to memory of 1416 5072 Npjebj32.exe 99 PID 1416 wrote to memory of 1480 1416 Njciko32.exe 100 PID 1416 wrote to memory of 1480 1416 Njciko32.exe 100 PID 1416 wrote to memory of 1480 1416 Njciko32.exe 100 PID 1480 wrote to memory of 2784 1480 Nlaegk32.exe 101 PID 1480 wrote to memory of 2784 1480 Nlaegk32.exe 101 PID 1480 wrote to memory of 2784 1480 Nlaegk32.exe 101 PID 2784 wrote to memory of 3296 2784 Ndhmhh32.exe 102 PID 2784 wrote to memory of 3296 2784 Ndhmhh32.exe 102 PID 2784 wrote to memory of 3296 2784 Ndhmhh32.exe 102 PID 3296 wrote to memory of 2328 3296 Nfjjppmm.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe"C:\Users\Admin\AppData\Local\Temp\619dc32538999fc76ad873ddb0d9c489da1dcc4febb761bfc89a9d8ef1f97514.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Nlaegk32.exeC:\Windows\system32\Nlaegk32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Ndhmhh32.exeC:\Windows\system32\Ndhmhh32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe23⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe24⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ojgbfocc.exeC:\Windows\system32\Ojgbfocc.exe25⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4596 -
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe27⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe28⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Olhlhjpd.exeC:\Windows\system32\Olhlhjpd.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe30⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe31⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:380 -
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3804 -
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe34⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe35⤵
- Executes dropped EXE
PID:4888 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe36⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe37⤵
- Executes dropped EXE
PID:4548 -
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe38⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe39⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4856 -
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe41⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:3568 -
C:\Windows\SysWOW64\Pqdqof32.exeC:\Windows\system32\Pqdqof32.exe44⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe45⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe46⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe47⤵
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Ajckij32.exeC:\Windows\system32\Ajckij32.exe49⤵
- Executes dropped EXE
PID:3376 -
C:\Windows\SysWOW64\Aclpap32.exeC:\Windows\system32\Aclpap32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe51⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Acnlgp32.exeC:\Windows\system32\Acnlgp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe53⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe54⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Ajkaii32.exeC:\Windows\system32\Ajkaii32.exe56⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Aminee32.exeC:\Windows\system32\Aminee32.exe57⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Agoabn32.exeC:\Windows\system32\Agoabn32.exe58⤵
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe59⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Bagflcje.exeC:\Windows\system32\Bagflcje.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\Bfdodjhm.exeC:\Windows\system32\Bfdodjhm.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe62⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe63⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Bgcknmop.exeC:\Windows\system32\Bgcknmop.exe64⤵
- Executes dropped EXE
PID:728 -
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe65⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Beglgani.exeC:\Windows\system32\Beglgani.exe66⤵PID:2020
-
C:\Windows\SysWOW64\Bfhhoi32.exeC:\Windows\system32\Bfhhoi32.exe67⤵PID:2012
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe68⤵PID:2188
-
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe69⤵PID:396
-
C:\Windows\SysWOW64\Bjfaeh32.exeC:\Windows\system32\Bjfaeh32.exe70⤵PID:1520
-
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe71⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Cfmajipb.exeC:\Windows\system32\Cfmajipb.exe72⤵PID:2124
-
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe73⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Cjkjpgfi.exeC:\Windows\system32\Cjkjpgfi.exe74⤵
- Drops file in System32 directory
PID:4692 -
C:\Windows\SysWOW64\Caebma32.exeC:\Windows\system32\Caebma32.exe75⤵
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe76⤵PID:4908
-
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe77⤵PID:2420
-
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe78⤵PID:4356
-
C:\Windows\SysWOW64\Cfdhkhjj.exeC:\Windows\system32\Cfdhkhjj.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:644 -
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe80⤵PID:4668
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3636 -
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe82⤵PID:4408
-
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe83⤵PID:1924
-
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe84⤵PID:3820
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe85⤵PID:784
-
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe86⤵PID:4444
-
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe87⤵PID:3100
-
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe88⤵PID:4604
-
C:\Windows\SysWOW64\Daconoae.exeC:\Windows\system32\Daconoae.exe89⤵PID:2132
-
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe90⤵
- Drops file in System32 directory
PID:3088 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe91⤵PID:4124
-
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe92⤵PID:1460
-
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe93⤵PID:4108
-
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4556 -
C:\Windows\SysWOW64\Edfdej32.exeC:\Windows\system32\Edfdej32.exe95⤵PID:3684
-
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe96⤵PID:3136
-
C:\Windows\SysWOW64\Eolhbc32.exeC:\Windows\system32\Eolhbc32.exe97⤵PID:3796
-
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3900 -
C:\Windows\SysWOW64\Eggmge32.exeC:\Windows\system32\Eggmge32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3776 -
C:\Windows\SysWOW64\Eonehbjg.exeC:\Windows\system32\Eonehbjg.exe100⤵PID:1748
-
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe101⤵PID:3996
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe102⤵PID:3224
-
C:\Windows\SysWOW64\Eopbnbhd.exeC:\Windows\system32\Eopbnbhd.exe103⤵PID:1324
-
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe104⤵PID:1736
-
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe105⤵PID:452
-
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe106⤵
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe107⤵
- Modifies registry class
PID:5152 -
C:\Windows\SysWOW64\Edpgli32.exeC:\Windows\system32\Edpgli32.exe108⤵PID:5196
-
C:\Windows\SysWOW64\Egnchd32.exeC:\Windows\system32\Egnchd32.exe109⤵PID:5236
-
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe110⤵
- Modifies registry class
PID:5280 -
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe111⤵PID:5324
-
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe112⤵PID:5360
-
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe113⤵PID:5412
-
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe114⤵PID:5456
-
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe115⤵PID:5500
-
C:\Windows\SysWOW64\Fknicb32.exeC:\Windows\system32\Fknicb32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5544 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe117⤵PID:5588
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe118⤵PID:5632
-
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe119⤵PID:5680
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe120⤵
- Drops file in System32 directory
- Modifies registry class
PID:5724 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe121⤵PID:5768
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-