Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
05/03/2025, 12:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c.exe
Resource
win7-20250207-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c.exe
-
Size
84KB
-
MD5
a4af8f396ba256635b06d2293c37e0fc
-
SHA1
a3c018322fc0095650ff11f61d85be6a8d60db33
-
SHA256
e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c
-
SHA512
b5899c134dc297b1f4b11e573a2be86eb91ac6dce55d4904464ad3c9f59253eb7810d8d73dd20764cce449ba6183c1c5b849260a2efb245d06db8d9d4d6913f8
-
SSDEEP
1536:yudSAcP3sumJzTy0Mq8ANZLvfPDyH6n8dEelLYR7xeGSmUmmmmmmmmmmmmmmdGnZ:BdSAU3XEvCy3PDyH6n8djlLYR7xr3
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fligqhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieidhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnhmnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnlhncgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knchpiom.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjjiej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnohlgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naecop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebimgcfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqda32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmbjgpi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebdcld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebimgcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofalmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qacameaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhgkgijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohidbkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedjmioj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibccgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opclldhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiopca32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnhajba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhanngbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnoiqdq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akblfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqmhnko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jknfcofa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkdaepb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loighj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbcncibp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocacl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodjjimm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnknafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbjcljl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnbfhal.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmmif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgmdec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocnlg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohidbkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqdbdbna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiiggoaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fligqhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjlcjf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cancekeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aogiap32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeeobbe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jghpbk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaaiahei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgobel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdgged32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1212 Glldgljg.exe 4720 Gbfldf32.exe 4852 Gkmdecbg.exe 5544 Hmlpaoaj.exe 5704 Hpjmnjqn.exe 6072 Hdehni32.exe 5444 Hgdejd32.exe 3168 Hibafp32.exe 3292 Hdhedh32.exe 3468 Hckeoeno.exe 4320 Hiiggoaf.exe 4208 Hmechmip.exe 2992 Hpcodihc.exe 2228 Hcblpdgg.exe 5812 Hkicaahi.exe 3208 Iljpij32.exe 4784 Icdheded.exe 5620 Iinqbn32.exe 4612 Injmcmej.exe 1700 Idcepgmg.exe 2760 Ijqmhnko.exe 6136 Ipjedh32.exe 1952 Igdnabjh.exe 1884 Ijcjmmil.exe 3940 Ipmbjgpi.exe 968 Ikbfgppo.exe 2572 Ilccoh32.exe 2148 Igigla32.exe 2824 Jjgchm32.exe 1544 Jlfpdh32.exe 1560 Jcphab32.exe 1824 Jkgpbp32.exe 216 Jlhljhbg.exe 3336 Jdodkebj.exe 4908 Jgnqgqan.exe 5380 Jjlmclqa.exe 2440 Jlkipgpe.exe 1240 Jpfepf32.exe 4944 Jcdala32.exe 5672 Jklinohd.exe 5356 Jjoiil32.exe 3344 Jlmfeg32.exe 2340 Jqhafffk.exe 5140 Jcgnbaeo.exe 1848 Jknfcofa.exe 3024 Jnlbojee.exe 4652 Jdfjld32.exe 876 Jcikgacl.exe 4128 Kkpbin32.exe 1300 Knooej32.exe 5296 Kqmkae32.exe 3040 Kclgmq32.exe 4416 Kkconn32.exe 3588 Knalji32.exe 5796 Kqphfe32.exe 4656 Kgipcogp.exe 2988 Kkeldnpi.exe 808 Knchpiom.exe 4360 Kqbdldnq.exe 2276 Kcpahpmd.exe 5280 Kglmio32.exe 2592 Kjjiej32.exe 5952 Kcbnnpka.exe 2384 Kkjeomld.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ihjoke32.dll Ilphdlqh.exe File opened for modification C:\Windows\SysWOW64\Ipmbjgpi.exe Ijcjmmil.exe File opened for modification C:\Windows\SysWOW64\Dfiildio.exe Dbnmke32.exe File created C:\Windows\SysWOW64\Pmhkafda.dll Iinjhh32.exe File created C:\Windows\SysWOW64\Hnibokbd.exe Ghojbq32.exe File created C:\Windows\SysWOW64\Pbcncibp.exe Pqbala32.exe File created C:\Windows\SysWOW64\Flpbbbdk.dll Ejlnfjbd.exe File opened for modification C:\Windows\SysWOW64\Fdkdibjp.exe Famhmfkl.exe File opened for modification C:\Windows\SysWOW64\Eqiibjlj.exe Eohmkb32.exe File created C:\Windows\SysWOW64\Glhimp32.exe Geoapenf.exe File opened for modification C:\Windows\SysWOW64\Hkicaahi.exe Hcblpdgg.exe File created C:\Windows\SysWOW64\Jdodkebj.exe Jlhljhbg.exe File opened for modification C:\Windows\SysWOW64\Kcpahpmd.exe Kqbdldnq.exe File created C:\Windows\SysWOW64\Cnkkjh32.exe Cohkokgj.exe File created C:\Windows\SysWOW64\Oiikeffm.dll Doojec32.exe File created C:\Windows\SysWOW64\Cjeejn32.dll Eaceghcg.exe File created C:\Windows\SysWOW64\Jdfjld32.exe Jnlbojee.exe File opened for modification C:\Windows\SysWOW64\Oacoqnci.exe Olfghg32.exe File created C:\Windows\SysWOW64\Ebgpad32.exe Enkdaepb.exe File created C:\Windows\SysWOW64\Ekaapi32.exe Eicedn32.exe File created C:\Windows\SysWOW64\Oeokal32.exe Oacoqnci.exe File created C:\Windows\SysWOW64\Egljbmnm.dll Dbnmke32.exe File created C:\Windows\SysWOW64\Kpmdfonj.exe Kjblje32.exe File created C:\Windows\SysWOW64\Qgngnj32.dll Jnlbojee.exe File created C:\Windows\SysWOW64\Ocoaob32.dll Gnqfcbnj.exe File opened for modification C:\Windows\SysWOW64\Gmafajfi.exe Gifkpknp.exe File opened for modification C:\Windows\SysWOW64\Ddcebe32.exe Daeifj32.exe File opened for modification C:\Windows\SysWOW64\Ejjaqk32.exe Egkddo32.exe File created C:\Windows\SysWOW64\Ckmonl32.exe Cljobphg.exe File opened for modification C:\Windows\SysWOW64\Lnjgfb32.exe Lfbped32.exe File opened for modification C:\Windows\SysWOW64\Nfnamjhk.exe Nqaiecjd.exe File opened for modification C:\Windows\SysWOW64\Egkddo32.exe Ddmhhd32.exe File opened for modification C:\Windows\SysWOW64\Eaceghcg.exe Ejlnfjbd.exe File created C:\Windows\SysWOW64\Klbbcjfp.dll Olicnfco.exe File opened for modification C:\Windows\SysWOW64\Cdkifmjq.exe Ckbemgcp.exe File created C:\Windows\SysWOW64\Gqnejaff.exe Gbkdod32.exe File created C:\Windows\SysWOW64\Ljaoeini.exe Lgccinoe.exe File opened for modification C:\Windows\SysWOW64\Ilphdlqh.exe Iefphb32.exe File created C:\Windows\SysWOW64\Cgogbi32.dll Lplfcf32.exe File opened for modification C:\Windows\SysWOW64\Pblajhje.exe Pmphaaln.exe File opened for modification C:\Windows\SysWOW64\Ilccoh32.exe Ikbfgppo.exe File created C:\Windows\SysWOW64\Onlche32.dll Nenbjo32.exe File created C:\Windows\SysWOW64\Ialjan32.dll Eicedn32.exe File created C:\Windows\SysWOW64\Ckjinf32.dll Gppcmeem.exe File created C:\Windows\SysWOW64\Pbhgoh32.exe Pafkgphl.exe File created C:\Windows\SysWOW64\Hpcodihc.exe Hmechmip.exe File created C:\Windows\SysWOW64\Oilmjcon.dll Ljfhqh32.exe File opened for modification C:\Windows\SysWOW64\Meepdp32.exe Mmnhcb32.exe File created C:\Windows\SysWOW64\Ilcldb32.exe Impliekg.exe File created C:\Windows\SysWOW64\Omqmop32.exe Oloahhki.exe File created C:\Windows\SysWOW64\Ongbqjjf.dll Dnbakghm.exe File created C:\Windows\SysWOW64\Imqpnq32.dll Mfenglqf.exe File created C:\Windows\SysWOW64\Ppgomnai.exe Pmhbqbae.exe File created C:\Windows\SysWOW64\Dncpkjoc.exe Dgihop32.exe File created C:\Windows\SysWOW64\Cljobphg.exe Cdbfab32.exe File created C:\Windows\SysWOW64\Najmjokc.exe Nmnqjp32.exe File opened for modification C:\Windows\SysWOW64\Plbfdekd.exe Pehngkcg.exe File opened for modification C:\Windows\SysWOW64\Dbpjaeoc.exe Dndnpf32.exe File created C:\Windows\SysWOW64\Lqhdbm32.exe Lnjgfb32.exe File created C:\Windows\SysWOW64\Kqkplq32.dll Pbcncibp.exe File created C:\Windows\SysWOW64\Fpgpgfmh.exe Fmhdkknd.exe File created C:\Windows\SysWOW64\Pmphaaln.exe Pplhhm32.exe File created C:\Windows\SysWOW64\Obnbpa32.dll Mgobel32.exe File created C:\Windows\SysWOW64\Iomoenej.exe Ipjoja32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 16216 16068 WerFault.exe 841 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkgje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjfecno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqegecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkifmjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgihop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmdecbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkkmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkadfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmohno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mablfnne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhfoebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqkondfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nghekkmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkpcfal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfglfdkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebimgcfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egegjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcekfnkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqbncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaekqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpcoefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggpfkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolmodpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkfmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnjpfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdcld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcifkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pagbaglh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdodkebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehicoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqojclne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaebef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haaaaeim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlcjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piapkbeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcikgacl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeldnpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domdjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkbnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpmnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edgbii32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hppeim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqnejaff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicbkkca.dll" Kqbdldnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phaahggp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdgged32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcjmmil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egacbb32.dll" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ignlbcmf.dll" Jokkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edplhjhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njfagf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkbgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fncibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffkpn32.dll" Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ineedcfb.dll" Cndeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fechomko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bacjdbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaceghcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjpeo32.dll" Nmbjcljl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnnljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egegjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll" Fdkdibjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjaphgpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkfjqib.dll" Nnicid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpgpgfmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpgind32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbkdod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcimdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll" Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbaclegm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll" Adkqoohc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckebcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iohejo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accimdgp.dll" Jmbhoeid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kofkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglmfnhm.dll" Baadiiif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojfcdnjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edaaccbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmkhgho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekaapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijkdmhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll" Jenmcggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgmdec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mociom32.dll" Ijqmhnko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbbnpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqjbddpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll" Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igigla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mklbeh32.dll" Bheplb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqojclne.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4264 wrote to memory of 1212 4264 e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c.exe 85 PID 4264 wrote to memory of 1212 4264 e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c.exe 85 PID 4264 wrote to memory of 1212 4264 e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c.exe 85 PID 1212 wrote to memory of 4720 1212 Glldgljg.exe 86 PID 1212 wrote to memory of 4720 1212 Glldgljg.exe 86 PID 1212 wrote to memory of 4720 1212 Glldgljg.exe 86 PID 4720 wrote to memory of 4852 4720 Gbfldf32.exe 87 PID 4720 wrote to memory of 4852 4720 Gbfldf32.exe 87 PID 4720 wrote to memory of 4852 4720 Gbfldf32.exe 87 PID 4852 wrote to memory of 5544 4852 Gkmdecbg.exe 88 PID 4852 wrote to memory of 5544 4852 Gkmdecbg.exe 88 PID 4852 wrote to memory of 5544 4852 Gkmdecbg.exe 88 PID 5544 wrote to memory of 5704 5544 Hmlpaoaj.exe 89 PID 5544 wrote to memory of 5704 5544 Hmlpaoaj.exe 89 PID 5544 wrote to memory of 5704 5544 Hmlpaoaj.exe 89 PID 5704 wrote to memory of 6072 5704 Hpjmnjqn.exe 90 PID 5704 wrote to memory of 6072 5704 Hpjmnjqn.exe 90 PID 5704 wrote to memory of 6072 5704 Hpjmnjqn.exe 90 PID 6072 wrote to memory of 5444 6072 Hdehni32.exe 91 PID 6072 wrote to memory of 5444 6072 Hdehni32.exe 91 PID 6072 wrote to memory of 5444 6072 Hdehni32.exe 91 PID 5444 wrote to memory of 3168 5444 Hgdejd32.exe 92 PID 5444 wrote to memory of 3168 5444 Hgdejd32.exe 92 PID 5444 wrote to memory of 3168 5444 Hgdejd32.exe 92 PID 3168 wrote to memory of 3292 3168 Hibafp32.exe 93 PID 3168 wrote to memory of 3292 3168 Hibafp32.exe 93 PID 3168 wrote to memory of 3292 3168 Hibafp32.exe 93 PID 3292 wrote to memory of 3468 3292 Hdhedh32.exe 94 PID 3292 wrote to memory of 3468 3292 Hdhedh32.exe 94 PID 3292 wrote to memory of 3468 3292 Hdhedh32.exe 94 PID 3468 wrote to memory of 4320 3468 Hckeoeno.exe 95 PID 3468 wrote to memory of 4320 3468 Hckeoeno.exe 95 PID 3468 wrote to memory of 4320 3468 Hckeoeno.exe 95 PID 4320 wrote to memory of 4208 4320 Hiiggoaf.exe 96 PID 4320 wrote to memory of 4208 4320 Hiiggoaf.exe 96 PID 4320 wrote to memory of 4208 4320 Hiiggoaf.exe 96 PID 4208 wrote to memory of 2992 4208 Hmechmip.exe 97 PID 4208 wrote to memory of 2992 4208 Hmechmip.exe 97 PID 4208 wrote to memory of 2992 4208 Hmechmip.exe 97 PID 2992 wrote to memory of 2228 2992 Hpcodihc.exe 98 PID 2992 wrote to memory of 2228 2992 Hpcodihc.exe 98 PID 2992 wrote to memory of 2228 2992 Hpcodihc.exe 98 PID 2228 wrote to memory of 5812 2228 Hcblpdgg.exe 100 PID 2228 wrote to memory of 5812 2228 Hcblpdgg.exe 100 PID 2228 wrote to memory of 5812 2228 Hcblpdgg.exe 100 PID 5812 wrote to memory of 3208 5812 Hkicaahi.exe 101 PID 5812 wrote to memory of 3208 5812 Hkicaahi.exe 101 PID 5812 wrote to memory of 3208 5812 Hkicaahi.exe 101 PID 3208 wrote to memory of 4784 3208 Iljpij32.exe 102 PID 3208 wrote to memory of 4784 3208 Iljpij32.exe 102 PID 3208 wrote to memory of 4784 3208 Iljpij32.exe 102 PID 4784 wrote to memory of 5620 4784 Icdheded.exe 103 PID 4784 wrote to memory of 5620 4784 Icdheded.exe 103 PID 4784 wrote to memory of 5620 4784 Icdheded.exe 103 PID 5620 wrote to memory of 4612 5620 Iinqbn32.exe 104 PID 5620 wrote to memory of 4612 5620 Iinqbn32.exe 104 PID 5620 wrote to memory of 4612 5620 Iinqbn32.exe 104 PID 4612 wrote to memory of 1700 4612 Injmcmej.exe 105 PID 4612 wrote to memory of 1700 4612 Injmcmej.exe 105 PID 4612 wrote to memory of 1700 4612 Injmcmej.exe 105 PID 1700 wrote to memory of 2760 1700 Idcepgmg.exe 106 PID 1700 wrote to memory of 2760 1700 Idcepgmg.exe 106 PID 1700 wrote to memory of 2760 1700 Idcepgmg.exe 106 PID 2760 wrote to memory of 6136 2760 Ijqmhnko.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c.exe"C:\Users\Admin\AppData\Local\Temp\e909241823d4c54ab8ed8a19091b37ed31880b8e89f2ebb8fbce8a209c0b575c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Gbfldf32.exeC:\Windows\system32\Gbfldf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5544 -
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5704 -
C:\Windows\SysWOW64\Hdehni32.exeC:\Windows\system32\Hdehni32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6072 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5444 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\Hiiggoaf.exeC:\Windows\system32\Hiiggoaf.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\SysWOW64\Hmechmip.exeC:\Windows\system32\Hmechmip.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Hcblpdgg.exeC:\Windows\system32\Hcblpdgg.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Hkicaahi.exeC:\Windows\system32\Hkicaahi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5812 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5620 -
C:\Windows\SysWOW64\Injmcmej.exeC:\Windows\system32\Injmcmej.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ipjedh32.exeC:\Windows\system32\Ipjedh32.exe23⤵
- Executes dropped EXE
PID:6136 -
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe24⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Ipmbjgpi.exeC:\Windows\system32\Ipmbjgpi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe28⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Jjgchm32.exeC:\Windows\system32\Jjgchm32.exe30⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe31⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe32⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Jkgpbp32.exeC:\Windows\system32\Jkgpbp32.exe33⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Jlhljhbg.exeC:\Windows\system32\Jlhljhbg.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:216 -
C:\Windows\SysWOW64\Jdodkebj.exeC:\Windows\system32\Jdodkebj.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3336 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe36⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe37⤵
- Executes dropped EXE
PID:5380 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe38⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe39⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe40⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Jklinohd.exeC:\Windows\system32\Jklinohd.exe41⤵
- Executes dropped EXE
PID:5672 -
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe42⤵
- Executes dropped EXE
PID:5356 -
C:\Windows\SysWOW64\Jlmfeg32.exeC:\Windows\system32\Jlmfeg32.exe43⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe44⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe45⤵
- Executes dropped EXE
PID:5140 -
C:\Windows\SysWOW64\Jknfcofa.exeC:\Windows\system32\Jknfcofa.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Jnlbojee.exeC:\Windows\system32\Jnlbojee.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Jdfjld32.exeC:\Windows\system32\Jdfjld32.exe48⤵
- Executes dropped EXE
PID:4652 -
C:\Windows\SysWOW64\Jcikgacl.exeC:\Windows\system32\Jcikgacl.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe50⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe51⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Kqmkae32.exeC:\Windows\system32\Kqmkae32.exe52⤵
- Executes dropped EXE
PID:5296 -
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe53⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Kkconn32.exeC:\Windows\system32\Kkconn32.exe54⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Knalji32.exeC:\Windows\system32\Knalji32.exe55⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe56⤵
- Executes dropped EXE
PID:5796 -
C:\Windows\SysWOW64\Kgipcogp.exeC:\Windows\system32\Kgipcogp.exe57⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Knchpiom.exeC:\Windows\system32\Knchpiom.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe61⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Kglmio32.exeC:\Windows\system32\Kglmio32.exe62⤵
- Executes dropped EXE
PID:5280 -
C:\Windows\SysWOW64\Kjjiej32.exeC:\Windows\system32\Kjjiej32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5952 -
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe65⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Kmkbfeab.exeC:\Windows\system32\Kmkbfeab.exe66⤵PID:2504
-
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe67⤵PID:1056
-
C:\Windows\SysWOW64\Lklbdm32.exeC:\Windows\system32\Lklbdm32.exe68⤵PID:5000
-
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe69⤵PID:4712
-
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe70⤵PID:5780
-
C:\Windows\SysWOW64\Lgccinoe.exeC:\Windows\system32\Lgccinoe.exe71⤵
- Drops file in System32 directory
PID:6120 -
C:\Windows\SysWOW64\Ljaoeini.exeC:\Windows\system32\Ljaoeini.exe72⤵PID:5976
-
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe73⤵PID:5948
-
C:\Windows\SysWOW64\Lcjcnoej.exeC:\Windows\system32\Lcjcnoej.exe74⤵PID:5772
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe75⤵PID:3620
-
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4520 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe77⤵PID:5816
-
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe78⤵PID:4348
-
C:\Windows\SysWOW64\Lggldm32.exeC:\Windows\system32\Lggldm32.exe79⤵PID:5848
-
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe80⤵
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Lmdemd32.exeC:\Windows\system32\Lmdemd32.exe81⤵PID:220
-
C:\Windows\SysWOW64\Lcnmin32.exeC:\Windows\system32\Lcnmin32.exe82⤵PID:4920
-
C:\Windows\SysWOW64\Ljhefhha.exeC:\Windows\system32\Ljhefhha.exe83⤵PID:5268
-
C:\Windows\SysWOW64\Lqbncb32.exeC:\Windows\system32\Lqbncb32.exe84⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe85⤵PID:5500
-
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe86⤵PID:1724
-
C:\Windows\SysWOW64\Mjkblhfo.exeC:\Windows\system32\Mjkblhfo.exe87⤵PID:3428
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe88⤵PID:5560
-
C:\Windows\SysWOW64\Mgobel32.exeC:\Windows\system32\Mgobel32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5760 -
C:\Windows\SysWOW64\Mjmoag32.exeC:\Windows\system32\Mjmoag32.exe90⤵PID:4744
-
C:\Windows\SysWOW64\Mmkkmc32.exeC:\Windows\system32\Mmkkmc32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe92⤵PID:3660
-
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe93⤵PID:2816
-
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe94⤵
- System Location Discovery: System Language Discovery
PID:3328 -
C:\Windows\SysWOW64\Mnkggfkb.exeC:\Windows\system32\Mnkggfkb.exe95⤵PID:508
-
C:\Windows\SysWOW64\Mmnhcb32.exeC:\Windows\system32\Mmnhcb32.exe96⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe97⤵PID:2724
-
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe98⤵PID:3240
-
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe99⤵PID:5016
-
C:\Windows\SysWOW64\Mjahlgpf.exeC:\Windows\system32\Mjahlgpf.exe100⤵PID:6140
-
C:\Windows\SysWOW64\Mmpdhboj.exeC:\Windows\system32\Mmpdhboj.exe101⤵PID:5964
-
C:\Windows\SysWOW64\Megljppl.exeC:\Windows\system32\Megljppl.exe102⤵PID:868
-
C:\Windows\SysWOW64\Mgehfkop.exeC:\Windows\system32\Mgehfkop.exe103⤵PID:5008
-
C:\Windows\SysWOW64\Mkadfj32.exeC:\Windows\system32\Mkadfj32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5492 -
C:\Windows\SysWOW64\Mnpabe32.exeC:\Windows\system32\Mnpabe32.exe105⤵PID:5536
-
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe106⤵PID:5020
-
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe107⤵PID:4772
-
C:\Windows\SysWOW64\Nghekkmn.exeC:\Windows\system32\Nghekkmn.exe108⤵
- System Location Discovery: System Language Discovery
PID:3860 -
C:\Windows\SysWOW64\Njfagf32.exeC:\Windows\system32\Njfagf32.exe109⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe110⤵PID:1668
-
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe111⤵PID:3644
-
C:\Windows\SysWOW64\Ncofplba.exeC:\Windows\system32\Ncofplba.exe112⤵PID:3992
-
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe113⤵
- Modifies registry class
PID:5596 -
C:\Windows\SysWOW64\Njinmf32.exeC:\Windows\system32\Njinmf32.exe114⤵PID:3420
-
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe115⤵PID:3604
-
C:\Windows\SysWOW64\Nenbjo32.exeC:\Windows\system32\Nenbjo32.exe116⤵
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe117⤵PID:3948
-
C:\Windows\SysWOW64\Nlhkgi32.exeC:\Windows\system32\Nlhkgi32.exe118⤵PID:5600
-
C:\Windows\SysWOW64\Nnfgcd32.exeC:\Windows\system32\Nnfgcd32.exe119⤵PID:1080
-
C:\Windows\SysWOW64\Naecop32.exeC:\Windows\system32\Naecop32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3856 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe121⤵PID:5376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-