Analysis

max time kernel: 106s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2024, 07:58
Static task: static1

Behavioral task: behavioral1
Sample: bf6f63e4ab76e179c88b60482e186090N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: bf6f63e4ab76e179c88b60482e186090N.exe
Resource: win10v2004-20240802-en
General

Target: bf6f63e4ab76e179c88b60482e186090N.exe
Size: 237KB
MD5: bf6f63e4ab76e179c88b60482e186090
SHA1: d8149cc32cdf9a777362d06116bb3b0e9cde34b7
SHA256: d9e59b74360bd046f4183acbc221b38305980f6d8276626e7f05813be9bf0065
SHA512: 659e5ebff0d83fc8182aec7063a5780b8de979b1d596b5d86214ab56f175614158cd4d962e024c7626b71e8f412228319f2d332d105f6f8d32cb74f8d0f0e309
SSDEEP: 3072:ktBPfQKTGAUbj8Nq75Sq4iqnAUUjE02ZoL9snKKq:kXQ2GXj8U5ihYjEToZY8
Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjeojhbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iomcjgml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daqblk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifpefbja.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kihnpj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nidfbf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfeiojnj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abngmihi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chfoqnlc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clkngl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eacelapl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gofkmadc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Njlcmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kicddk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbljklah.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjkhgkca.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmceff32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpppakpc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eogokokj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igcocjnm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbdbmace.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chhkfn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fllpegpl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jeilbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pojjgiba.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cacmecno.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgebbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jghhoi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llnggk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgqigmnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgqigmnb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfchlopl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlpgbkhl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eccbed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gmebkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbfmdfnh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klapqf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llmpld32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmanaccd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bagfooep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjjjbolj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kfhkhe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdkgjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Deckfkof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgebbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekngjf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibijkiao.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdckifda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aebihpkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emqegkll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gajnighe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eefhmobm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fkjffdjl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pggbnlbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oolnfkoa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmfjhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caapocpa.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ginpff32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmabgdmd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofncnkcb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eggmjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfchlopl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbqkomke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjaqbn32.exe
Executes dropped EXE (64 IoCs)

pid | Process
4864 | Abimaj32.exe
3312 | Aegine32.exe
2504 | Acjjibbm.exe
4644 | Alaajobo.exe
4064 | Ajdbfl32.exe
2920 | Ahhbpp32.exe
3208 | Abngmihi.exe
4872 | Belcidgm.exe
2528 | Bhjoepfq.exe
2952 | Baccne32.exe
3364 | Bdapja32.exe
972 | Bjkhgkca.exe
1136 | Bdcmpqjb.exe
4008 | Blkdqnjd.exe
1680 | Bjnelk32.exe
2720 | Bdfiephp.exe
4308 | Blmafnhb.exe
2820 | Boknbige.exe
3152 | Bbgich32.exe
3720 | Bdhfkp32.exe
4164 | Bonjhi32.exe
1092 | Chfoqnlc.exe
2044 | Copgnh32.exe
4928 | Cblcngli.exe
2232 | Chhkfn32.exe
1284 | Cobcchan.exe
5008 | Caapocpa.exe
4100 | Cdolkope.exe
4108 | Cacmecno.exe
3860 | Cdaiaonb.exe
2240 | Chmeamfk.exe
2988 | Cliabl32.exe
2860 | Caeijc32.exe
4640 | Ceaekade.exe
1920 | Clkngl32.exe
2736 | Dahfpb32.exe
4272 | Ddfbln32.exe
2432 | Dhbnmmaf.exe
3000 | Dkpjih32.exe
3480 | Dajbebhf.exe
4484 | Ddhoangj.exe
656 | Dlpgbkhl.exe
4364 | Dbjooe32.exe
696 | Ddklgmeg.exe
2728 | Dkeddgmd.exe
3604 | Dclleemf.exe
2508 | Dhidmlln.exe
1036 | Dcnhjdkd.exe
3396 | Ddpebm32.exe
4920 | Dhkackjk.exe
896 | Dkjmogio.exe
3976 | Eacelapl.exe
3016 | Edbbhlop.exe
1064 | Ekljdf32.exe
4812 | Eogfeeoe.exe
3940 | Eccbed32.exe
1408 | Eddomlmm.exe
5112 | Ekngjf32.exe
4668 | Eedkgodp.exe
5040 | Elncdi32.exe
1556 | Echkqcci.exe
4204 | Eefhmobm.exe
1504 | Ehddijaq.exe
3840 | Eooled32.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Hdkbie32.dll | Cepnqkai.exe
File opened for modification | C:\Windows\SysWOW64\Pomgmi32.exe | Phcopoib.exe
File created | C:\Windows\SysWOW64\Clkngl32.exe | Ceaekade.exe
File created | C:\Windows\SysWOW64\Cepnqkai.exe | Cmifon32.exe
File created | C:\Windows\SysWOW64\Mpghna32.exe | Mimpagqp.exe
File created | C:\Windows\SysWOW64\Plnohm32.dll | Gooemb32.exe
File created | C:\Windows\SysWOW64\Nbidpq32.dll | Ibbckj32.exe
File opened for modification | C:\Windows\SysWOW64\Nockpmgl.exe | Nldodahi.exe
File created | C:\Windows\SysWOW64\Ahhhlohd.dll | Cdaiaonb.exe
File created | C:\Windows\SysWOW64\Jkcgqaog.dll | Jckcklfo.exe
File opened for modification | C:\Windows\SysWOW64\Pjcbeh32.exe | Pgdfim32.exe
File opened for modification | C:\Windows\SysWOW64\Lifjahgh.exe | Lfgndmhd.exe
File created | C:\Windows\SysWOW64\Lcfbok32.dll | Qodmnhjg.exe
File opened for modification | C:\Windows\SysWOW64\Cblcngli.exe | Copgnh32.exe
File created | C:\Windows\SysWOW64\Ndlnoelf.exe | Neknam32.exe
File created | C:\Windows\SysWOW64\Khpkgglb.dll | Degdaj32.exe
File opened for modification | C:\Windows\SysWOW64\Bnfmmc32.exe | Bglepipb.exe
File created | C:\Windows\SysWOW64\Kbilhq32.exe | Kgchjh32.exe
File created | C:\Windows\SysWOW64\Belcidgm.exe | Abngmihi.exe
File created | C:\Windows\SysWOW64\Hgmbll32.dll | Igoehk32.exe
File created | C:\Windows\SysWOW64\Cpboqkek.dll | Khmjqf32.exe
File created | C:\Windows\SysWOW64\Khnggmgp.dll | Pojjgiba.exe
File created | C:\Windows\SysWOW64\Ifbmad32.dll | Klapqf32.exe
File opened for modification | C:\Windows\SysWOW64\Liapfi32.exe | Leedejbd.exe
File opened for modification | C:\Windows\SysWOW64\Fccklail.exe | Flibpg32.exe
File created | C:\Windows\SysWOW64\Gmgfll32.dll | Pdfjla32.exe
File created | C:\Windows\SysWOW64\Aamchpmk.exe | Ajcklf32.exe
File created | C:\Windows\SysWOW64\Eaghljhk.exe | Eoilpoig.exe
File opened for modification | C:\Windows\SysWOW64\Jbmllb32.exe | Jooppg32.exe
File created | C:\Windows\SysWOW64\Ibijkiao.exe | Immacbcg.exe
File opened for modification | C:\Windows\SysWOW64\Mhkgbdlp.exe | Mfjjjl32.exe
File opened for modification | C:\Windows\SysWOW64\Ncadfk32.exe | Noehelej.exe
File opened for modification | C:\Windows\SysWOW64\Ajiaka32.exe | Agkeoeki.exe
File created | C:\Windows\SysWOW64\Icigpifa.dll | Llbigdhn.exe
File created | C:\Windows\SysWOW64\Copgnh32.exe | Chfoqnlc.exe
File created | C:\Windows\SysWOW64\Kpkobkej.dll | Ibijkiao.exe
File created | C:\Windows\SysWOW64\Jmkndq32.exe | Jececc32.exe
File created | C:\Windows\SysWOW64\Lkgpeh32.dll | Kmogopcb.exe
File opened for modification | C:\Windows\SysWOW64\Keondk32.exe | Kbpbhp32.exe
File created | C:\Windows\SysWOW64\Bagfooep.exe | Bnhjbcfl.exe
File created | C:\Windows\SysWOW64\Kbdjmenm.dll | Ehoccd32.exe
File created | C:\Windows\SysWOW64\Fapmlh32.dll | Igcocjnm.exe
File created | C:\Windows\SysWOW64\Pjcbeh32.exe | Pgdfim32.exe
File opened for modification | C:\Windows\SysWOW64\Mfapkkpi.exe | Mpghna32.exe
File opened for modification | C:\Windows\SysWOW64\Jbgfmg32.exe | Jlnnpmna.exe
File created | C:\Windows\SysWOW64\Bpkaabfp.dll | Hkckhk32.exe
File opened for modification | C:\Windows\SysWOW64\Jgakeh32.exe | Jecoimci.exe
File created | C:\Windows\SysWOW64\Kmhdje32.dll | Nemcmg32.exe
File created | C:\Windows\SysWOW64\Lkgobc32.dll | Ikhknppj.exe
File opened for modification | C:\Windows\SysWOW64\Jfqegfpj.exe | Jbeigh32.exe
File created | C:\Windows\SysWOW64\Pngpja32.dll | Lpnlbi32.exe
File created | C:\Windows\SysWOW64\Hdgffq32.exe | Hfdfkddo.exe
File created | C:\Windows\SysWOW64\Hmoieafo.dll | Eccbed32.exe
File created | C:\Windows\SysWOW64\Cbndlo32.dll | Llbpbjlj.exe
File opened for modification | C:\Windows\SysWOW64\Egmjdb32.exe | Daqblk32.exe
File created | C:\Windows\SysWOW64\Gcmieg32.dll | Agbkpdea.exe
File created | C:\Windows\SysWOW64\Hbnjpkll.exe | Hooncplh.exe
File created | C:\Windows\SysWOW64\Oqgehi32.dll | Pgdfim32.exe
File created | C:\Windows\SysWOW64\Jbhfcmeh.dll | Cegljmid.exe
File opened for modification | C:\Windows\SysWOW64\Edhane32.exe | Eajebj32.exe
File opened for modification | C:\Windows\SysWOW64\Jghhoi32.exe | Jeilbn32.exe
File opened for modification | C:\Windows\SysWOW64\Fneobj32.exe | Fkgbfo32.exe
File opened for modification | C:\Windows\SysWOW64\Inkjkd32.exe | Iohjoh32.exe
File opened for modification | C:\Windows\SysWOW64\Jecoimci.exe | Jbdbmace.exe
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
12348 | 2112 | WerFault.exe | 678
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imekbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Plgdpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgabig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chhkfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fccklail.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oncoihfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igcocjnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Liapfi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkhipe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncadfk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njnpck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Helflfkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhpmjbch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Moleonmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qjgdealp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddklgmeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbgdol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkoihahd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbhocegl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amkagb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgmajifb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abimaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llbpbjlj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aceidl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnopcb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbkpfb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oolnfkoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjkejcfm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmceff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekngjf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfpcjk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onlhii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kihnpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjnelk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmimhpoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnffcajl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iilemnkh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfchlopl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdapja32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfpgmmpb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onneoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oedjmfha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmebkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpeilj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pddmga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gglpln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afpbpbpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbnjpkll.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehddijaq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klbgkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Facghh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpklee32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdaiaonb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npekjeph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgplnmib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eajebj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iocqdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbdgildf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joamef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dalhqlbh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddhoangj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifklkc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Belcidgm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddpebm32.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cegljmid.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Moeooo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llnggk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Doicia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ooagak32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eacelapl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfehoi32.dll" | Nfpgmmpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaplbcc.dll" | Aqdqbaee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbdaobnl.dll" | Fhkcoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppcholp.dll" | Bcdkpdph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hmoead32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ncmaeb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgnphnke.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hohahjod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcdhnhd.dll" | Hgebbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bqfodh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhhfjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpepb32.dll" | Nldodahi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gofkmadc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnpimkfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdfmocil.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gochmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllcch32.dll" | Mlnicbnq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfdfkddo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mbchemic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llnekfjh.dll" | Miomggom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dkpjih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gniahkff.dll" | Gecmcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jbmllb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndlnoelf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feiolnip.dll" | Agbbjkhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjeno32.dll" | Edakmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanpca32.dll" | Gehfofol.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bdfiephp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hhpeapee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpboqkek.dll" | Khmjqf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aegine32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diikmo32.dll" | Mdckifda.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ageopj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngidgh32.dll" | Cnffcajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmlcm32.dll" | Eefhmobm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgekepd.dll" | Fdpnij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmolp32.dll" | Baicdncn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqhlch32.dll" | Iglhckde.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mlfcbc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ajlnqq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hklijm32.dll" | Ceaekade.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ddhoangj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hegmqg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Icdmjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clpghg32.dll" | Djpcnbmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hoadoigj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmjlfecl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qdmpmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkklco32.dll" | Qleaamkc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cmpcioha.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jooppg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lfqgdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gofkmadc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghbgn32.dll" | Aclpdklo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Chjaag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iojgegoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjjjbolj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fkllanen.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1580 wrote to memory of 4864 1580 bf6f63e4ab76e179c88b60482e186090N.exe 83
PID 1580 wrote to memory of 4864 1580 bf6f63e4ab76e179c88b60482e186090N.exe 83
PID 1580 wrote to memory of 4864 1580 bf6f63e4ab76e179c88b60482e186090N.exe 83
PID 4864 wrote to memory of 3312 4864 Abimaj32.exe 84
PID 4864 wrote to memory of 3312 4864 Abimaj32.exe 84
PID 4864 wrote to memory of 3312 4864 Abimaj32.exe 84
PID 3312 wrote to memory of 2504 3312 Aegine32.exe 85
PID 3312 wrote to memory of 2504 3312 Aegine32.exe 85
PID 3312 wrote to memory of 2504 3312 Aegine32.exe 85
PID 2504 wrote to memory of 4644 2504 Acjjibbm.exe 86
PID 2504 wrote to memory of 4644 2504 Acjjibbm.exe 86
PID 2504 wrote to memory of 4644 2504 Acjjibbm.exe 86
PID 4644 wrote to memory of 4064 4644 Alaajobo.exe 87
PID 4644 wrote to memory of 4064 4644 Alaajobo.exe 87
PID 4644 wrote to memory of 4064 4644 Alaajobo.exe 87
PID 4064 wrote to memory of 2920 4064 Ajdbfl32.exe 88
PID 4064 wrote to memory of 2920 4064 Ajdbfl32.exe 88
PID 4064 wrote to memory of 2920 4064 Ajdbfl32.exe 88
PID 2920 wrote to memory of 3208 2920 Ahhbpp32.exe 89
PID 2920 wrote to memory of 3208 2920 Ahhbpp32.exe 89
PID 2920 wrote to memory of 3208 2920 Ahhbpp32.exe 89
PID 3208 wrote to memory of 4872 3208 Abngmihi.exe 90
PID 3208 wrote to memory of 4872 3208 Abngmihi.exe 90
PID 3208 wrote to memory of 4872 3208 Abngmihi.exe 90
PID 4872 wrote to memory of 2528 4872 Belcidgm.exe 92
PID 4872 wrote to memory of 2528 4872 Belcidgm.exe 92
PID 4872 wrote to memory of 2528 4872 Belcidgm.exe 92
PID 2528 wrote to memory of 2952 2528 Bhjoepfq.exe 93
PID 2528 wrote to memory of 2952 2528 Bhjoepfq.exe 93
PID 2528 wrote to memory of 2952 2528 Bhjoepfq.exe 93
PID 2952 wrote to memory of 3364 2952 Baccne32.exe 94
PID 2952 wrote to memory of 3364 2952 Baccne32.exe 94
PID 2952 wrote to memory of 3364 2952 Baccne32.exe 94
PID 3364 wrote to memory of 972 3364 Bdapja32.exe 95
PID 3364 wrote to memory of 972 3364 Bdapja32.exe 95
PID 3364 wrote to memory of 972 3364 Bdapja32.exe 95
PID 972 wrote to memory of 1136 972 Bjkhgkca.exe 97
PID 972 wrote to memory of 1136 972 Bjkhgkca.exe 97
PID 972 wrote to memory of 1136 972 Bjkhgkca.exe 97
PID 1136 wrote to memory of 4008 1136 Bdcmpqjb.exe 98
PID 1136 wrote to memory of 4008 1136 Bdcmpqjb.exe 98
PID 1136 wrote to memory of 4008 1136 Bdcmpqjb.exe 98
PID 4008 wrote to memory of 1680 4008 Blkdqnjd.exe 99
PID 4008 wrote to memory of 1680 4008 Blkdqnjd.exe 99
PID 4008 wrote to memory of 1680 4008 Blkdqnjd.exe 99
PID 1680 wrote to memory of 2720 1680 Bjnelk32.exe 101
PID 1680 wrote to memory of 2720 1680 Bjnelk32.exe 101
PID 1680 wrote to memory of 2720 1680 Bjnelk32.exe 101
PID 2720 wrote to memory of 4308 2720 Bdfiephp.exe 102
PID 2720 wrote to memory of 4308 2720 Bdfiephp.exe 102
PID 2720 wrote to memory of 4308 2720 Bdfiephp.exe 102
PID 4308 wrote to memory of 2820 4308 Blmafnhb.exe 103
PID 4308 wrote to memory of 2820 4308 Blmafnhb.exe 103
PID 4308 wrote to memory of 2820 4308 Blmafnhb.exe 103
PID 2820 wrote to memory of 3152 2820 Boknbige.exe 104
PID 2820 wrote to memory of 3152 2820 Boknbige.exe 104
PID 2820 wrote to memory of 3152 2820 Boknbige.exe 104
PID 3152 wrote to memory of 3720 3152 Bbgich32.exe 105
PID 3152 wrote to memory of 3720 3152 Bbgich32.exe 105
PID 3152 wrote to memory of 3720 3152 Bbgich32.exe 105
PID 3720 wrote to memory of 4164 3720 Bdhfkp32.exe 106
PID 3720 wrote to memory of 4164 3720 Bdhfkp32.exe 106
PID 3720 wrote to memory of 4164 3720 Bdhfkp32.exe 106
PID 4164 wrote to memory of 1092 4164 Bonjhi32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf6f63e4ab76e179c88b60482e186090N.exe"C:\Users\Admin\AppData\Local\Temp\bf6f63e4ab76e179c88b60482e186090N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Abimaj32.exeC:\Windows\system32\Abimaj32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Aegine32.exeC:\Windows\system32\Aegine32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Acjjibbm.exeC:\Windows\system32\Acjjibbm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Alaajobo.exeC:\Windows\system32\Alaajobo.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\SysWOW64\Ajdbfl32.exeC:\Windows\system32\Ajdbfl32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Ahhbpp32.exeC:\Windows\system32\Ahhbpp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Abngmihi.exeC:\Windows\system32\Abngmihi.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Belcidgm.exeC:\Windows\system32\Belcidgm.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Bhjoepfq.exeC:\Windows\system32\Bhjoepfq.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Baccne32.exeC:\Windows\system32\Baccne32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Bdapja32.exeC:\Windows\system32\Bdapja32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\Bjkhgkca.exeC:\Windows\system32\Bjkhgkca.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Bdcmpqjb.exeC:\Windows\system32\Bdcmpqjb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Blkdqnjd.exeC:\Windows\system32\Blkdqnjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\Bjnelk32.exeC:\Windows\system32\Bjnelk32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Bdfiephp.exeC:\Windows\system32\Bdfiephp.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Blmafnhb.exeC:\Windows\system32\Blmafnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Boknbige.exeC:\Windows\system32\Boknbige.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Bbgich32.exeC:\Windows\system32\Bbgich32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Bdhfkp32.exeC:\Windows\system32\Bdhfkp32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Bonjhi32.exeC:\Windows\system32\Bonjhi32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\SysWOW64\Chfoqnlc.exeC:\Windows\system32\Chfoqnlc.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Copgnh32.exeC:\Windows\system32\Copgnh32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Cblcngli.exeC:\Windows\system32\Cblcngli.exe25⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Chhkfn32.exeC:\Windows\system32\Chhkfn32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Cobcchan.exeC:\Windows\system32\Cobcchan.exe27⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Caapocpa.exeC:\Windows\system32\Caapocpa.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Cdolkope.exeC:\Windows\system32\Cdolkope.exe29⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Cacmecno.exeC:\Windows\system32\Cacmecno.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Cdaiaonb.exeC:\Windows\system32\Cdaiaonb.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3860 -
C:\Windows\SysWOW64\Chmeamfk.exeC:\Windows\system32\Chmeamfk.exe32⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Cliabl32.exeC:\Windows\system32\Cliabl32.exe33⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Caeijc32.exeC:\Windows\system32\Caeijc32.exe34⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Ceaekade.exeC:\Windows\system32\Ceaekade.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4640 -
C:\Windows\SysWOW64\Clkngl32.exeC:\Windows\system32\Clkngl32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Dahfpb32.exeC:\Windows\system32\Dahfpb32.exe37⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ddfbln32.exeC:\Windows\system32\Ddfbln32.exe38⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\Dhbnmmaf.exeC:\Windows\system32\Dhbnmmaf.exe39⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Dkpjih32.exeC:\Windows\system32\Dkpjih32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Dajbebhf.exeC:\Windows\system32\Dajbebhf.exe41⤵
- Executes dropped EXE
PID:3480 -
C:\Windows\SysWOW64\Ddhoangj.exeC:\Windows\system32\Ddhoangj.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Dlpgbkhl.exeC:\Windows\system32\Dlpgbkhl.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Dbjooe32.exeC:\Windows\system32\Dbjooe32.exe44⤵
- Executes dropped EXE
PID:4364 -
C:\Windows\SysWOW64\Ddklgmeg.exeC:\Windows\system32\Ddklgmeg.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Dkeddgmd.exeC:\Windows\system32\Dkeddgmd.exe46⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Dclleemf.exeC:\Windows\system32\Dclleemf.exe47⤵
- Executes dropped EXE
PID:3604 -
C:\Windows\SysWOW64\Dhidmlln.exeC:\Windows\system32\Dhidmlln.exe48⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Dcnhjdkd.exeC:\Windows\system32\Dcnhjdkd.exe49⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Ddpebm32.exeC:\Windows\system32\Ddpebm32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3396 -
C:\Windows\SysWOW64\Dhkackjk.exeC:\Windows\system32\Dhkackjk.exe51⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Dkjmogio.exeC:\Windows\system32\Dkjmogio.exe52⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Eacelapl.exeC:\Windows\system32\Eacelapl.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3976 -
C:\Windows\SysWOW64\Edbbhlop.exeC:\Windows\system32\Edbbhlop.exe54⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ekljdf32.exeC:\Windows\system32\Ekljdf32.exe55⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Eogfeeoe.exeC:\Windows\system32\Eogfeeoe.exe56⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\SysWOW64\Eccbed32.exeC:\Windows\system32\Eccbed32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3940 -
C:\Windows\SysWOW64\Eddomlmm.exeC:\Windows\system32\Eddomlmm.exe58⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Ekngjf32.exeC:\Windows\system32\Ekngjf32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\Eedkgodp.exeC:\Windows\system32\Eedkgodp.exe60⤵
- Executes dropped EXE
PID:4668 -
C:\Windows\SysWOW64\Elncdi32.exeC:\Windows\system32\Elncdi32.exe61⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Echkqcci.exeC:\Windows\system32\Echkqcci.exe62⤵
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Eefhmobm.exeC:\Windows\system32\Eefhmobm.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4204 -
C:\Windows\SysWOW64\Ehddijaq.exeC:\Windows\system32\Ehddijaq.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Eooled32.exeC:\Windows\system32\Eooled32.exe65⤵
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\Eehdbn32.exeC:\Windows\system32\Eehdbn32.exe66⤵PID:2056
-
C:\Windows\SysWOW64\Elbmohhg.exeC:\Windows\system32\Elbmohhg.exe67⤵PID:3856
-
C:\Windows\SysWOW64\Foaikdgk.exeC:\Windows\system32\Foaikdgk.exe68⤵PID:3960
-
C:\Windows\SysWOW64\Fdnackeb.exeC:\Windows\system32\Fdnackeb.exe69⤵PID:700
-
C:\Windows\SysWOW64\Fhimdi32.exeC:\Windows\system32\Fhimdi32.exe70⤵PID:1584
-
C:\Windows\SysWOW64\Fkhipe32.exeC:\Windows\system32\Fkhipe32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Faabmodl.exeC:\Windows\system32\Faabmodl.exe72⤵PID:4280
-
C:\Windows\SysWOW64\Fdpnij32.exeC:\Windows\system32\Fdpnij32.exe73⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Fkjffdjl.exeC:\Windows\system32\Fkjffdjl.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4648 -
C:\Windows\SysWOW64\Ffpjcmjb.exeC:\Windows\system32\Ffpjcmjb.exe75⤵PID:3048
-
C:\Windows\SysWOW64\Flibpg32.exeC:\Windows\system32\Flibpg32.exe76⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Fccklail.exeC:\Windows\system32\Fccklail.exe77⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Windows\SysWOW64\Fbfkhn32.exeC:\Windows\system32\Fbfkhn32.exe78⤵PID:3672
-
C:\Windows\SysWOW64\Fllpegpl.exeC:\Windows\system32\Fllpegpl.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:524 -
C:\Windows\SysWOW64\Fojlabop.exeC:\Windows\system32\Fojlabop.exe80⤵PID:4732
-
C:\Windows\SysWOW64\Fbihnnnd.exeC:\Windows\system32\Fbihnnnd.exe81⤵PID:1976
-
C:\Windows\SysWOW64\Fhbpjh32.exeC:\Windows\system32\Fhbpjh32.exe82⤵PID:4760
-
C:\Windows\SysWOW64\Gomhgbmn.exeC:\Windows\system32\Gomhgbmn.exe83⤵PID:2784
-
C:\Windows\SysWOW64\Gbkdcnla.exeC:\Windows\system32\Gbkdcnla.exe84⤵PID:4980
-
C:\Windows\SysWOW64\Gdiaoike.exeC:\Windows\system32\Gdiaoike.exe85⤵PID:2712
-
C:\Windows\SysWOW64\Gooemb32.exeC:\Windows\system32\Gooemb32.exe86⤵
- Drops file in System32 directory
PID:5100 -
C:\Windows\SysWOW64\Gbmaim32.exeC:\Windows\system32\Gbmaim32.exe87⤵PID:1940
-
C:\Windows\SysWOW64\Gfimilbh.exeC:\Windows\system32\Gfimilbh.exe88⤵PID:1540
-
C:\Windows\SysWOW64\Gmceff32.exeC:\Windows\system32\Gmceff32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3688 -
C:\Windows\SysWOW64\Gfkjolpe.exeC:\Windows\system32\Gfkjolpe.exe90⤵PID:1756
-
C:\Windows\SysWOW64\Gmebkf32.exeC:\Windows\system32\Gmebkf32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3120 -
C:\Windows\SysWOW64\Gfngdk32.exeC:\Windows\system32\Gfngdk32.exe92⤵PID:4880
-
C:\Windows\SysWOW64\Gilcqg32.exeC:\Windows\system32\Gilcqg32.exe93⤵PID:1552
-
C:\Windows\SysWOW64\Gofkmadc.exeC:\Windows\system32\Gofkmadc.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5132 -
C:\Windows\SysWOW64\Gbdgildf.exeC:\Windows\system32\Gbdgildf.exe95⤵
- System Location Discovery: System Language Discovery
PID:5176 -
C:\Windows\SysWOW64\Gfpcjk32.exeC:\Windows\system32\Gfpcjk32.exe96⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Ginpff32.exeC:\Windows\system32\Ginpff32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5292 -
C:\Windows\SysWOW64\Hmjlfecl.exeC:\Windows\system32\Hmjlfecl.exe98⤵
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Hkmlbb32.exeC:\Windows\system32\Hkmlbb32.exe99⤵PID:5380
-
C:\Windows\SysWOW64\Hohhbq32.exeC:\Windows\system32\Hohhbq32.exe100⤵PID:5436
-
C:\Windows\SysWOW64\Hbgdol32.exeC:\Windows\system32\Hbgdol32.exe101⤵
- System Location Discovery: System Language Discovery
PID:5488 -
C:\Windows\SysWOW64\Hfbppkjm.exeC:\Windows\system32\Hfbppkjm.exe102⤵PID:5524
-
C:\Windows\SysWOW64\Hdepkg32.exeC:\Windows\system32\Hdepkg32.exe103⤵PID:5572
-
C:\Windows\SysWOW64\Hiqllfiq.exeC:\Windows\system32\Hiqllfiq.exe104⤵PID:5604
-
C:\Windows\SysWOW64\Hkoihahd.exeC:\Windows\system32\Hkoihahd.exe105⤵
- System Location Discovery: System Language Discovery
PID:5648 -
C:\Windows\SysWOW64\Hokdhp32.exeC:\Windows\system32\Hokdhp32.exe106⤵PID:5696
-
C:\Windows\SysWOW64\Hbiadl32.exeC:\Windows\system32\Hbiadl32.exe107⤵PID:5740
-
C:\Windows\SysWOW64\Hfdmejhj.exeC:\Windows\system32\Hfdmejhj.exe108⤵PID:5784
-
C:\Windows\SysWOW64\Hegmqg32.exeC:\Windows\system32\Hegmqg32.exe109⤵
- Modifies registry class
PID:5828 -
C:\Windows\SysWOW64\Hmoead32.exeC:\Windows\system32\Hmoead32.exe110⤵
- Modifies registry class
PID:5872 -
C:\Windows\SysWOW64\Homanp32.exeC:\Windows\system32\Homanp32.exe111⤵PID:5904
-
C:\Windows\SysWOW64\Hchmno32.exeC:\Windows\system32\Hchmno32.exe112⤵PID:5948
-
C:\Windows\SysWOW64\Hejjfgmb.exeC:\Windows\system32\Hejjfgmb.exe113⤵PID:5988
-
C:\Windows\SysWOW64\Hmabgdmd.exeC:\Windows\system32\Hmabgdmd.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6032 -
C:\Windows\SysWOW64\Hooncplh.exeC:\Windows\system32\Hooncplh.exe115⤵
- Drops file in System32 directory
PID:6080 -
C:\Windows\SysWOW64\Hbnjpkll.exeC:\Windows\system32\Hbnjpkll.exe116⤵
- System Location Discovery: System Language Discovery
PID:6124 -
C:\Windows\SysWOW64\Helflfkp.exeC:\Windows\system32\Helflfkp.exe117⤵
- System Location Discovery: System Language Discovery
PID:5148 -
C:\Windows\SysWOW64\Hkfohq32.exeC:\Windows\system32\Hkfohq32.exe118⤵PID:5228
-
C:\Windows\SysWOW64\Hoakioje.exeC:\Windows\system32\Hoakioje.exe119⤵PID:5328
-
C:\Windows\SysWOW64\Heocaf32.exeC:\Windows\system32\Heocaf32.exe120⤵PID:5424
-
C:\Windows\SysWOW64\Imekbc32.exeC:\Windows\system32\Imekbc32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5508 -
C:\Windows\SysWOW64\Ikhknppj.exeC:\Windows\system32\Ikhknppj.exe122⤵
- Drops file in System32 directory
PID:5592