Analysis
max time kernel: 103s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-08-2024 09:09
Static task: static1
Behavioral task: behavioral1
  Sample: 3b3f674a5907c486eb3c80bf1bc12020N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3b3f674a5907c486eb3c80bf1bc12020N.exe
  Resource: win10v2004-20240802-en
General
Target: 3b3f674a5907c486eb3c80bf1bc12020N.exe
Size: 95KB
MD5: 3b3f674a5907c486eb3c80bf1bc12020
SHA1: fc579d293d13253030314c6f0789c54bc2df678f
SHA256: f23f6e3e5771ed36845c8b67956f0c01722b9030baa999e8bdaf22f4aa4e76af
SHA512: 4f6fe2f88db7bb0c2b03e75a8ef7abda39c9dfe0b21034e85796fdacae6ea5c856c12d08e897ae2dc69ba5c60b76026bd5d26efb8fbf1b8e1f026b13fd2ff60a
SSDEEP: 1536:V59xMSkNL4g5OzvqrTVQfFiW8dcXJ98IRCmvidJxL4qozO8AUPDkOM6bOLXi8Pm2:X90RPlQkDdGKmvo/KVAUPDkDrLXfzoeV
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bbpcbiff.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Megdfnhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ockngp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jpffqfdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Licmkhij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bhmlkpdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kmmjjp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmanaccd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnlebibo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Igekijlj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbkpfb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ahlafnag.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjjjbolj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Anpnfkac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Foceqceh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hmabgdmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ekpmepok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bagmiehl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Daolqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gooemb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfbfod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Faoegofo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Megdfnhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ifklkc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bckijehc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bkbngjmj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kekldbpm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Moeooo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbpiab32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Noqojm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdgbfj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Delnljgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hffbpcbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggeikohp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eojbkemc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ipfddo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdllaihl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaogdg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qfilocfi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bqfodh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elppii32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfpcjk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlllof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nljoig32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gamjngfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Llpmbd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjkejcfm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjikaked.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Homanp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iicbhcik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Coephhok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pgplnmib.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlpeib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocopgiac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aqmlnjio.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bijnhleg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eehdbn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfonbdij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ooagak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cegljmid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cqhljhob.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bngdgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ipdgoo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qjhlpgpk.exe
Executes dropped EXE (64 IoCs)
pid | Process
1976 | Ahffjq32.exe
8 | Anpnfkac.exe
4820 | Aejfce32.exe
5116 | Ahhbpp32.exe
4540 | Anbklj32.exe
1820 | Aaqghf32.exe
1908 | Bdocda32.exe
3512 | Bjikaked.exe
2420 | Bbpcbiff.exe
5040 | Benpndej.exe
2732 | Bhmlkpdn.exe
4984 | Blhhkn32.exe
3528 | Bngdgj32.exe
1540 | Bbbphh32.exe
5000 | Bhohpo32.exe
456 | Bjnelk32.exe
696 | Bagmiehl.exe
5024 | Bdfiephp.exe
4880 | Boknbige.exe
700 | Beefocob.exe
3924 | Bhdbkonf.exe
1640 | Bkbngjmj.exe
556 | Bbifhgnl.exe
1172 | Cehbdcmp.exe
4448 | Clakam32.exe
1584 | Ckdkmjkg.exe
2816 | Cejojb32.exe
1780 | Cldggmbj.exe
2976 | Cobcchan.exe
4476 | Caapocpa.exe
2192 | Cdolkope.exe
4280 | Chkhln32.exe
452 | Coephhok.exe
4648 | Cacmecno.exe
1980 | Chmeamfk.exe
3208 | Cklanieo.exe
4664 | Cbbiofea.exe
3932 | Caeijc32.exe
2160 | Chpagmdi.exe
4996 | Cknnchcl.exe
972 | Dahfpb32.exe
392 | Ddfbln32.exe
1396 | Dlmjmkjo.exe
1940 | Dolfigic.exe
628 | Dajbebhf.exe
1880 | Dhdkbl32.exe
1352 | Dlpgbkhl.exe
3856 | Dbjooe32.exe
3120 | Dehkkq32.exe
368 | Dhfhhl32.exe
1520 | Doqpdf32.exe
3320 | Daolqa32.exe
1848 | Ddmhmm32.exe
1284 | Dhidmlln.exe
3476 | Dkgqigka.exe
3764 | Dcnhjdkd.exe
1084 | Demefpjh.exe
4864 | Dhkackjk.exe
3144 | Dkjmogio.exe
2316 | Ecqepd32.exe
2068 | Eeoalp32.exe
2440 | Edbbhlop.exe
2216 | Elijijpb.exe
3588 | Eccbed32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Pfgojchl.exe | Pomgmi32.exe
File created | C:\Windows\SysWOW64\Kngnfp32.dll | Djmgiboq.exe
File created | C:\Windows\SysWOW64\Dajbebhf.exe | Dolfigic.exe
File created | C:\Windows\SysWOW64\Eefhmobm.exe | Echkqcci.exe
File created | C:\Windows\SysWOW64\Hdbmkaoo.exe | Hacqofpk.exe
File created | C:\Windows\SysWOW64\Oedjmfha.exe | Ogaiai32.exe
File created | C:\Windows\SysWOW64\Plgdpo32.exe | Pemlcdpf.exe
File created | C:\Windows\SysWOW64\Gcmnbpaa.exe | Ghgiegak.exe
File created | C:\Windows\SysWOW64\Dggnppip.dll | Nlllof32.exe
File opened for modification | C:\Windows\SysWOW64\Gdkgjb32.exe | Gamjngfc.exe
File created | C:\Windows\SysWOW64\Pdhfbacf.exe | Pmanaccd.exe
File created | C:\Windows\SysWOW64\Deckfkof.exe | Dmlcennd.exe
File opened for modification | C:\Windows\SysWOW64\Meogkiji.exe | Moeooo32.exe
File created | C:\Windows\SysWOW64\Ilpaoo32.exe | Ifbifh32.exe
File created | C:\Windows\SysWOW64\Jkcgqaog.dll | Jfjoggfb.exe
File opened for modification | C:\Windows\SysWOW64\Bbifhgnl.exe | Bkbngjmj.exe
File created | C:\Windows\SysWOW64\Mlibenih.dll | Chhdlhfe.exe
File opened for modification | C:\Windows\SysWOW64\Fdnackeb.exe | Faoegofo.exe
File created | C:\Windows\SysWOW64\Ioglib32.dll | Ieebgooi.exe
File opened for modification | C:\Windows\SysWOW64\Demefpjh.exe | Dcnhjdkd.exe
File created | C:\Windows\SysWOW64\Eojbkemc.exe | Ehpjnk32.exe
File opened for modification | C:\Windows\SysWOW64\Fkdfpokf.exe | Fhfjdclb.exe
File created | C:\Windows\SysWOW64\Hklehl32.exe | Hgqigmnb.exe
File created | C:\Windows\SysWOW64\Odiboe32.dll | Cqhljhob.exe
File created | C:\Windows\SysWOW64\Ehpjnk32.exe | Eeanao32.exe
File opened for modification | C:\Windows\SysWOW64\Hkdbca32.exe | Hmabgdmd.exe
File opened for modification | C:\Windows\SysWOW64\Kpppakpc.exe | Klddql32.exe
File created | C:\Windows\SysWOW64\Ecpakh32.dll | Ampkbagd.exe
File created | C:\Windows\SysWOW64\Mlcjmmjq.dll | Kekldbpm.exe
File created | C:\Windows\SysWOW64\Pmmefd32.exe | Pnjejgpo.exe
File opened for modification | C:\Windows\SysWOW64\Qqoggb32.exe | Pnakkf32.exe
File created | C:\Windows\SysWOW64\Jakbcoao.dll | Dgknnb32.exe
File created | C:\Windows\SysWOW64\Hhglbo32.exe | Hfioec32.exe
File opened for modification | C:\Windows\SysWOW64\Lechpjdf.exe | Lfqgdn32.exe
File created | C:\Windows\SysWOW64\Pepoal32.dll | Demefpjh.exe
File opened for modification | C:\Windows\SysWOW64\Ifbifh32.exe | Icdmjm32.exe
File created | C:\Windows\SysWOW64\Fiaeni32.dll | Pfeiojnj.exe
File opened for modification | C:\Windows\SysWOW64\Hffbpcbl.exe | Hnokofaj.exe
File created | C:\Windows\SysWOW64\Khnggmgp.dll | Pphjlm32.exe
File opened for modification | C:\Windows\SysWOW64\Bmkccjik.exe | Bfqkgp32.exe
File created | C:\Windows\SysWOW64\Dkgkbe32.dll | Ddmhmm32.exe
File created | C:\Windows\SysWOW64\Pgedglll.dll | Ojgbij32.exe
File created | C:\Windows\SysWOW64\Plnohm32.dll | Gooemb32.exe
File created | C:\Windows\SysWOW64\Cjfqhcei.exe | Chhdlhfe.exe
File opened for modification | C:\Windows\SysWOW64\Niipmefb.exe | Ngjcajgo.exe
File created | C:\Windows\SysWOW64\Gdjdgonh.dll | Bhmlkpdn.exe
File created | C:\Windows\SysWOW64\Kogfbg32.dll | Chmeamfk.exe
File created | C:\Windows\SysWOW64\Ocpgbodo.exe | Oqakfdek.exe
File created | C:\Windows\SysWOW64\Ampkbagd.exe | Ajanffhq.exe
File created | C:\Windows\SysWOW64\Mkgachhn.dll | Eefhmobm.exe
File created | C:\Windows\SysWOW64\Fcqomh32.dll | Jimenb32.exe
File created | C:\Windows\SysWOW64\Jfnibg32.exe | Jcplfk32.exe
File opened for modification | C:\Windows\SysWOW64\Pfeiojnj.exe | Pddmga32.exe
File created | C:\Windows\SysWOW64\Mppbnb32.exe | Mhijle32.exe
File opened for modification | C:\Windows\SysWOW64\Nldodahi.exe | Nifchfhe.exe
File created | C:\Windows\SysWOW64\Mphqbmpf.dll | Noehelej.exe
File created | C:\Windows\SysWOW64\Agfjci32.dll | Ckdkmjkg.exe
File created | C:\Windows\SysWOW64\Jcplfk32.exe | Jliden32.exe
File created | C:\Windows\SysWOW64\Jncnlgoj.dll | Aohfig32.exe
File created | C:\Windows\SysWOW64\Klddql32.exe | Kmadepao.exe
File created | C:\Windows\SysWOW64\Ajoaqfjc.exe | Agpedkjp.exe
File created | C:\Windows\SysWOW64\Dhjqkifa.dll | Qcnccm32.exe
File created | C:\Windows\SysWOW64\Bnfmmc32.exe | Bjjalepf.exe
File created | C:\Windows\SysWOW64\Gdfmocil.exe | Fahachjh.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
13812 | 13544 | WerFault.exe | 724
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghklfq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qfkieb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahhbpp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imekbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iioimd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekifdqec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eaghljhk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqoicigl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdnigifi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dailkl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knkcabij.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keondk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcdjbh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilpaoo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfgfdikg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amkagb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jnbpkcad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibijkiao.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chjaag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kihnpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klgqflfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnpimkfl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfjcji32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbnecplk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acping32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcnepefp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chkhln32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmbmlmbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngpcgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aedfnoii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkiokn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nljoig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oedjmfha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jeainchg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kidkoa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hojnnj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oolnfkoa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mimpagqp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Echkqcci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfqegfpj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngmgap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aclpdklo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhfjdclb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ieapgf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmmefd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggeikohp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkpelm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nifchfhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfqkgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cknnchcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjfqhcei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhmpebfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkfaehpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhbmbc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Keghdl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Moleonmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pljafneq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daolqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqfodh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mecqfh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmoead32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbqplhkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpebch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgbmfo32.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
13656 | Acping32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfmpo32.dll" | Eeoalp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lhogff32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmopd32.dll" | Mmicll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhjcj32.dll" | Goqkhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jooppg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonhjq32.dll" | Agmbde32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aohfig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifplqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pnjejgpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bnfmmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oafjmj32.dll" | Fgpppo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcecpc32.dll" | Hckjdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Baicdncn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnqhbjia.dll" | Gkpelm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nonbem32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Olledp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mepnfone.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmbpoofo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Keondk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mlfcbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioaanhdk.dll" | Bijnhleg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjdkhpm.dll" | Iijobeaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmadepao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gmebkf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphojcfd.dll" | Kpeilj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Bhckqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Bhckqh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfgplld.dll" | Agniok32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Deckfkof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jkfaehpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egckpjdo.dll" | Cdabfhjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cjkjcb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ikhdcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likblpff.dll" | Npedpoll.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Daolqa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Echkqcci.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjni32.dll" | Lbjlid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanlej32.dll" | Ocpgbodo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Agbkpdea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Eknppp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomgfo32.dll" | Hdgffq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pambekce.dll" | Oimihe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kpeilj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdank32.dll" | Mlqlch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogohcl32.dll" | Cfmamdkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljmpb32.dll" | Opljpn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dcnhjdkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Edbbhlop.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfnneioi.dll" | Fdnackeb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kpbmgj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cegooa32.dll" | Aebihpkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nlpeib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhikp32.dll" | Ddekah32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dmpmpm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfggia32.dll" | Oqonpdgn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qjjheg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ifmiqbld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Igekijlj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nignddpa.dll" | Ieapgf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gefjif32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lbghiocp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ilmeip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfnef32.dll" | Ghklfq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Anpnfkac.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2516 wrote to memory of 1976 2516 3b3f674a5907c486eb3c80bf1bc12020N.exe 83
PID 2516 wrote to memory of 1976 2516 3b3f674a5907c486eb3c80bf1bc12020N.exe 83
PID 2516 wrote to memory of 1976 2516 3b3f674a5907c486eb3c80bf1bc12020N.exe 83
PID 1976 wrote to memory of 8 1976 Ahffjq32.exe 84
PID 1976 wrote to memory of 8 1976 Ahffjq32.exe 84
PID 1976 wrote to memory of 8 1976 Ahffjq32.exe 84
PID 8 wrote to memory of 4820 8 Anpnfkac.exe 85
PID 8 wrote to memory of 4820 8 Anpnfkac.exe 85
PID 8 wrote to memory of 4820 8 Anpnfkac.exe 85
PID 4820 wrote to memory of 5116 4820 Aejfce32.exe 86
PID 4820 wrote to memory of 5116 4820 Aejfce32.exe 86
PID 4820 wrote to memory of 5116 4820 Aejfce32.exe 86
PID 5116 wrote to memory of 4540 5116 Ahhbpp32.exe 87
PID 5116 wrote to memory of 4540 5116 Ahhbpp32.exe 87
PID 5116 wrote to memory of 4540 5116 Ahhbpp32.exe 87
PID 4540 wrote to memory of 1820 4540 Anbklj32.exe 88
PID 4540 wrote to memory of 1820 4540 Anbklj32.exe 88
PID 4540 wrote to memory of 1820 4540 Anbklj32.exe 88
PID 1820 wrote to memory of 1908 1820 Aaqghf32.exe 89
PID 1820 wrote to memory of 1908 1820 Aaqghf32.exe 89
PID 1820 wrote to memory of 1908 1820 Aaqghf32.exe 89
PID 1908 wrote to memory of 3512 1908 Bdocda32.exe 90
PID 1908 wrote to memory of 3512 1908 Bdocda32.exe 90
PID 1908 wrote to memory of 3512 1908 Bdocda32.exe 90
PID 3512 wrote to memory of 2420 3512 Bjikaked.exe 91
PID 3512 wrote to memory of 2420 3512 Bjikaked.exe 91
PID 3512 wrote to memory of 2420 3512 Bjikaked.exe 91
PID 2420 wrote to memory of 5040 2420 Bbpcbiff.exe 92
PID 2420 wrote to memory of 5040 2420 Bbpcbiff.exe 92
PID 2420 wrote to memory of 5040 2420 Bbpcbiff.exe 92
PID 5040 wrote to memory of 2732 5040 Benpndej.exe 93
PID 5040 wrote to memory of 2732 5040 Benpndej.exe 93
PID 5040 wrote to memory of 2732 5040 Benpndej.exe 93
PID 2732 wrote to memory of 4984 2732 Bhmlkpdn.exe 95
PID 2732 wrote to memory of 4984 2732 Bhmlkpdn.exe 95
PID 2732 wrote to memory of 4984 2732 Bhmlkpdn.exe 95
PID 4984 wrote to memory of 3528 4984 Blhhkn32.exe 96
PID 4984 wrote to memory of 3528 4984 Blhhkn32.exe 96
PID 4984 wrote to memory of 3528 4984 Blhhkn32.exe 96
PID 3528 wrote to memory of 1540 3528 Bngdgj32.exe 97
PID 3528 wrote to memory of 1540 3528 Bngdgj32.exe 97
PID 3528 wrote to memory of 1540 3528 Bngdgj32.exe 97
PID 1540 wrote to memory of 5000 1540 Bbbphh32.exe 98
PID 1540 wrote to memory of 5000 1540 Bbbphh32.exe 98
PID 1540 wrote to memory of 5000 1540 Bbbphh32.exe 98
PID 5000 wrote to memory of 456 5000 Bhohpo32.exe 100
PID 5000 wrote to memory of 456 5000 Bhohpo32.exe 100
PID 5000 wrote to memory of 456 5000 Bhohpo32.exe 100
PID 456 wrote to memory of 696 456 Bjnelk32.exe 101
PID 456 wrote to memory of 696 456 Bjnelk32.exe 101
PID 456 wrote to memory of 696 456 Bjnelk32.exe 101
PID 696 wrote to memory of 5024 696 Bagmiehl.exe 102
PID 696 wrote to memory of 5024 696 Bagmiehl.exe 102
PID 696 wrote to memory of 5024 696 Bagmiehl.exe 102
PID 5024 wrote to memory of 4880 5024 Bdfiephp.exe 104
PID 5024 wrote to memory of 4880 5024 Bdfiephp.exe 104
PID 5024 wrote to memory of 4880 5024 Bdfiephp.exe 104
PID 4880 wrote to memory of 700 4880 Boknbige.exe 105
PID 4880 wrote to memory of 700 4880 Boknbige.exe 105
PID 4880 wrote to memory of 700 4880 Boknbige.exe 105
PID 700 wrote to memory of 3924 700 Beefocob.exe 106
PID 700 wrote to memory of 3924 700 Beefocob.exe 106
PID 700 wrote to memory of 3924 700 Beefocob.exe 106
PID 3924 wrote to memory of 1640 3924 Bhdbkonf.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b3f674a5907c486eb3c80bf1bc12020N.exe"C:\Users\Admin\AppData\Local\Temp\3b3f674a5907c486eb3c80bf1bc12020N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Ahffjq32.exeC:\Windows\system32\Ahffjq32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Anpnfkac.exeC:\Windows\system32\Anpnfkac.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\SysWOW64\Aejfce32.exeC:\Windows\system32\Aejfce32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Ahhbpp32.exeC:\Windows\system32\Ahhbpp32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Anbklj32.exeC:\Windows\system32\Anbklj32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Aaqghf32.exeC:\Windows\system32\Aaqghf32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Bdocda32.exeC:\Windows\system32\Bdocda32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Bjikaked.exeC:\Windows\system32\Bjikaked.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\Bbpcbiff.exeC:\Windows\system32\Bbpcbiff.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Benpndej.exeC:\Windows\system32\Benpndej.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\Bhmlkpdn.exeC:\Windows\system32\Bhmlkpdn.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Blhhkn32.exeC:\Windows\system32\Blhhkn32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Bngdgj32.exeC:\Windows\system32\Bngdgj32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\SysWOW64\Bbbphh32.exeC:\Windows\system32\Bbbphh32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Bhohpo32.exeC:\Windows\system32\Bhohpo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Bjnelk32.exeC:\Windows\system32\Bjnelk32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Bagmiehl.exeC:\Windows\system32\Bagmiehl.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Bdfiephp.exeC:\Windows\system32\Bdfiephp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Boknbige.exeC:\Windows\system32\Boknbige.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Beefocob.exeC:\Windows\system32\Beefocob.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Bhdbkonf.exeC:\Windows\system32\Bhdbkonf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\Bkbngjmj.exeC:\Windows\system32\Bkbngjmj.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Bbifhgnl.exeC:\Windows\system32\Bbifhgnl.exe24⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Cehbdcmp.exeC:\Windows\system32\Cehbdcmp.exe25⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Clakam32.exeC:\Windows\system32\Clakam32.exe26⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Ckdkmjkg.exeC:\Windows\system32\Ckdkmjkg.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Cejojb32.exeC:\Windows\system32\Cejojb32.exe28⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Cldggmbj.exeC:\Windows\system32\Cldggmbj.exe29⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Cobcchan.exeC:\Windows\system32\Cobcchan.exe30⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Caapocpa.exeC:\Windows\system32\Caapocpa.exe31⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Cdolkope.exeC:\Windows\system32\Cdolkope.exe32⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Chkhln32.exeC:\Windows\system32\Chkhln32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4280 -
C:\Windows\SysWOW64\Coephhok.exeC:\Windows\system32\Coephhok.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Cacmecno.exeC:\Windows\system32\Cacmecno.exe35⤵
- Executes dropped EXE
PID:4648 -
C:\Windows\SysWOW64\Chmeamfk.exeC:\Windows\system32\Chmeamfk.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Cklanieo.exeC:\Windows\system32\Cklanieo.exe37⤵
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Cbbiofea.exeC:\Windows\system32\Cbbiofea.exe38⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Caeijc32.exeC:\Windows\system32\Caeijc32.exe39⤵
- Executes dropped EXE
PID:3932 -
C:\Windows\SysWOW64\Chpagmdi.exeC:\Windows\system32\Chpagmdi.exe40⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Cknnchcl.exeC:\Windows\system32\Cknnchcl.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4996 -
C:\Windows\SysWOW64\Dahfpb32.exeC:\Windows\system32\Dahfpb32.exe42⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Ddfbln32.exeC:\Windows\system32\Ddfbln32.exe43⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Dlmjmkjo.exeC:\Windows\system32\Dlmjmkjo.exe44⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Dolfigic.exeC:\Windows\system32\Dolfigic.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Dajbebhf.exeC:\Windows\system32\Dajbebhf.exe46⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Dhdkbl32.exeC:\Windows\system32\Dhdkbl32.exe47⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Dlpgbkhl.exeC:\Windows\system32\Dlpgbkhl.exe48⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Dbjooe32.exeC:\Windows\system32\Dbjooe32.exe49⤵
- Executes dropped EXE
PID:3856 -
C:\Windows\SysWOW64\Dehkkq32.exeC:\Windows\system32\Dehkkq32.exe50⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Dhfhhl32.exeC:\Windows\system32\Dhfhhl32.exe51⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Doqpdf32.exeC:\Windows\system32\Doqpdf32.exe52⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Daolqa32.exeC:\Windows\system32\Daolqa32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3320 -
C:\Windows\SysWOW64\Ddmhmm32.exeC:\Windows\system32\Ddmhmm32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Dhidmlln.exeC:\Windows\system32\Dhidmlln.exe55⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Dkgqigka.exeC:\Windows\system32\Dkgqigka.exe56⤵
- Executes dropped EXE
PID:3476 -
C:\Windows\SysWOW64\Dcnhjdkd.exeC:\Windows\system32\Dcnhjdkd.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3764 -
C:\Windows\SysWOW64\Demefpjh.exeC:\Windows\system32\Demefpjh.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1084 -
C:\Windows\SysWOW64\Dhkackjk.exeC:\Windows\system32\Dhkackjk.exe59⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Dkjmogio.exeC:\Windows\system32\Dkjmogio.exe60⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Ecqepd32.exeC:\Windows\system32\Ecqepd32.exe61⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Eeoalp32.exeC:\Windows\system32\Eeoalp32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Edbbhlop.exeC:\Windows\system32\Edbbhlop.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Elijijpb.exeC:\Windows\system32\Elijijpb.exe64⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Eccbed32.exeC:\Windows\system32\Eccbed32.exe65⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\Eeanao32.exeC:\Windows\system32\Eeanao32.exe66⤵
- Drops file in System32 directory
PID:4364 -
C:\Windows\SysWOW64\Ehpjnk32.exeC:\Windows\system32\Ehpjnk32.exe67⤵
- Drops file in System32 directory
PID:4908 -
C:\Windows\SysWOW64\Eojbkemc.exeC:\Windows\system32\Eojbkemc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Edgkcl32.exeC:\Windows\system32\Edgkcl32.exe69⤵PID:5064
-
C:\Windows\SysWOW64\Ekqcpfbg.exeC:\Windows\system32\Ekqcpfbg.exe70⤵PID:2712
-
C:\Windows\SysWOW64\Echkqcci.exeC:\Windows\system32\Echkqcci.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4928 -
C:\Windows\SysWOW64\Eefhmobm.exeC:\Windows\system32\Eefhmobm.exe72⤵
- Drops file in System32 directory
PID:4732 -
C:\Windows\SysWOW64\Elppii32.exeC:\Windows\system32\Elppii32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Eooled32.exeC:\Windows\system32\Eooled32.exe74⤵PID:412
-
C:\Windows\SysWOW64\Eehdbn32.exeC:\Windows\system32\Eehdbn32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Ehgqoj32.exeC:\Windows\system32\Ehgqoj32.exe76⤵PID:3656
-
C:\Windows\SysWOW64\Foaikdgk.exeC:\Windows\system32\Foaikdgk.exe77⤵PID:408
-
C:\Windows\SysWOW64\Faoegofo.exeC:\Windows\system32\Faoegofo.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4008 -
C:\Windows\SysWOW64\Fdnackeb.exeC:\Windows\system32\Fdnackeb.exe79⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Foceqceh.exeC:\Windows\system32\Foceqceh.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4776 -
C:\Windows\SysWOW64\Faabmodl.exeC:\Windows\system32\Faabmodl.exe81⤵PID:3548
-
C:\Windows\SysWOW64\Fdpnij32.exeC:\Windows\system32\Fdpnij32.exe82⤵PID:3188
-
C:\Windows\SysWOW64\Flgfjh32.exeC:\Windows\system32\Flgfjh32.exe83⤵PID:2692
-
C:\Windows\SysWOW64\Fkjffdjl.exeC:\Windows\system32\Fkjffdjl.exe84⤵PID:116
-
C:\Windows\SysWOW64\Foholc32.exeC:\Windows\system32\Foholc32.exe85⤵PID:3668
-
C:\Windows\SysWOW64\Fhbpjh32.exeC:\Windows\system32\Fhbpjh32.exe86⤵PID:1268
-
C:\Windows\SysWOW64\Gdiaoike.exeC:\Windows\system32\Gdiaoike.exe87⤵PID:4792
-
C:\Windows\SysWOW64\Gooemb32.exeC:\Windows\system32\Gooemb32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Gbmaim32.exeC:\Windows\system32\Gbmaim32.exe89⤵PID:5008
-
C:\Windows\SysWOW64\Gdlnei32.exeC:\Windows\system32\Gdlnei32.exe90⤵PID:3500
-
C:\Windows\SysWOW64\Ghgiegak.exeC:\Windows\system32\Ghgiegak.exe91⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Gcmnbpaa.exeC:\Windows\system32\Gcmnbpaa.exe92⤵PID:1588
-
C:\Windows\SysWOW64\Gbpnnm32.exeC:\Windows\system32\Gbpnnm32.exe93⤵PID:5132
-
C:\Windows\SysWOW64\Gdnjjh32.exeC:\Windows\system32\Gdnjjh32.exe94⤵PID:5176
-
C:\Windows\SysWOW64\Gmebkf32.exeC:\Windows\system32\Gmebkf32.exe95⤵
- Modifies registry class
PID:5220 -
C:\Windows\SysWOW64\Gmgoaeeo.exeC:\Windows\system32\Gmgoaeeo.exe96⤵PID:5264
-
C:\Windows\SysWOW64\Gofkmadc.exeC:\Windows\system32\Gofkmadc.exe97⤵PID:5308
-
C:\Windows\SysWOW64\Gfpcjk32.exeC:\Windows\system32\Gfpcjk32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5352 -
C:\Windows\SysWOW64\Ginpff32.exeC:\Windows\system32\Ginpff32.exe99⤵PID:5396
-
C:\Windows\SysWOW64\Hkmlbb32.exeC:\Windows\system32\Hkmlbb32.exe100⤵PID:5444
-
C:\Windows\SysWOW64\Hbgdol32.exeC:\Windows\system32\Hbgdol32.exe101⤵PID:5488
-
C:\Windows\SysWOW64\Hiqllfiq.exeC:\Windows\system32\Hiqllfiq.exe102⤵PID:5556
-
C:\Windows\SysWOW64\Hbiadl32.exeC:\Windows\system32\Hbiadl32.exe103⤵PID:5624
-
C:\Windows\SysWOW64\Hegmqg32.exeC:\Windows\system32\Hegmqg32.exe104⤵PID:5668
-
C:\Windows\SysWOW64\Hiciafgn.exeC:\Windows\system32\Hiciafgn.exe105⤵PID:5708
-
C:\Windows\SysWOW64\Hmoead32.exeC:\Windows\system32\Hmoead32.exe106⤵
- System Location Discovery: System Language Discovery
PID:5756 -
C:\Windows\SysWOW64\Homanp32.exeC:\Windows\system32\Homanp32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5800 -
C:\Windows\SysWOW64\Hchmno32.exeC:\Windows\system32\Hchmno32.exe108⤵PID:5844
-
C:\Windows\SysWOW64\Hbknjkno.exeC:\Windows\system32\Hbknjkno.exe109⤵PID:5888
-
C:\Windows\SysWOW64\Hejjfgmb.exeC:\Windows\system32\Hejjfgmb.exe110⤵PID:5928
-
C:\Windows\SysWOW64\Hmabgdmd.exeC:\Windows\system32\Hmabgdmd.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5976 -
C:\Windows\SysWOW64\Hkdbca32.exeC:\Windows\system32\Hkdbca32.exe112⤵PID:6016
-
C:\Windows\SysWOW64\Hckjdn32.exeC:\Windows\system32\Hckjdn32.exe113⤵
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Hfifpj32.exeC:\Windows\system32\Hfifpj32.exe114⤵PID:6104
-
C:\Windows\SysWOW64\Hihble32.exeC:\Windows\system32\Hihble32.exe115⤵PID:2392
-
C:\Windows\SysWOW64\Hmcomdkb.exeC:\Windows\system32\Hmcomdkb.exe116⤵PID:5188
-
C:\Windows\SysWOW64\Hoakioje.exeC:\Windows\system32\Hoakioje.exe117⤵PID:5248
-
C:\Windows\SysWOW64\Hcmgin32.exeC:\Windows\system32\Hcmgin32.exe118⤵PID:5320
-
C:\Windows\SysWOW64\Hflceibb.exeC:\Windows\system32\Hflceibb.exe119⤵PID:5388
-
C:\Windows\SysWOW64\Iijobeaf.exeC:\Windows\system32\Iijobeaf.exe120⤵
- Modifies registry class
PID:5484 -
C:\Windows\SysWOW64\Imekbc32.exeC:\Windows\system32\Imekbc32.exe121⤵
- System Location Discovery: System Language Discovery
PID:5548 -
C:\Windows\SysWOW64\Ipdgoo32.exeC:\Windows\system32\Ipdgoo32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5640