Analysis
max time kernel: 106s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2024 16:54
Static task: static1
Behavioral task: behavioral1
Sample: 4452b45be863ddb6542606bec3c8d8a0N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 4452b45be863ddb6542606bec3c8d8a0N.exe
Resource: win10v2004-20240802-en
General
Target: 4452b45be863ddb6542606bec3c8d8a0N.exe
Size: 56KB
MD5: 4452b45be863ddb6542606bec3c8d8a0
SHA1: 6e136477e4221f9ac5d690a88dadb50b2b89974c
SHA256: b795567cd17ab7b064716262ba7eab97c12a3384b48653f222aec308878b418d
SHA512: 10b8323375a9fad5a9399d433d08e35c37869751f13a1b1b992aa866e98926880c57859ce801a2d1abca378903a76fb12ae8c20f7a311cbdb6e7683438aefb9a
SSDEEP: 1536:TcB8H04+mWRp8h/rBT+9ZiTQxZR+XEMxT7SR8pS5:AB+0D38h/rBKJZROxTuR805
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 10920, pid_target: 10624, Process: WerFault.exe, procid_target: 536
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiccbopq.dll" Hnnkcibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnabnafk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmnfjigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcjnclme.dll" Ffjgjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdcjednh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bojljggi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciigcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpadhbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npaoqmhk.dll" Fpdana32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkajolg.dll" Ejjcocdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfeaocg.dll" Oagnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaainfjg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeaojdnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbnmek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clamioea.dll" Hagjohma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaopjckc.dll" Fpadhbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idfoaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lapojmeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pecbif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkekb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecaamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgnbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igjbmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhlne32.dll" Knomadfq.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnqqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aolphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdana32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfdoj32.dll" Cpipel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neigljah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paejbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pladqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkejppj.dll" Ajcakbql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbmkhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmapca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajmkkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldjmm32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmhlkhh.dll" Knecbc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnabnafk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pagfhgba.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjhapcki.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjkglakd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciigcl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfmgmp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccahfded.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjopci32.dll" Jqfcmq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjgmnie.dll" Giaoaf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Einiei32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojbnhojh.dll" Nilimgci.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Albmgmpp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebdahonl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihmbgqja.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbkbhhg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbqikkel.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlpddpee.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcfpo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbodb32.dll" Kjcqqf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oodaam32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacold32.dll" Bbhhfcfl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpmpjm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccmeek32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fioifm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmnmcl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdiikl32.exe -
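Added note and example; this is not part of the sandbox output. The registry activity above is one persistence mechanism seen from many stages: the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} is listed under ShellServiceObjectDelayLoad, so Explorer loads its InProcServer32 DLL at logon, and successive stages keep overwriting that key's default value with a different freshly dropped DLL in SysWow64 (Ocmhlkhh.dll, Hjopci32.dll, Ajjgmnie.dll, Ojbnhojh.dll, Ehbodb32.dll, Pacold32.dll), each time with ThreadingModel = "Apartment". Because the sample is a 32-bit process, every write lands in the WOW6432Node views. The PowerShell below hunts a live host for this pattern: it walks both SSODL lists, resolves each CLSID to its in-proc server in both class roots, and flags the reported CLSID, missing DLLs, unsigned DLLs and non-Microsoft signers. Only the CLSID and key paths come from the report; the cmdlet usage, the Microsoft-signer heuristic and the output columns are the example's own assumptions. Run it in an elevated session.

```powershell
# Added example, not part of the sandbox report. Hunts the ShellServiceObjectDelayLoad
# (SSODL) Explorer autostart list for the CLSID this sample registers and for any other
# entry whose InProcServer32 DLL is missing, unsigned or not signed by Microsoft.

# CLSID taken from this report. Everything else below is generic.
$SuspectClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

# Both registry views: native 64-bit and the WOW6432Node view a 32-bit sample writes to.
$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$classRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)

# Resolve a CLSID to its InProcServer32 DLL in every class root where it is registered.
function Resolve-InProcServer {
    param([string]$Clsid)
    foreach ($root in $classRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $dll = $props.'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            [pscustomobject]@{ Key = $key; Dll = $dll; ThreadingModel = $props.ThreadingModel }
        }
    }
}

$findings = foreach ($ssodl in $ssodlKeys) {
    if (-not (Test-Path $ssodl)) { continue }
    $entries = Get-ItemProperty -Path $ssodl
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        $clsid   = [string]$p.Value
        $servers = @(Resolve-InProcServer -Clsid $clsid)
        if ($servers.Count -eq 0) {
            # Listed in SSODL but no in-proc server registered anywhere: still worth a look.
            $servers = @([pscustomobject]@{ Key = $null; Dll = $null; ThreadingModel = $null })
        }
        foreach ($server in $servers) {
            $reasons = @()
            if ($clsid -ieq $SuspectClsid)  { $reasons += 'CLSID written by this sample' }
            if (-not $server.Key)           { $reasons += 'CLSID has no InProcServer32 key' }
            elseif (-not $server.Dll)       { $reasons += 'InProcServer32 default value empty' }
            elseif (-not (Test-Path -LiteralPath $server.Dll)) {
                # A bare file name would be found via the DLL search path; flag for follow-up.
                $reasons += 'DLL not found at recorded path'
            }
            else {
                $sig = Get-AuthenticodeSignature -FilePath $server.Dll
                if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
                elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $reasons += 'non-Microsoft signer' }
            }
            [pscustomobject]@{
                SsodlKey  = $ssodl
                Name      = $p.Name          # e.g. "Web Event Logger" in this report
                Clsid     = $clsid
                Dll       = $server.Dll
                Threading = $server.ThreadingModel
                Verdict   = if ($reasons) { $reasons -join '; ' } else { 'ok' }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

On a clean Windows 10 host the SSODL lists hold only Microsoft entries, so anything with a verdict other than "ok" is worth triage; a hit on the reported CLSID with a DLL in SysWow64 is a direct match for this sample. The signature check depends on Get-AuthenticodeSignature recognising catalog-signed OS DLLs, which PowerShell 5.1 on Windows 10 does; on older hosts treat "signature NotSigned" on Microsoft files as noise and rely on the CLSID and path checks.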
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 456 wrote to memory of 704 456 4452b45be863ddb6542606bec3c8d8a0N.exe 85
PID 456 wrote to memory of 704 456 4452b45be863ddb6542606bec3c8d8a0N.exe 85
PID 456 wrote to memory of 704 456 4452b45be863ddb6542606bec3c8d8a0N.exe 85
PID 704 wrote to memory of 2200 704 Bfdkahba.exe 86
PID 704 wrote to memory of 2200 704 Bfdkahba.exe 86
PID 704 wrote to memory of 2200 704 Bfdkahba.exe 86
PID 2200 wrote to memory of 3432 2200 Bichmcae.exe 87
PID 2200 wrote to memory of 3432 2200 Bichmcae.exe 87
PID 2200 wrote to memory of 3432 2200 Bichmcae.exe 87
PID 3432 wrote to memory of 2212 3432 Bpmpjm32.exe 88
PID 3432 wrote to memory of 2212 3432 Bpmpjm32.exe 88
PID 3432 wrote to memory of 2212 3432 Bpmpjm32.exe 88
PID 2212 wrote to memory of 2332 2212 Cgdhkk32.exe 89
PID 2212 wrote to memory of 2332 2212 Cgdhkk32.exe 89
PID 2212 wrote to memory of 2332 2212 Cgdhkk32.exe 89
PID 2332 wrote to memory of 1788 2332 Ciedbcob.exe 90
PID 2332 wrote to memory of 1788 2332 Ciedbcob.exe 90
PID 2332 wrote to memory of 1788 2332 Ciedbcob.exe 90
PID 1788 wrote to memory of 4660 1788 Cmapca32.exe 91
PID 1788 wrote to memory of 4660 1788 Cmapca32.exe 91
PID 1788 wrote to memory of 4660 1788 Cmapca32.exe 91
PID 4660 wrote to memory of 1324 4660 Cckipl32.exe 92
PID 4660 wrote to memory of 1324 4660 Cckipl32.exe 92
PID 4660 wrote to memory of 1324 4660 Cckipl32.exe 92
PID 1324 wrote to memory of 1128 1324 Cjeamffe.exe 93
PID 1324 wrote to memory of 1128 1324 Cjeamffe.exe 93
PID 1324 wrote to memory of 1128 1324 Cjeamffe.exe 93
PID 1128 wrote to memory of 4196 1128 Cigahb32.exe 94
PID 1128 wrote to memory of 4196 1128 Cigahb32.exe 94
PID 1128 wrote to memory of 4196 1128 Cigahb32.exe 94
PID 4196 wrote to memory of 4044 4196 Cpaiemdl.exe 95
PID 4196 wrote to memory of 4044 4196 Cpaiemdl.exe 95
PID 4196 wrote to memory of 4044 4196 Cpaiemdl.exe 95
PID 4044 wrote to memory of 2752 4044 Ccmeek32.exe 96
PID 4044 wrote to memory of 2752 4044 Ccmeek32.exe 96
PID 4044 wrote to memory of 2752 4044 Ccmeek32.exe 96
PID 2752 wrote to memory of 4696 2752 Cflaag32.exe 97
PID 2752 wrote to memory of 4696 2752 Cflaag32.exe 97
PID 2752 wrote to memory of 4696 2752 Cflaag32.exe 97
PID 4696 wrote to memory of 3296 4696 Cijnnb32.exe 99
PID 4696 wrote to memory of 3296 4696 Cijnnb32.exe 99
PID 4696 wrote to memory of 3296 4696 Cijnnb32.exe 99
PID 3296 wrote to memory of 4452 3296 Cmejnacf.exe 100
PID 3296 wrote to memory of 4452 3296 Cmejnacf.exe 100
PID 3296 wrote to memory of 4452 3296 Cmejnacf.exe 100
PID 4452 wrote to memory of 2256 4452 Cpdfjlbj.exe 101
PID 4452 wrote to memory of 2256 4452 Cpdfjlbj.exe 101
PID 4452 wrote to memory of 2256 4452 Cpdfjlbj.exe 101
PID 2256 wrote to memory of 1848 2256 Cgknlj32.exe 102
PID 2256 wrote to memory of 1848 2256 Cgknlj32.exe 102
PID 2256 wrote to memory of 1848 2256 Cgknlj32.exe 102
PID 1848 wrote to memory of 2472 1848 Cjijhe32.exe 103
PID 1848 wrote to memory of 2472 1848 Cjijhe32.exe 103
PID 1848 wrote to memory of 2472 1848 Cjijhe32.exe 103
PID 2472 wrote to memory of 4776 2472 Cacbdoil.exe 105
PID 2472 wrote to memory of 4776 2472 Cacbdoil.exe 105
PID 2472 wrote to memory of 4776 2472 Cacbdoil.exe 105
PID 4776 wrote to memory of 3096 4776 Cfpkmfhd.exe 106
PID 4776 wrote to memory of 3096 4776 Cfpkmfhd.exe 106
PID 4776 wrote to memory of 3096 4776 Cfpkmfhd.exe 106
PID 3096 wrote to memory of 3772 3096 Ciogiagg.exe 107
PID 3096 wrote to memory of 3772 3096 Ciogiagg.exe 107
PID 3096 wrote to memory of 3772 3096 Ciogiagg.exe 107
PID 3772 wrote to memory of 2436 3772 Cpipel32.exe 109
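Added note and example; this is not part of the sandbox output. Every WriteProcessMemory event above has the writer's own freshly created child as its target (456 writes into 704, 704 into 2200, and so on, three writes per hop), and the target PIDs are exactly the next level of the process tree. That is the memory write a parent performs when it starts a child, not injection into an unrelated process, so this signature on its own says "spawned a chain", and the tree is what tells the two apart. The PowerShell below makes that check mechanical: it parses an excerpt of the event text copied from this report, derives parent PIDs from an excerpt of the tree (the depth number before the arrow and the PID), groups writes per writer/target pair, and reports any write whose target is not the writer's direct child. The two excerpts are the only data taken from the report; the parsing regexes and the output columns are the example's own.

```powershell
# Added example, not part of the sandbox report. Reconstructs the spawn chain from the
# "Suspicious use of WriteProcessMemory" events and checks that every write targets a
# process the writer itself created (CreateProcess start-up), rather than a foreign process.

# Excerpt of the event list as printed in this report (first four hops).
$wpmText = @'
PID 456 wrote to memory of 704 456 4452b45be863ddb6542606bec3c8d8a0N.exe 85 PID 456 wrote to memory of 704 456 4452b45be863ddb6542606bec3c8d8a0N.exe 85 PID 456 wrote to memory of 704 456 4452b45be863ddb6542606bec3c8d8a0N.exe 85 PID 704 wrote to memory of 2200 704 Bfdkahba.exe 86 PID 704 wrote to memory of 2200 704 Bfdkahba.exe 86 PID 704 wrote to memory of 2200 704 Bfdkahba.exe 86 PID 2200 wrote to memory of 3432 2200 Bichmcae.exe 87 PID 2200 wrote to memory of 3432 2200 Bichmcae.exe 87 PID 2200 wrote to memory of 3432 2200 Bichmcae.exe 87 PID 3432 wrote to memory of 2212 3432 Bpmpjm32.exe 88 PID 3432 wrote to memory of 2212 3432 Bpmpjm32.exe 88 PID 3432 wrote to memory of 2212 3432 Bpmpjm32.exe 88
'@

# Matching rows of the Processes tree, reduced to "<depth> <pid> <image>".
$treeText = @'
1 456 4452b45be863ddb6542606bec3c8d8a0N.exe
2 704 Bfdkahba.exe
3 2200 Bichmcae.exe
4 3432 Bpmpjm32.exe
5 2212 Cgdhkk32.exe
'@

# One event = "PID <writer> wrote to memory of <target> <writer> <image> <sandbox procid>".
$events = [regex]::Matches($wpmText, 'PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)') |
    ForEach-Object {
        [pscustomobject]@{
            Writer = [int]$_.Groups[1].Value
            Target = [int]$_.Groups[2].Value
            Image  = $_.Groups[3].Value
        }
    }

# Parent of a depth-n row is the most recent depth-(n-1) row.
$parentOf    = @{}
$imageOf     = @{}
$lastAtDepth = @{}
foreach ($line in ($treeText -split "`r?`n")) {
    if ($line -match '^(\d+) (\d+) (\S+)$') {
        $depth  = [int]$Matches[1]
        $procId = [int]$Matches[2]
        $imageOf[$procId] = $Matches[3]
        if ($depth -gt 1) { $parentOf[$procId] = $lastAtDepth[$depth - 1] }
        $lastAtDepth[$depth] = $procId
    }
}

# Collapse the repeated writes per hop and decide whether each target is the writer's child.
$summary = $events | Group-Object Writer, Target | ForEach-Object {
    $w = $_.Group[0].Writer
    $t = $_.Group[0].Target
    [pscustomobject]@{
        Writer        = "$w ($($_.Group[0].Image))"
        Target        = "$t ($($imageOf[$t]))"
        Writes        = $_.Count
        TargetIsChild = ($parentOf[$t] -eq $w)
    }
}
$summary | Format-Table -AutoSize

$foreign = @($summary | Where-Object { -not $_.TargetIsChild })
if ($foreign.Count -eq 0) {
    'All writes went into freshly spawned children: process start-up, not cross-process injection.'
} else {
    'Writes into processes the writer did not spawn (possible injection):'
    $foreign | Format-Table -AutoSize
}
```

For the excerpt above every hop comes out as 3 writes with TargetIsChild True. Paste the full event list and the full tree to check all 64 events; a False row is the case that deserves a look at what was written and where.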
Processes
-
C:\Users\Admin\AppData\Local\Temp\4452b45be863ddb6542606bec3c8d8a0N.exe "C:\Users\Admin\AppData\Local\Temp\4452b45be863ddb6542606bec3c8d8a0N.exe" 1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\Bfdkahba.exe C:\Windows\system32\Bfdkahba.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Bichmcae.exe C:\Windows\system32\Bichmcae.exe 3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Bpmpjm32.exe C:\Windows\system32\Bpmpjm32.exe 4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Cgdhkk32.exe C:\Windows\system32\Cgdhkk32.exe 5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ciedbcob.exe C:\Windows\system32\Ciedbcob.exe 6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Cmapca32.exe C:\Windows\system32\Cmapca32.exe 7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Cckipl32.exe C:\Windows\system32\Cckipl32.exe 8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Cjeamffe.exe C:\Windows\system32\Cjeamffe.exe 9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Cigahb32.exe C:\Windows\system32\Cigahb32.exe 10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Cpaiemdl.exe C:\Windows\system32\Cpaiemdl.exe 11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\Ccmeek32.exe C:\Windows\system32\Ccmeek32.exe 12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Cflaag32.exe C:\Windows\system32\Cflaag32.exe 13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Cijnnb32.exe C:\Windows\system32\Cijnnb32.exe 14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Cmejnacf.exe C:\Windows\system32\Cmejnacf.exe 15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Cpdfjlbj.exe C:\Windows\system32\Cpdfjlbj.exe 16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\SysWOW64\Cgknlj32.exe C:\Windows\system32\Cgknlj32.exe 17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Cjijhe32.exe C:\Windows\system32\Cjijhe32.exe 18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Cacbdoil.exe C:\Windows\system32\Cacbdoil.exe 19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Cfpkmfhd.exe C:\Windows\system32\Cfpkmfhd.exe 20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Ciogiagg.exe C:\Windows\system32\Ciogiagg.exe 21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Cpipel32.exe C:\Windows\system32\Cpipel32.exe 22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Dgpggiof.exe C:\Windows\system32\Dgpggiof.exe 23⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Diadna32.exe C:\Windows\system32\Diadna32.exe 24⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Dahlpo32.exe C:\Windows\system32\Dahlpo32.exe 25⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Dpklkkla.exe C:\Windows\system32\Dpklkkla.exe 26⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Dgbdlimd.exe C:\Windows\system32\Dgbdlimd.exe 27⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Dfedhe32.exe C:\Windows\system32\Dfedhe32.exe 28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Dicqda32.exe C:\Windows\system32\Dicqda32.exe 29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Dajien32.exe C:\Windows\system32\Dajien32.exe 30⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Dpmiqkjo.exe C:\Windows\system32\Dpmiqkjo.exe 31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4692 -
C:\Windows\SysWOW64\Dfgame32.exe C:\Windows\system32\Dfgame32.exe 32⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Diemiqqp.exe C:\Windows\system32\Diemiqqp.exe 33⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Dmaijo32.exe C:\Windows\system32\Dmaijo32.exe 34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:644 -
C:\Windows\SysWOW64\Dameknaa.exe C:\Windows\system32\Dameknaa.exe 35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5072 -
C:\Windows\SysWOW64\Dckagiqe.exe C:\Windows\system32\Dckagiqe.exe 36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Dfjncepi.exe C:\Windows\system32\Dfjncepi.exe 37⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Djejcc32.exe C:\Windows\system32\Djejcc32.exe 38⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Dmcfpo32.exe C:\Windows\system32\Dmcfpo32.exe 39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Dpbblj32.exe C:\Windows\system32\Dpbblj32.exe 40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Ddnnlinc.exe C:\Windows\system32\Ddnnlinc.exe 41⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Dhijmh32.exe C:\Windows\system32\Dhijmh32.exe 42⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Djgfic32.exe C:\Windows\system32\Djgfic32.exe 43⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Daaofm32.exe C:\Windows\system32\Daaofm32.exe 44⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\Edpkbi32.exe C:\Windows\system32\Edpkbi32.exe 45⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Ejjcocdm.exe C:\Windows\system32\Ejjcocdm.exe 46⤵
- Executes dropped EXE
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Emhpkncq.exe C:\Windows\system32\Emhpkncq.exe 47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\Epglgjbd.exe C:\Windows\system32\Epglgjbd.exe 48⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Ehnchgbf.exe C:\Windows\system32\Ehnchgbf.exe 49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3536 -
C:\Windows\SysWOW64\Ejlpdbbj.exe C:\Windows\system32\Ejlpdbbj.exe 50⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Emklpn32.exe C:\Windows\system32\Emklpn32.exe 51⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Eafhamig.exe C:\Windows\system32\Eafhamig.exe 52⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Ehppng32.exe C:\Windows\system32\Ehppng32.exe 53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Windows\SysWOW64\Efcqicgo.exe C:\Windows\system32\Efcqicgo.exe 54⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Eiameofb.exe C:\Windows\system32\Eiameofb.exe 55⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Emmifn32.exe C:\Windows\system32\Emmifn32.exe 56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3860 -
C:\Windows\SysWOW64\Edgabhfh.exe C:\Windows\system32\Edgabhfh.exe 57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3204 -
C:\Windows\SysWOW64\Ehbmcf32.exe C:\Windows\system32\Ehbmcf32.exe 58⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Ejaiob32.exe C:\Windows\system32\Ejaiob32.exe 59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Emoekm32.exe C:\Windows\system32\Emoekm32.exe 60⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Epnbgill.exe C:\Windows\system32\Epnbgill.exe 61⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Ehejifmo.exe C:\Windows\system32\Ehejifmo.exe 62⤵
- Executes dropped EXE
PID:4000 -
C:\Windows\SysWOW64\Ekcfealb.exe C:\Windows\system32\Ekcfealb.exe 63⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Eiffpn32.exe C:\Windows\system32\Eiffpn32.exe 64⤵
- Executes dropped EXE
PID:4856 -
C:\Windows\SysWOW64\Famnal32.exe C:\Windows\system32\Famnal32.exe 65⤵
- Executes dropped EXE
PID:3192 -
C:\Windows\SysWOW64\Fdljng32.exe C:\Windows\system32\Fdljng32.exe 66⤵
PID:2100 -
C:\Windows\SysWOW64\Ffjgjb32.exe C:\Windows\system32\Ffjgjb32.exe 67⤵
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Fihcfn32.exe C:\Windows\system32\Fihcfn32.exe 68⤵
PID:1236 -
C:\Windows\SysWOW64\Fpbkbhhg.exe C:\Windows\system32\Fpbkbhhg.exe 69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Fhicde32.exe C:\Windows\system32\Fhicde32.exe 70⤵
PID:996 -
C:\Windows\SysWOW64\Fflcobod.exe C:\Windows\system32\Fflcobod.exe 71⤵
PID:1484 -
C:\Windows\SysWOW64\Fikpknng.exe C:\Windows\system32\Fikpknng.exe 72⤵
PID:1856 -
C:\Windows\SysWOW64\Fmflll32.exe C:\Windows\system32\Fmflll32.exe 73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Fpehhh32.exe C:\Windows\system32\Fpehhh32.exe 74⤵
PID:4580 -
C:\Windows\SysWOW64\Fdpdifnm.exe C:\Windows\system32\Fdpdifnm.exe 75⤵
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Fkjleq32.exe C:\Windows\system32\Fkjleq32.exe 76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1304 -
C:\Windows\SysWOW64\Fmihal32.exe C:\Windows\system32\Fmihal32.exe 77⤵
PID:336 -
C:\Windows\SysWOW64\Fpgdng32.exe C:\Windows\system32\Fpgdng32.exe 78⤵
PID:3752 -
C:\Windows\SysWOW64\Fhnmoedd.exe C:\Windows\system32\Fhnmoedd.exe 79⤵
PID:4576 -
C:\Windows\SysWOW64\Fioifm32.exe C:\Windows\system32\Fioifm32.exe 80⤵
- Modifies registry class
PID:1920 -
C:\Windows\SysWOW64\Fmkeglbk.exe C:\Windows\system32\Fmkeglbk.exe 81⤵
PID:3436 -
C:\Windows\SysWOW64\Fdemdf32.exe C:\Windows\system32\Fdemdf32.exe 82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Fgcjpa32.exe C:\Windows\system32\Fgcjpa32.exe 83⤵
- Drops file in System32 directory
PID:544 -
C:\Windows\SysWOW64\Fmmbmkqi.exe C:\Windows\system32\Fmmbmkqi.exe 84⤵
PID:3780 -
C:\Windows\SysWOW64\Gdgjie32.exe C:\Windows\system32\Gdgjie32.exe 85⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Ggffeagi.exe C:\Windows\system32\Ggffeagi.exe 86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3228 -
C:\Windows\SysWOW64\Gpnknf32.exe C:\Windows\system32\Gpnknf32.exe 87⤵
PID:3400 -
C:\Windows\SysWOW64\Ghecpd32.exe C:\Windows\system32\Ghecpd32.exe 88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4492 -
C:\Windows\SysWOW64\Gifogldj.exe C:\Windows\system32\Gifogldj.exe 89⤵
PID:232 -
C:\Windows\SysWOW64\Ganghiel.exe C:\Windows\system32\Ganghiel.exe 90⤵
PID:1984 -
C:\Windows\SysWOW64\Gpqgdf32.exe C:\Windows\system32\Gpqgdf32.exe 91⤵
PID:5132 -
C:\Windows\SysWOW64\Ghgpec32.exe C:\Windows\system32\Ghgpec32.exe 92⤵
PID:5176 -
C:\Windows\SysWOW64\Ggjpqpcd.exe C:\Windows\system32\Ggjpqpcd.exe 93⤵
PID:5220 -
C:\Windows\SysWOW64\Giilml32.exe C:\Windows\system32\Giilml32.exe 94⤵
PID:5268 -
C:\Windows\SysWOW64\Gndhmjjq.exe C:\Windows\system32\Gndhmjjq.exe 95⤵
PID:5312 -
C:\Windows\SysWOW64\Gpcdifjd.exe C:\Windows\system32\Gpcdifjd.exe 96⤵
- Drops file in System32 directory
PID:5356 -
C:\Windows\SysWOW64\Ggmlfp32.exe C:\Windows\system32\Ggmlfp32.exe 97⤵
PID:5400 -
C:\Windows\SysWOW64\Gikibk32.exe C:\Windows\system32\Gikibk32.exe 98⤵
PID:5444 -
C:\Windows\SysWOW64\Gngdcjhn.exe C:\Windows\system32\Gngdcjhn.exe 99⤵
PID:5488 -
C:\Windows\SysWOW64\Gpeaoeha.exe C:\Windows\system32\Gpeaoeha.exe 100⤵
- System Location Discovery: System Language Discovery
PID:5532 -
C:\Windows\SysWOW64\Ghlipchd.exe C:\Windows\system32\Ghlipchd.exe 101⤵
PID:5576 -
C:\Windows\SysWOW64\Gkkelngg.exe C:\Windows\system32\Gkkelngg.exe 102⤵
PID:5620 -
C:\Windows\SysWOW64\Hniahj32.exe C:\Windows\system32\Hniahj32.exe 103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5664 -
C:\Windows\SysWOW64\Hadmihod.exe C:\Windows\system32\Hadmihod.exe 104⤵
- Drops file in System32 directory
PID:5708 -
C:\Windows\SysWOW64\Hdcjednh.exe C:\Windows\system32\Hdcjednh.exe 105⤵
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\Hkmbbn32.exe C:\Windows\system32\Hkmbbn32.exe 106⤵
PID:5796 -
C:\Windows\SysWOW64\Hjpbmklp.exe C:\Windows\system32\Hjpbmklp.exe 107⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Hagjohma.exe C:\Windows\system32\Hagjohma.exe 108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Hdefkcle.exe C:\Windows\system32\Hdefkcle.exe 109⤵
PID:5932 -
C:\Windows\SysWOW64\Hgdbgoki.exe C:\Windows\system32\Hgdbgoki.exe 110⤵
PID:5976 -
C:\Windows\SysWOW64\Hkoogn32.exe C:\Windows\system32\Hkoogn32.exe 111⤵
PID:6024 -
C:\Windows\SysWOW64\Hnnkcibf.exe C:\Windows\system32\Hnnkcibf.exe 112⤵
- Drops file in System32 directory
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Hplgpdaj.exe C:\Windows\system32\Hplgpdaj.exe 113⤵
PID:6112 -
C:\Windows\SysWOW64\Hhcoabbl.exe C:\Windows\system32\Hhcoabbl.exe 114⤵
PID:5128 -
C:\Windows\SysWOW64\Hkakmmap.exe C:\Windows\system32\Hkakmmap.exe 115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5188 -
C:\Windows\SysWOW64\Hnpgiipc.exe C:\Windows\system32\Hnpgiipc.exe 116⤵
PID:5276 -
C:\Windows\SysWOW64\Hpodedpg.exe C:\Windows\system32\Hpodedpg.exe 117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5344 -
C:\Windows\SysWOW64\Hghlbn32.exe C:\Windows\system32\Hghlbn32.exe 118⤵
PID:5408 -
C:\Windows\SysWOW64\Hnbdohnq.exe C:\Windows\system32\Hnbdohnq.exe 119⤵
PID:5476 -
C:\Windows\SysWOW64\Hpaqkd32.exe C:\Windows\system32\Hpaqkd32.exe 120⤵
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Windows\SysWOW64\Hkfdhm32.exe C:\Windows\system32\Hkfdhm32.exe 121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5612 -
C:\Windows\SysWOW64\Ijiecide.exe C:\Windows\system32\Ijiecide.exe 122⤵
PID:5684 -
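Added note and example; this is not part of the sandbox output. The tree is a single chain 122 levels deep: each stage drops an eight-character .exe into the system directory and starts it as the next stage, which in turn drops and starts the next, while some stages also drop the COM server DLLs and re-point the persistence key. The command lines read C:\Windows\system32\... but the image paths are C:\Windows\SysWOW64\..., because the sample is 32-bit and the WOW64 file-system redirector maps system32 to SysWOW64 for it; on a live host that is where the artifacts are. The PowerShell below checks a host for this on-disk footprint: it lists PE files in SysWOW64 that are not Microsoft-signed and separately matches the exact file names recorded in this report. Only the names are taken from the report; the directory choice, the signer heuristic and the output columns are assumptions of the example.

```powershell
# Added example, not part of the sandbox report. Hunts the WOW64 system directory for the
# dropped-binary chain: unsigned or non-Microsoft-signed .exe/.dll files, and exact name
# matches against the artifacts recorded in the report.

# Excerpt of file names taken from this report (Processes tree and InProcServer32 values).
$ReportedNames = @(
    'Bfdkahba.exe', 'Bichmcae.exe', 'Bpmpjm32.exe', 'Cgdhkk32.exe', 'Ciedbcob.exe',
    'Cmapca32.exe', 'Cckipl32.exe', 'Cjeamffe.exe', 'Cigahb32.exe', 'Cpaiemdl.exe',
    'Hkfdhm32.exe', 'Ijiecide.exe',
    'Ocmhlkhh.dll', 'Hjopci32.dll', 'Ajjgmnie.dll', 'Ojbnhojh.dll', 'Ehbodb32.dll', 'Pacold32.dll'
)

# SysWOW64 is where a 32-bit process's writes to "system32" actually land.
# Add "$env:SystemRoot\System32" to widen the sweep; signature checks there take much longer.
$dirs = @("$env:SystemRoot\SysWOW64")

$hits = foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $reasons = @()
            # -contains is case-insensitive, matching how NTFS treats these names.
            if ($ReportedNames -contains $_.Name) { $reasons += 'name recorded in sandbox report' }
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $reasons += 'non-Microsoft signer' }
            if ($reasons) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Size    = $_.Length
                    Created = $_.CreationTime
                    Reason  = $reasons -join '; '
                }
            }
        }
}

$hits | Sort-Object Created -Descending | Format-Table -AutoSize
```

A name match is the high-confidence signal; the signature heuristic catches renamed copies but relies on Get-AuthenticodeSignature recognising catalog-signed OS binaries (PowerShell 5.1 on Windows 10 does), so on older hosts expect Microsoft files to show up as NotSigned and filter them by creation time instead. Sorting by creation time puts a freshly dropped chain at the top, with its stages created seconds apart.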