Analysis

max time kernel: 104s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-08-2024 02:24

Static task: static1
Behavioral task: behavioral1 (Sample dd27fd97908788551180494cf455d590N.exe, Resource win7-20240708-en)
Behavioral task: behavioral2 (Sample dd27fd97908788551180494cf455d590N.exe, Resource win10v2004-20240802-en)

The platform and resource above identify this page as the behavioral2 run (Windows 10 2004, x64); the signatures below come from that run, not from the Windows 7 task.

General

Target: dd27fd97908788551180494cf455d590N.exe
Size: 111KB
MD5: dd27fd97908788551180494cf455d590
SHA1: ec7ef42f3e6049dd9af7c4eeb9c151f87d605c76
SHA256: f6280b0cd98602cf625f770766fbe9179b5caeb18417bc76dd888e6242c51eb1
SHA512: 5596953675fa985ccb360b7b47e6f24c2cd10f3152e762e8691eb2c8af599f85c49acfaf9440eb2886c0f785b0053406a6897896259f272903994f92345e0229
SSDEEP: 3072:doKSxlT46ry5dNeIw0v0wnJcefSXQHPTTAkvB5Ddj:dzils0oQ2tnJfKXqPTX7DB
Malware Config

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) lists CLSIDs whose in-process COM servers explorer.exe loads when the shell starts, so an entry here survives reboots without touching Run keys, scheduled tasks or services. The dropped copies repeatedly create the key and set a value named "Web Event Logger" to one CLSID, {79ECA078-17FF-726B-E811-213280E5C831}; that CLSID is registered under "Modifies registry class" below with an InProcServer32 pointing at a DLL dropped in SysWow64. Because the sample is 32-bit, every one of these keys lives under WOW6432Node on this x64 image, which is the view a hunt must read.
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, by process (28 entries):
Fjjekj32.exe, Ebgnnokj.exe, Gdqmpd32.exe, Idcbla32.exe, Hcligiko.exe, Aahpoe32.exe, Fkmikpcg.exe, Cckipl32.exe, Jbeogcbo.exe, Diadna32.exe, Ikfnnf32.exe, Halcjg32.exe, Kiijjl32.exe, Gdipdobg.exe, Iniceadm.exe, Pokgalak.exe, Ibjpkeml.exe, Gbqikkel.exe, Fflcobod.exe, Fmchlfeg.exe, Ikjgie32.exe, Dgpggiof.exe, Kemninih.exe, Fioblggf.exe, Hmmdib32.exe, Hhabkb32.exe, Olmbob32.exe, Fmmbmkqi.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}", by process (36 entries):
Jbeogcbo.exe, Pcdfmk32.exe, Fkecjajp.exe, Cmgpijng.exe, Mhqmgffd.exe, Fjbojkhf.exe, Fabhmkoj.exe, Acbbniog.exe, Jjngefam.exe, Aeobdd32.exe, Caafop32.exe, Halcjg32.exe, Aaecie32.exe, Ikknclie.exe, Piooiecd.exe, Hmkgcc32.exe, Eakall32.exe, Plknpqdj.exe, Almdln32.exe, Epmkmb32.exe, Oaqqghhj.exe, Ejpbel32.exe, Fjjekj32.exe, Hnnkcibf.exe, Ejildmpa.exe, Lebhdm32.exe, Leddjmcp.exe, Hbecfjag.exe, Iligknmj.exe, Knaigd32.exe, Lhgjag32.exe, Ejnfol32.exe, Cjbdgf32.exe, Kqmimped.exe, Oinfbg32.exe, Igfhclkd.exe
Executes dropped EXE (64 IoCs)

pid   Process
3688  Bgakek32.exe
3204  Bjpgaf32.exe
3168  Bqjpnqag.exe
2196  Bchljlqk.exe
1664  Cjbdgf32.exe
3028  Cmapca32.exe
2764  Cckipl32.exe
2448  Cjeamffe.exe
5108  Caoiip32.exe
4800  Cgiafjeo.exe
1824  Cjgnbedb.exe
760   Caafop32.exe
4696  Ccpbkk32.exe
2972  Cfnngfjf.exe
2156  Cacbdoil.exe
396   Cfpkmfhd.exe
3568  Cmjcip32.exe
2628  Cpipel32.exe
988   Dgpggiof.exe
4944  Diadna32.exe
1916  Dpklkkla.exe
4972  Dfedhe32.exe
3576  Djqphdlg.exe
4772  Dmomdpkk.exe
4368  Dhdabhka.exe
3248  Diemiqqp.exe
4080  Dmaijo32.exe
2032  Dckagiqe.exe
3860  Dfjncepi.exe
3120  Dmcfpo32.exe
2524  Ddnnlinc.exe
836   Dhijmh32.exe
1144  Djgfic32.exe
3212  Daaofm32.exe
3180  Edpkbi32.exe
4188  Efngnd32.exe
3088  Eimcjp32.exe
3020  Epglgjbd.exe
2100  Ehnchgbf.exe
3296  Ejlpdbbj.exe
2520  Emklpn32.exe
1860  Epihli32.exe
1760  Ehppng32.exe
684   Ejomjb32.exe
4776  Emmifn32.exe
4284  Ehbmcf32.exe
2284  Eicjkodp.exe
1320  Eakall32.exe
4564  Edinhg32.exe
1472  Ekcfealb.exe
2104  Eiffpn32.exe
3980  Fppomhjj.exe
1164  Fhgfnfjl.exe
4692  Fkecjajp.exe
4588  Fihcfn32.exe
5080  Fapkgk32.exe
4376  Fflcobod.exe
3640  Fmflll32.exe
1920  Fabhmkoj.exe
1896  Fpehhh32.exe
696   Fhlpie32.exe
5040  Fkjleq32.exe
776   Fmihal32.exe
2988  Fdbqnflk.exe
Drops file in System32 directory (64 IoCs)
Every drop lands in C:\Windows\SysWOW64, the 32-bit system directory on this x64 image. The .exe files are the copies that form the execution chain, and the .dll files use the same 8-character naming scheme as the COM servers registered under "Modifies registry class". The process column is the dropped copy doing the writing, not the original sample, so this list is a 64-entry window onto a chain that is considerably longer.
File created (path, writing process), 38 entries:
C:\Windows\SysWOW64\Ebgnnokj.exe   Ecdnbb32.exe
C:\Windows\SysWOW64\Fflcobod.exe   Fapkgk32.exe
C:\Windows\SysWOW64\Clfnggik.dll   Hjpbmklp.exe
C:\Windows\SysWOW64\Nlbabn32.dll   Iabjjfbd.exe
C:\Windows\SysWOW64\Mkldoa32.dll   Lebhdm32.exe
C:\Windows\SysWOW64\Flfhgc32.exe   Fmchlfeg.exe
C:\Windows\SysWOW64\Lekkjl32.exe   Lbmnnp32.exe
C:\Windows\SysWOW64\Fagkindc.dll   Fmakfggj.exe
C:\Windows\SysWOW64\Hdpedijp.dll   Dmaijo32.exe
C:\Windows\SysWOW64\Lgngki32.exe   Kadonool.exe
C:\Windows\SysWOW64\Qeleoe32.exe   Qobmbkkc.exe
C:\Windows\SysWOW64\Fjbojkhf.exe   Efgcjmpm.exe
C:\Windows\SysWOW64\Jeiahb32.dll   Hkohmg32.exe
C:\Windows\SysWOW64\Dkdhmo32.dll   Oejpbg32.exe
C:\Windows\SysWOW64\Acjioh32.exe   Ahddao32.exe
C:\Windows\SysWOW64\Fdpakipb.dll   Dmqbpiem.exe
C:\Windows\SysWOW64\Qpllgkkl.dll   Lbfhna32.exe
C:\Windows\SysWOW64\Edinhg32.exe   Eakall32.exe
C:\Windows\SysWOW64\Lbckha32.exe   Ljlcgd32.exe
C:\Windows\SysWOW64\Bngikaoc.dll   Albmgmpp.exe
C:\Windows\SysWOW64\Fieofh32.exe   Fjbojkhf.exe
C:\Windows\SysWOW64\Hkaeea32.dll   Kkndpi32.exe
C:\Windows\SysWOW64\Bojljggi.exe   Bcqoogcg.exe
C:\Windows\SysWOW64\Nnonbi32.dll   Bcqoogcg.exe
C:\Windows\SysWOW64\Cdhdnhfo.dll   Dklmjgbp.exe
C:\Windows\SysWOW64\Npojbnma.dll   Daaofm32.exe
C:\Windows\SysWOW64\Fkhcmiii.dll   Emklpn32.exe
C:\Windows\SysWOW64\Hkcahfla.exe   Hghegh32.exe
C:\Windows\SysWOW64\Lejkad32.dll   Iniceadm.exe
C:\Windows\SysWOW64\Plbllp32.dll   Jdmebp32.exe
C:\Windows\SysWOW64\Lojfnqag.dll   Hgqogiip.exe
C:\Windows\SysWOW64\Gkhhgoij.exe   Ghjlkcjf.exe
C:\Windows\SysWOW64\Glbhca32.exe   Giclgf32.exe
C:\Windows\SysWOW64\Dmlidj32.exe   Djmmhn32.exe
C:\Windows\SysWOW64\Igjbmg32.exe   Icofliil.exe
C:\Windows\SysWOW64\Dakkik32.dll   Eicjkodp.exe
C:\Windows\SysWOW64\Kiamkolf.dll   Noooop32.exe
C:\Windows\SysWOW64\Dmomdpkk.exe   Djqphdlg.exe

File opened for modification (path, writing process), 26 entries:
C:\Windows\SysWOW64\Fjbojkhf.exe   Efgcjmpm.exe
C:\Windows\SysWOW64\Cjeamffe.exe   Cckipl32.exe
C:\Windows\SysWOW64\Bcqoogcg.exe   Bkgjhjdg.exe
C:\Windows\SysWOW64\Hgafaoml.exe   Hadmihod.exe
C:\Windows\SysWOW64\Jhfdmobf.exe   Jqomlb32.exe
C:\Windows\SysWOW64\Ejnfol32.exe   Ebgnnokj.exe
C:\Windows\SysWOW64\Cjgnbedb.exe   Cgiafjeo.exe
C:\Windows\SysWOW64\Hadmihod.exe   Ggoilp32.exe
C:\Windows\SysWOW64\Jgnndk32.exe   Jdobhp32.exe
C:\Windows\SysWOW64\Pokgalak.exe   Pkpkam32.exe
C:\Windows\SysWOW64\Nhefbe32.exe   Maknekka.exe
C:\Windows\SysWOW64\Djmmhn32.exe   Dccdldca.exe
C:\Windows\SysWOW64\Miicqj32.exe   Mbokdp32.exe
C:\Windows\SysWOW64\Ebijcn32.exe   Epkngc32.exe
C:\Windows\SysWOW64\Nabdfjdj.exe   Nodhjoef.exe
C:\Windows\SysWOW64\Peqfcfmm.exe   Pognfl32.exe
C:\Windows\SysWOW64\Mipiaimf.exe   Mnkedpnq.exe
C:\Windows\SysWOW64\Eicjkodp.exe   Ehbmcf32.exe
C:\Windows\SysWOW64\Noakdo32.exe   Nlcohd32.exe
C:\Windows\SysWOW64\Nelcaioe.exe   Noakdo32.exe
C:\Windows\SysWOW64\Gmadmd32.exe   Gkchai32.exe
C:\Windows\SysWOW64\Kqklhpgg.exe   Knlpldhc.exe
C:\Windows\SysWOW64\Dgpggiof.exe   Cpipel32.exe
C:\Windows\SysWOW64\Dpklkkla.exe   Diadna32.exe
C:\Windows\SysWOW64\Fhlpie32.exe   Fpehhh32.exe
C:\Windows\SysWOW64\Plhaja32.exe   Pijene32.exe
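A host-side check for the drop pattern above, written for this page as an added example and not taken from the sandbox or the sample. It walks SysWOW64 for recently created .exe/.dll files, scores each against the 8-character naming scheme, the Authenticode signer and the SHA256 of the submitted sample, and prints the candidates. It assumes an elevated PowerShell session on the live host; the hash match further assumes the dropped copies are byte-identical to the sample, which the report does not state.

```powershell
# Added example, not part of the sandbox report: find PE files in SysWOW64 that match the
# drop pattern recorded above (8-character .exe/.dll names, created recently, not signed by
# Microsoft) and compare each against the submitted sample's SHA256. Run elevated on the
# host under investigation. Assumption: dropped copies are byte-identical to the sample;
# if they are not, the hash check stays silent and only the name/signature heuristics fire.

$SampleSha256 = 'f6280b0cd98602cf625f770766fbe9179b5caeb18417bc76dd888e6242c51eb1'  # from the report
$SysWow64     = Join-Path -Path $env:SystemRoot -ChildPath 'SysWOW64'
$Since        = (Get-Date).AddDays(-30)   # widen if the intrusion may be older

$Candidates = Get-ChildItem -Path (Join-Path $SysWow64 '*') -Include '*.exe', '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since }

$Hits = foreach ($File in $Candidates) {
    $Reasons = @()

    # Names in the report: one capital, five lowercase letters, then "32" or two more letters
    # (Bgakek32.exe, Clfnggik.dll, Dmomdpkk.exe). Stock Windows binaries rarely look like this.
    if ($File.BaseName -cmatch '^[A-Z][a-z]{5}(32|[a-z]{2})$') { $Reasons += 'name matches report drop pattern' }

    $Sig = Get-AuthenticodeSignature -FilePath $File.FullName
    if ($Sig.Status -ne 'Valid') { $Reasons += "signature $($Sig.Status)" }
    elseif ($Sig.SignerCertificate.Subject -notmatch 'Microsoft') { $Reasons += 'signed, but not by Microsoft' }

    $Hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash.ToLower()
    if ($Hash -eq $SampleSha256) { $Reasons += 'SHA256 matches the submitted sample' }

    if ($Reasons.Count -gt 0) {
        [pscustomobject]@{
            File    = $File.FullName
            Created = $File.CreationTime
            Bytes   = $File.Length
            SHA256  = $Hash
            Reasons = ($Reasons -join '; ')
        }
    }
}

$Hits | Sort-Object -Property Created -Descending | Format-Table -AutoSize
```

Treat the three signals together: an unsigned 8-character binary in SysWOW64 with a matching hash is a copy of this sample, while a single signal deserves a look but not a verdict. On older hosts Get-AuthenticodeSignature can report catalog-signed Windows binaries as NotSigned; there, lean on the name pattern and the hash and use the signature only as supporting evidence.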
Program crash (1 IoC)

pid 10648 WerFault.exe, pid_target 10548, procid_target 493
WerFault.exe handled a crash of PID 10548. Its procid_target of 493, against 84 for the first dropped copy in the WriteProcessMemory listing, shows that the chain created hundreds of processes during the run; every 64-IoC list on this page is a capped excerpt of that activity.
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Here each copy in the chain opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Reading this key is also common in benign software, so on its own the signature is low-fidelity; it matters here only as one more behaviour shared by every process in the chain.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process (64 entries):
Nlelnc32.exe, Mipiaimf.exe, Hgcllhgm.exe, Emklpn32.exe, Jkbddk32.exe, Lebhdm32.exe, Djmmhn32.exe, Filefgii.exe, Fmmbmkqi.exe, Nabdfjdj.exe, Qhheeqcf.exe, Bchljlqk.exe, Dgpggiof.exe, Dhdabhka.exe, Cpipel32.exe, Fmkeglbk.exe, Epmkmb32.exe, Jqomlb32.exe, Bjfnaa32.exe, Ecdnbb32.exe, Ggjpqpcd.exe, Jbqfld32.exe, Lnabnafk.exe, Bcqoogcg.exe, Lekkjl32.exe, Dkafef32.exe, Igmemnco.exe, Idhlgalp.exe, Kjcqqf32.exe, Dpklkkla.exe, Edinhg32.exe, Fapkgk32.exe, Cocopfon.exe, Ejomjb32.exe, Noooop32.exe, Nodhjoef.exe, Nkmedp32.exe, Aeobdd32.exe, Jbcbadda.exe, Cjeamffe.exe, Halcjg32.exe, Hgqogiip.exe, Nhllcd32.exe, Djpinnhl.exe, Diadna32.exe, Hgfolo32.exe, Ijbhjhlj.exe, Giclgf32.exe, Epglgjbd.exe, Hjpbmklp.exe, Lhgjag32.exe, Gfeokk32.exe, Dhijmh32.exe, Eakall32.exe, Oejpbg32.exe, Gblppl32.exe, Idleal32.exe, Cjgnbedb.exe, Hanpoggj.exe, Cjicmond.exe, Ikianl32.exe, Mhqmgffd.exe, Ebijcn32.exe, Digcdjka.exe
Modifies registry class (64 IoCs)
This is the other half of the SSODL persistence. Under the same CLSID, {79ECA078-17FF-726B-E811-213280E5C831}, the copies create InProcServer32, set ThreadingModel = "Apartment" and point the default value at an 8-character .dll in C:\Windows\SysWow64, the same naming scheme as the .dll drops above. Explorer.exe loads whichever DLL the value names last; the DLL, not the .exe chain, is what runs inside the shell after a reboot.
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32, by process (17 entries):
Hpjjje32.exe, Gpdjdodf.exe, Nbdmfmjj.exe, Leddjmcp.exe, Noooop32.exe, Oighif32.exe, Cbaklana.exe, Hghegh32.exe, Lgbqfhbd.exe, Hbecfjag.exe, Jgnndk32.exe, Plogkp32.exe, Mjhcbb32.exe, Okiepnoj.exe, Hpaqkd32.exe, Jdobhp32.exe, Oloodb32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment", by process (25 entries):
Ebgnnokj.exe, Igokhgmp.exe, Fmflll32.exe, Nenpgi32.exe, Cjbdgf32.exe, Ijbhjhlj.exe, Dccdldca.exe, Gplnigpl.exe, Kncflc32.exe, Bcqoogcg.exe, Hhcoabbl.exe, Plknpqdj.exe, Iligknmj.exe, Jbcbadda.exe, Fkjleq32.exe, Mjjphbim.exe, Nlcohd32.exe, Efngnd32.exe, Jjgaeg32.exe, Noakdo32.exe, Diemiqqp.exe, Hghegh32.exe, Cmjcip32.exe, Bchljlqk.exe, Olchoajb.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ (default) = DLL path, by process (22 entries):
"C:\\Windows\\SysWow64\\Anijnh32.dll"   Gdqmpd32.exe
"C:\\Windows\\SysWow64\\Hadanljg.dll"   Pichdd32.exe
"C:\\Windows\\SysWow64\\Ffaeagkd.dll"   Fdbjdpho.exe
"C:\\Windows\\SysWow64\\Hcaofb32.dll"   Igdknmmf.exe
"C:\\Windows\\SysWow64\\Olmmfo32.dll"   Cfnngfjf.exe
"C:\\Windows\\SysWow64\\Joldiccl.dll"   Qeleoe32.exe
"C:\\Windows\\SysWow64\\Kflnadao.dll"   Bchljlqk.exe
"C:\\Windows\\SysWow64\\Ebckmgam.dll"   Pcdfmk32.exe
"C:\\Windows\\SysWow64\\Hdnmafbf.dll"   Iligknmj.exe
"C:\\Windows\\SysWow64\\Aekfamcj.dll"   Edpkbi32.exe
"C:\\Windows\\SysWow64\\Klpqcd32.dll"   Aeobdd32.exe
"C:\\Windows\\SysWow64\\Nfmbocik.dll"   Emlbkg32.exe
"C:\\Windows\\SysWow64\\Phalpk32.dll"   Kqmimped.exe
"C:\\Windows\\SysWow64\\Bglmpika.dll"   Hbcfqkcj.exe
"C:\\Windows\\SysWow64\\Pacold32.dll"   Bojljggi.exe
"C:\\Windows\\SysWow64\\Hemgog32.dll"   Ohfoic32.exe
"C:\\Windows\\SysWow64\\Kidibiag.dll"   Jncmefpn.exe
"C:\\Windows\\SysWow64\\Jebmbkad.dll"   Fmchlfeg.exe
"C:\\Windows\\SysWow64\\Fjjpip32.dll"   Hmhjnccp.exe
"C:\\Windows\\SysWow64\\Njfhpndk.dll"   Dkoipfpm.exe
"C:\\Windows\\SysWow64\\Eeoanb32.dll"   Glbhca32.exe
"C:\\Windows\\SysWow64\\Bgdinejf.dll"   Pijene32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3456 wrote to memory of 3688 3456 dd27fd97908788551180494cf455d590N.exe 84 PID 3456 wrote to memory of 3688 3456 dd27fd97908788551180494cf455d590N.exe 84 PID 3456 wrote to memory of 3688 3456 dd27fd97908788551180494cf455d590N.exe 84 PID 3688 wrote to memory of 3204 3688 Bgakek32.exe 85 PID 3688 wrote to memory of 3204 3688 Bgakek32.exe 85 PID 3688 wrote to memory of 3204 3688 Bgakek32.exe 85 PID 3204 wrote to memory of 3168 3204 Bjpgaf32.exe 86 PID 3204 wrote to memory of 3168 3204 Bjpgaf32.exe 86 PID 3204 wrote to memory of 3168 3204 Bjpgaf32.exe 86 PID 3168 wrote to memory of 2196 3168 Bqjpnqag.exe 87 PID 3168 wrote to memory of 2196 3168 Bqjpnqag.exe 87 PID 3168 wrote to memory of 2196 3168 Bqjpnqag.exe 87 PID 2196 wrote to memory of 1664 2196 Bchljlqk.exe 88 PID 2196 wrote to memory of 1664 2196 Bchljlqk.exe 88 PID 2196 wrote to memory of 1664 2196 Bchljlqk.exe 88 PID 1664 wrote to memory of 3028 1664 Cjbdgf32.exe 89 PID 1664 wrote to memory of 3028 1664 Cjbdgf32.exe 89 PID 1664 wrote to memory of 3028 1664 Cjbdgf32.exe 89 PID 3028 wrote to memory of 2764 3028 Cmapca32.exe 90 PID 3028 wrote to memory of 2764 3028 Cmapca32.exe 90 PID 3028 wrote to memory of 2764 3028 Cmapca32.exe 90 PID 2764 wrote to memory of 2448 2764 Cckipl32.exe 91 PID 2764 wrote to memory of 2448 2764 Cckipl32.exe 91 PID 2764 wrote to memory of 2448 2764 Cckipl32.exe 91 PID 2448 wrote to memory of 5108 2448 Cjeamffe.exe 92 PID 2448 wrote to memory of 5108 2448 Cjeamffe.exe 92 PID 2448 wrote to memory of 5108 2448 Cjeamffe.exe 92 PID 5108 wrote to memory of 4800 5108 Caoiip32.exe 93 PID 5108 wrote to memory of 4800 5108 Caoiip32.exe 93 PID 5108 wrote to memory of 4800 5108 Caoiip32.exe 93 PID 4800 wrote to memory of 1824 4800 Cgiafjeo.exe 94 PID 4800 wrote to memory of 1824 4800 Cgiafjeo.exe 94 PID 4800 wrote to memory of 1824 4800 Cgiafjeo.exe 94 PID 1824 wrote to memory of 760 1824 Cjgnbedb.exe 95 PID 1824 wrote to memory of 760 1824 Cjgnbedb.exe 
95 PID 1824 wrote to memory of 760 1824 Cjgnbedb.exe 95 PID 760 wrote to memory of 4696 760 Caafop32.exe 97 PID 760 wrote to memory of 4696 760 Caafop32.exe 97 PID 760 wrote to memory of 4696 760 Caafop32.exe 97 PID 4696 wrote to memory of 2972 4696 Ccpbkk32.exe 98 PID 4696 wrote to memory of 2972 4696 Ccpbkk32.exe 98 PID 4696 wrote to memory of 2972 4696 Ccpbkk32.exe 98 PID 2972 wrote to memory of 2156 2972 Cfnngfjf.exe 99 PID 2972 wrote to memory of 2156 2972 Cfnngfjf.exe 99 PID 2972 wrote to memory of 2156 2972 Cfnngfjf.exe 99 PID 2156 wrote to memory of 396 2156 Cacbdoil.exe 101 PID 2156 wrote to memory of 396 2156 Cacbdoil.exe 101 PID 2156 wrote to memory of 396 2156 Cacbdoil.exe 101 PID 396 wrote to memory of 3568 396 Cfpkmfhd.exe 102 PID 396 wrote to memory of 3568 396 Cfpkmfhd.exe 102 PID 396 wrote to memory of 3568 396 Cfpkmfhd.exe 102 PID 3568 wrote to memory of 2628 3568 Cmjcip32.exe 104 PID 3568 wrote to memory of 2628 3568 Cmjcip32.exe 104 PID 3568 wrote to memory of 2628 3568 Cmjcip32.exe 104 PID 2628 wrote to memory of 988 2628 Cpipel32.exe 105 PID 2628 wrote to memory of 988 2628 Cpipel32.exe 105 PID 2628 wrote to memory of 988 2628 Cpipel32.exe 105 PID 988 wrote to memory of 4944 988 Dgpggiof.exe 106 PID 988 wrote to memory of 4944 988 Dgpggiof.exe 106 PID 988 wrote to memory of 4944 988 Dgpggiof.exe 106 PID 4944 wrote to memory of 1916 4944 Diadna32.exe 107 PID 4944 wrote to memory of 1916 4944 Diadna32.exe 107 PID 4944 wrote to memory of 1916 4944 Diadna32.exe 107 PID 1916 wrote to memory of 4972 1916 Dpklkkla.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd27fd97908788551180494cf455d590N.exe"C:\Users\Admin\AppData\Local\Temp\dd27fd97908788551180494cf455d590N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\Bgakek32.exeC:\Windows\system32\Bgakek32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\SysWOW64\Bjpgaf32.exeC:\Windows\system32\Bjpgaf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\SysWOW64\Bqjpnqag.exeC:\Windows\system32\Bqjpnqag.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\Bchljlqk.exeC:\Windows\system32\Bchljlqk.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Cjbdgf32.exeC:\Windows\system32\Cjbdgf32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Cmapca32.exeC:\Windows\system32\Cmapca32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Cckipl32.exeC:\Windows\system32\Cckipl32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Cjeamffe.exeC:\Windows\system32\Cjeamffe.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Caoiip32.exeC:\Windows\system32\Caoiip32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\Cgiafjeo.exeC:\Windows\system32\Cgiafjeo.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\Cjgnbedb.exeC:\Windows\system32\Cjgnbedb.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Caafop32.exeC:\Windows\system32\Caafop32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Ccpbkk32.exeC:\Windows\system32\Ccpbkk32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Cfnngfjf.exeC:\Windows\system32\Cfnngfjf.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Cacbdoil.exeC:\Windows\system32\Cacbdoil.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Cfpkmfhd.exeC:\Windows\system32\Cfpkmfhd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Cmjcip32.exeC:\Windows\system32\Cmjcip32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Cpipel32.exeC:\Windows\system32\Cpipel32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Dgpggiof.exeC:\Windows\system32\Dgpggiof.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Diadna32.exeC:\Windows\system32\Diadna32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Dpklkkla.exeC:\Windows\system32\Dpklkkla.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Dfedhe32.exeC:\Windows\system32\Dfedhe32.exe23⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Djqphdlg.exeC:\Windows\system32\Djqphdlg.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3576 -
C:\Windows\SysWOW64\Dmomdpkk.exeC:\Windows\system32\Dmomdpkk.exe25⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Dhdabhka.exeC:\Windows\system32\Dhdabhka.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4368 -
C:\Windows\SysWOW64\Diemiqqp.exeC:\Windows\system32\Diemiqqp.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3248 -
C:\Windows\SysWOW64\Dmaijo32.exeC:\Windows\system32\Dmaijo32.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4080 -
C:\Windows\SysWOW64\Dckagiqe.exeC:\Windows\system32\Dckagiqe.exe29⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Dfjncepi.exeC:\Windows\system32\Dfjncepi.exe30⤵
- Executes dropped EXE
PID:3860 -
C:\Windows\SysWOW64\Dmcfpo32.exeC:\Windows\system32\Dmcfpo32.exe31⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Ddnnlinc.exeC:\Windows\system32\Ddnnlinc.exe32⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Dhijmh32.exeC:\Windows\system32\Dhijmh32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Djgfic32.exeC:\Windows\system32\Djgfic32.exe34⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Daaofm32.exeC:\Windows\system32\Daaofm32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3212 -
C:\Windows\SysWOW64\Edpkbi32.exeC:\Windows\system32\Edpkbi32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Efngnd32.exeC:\Windows\system32\Efngnd32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:4188 -
C:\Windows\SysWOW64\Eimcjp32.exeC:\Windows\system32\Eimcjp32.exe38⤵
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Epglgjbd.exeC:\Windows\system32\Epglgjbd.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Ehnchgbf.exeC:\Windows\system32\Ehnchgbf.exe40⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Ejlpdbbj.exeC:\Windows\system32\Ejlpdbbj.exe41⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Emklpn32.exeC:\Windows\system32\Emklpn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Epihli32.exeC:\Windows\system32\Epihli32.exe43⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ehppng32.exeC:\Windows\system32\Ehppng32.exe44⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ejomjb32.exeC:\Windows\system32\Ejomjb32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Emmifn32.exeC:\Windows\system32\Emmifn32.exe46⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\Ehbmcf32.exeC:\Windows\system32\Ehbmcf32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4284 -
C:\Windows\SysWOW64\Eicjkodp.exeC:\Windows\system32\Eicjkodp.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Eakall32.exeC:\Windows\system32\Eakall32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Edinhg32.exeC:\Windows\system32\Edinhg32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Windows\SysWOW64\Ekcfealb.exeC:\Windows\system32\Ekcfealb.exe51⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Eiffpn32.exeC:\Windows\system32\Eiffpn32.exe52⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Fppomhjj.exeC:\Windows\system32\Fppomhjj.exe53⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Fhgfnfjl.exeC:\Windows\system32\Fhgfnfjl.exe54⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Fkecjajp.exeC:\Windows\system32\Fkecjajp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Fihcfn32.exeC:\Windows\system32\Fihcfn32.exe56⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Fapkgk32.exeC:\Windows\system32\Fapkgk32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\Fflcobod.exeC:\Windows\system32\Fflcobod.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Fmflll32.exeC:\Windows\system32\Fmflll32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Fabhmkoj.exeC:\Windows\system32\Fabhmkoj.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Fpehhh32.exeC:\Windows\system32\Fpehhh32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Fhlpie32.exeC:\Windows\system32\Fhlpie32.exe62⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Fkjleq32.exeC:\Windows\system32\Fkjleq32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Fmihal32.exeC:\Windows\system32\Fmihal32.exe64⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Fdbqnflk.exeC:\Windows\system32\Fdbqnflk.exe65⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Fkmikpcg.exeC:\Windows\system32\Fkmikpcg.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3508 -
C:\Windows\SysWOW64\Fmkeglbk.exeC:\Windows\system32\Fmkeglbk.exe67⤵
- System Location Discovery: System Language Discovery
PID:3564 -
C:\Windows\SysWOW64\Fafahj32.exeC:\Windows\system32\Fafahj32.exe68⤵PID:2432
-
C:\Windows\SysWOW64\Fdemdf32.exeC:\Windows\system32\Fdemdf32.exe69⤵PID:3156
-
C:\Windows\SysWOW64\Fkoeqpae.exeC:\Windows\system32\Fkoeqpae.exe70⤵PID:4496
-
C:\Windows\SysWOW64\Fmmbmkqi.exeC:\Windows\system32\Fmmbmkqi.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Gplnigpl.exeC:\Windows\system32\Gplnigpl.exe72⤵
- Modifies registry class
PID:4880 -
C:\Windows\SysWOW64\Ghcfjd32.exeC:\Windows\system32\Ghcfjd32.exe73⤵PID:1820
-
C:\Windows\SysWOW64\Gpnknf32.exeC:\Windows\system32\Gpnknf32.exe74⤵PID:4560
-
C:\Windows\SysWOW64\Ghecpd32.exeC:\Windows\system32\Ghecpd32.exe75⤵PID:1388
-
C:\Windows\SysWOW64\Gkcolo32.exeC:\Windows\system32\Gkcolo32.exe76⤵PID:1344
-
C:\Windows\SysWOW64\Ghgpec32.exeC:\Windows\system32\Ghgpec32.exe77⤵PID:668
-
C:\Windows\SysWOW64\Ggjpqpcd.exeC:\Windows\system32\Ggjpqpcd.exe78⤵
- System Location Discovery: System Language Discovery
PID:4684 -
C:\Windows\SysWOW64\Gndhmjjq.exeC:\Windows\system32\Gndhmjjq.exe79⤵PID:4952
-
C:\Windows\SysWOW64\Gapdni32.exeC:\Windows\system32\Gapdni32.exe80⤵PID:4612
-
C:\Windows\SysWOW64\Ghjlkcjf.exeC:\Windows\system32\Ghjlkcjf.exe81⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Gkhhgoij.exeC:\Windows\system32\Gkhhgoij.exe82⤵PID:3108
-
C:\Windows\SysWOW64\Gngdcjhn.exeC:\Windows\system32\Gngdcjhn.exe83⤵PID:932
-
C:\Windows\SysWOW64\Gdqmpd32.exeC:\Windows\system32\Gdqmpd32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4536 -
C:\Windows\SysWOW64\Ggoilp32.exeC:\Windows\system32\Ggoilp32.exe85⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Hadmihod.exeC:\Windows\system32\Hadmihod.exe86⤵
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Hgafaoml.exeC:\Windows\system32\Hgafaoml.exe87⤵PID:180
-
C:\Windows\SysWOW64\Hjpbmklp.exeC:\Windows\system32\Hjpbmklp.exe88⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Windows\SysWOW64\Hpjjje32.exeC:\Windows\system32\Hpjjje32.exe89⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Hhabkb32.exeC:\Windows\system32\Hhabkb32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Hkoogn32.exeC:\Windows\system32\Hkoogn32.exe91⤵PID:572
-
C:\Windows\SysWOW64\Hnnkcibf.exeC:\Windows\system32\Hnnkcibf.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Hplgpdaj.exeC:\Windows\system32\Hplgpdaj.exe93⤵PID:5136
-
C:\Windows\SysWOW64\Hhcoabbl.exeC:\Windows\system32\Hhcoabbl.exe94⤵
- Modifies registry class
PID:5180 -
C:\Windows\SysWOW64\Hgfolo32.exeC:\Windows\system32\Hgfolo32.exe95⤵
- System Location Discovery: System Language Discovery
PID:5216 -
C:\Windows\SysWOW64\Hnpgiipc.exeC:\Windows\system32\Hnpgiipc.exe96⤵PID:5260
-
C:\Windows\SysWOW64\Halcjg32.exeC:\Windows\system32\Halcjg32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5312 -
C:\Windows\SysWOW64\Hdjpfc32.exeC:\Windows\system32\Hdjpfc32.exe98⤵PID:5356
-
C:\Windows\SysWOW64\Hghlbn32.exeC:\Windows\system32\Hghlbn32.exe99⤵PID:5400
-
C:\Windows\SysWOW64\Hjghnj32.exeC:\Windows\system32\Hjghnj32.exe100⤵PID:5444
-
C:\Windows\SysWOW64\Hanpoggj.exeC:\Windows\system32\Hanpoggj.exe101⤵
- System Location Discovery: System Language Discovery
PID:5492 -
C:\Windows\SysWOW64\Hpaqkd32.exeC:\Windows\system32\Hpaqkd32.exe102⤵
- Modifies registry class
PID:5536 -
C:\Windows\SysWOW64\Ijiecide.exeC:\Windows\system32\Ijiecide.exe103⤵PID:5580
-
C:\Windows\SysWOW64\Ineadh32.exeC:\Windows\system32\Ineadh32.exe104⤵PID:5628
-
C:\Windows\SysWOW64\Igmemnco.exeC:\Windows\system32\Igmemnco.exe105⤵
- System Location Discovery: System Language Discovery
PID:5692 -
C:\Windows\SysWOW64\Ikianl32.exeC:\Windows\system32\Ikianl32.exe106⤵
- System Location Discovery: System Language Discovery
PID:5736 -
C:\Windows\SysWOW64\Ijlaiibb.exeC:\Windows\system32\Ijlaiibb.exe107⤵PID:5796
-
C:\Windows\SysWOW64\Iabjjfbd.exeC:\Windows\system32\Iabjjfbd.exe108⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Ihmbgqja.exeC:\Windows\system32\Ihmbgqja.exe109⤵PID:5884
-
C:\Windows\SysWOW64\Ikknclie.exeC:\Windows\system32\Ikknclie.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5928 -
C:\Windows\SysWOW64\Ijnnoi32.exeC:\Windows\system32\Ijnnoi32.exe111⤵PID:5972
-
C:\Windows\SysWOW64\Iaefpf32.exeC:\Windows\system32\Iaefpf32.exe112⤵PID:6016
-
C:\Windows\SysWOW64\Idcbla32.exeC:\Windows\system32\Idcbla32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6060 -
C:\Windows\SysWOW64\Igbohm32.exeC:\Windows\system32\Igbohm32.exe114⤵PID:6104
-
C:\Windows\SysWOW64\Ijpkdh32.exeC:\Windows\system32\Ijpkdh32.exe115⤵PID:1252
-
C:\Windows\SysWOW64\Ibgcef32.exeC:\Windows\system32\Ibgcef32.exe116⤵PID:5196
-
C:\Windows\SysWOW64\Idfoaa32.exeC:\Windows\system32\Idfoaa32.exe117⤵PID:5256
-
C:\Windows\SysWOW64\Igdknmmf.exeC:\Windows\system32\Igdknmmf.exe118⤵
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Ijbhjhlj.exeC:\Windows\system32\Ijbhjhlj.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5392 -
C:\Windows\SysWOW64\Ibjpkeml.exeC:\Windows\system32\Ibjpkeml.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5488 -
C:\Windows\SysWOW64\Idhlgalp.exeC:\Windows\system32\Idhlgalp.exe121⤵
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Windows\SysWOW64\Igfhclkd.exeC:\Windows\system32\Igfhclkd.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5612