Analysis
-
max time kernel
104s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01-09-2024 03:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
81a9986ef164e39f82da2e718a0eb740N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
81a9986ef164e39f82da2e718a0eb740N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
81a9986ef164e39f82da2e718a0eb740N.exe
-
Size
96KB
-
MD5
81a9986ef164e39f82da2e718a0eb740
-
SHA1
b4084f7002aeeeddad81e3ba4d4c310e8df5c515
-
SHA256
163800235c4caef23edbc1ed2ca598fd6f47f2ac3a4042701843d7511778cefb
-
SHA512
b4d3c8edba7911ba8bb01d8b75c4835e12834d3239e5ea394a141346277936a567650be3662a2ef09c6a41555e570aa00bef8e3105d2f42c0f9932e198de9fb5
-
SSDEEP
1536:a5DfhTGQRYizg9Qdfhhv9N7HOgq/BOmECMy0QiLiizHNQNdq:6D5rNc9sP9RTq5OmECMyELiAHONdq
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpiplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbplml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljeafb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojqcnhkl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkqfe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfaajnfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojnfihmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhmbqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepleocn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opbean32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hppeim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Johggfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klekfinp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpelhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocefm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiogf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqppci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 81a9986ef164e39f82da2e718a0eb740N.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfcdnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebifmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehkajig.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enkmfolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lqojclne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgifbhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jilfifme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibfnqmpf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hppeim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffceip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agimkk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iamamcop.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihbip32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfjola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpiplm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbocfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkahilkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoideh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipkdek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjmjdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmblagmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfkpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbpedjnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Komhll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaplqh32.exe -
Executes dropped EXE 64 IoCs
pid Process 3936 Dokgdkeh.exe 5104 Dbicpfdk.exe 1432 Ddgplado.exe 832 Dkahilkl.exe 3724 Dbkqfe32.exe 2336 Ddjmba32.exe 2760 Dkceokii.exe 412 Dfiildio.exe 4088 Digehphc.exe 4152 Dndnpf32.exe 576 Dijbno32.exe 4708 Eoideh32.exe 924 Ebgpad32.exe 4944 Emmdom32.exe 4252 Eokqkh32.exe 5056 Eehicoel.exe 2660 Emoadlfo.exe 2728 Ekaapi32.exe 940 Enpmld32.exe 2540 Efgemb32.exe 3676 Emanjldl.exe 5088 Eppjfgcp.exe 5008 Felbnn32.exe 2552 Feoodn32.exe 3632 Fpdcag32.exe 2004 Fealin32.exe 4828 Fpgpgfmh.exe 1940 Fechomko.exe 3168 Fpimlfke.exe 4260 Ffceip32.exe 4308 Fiaael32.exe 1564 Fpkibf32.exe 1924 Gfeaopqo.exe 4620 Gidnkkpc.exe 4160 Glbjggof.exe 3540 Gblbca32.exe 2784 Gifkpknp.exe 4616 Gppcmeem.exe 436 Gemkelcd.exe 1640 Glgcbf32.exe 2108 Gbalopbn.exe 2944 Gikdkj32.exe 2912 Gpelhd32.exe 1728 Geaepk32.exe 4356 Glkmmefl.exe 2812 Gbeejp32.exe 1304 Hfaajnfb.exe 3744 Hmkigh32.exe 1460 Hbhboolf.exe 4332 Hlpfhe32.exe 3120 Hplbickp.exe 4056 Hehkajig.exe 4236 Hlbcnd32.exe 3468 Hekgfj32.exe 1604 Hlepcdoa.exe 4508 Hbohpn32.exe 3360 Hlglidlo.exe 4184 Ibaeen32.exe 3664 Iikmbh32.exe 3616 Imgicgca.exe 1496 Ipeeobbe.exe 3220 Ibcaknbi.exe 324 Ifomll32.exe 4264 Iinjhh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jgbchj32.exe Jcfggkac.exe File created C:\Windows\SysWOW64\Ofkhpmpa.dll Ncnofeof.exe File created C:\Windows\SysWOW64\Mpnmig32.dll Jafdcbge.exe File created C:\Windows\SysWOW64\Bgnpek32.dll Lllagh32.exe File created C:\Windows\SysWOW64\Oqklkbbi.exe Ojqcnhkl.exe File created C:\Windows\SysWOW64\Cmpdihki.dll Fechomko.exe File created C:\Windows\SysWOW64\Oppceehj.dll Nfohgqlg.exe File created C:\Windows\SysWOW64\Jbagbebm.exe Jpbjfjci.exe File opened for modification C:\Windows\SysWOW64\Ncbafoge.exe Nqcejcha.exe File opened for modification C:\Windows\SysWOW64\Gemkelcd.exe Gppcmeem.exe File opened for modification C:\Windows\SysWOW64\Hnnljj32.exe Hlppno32.exe File created C:\Windows\SysWOW64\Lhcali32.exe Laiipofp.exe File created C:\Windows\SysWOW64\Nijqcf32.exe Nbphglbe.exe File created C:\Windows\SysWOW64\Nqcejcha.exe Nimmifgo.exe File created C:\Windows\SysWOW64\Pbekii32.exe Ppgomnai.exe File created C:\Windows\SysWOW64\Ddjmba32.exe Dbkqfe32.exe File opened for modification C:\Windows\SysWOW64\Digehphc.exe Dfiildio.exe File opened for modification C:\Windows\SysWOW64\Komhll32.exe Jlolpq32.exe File created C:\Windows\SysWOW64\Hcjnlmph.dll Cnjdpaki.exe File created C:\Windows\SysWOW64\Ffeifdjo.dll Fbgbnkfm.exe File opened for modification C:\Windows\SysWOW64\Hlppno32.exe Hhdcmp32.exe File created C:\Windows\SysWOW64\Kiodpebj.dll Ioolkncg.exe File created C:\Windows\SysWOW64\Lgibpf32.exe Lqojclne.exe File created C:\Windows\SysWOW64\Nphihiif.dll Oghghb32.exe File created C:\Windows\SysWOW64\Aanfno32.dll Iondqhpl.exe File created C:\Windows\SysWOW64\Iinjhh32.exe Ifomll32.exe File created C:\Windows\SysWOW64\Mlelal32.dll Ilnbicff.exe File opened for modification C:\Windows\SysWOW64\Hpioin32.exe Hioflcbj.exe File created C:\Windows\SysWOW64\Cimjkpjn.dll Ibqnkh32.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Iiopca32.exe File opened for modification C:\Windows\SysWOW64\Ebifmm32.exe Eojiqb32.exe File created C:\Windows\SysWOW64\Gokbgpeg.exe Fiqjke32.exe File created C:\Windows\SysWOW64\Ceknlgnl.dll Gngeik32.exe File opened for modification C:\Windows\SysWOW64\Jpnakk32.exe Jhgiim32.exe File opened for modification C:\Windows\SysWOW64\Lohqnd32.exe Lepleocn.exe File created C:\Windows\SysWOW64\Llgdkbfj.dll Nbphglbe.exe File created C:\Windows\SysWOW64\Hbohpn32.exe Hlepcdoa.exe File opened for modification C:\Windows\SysWOW64\Ipeeobbe.exe Imgicgca.exe File opened for modification C:\Windows\SysWOW64\Igfclkdj.exe Ioolkncg.exe File opened for modification C:\Windows\SysWOW64\Baegibae.exe Bklomh32.exe File opened for modification C:\Windows\SysWOW64\Iiopca32.exe Ipgkjlmg.exe File created C:\Windows\SysWOW64\Pnfiplog.exe Ohlqcagj.exe File created C:\Windows\SysWOW64\Okhbek32.dll Cponen32.exe File created C:\Windows\SysWOW64\Gaebef32.exe Gngeik32.exe File opened for modification C:\Windows\SysWOW64\Ipkdek32.exe Ihdldn32.exe File opened for modification C:\Windows\SysWOW64\Mhoahh32.exe Mbdiknlb.exe File created C:\Windows\SysWOW64\Felbnn32.exe Eppjfgcp.exe File created C:\Windows\SysWOW64\Kidben32.exe Kcjjhdjb.exe File opened for modification C:\Windows\SysWOW64\Ljbnfleo.exe Lakfeodm.exe File created C:\Windows\SysWOW64\Fpgkbmbm.dll Ncbafoge.exe File opened for modification C:\Windows\SysWOW64\Ioolkncg.exe Iplkpa32.exe File opened for modification C:\Windows\SysWOW64\Nadleilm.exe Nnfpinmi.exe File created C:\Windows\SysWOW64\Falmlm32.dll Jikoopij.exe File created C:\Windows\SysWOW64\Mfcjqc32.dll Kjblje32.exe File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe Mqfpckhm.exe File opened for modification C:\Windows\SysWOW64\Ocjoadei.exe Ompfej32.exe File opened for modification C:\Windows\SysWOW64\Enpfan32.exe Ekajec32.exe File opened for modification C:\Windows\SysWOW64\Kheekkjl.exe Kakmna32.exe File opened for modification C:\Windows\SysWOW64\Lakfeodm.exe Lpjjmg32.exe File created C:\Windows\SysWOW64\Jeciaina.dll Dbkqfe32.exe File created C:\Windows\SysWOW64\Hhjhdagb.dll Hlbcnd32.exe File opened for modification C:\Windows\SysWOW64\Jgkmgk32.exe Jocefm32.exe File opened for modification C:\Windows\SysWOW64\Ojfcdnjc.exe Oghghb32.exe File opened for modification C:\Windows\SysWOW64\Ahofoogd.exe Aphnnafb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9756 11180 WerFault.exe 536 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdenmbkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamamcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjdpaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcali32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdbpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblajhje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chdialdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjiipk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Impliekg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfgklkoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojiqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaclqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jihbip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbepme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hppeim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojqcnhkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnocf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaniq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkndie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doojec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikdkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbenoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Digehphc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiglnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbafoge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fohfbpgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohlqcagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghojbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkdek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johggfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhkfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqgedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kakmna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjblje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgibpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbcplpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figgdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iafkld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgkjlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifomll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkmgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbqbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndnpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjmjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbliicp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjiipk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljdkll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igajal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcmdaljn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlppno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocgkan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjjfdfbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll" Iinjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Impliekg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqbpojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dibkjmof.dll" Gikdkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hehkajig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doojec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iikmbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll" Jhgiim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfaajnfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocihgnam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipoheakj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhifomdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll" Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocgkan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dokgdkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfiildio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ihmfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll" Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jphkkpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acankf32.dll" Dkekjdck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpgpgfmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbdfl32.dll" Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enpmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphnbpql.dll" Klekfinp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll" Ocjoadei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnfmbmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Glfmgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iamamcop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oanokhdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpiplm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmmqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeifdjo.dll" Fbgbnkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqfgdpo.dll" Mbdiknlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll" Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddipic32.dll" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll" Mfchlbfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjec32.dll" Kpccmhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll" Enpmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll" Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaafn32.dll" Gemkelcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecipcemb.dll" Fiqjke32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 3936 2256 81a9986ef164e39f82da2e718a0eb740N.exe 84 PID 2256 wrote to memory of 3936 2256 81a9986ef164e39f82da2e718a0eb740N.exe 84 PID 2256 wrote to memory of 3936 2256 81a9986ef164e39f82da2e718a0eb740N.exe 84 PID 3936 wrote to memory of 5104 3936 Dokgdkeh.exe 85 PID 3936 wrote to memory of 5104 3936 Dokgdkeh.exe 85 PID 3936 wrote to memory of 5104 3936 Dokgdkeh.exe 85 PID 5104 wrote to memory of 1432 5104 Dbicpfdk.exe 86 PID 5104 wrote to memory of 1432 5104 Dbicpfdk.exe 86 PID 5104 wrote to memory of 1432 5104 Dbicpfdk.exe 86 PID 1432 wrote to memory of 832 1432 Ddgplado.exe 87 PID 1432 wrote to memory of 832 1432 Ddgplado.exe 87 PID 1432 wrote to memory of 832 1432 Ddgplado.exe 87 PID 832 wrote to memory of 3724 832 Dkahilkl.exe 88 PID 832 wrote to memory of 3724 832 Dkahilkl.exe 88 PID 832 wrote to memory of 3724 832 Dkahilkl.exe 88 PID 3724 wrote to memory of 2336 3724 Dbkqfe32.exe 89 PID 3724 wrote to memory of 2336 3724 Dbkqfe32.exe 89 PID 3724 wrote to memory of 2336 3724 Dbkqfe32.exe 89 PID 2336 wrote to memory of 2760 2336 Ddjmba32.exe 90 PID 2336 wrote to memory of 2760 2336 Ddjmba32.exe 90 PID 2336 wrote to memory of 2760 2336 Ddjmba32.exe 90 PID 2760 wrote to memory of 412 2760 Dkceokii.exe 92 PID 2760 wrote to memory of 412 2760 Dkceokii.exe 92 PID 2760 wrote to memory of 412 2760 Dkceokii.exe 92 PID 412 wrote to memory of 4088 412 Dfiildio.exe 93 PID 412 wrote to memory of 4088 412 Dfiildio.exe 93 PID 412 wrote to memory of 4088 412 Dfiildio.exe 93 PID 4088 wrote to memory of 4152 4088 Digehphc.exe 94 PID 4088 wrote to memory of 4152 4088 Digehphc.exe 94 PID 4088 wrote to memory of 4152 4088 Digehphc.exe 94 PID 4152 wrote to memory of 576 4152 Dndnpf32.exe 95 PID 4152 wrote to memory of 576 4152 Dndnpf32.exe 95 PID 4152 wrote to memory of 576 4152 Dndnpf32.exe 95 PID 576 wrote to memory of 4708 576 Dijbno32.exe 96 PID 576 wrote to memory of 4708 576 Dijbno32.exe 96 PID 576 wrote to memory of 4708 576 Dijbno32.exe 96 PID 4708 wrote to memory of 924 4708 Eoideh32.exe 97 PID 4708 wrote to memory of 924 4708 Eoideh32.exe 97 PID 4708 wrote to memory of 924 4708 Eoideh32.exe 97 PID 924 wrote to memory of 4944 924 Ebgpad32.exe 98 PID 924 wrote to memory of 4944 924 Ebgpad32.exe 98 PID 924 wrote to memory of 4944 924 Ebgpad32.exe 98 PID 4944 wrote to memory of 4252 4944 Emmdom32.exe 99 PID 4944 wrote to memory of 4252 4944 Emmdom32.exe 99 PID 4944 wrote to memory of 4252 4944 Emmdom32.exe 99 PID 4252 wrote to memory of 5056 4252 Eokqkh32.exe 101 PID 4252 wrote to memory of 5056 4252 Eokqkh32.exe 101 PID 4252 wrote to memory of 5056 4252 Eokqkh32.exe 101 PID 5056 wrote to memory of 2660 5056 Eehicoel.exe 102 PID 5056 wrote to memory of 2660 5056 Eehicoel.exe 102 PID 5056 wrote to memory of 2660 5056 Eehicoel.exe 102 PID 2660 wrote to memory of 2728 2660 Emoadlfo.exe 103 PID 2660 wrote to memory of 2728 2660 Emoadlfo.exe 103 PID 2660 wrote to memory of 2728 2660 Emoadlfo.exe 103 PID 2728 wrote to memory of 940 2728 Ekaapi32.exe 104 PID 2728 wrote to memory of 940 2728 Ekaapi32.exe 104 PID 2728 wrote to memory of 940 2728 Ekaapi32.exe 104 PID 940 wrote to memory of 2540 940 Enpmld32.exe 105 PID 940 wrote to memory of 2540 940 Enpmld32.exe 105 PID 940 wrote to memory of 2540 940 Enpmld32.exe 105 PID 2540 wrote to memory of 3676 2540 Efgemb32.exe 106 PID 2540 wrote to memory of 3676 2540 Efgemb32.exe 106 PID 2540 wrote to memory of 3676 2540 Efgemb32.exe 106 PID 3676 wrote to memory of 5088 3676 Emanjldl.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\81a9986ef164e39f82da2e718a0eb740N.exe"C:\Users\Admin\AppData\Local\Temp\81a9986ef164e39f82da2e718a0eb740N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Dfiildio.exeC:\Windows\system32\Dfiildio.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Dndnpf32.exeC:\Windows\system32\Dndnpf32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\Eehicoel.exeC:\Windows\system32\Eehicoel.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ekaapi32.exeC:\Windows\system32\Ekaapi32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Enpmld32.exeC:\Windows\system32\Enpmld32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5088 -
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe24⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Feoodn32.exeC:\Windows\system32\Feoodn32.exe25⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Fpdcag32.exeC:\Windows\system32\Fpdcag32.exe26⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe27⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:4828 -
C:\Windows\SysWOW64\Fechomko.exeC:\Windows\system32\Fechomko.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe30⤵
- Executes dropped EXE
PID:3168 -
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4260 -
C:\Windows\SysWOW64\Fiaael32.exeC:\Windows\system32\Fiaael32.exe32⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe33⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe34⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe35⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe36⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe37⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\Gifkpknp.exeC:\Windows\system32\Gifkpknp.exe38⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4616 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:436 -
C:\Windows\SysWOW64\Glgcbf32.exeC:\Windows\system32\Glgcbf32.exe41⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe42⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Geaepk32.exeC:\Windows\system32\Geaepk32.exe45⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Glkmmefl.exeC:\Windows\system32\Glkmmefl.exe46⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Gbeejp32.exeC:\Windows\system32\Gbeejp32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Hfaajnfb.exeC:\Windows\system32\Hfaajnfb.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1304 -
C:\Windows\SysWOW64\Hmkigh32.exeC:\Windows\system32\Hmkigh32.exe49⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Hbhboolf.exeC:\Windows\system32\Hbhboolf.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Hlpfhe32.exeC:\Windows\system32\Hlpfhe32.exe51⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe52⤵
- Executes dropped EXE
PID:3120 -
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4056 -
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4236 -
C:\Windows\SysWOW64\Hekgfj32.exeC:\Windows\system32\Hekgfj32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Hlepcdoa.exeC:\Windows\system32\Hlepcdoa.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Hbohpn32.exeC:\Windows\system32\Hbohpn32.exe57⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Hlglidlo.exeC:\Windows\system32\Hlglidlo.exe58⤵
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe59⤵
- Executes dropped EXE
PID:4184 -
C:\Windows\SysWOW64\Iikmbh32.exeC:\Windows\system32\Iikmbh32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3664 -
C:\Windows\SysWOW64\Imgicgca.exeC:\Windows\system32\Imgicgca.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3616 -
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe62⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Ibcaknbi.exeC:\Windows\system32\Ibcaknbi.exe63⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Ifomll32.exeC:\Windows\system32\Ifomll32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Iinjhh32.exeC:\Windows\system32\Iinjhh32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe66⤵PID:1332
-
C:\Windows\SysWOW64\Ipgbdbqb.exeC:\Windows\system32\Ipgbdbqb.exe67⤵PID:2504
-
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4640 -
C:\Windows\SysWOW64\Igajal32.exeC:\Windows\system32\Igajal32.exe69⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Iedjmioj.exeC:\Windows\system32\Iedjmioj.exe70⤵PID:776
-
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe71⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Ibhkfm32.exeC:\Windows\system32\Ibhkfm32.exe72⤵
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Iefgbh32.exeC:\Windows\system32\Iefgbh32.exe73⤵PID:540
-
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Iplkpa32.exeC:\Windows\system32\Iplkpa32.exe75⤵
- Drops file in System32 directory
PID:4936 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe76⤵
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Igfclkdj.exeC:\Windows\system32\Igfclkdj.exe77⤵PID:4532
-
C:\Windows\SysWOW64\Ieidhh32.exeC:\Windows\system32\Ieidhh32.exe78⤵PID:1708
-
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\Ipoheakj.exeC:\Windows\system32\Ipoheakj.exe80⤵
- Modifies registry class
PID:3796 -
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe81⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Jghpbk32.exeC:\Windows\system32\Jghpbk32.exe82⤵PID:4840
-
C:\Windows\SysWOW64\Jiglnf32.exeC:\Windows\system32\Jiglnf32.exe83⤵
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Jpaekqhh.exeC:\Windows\system32\Jpaekqhh.exe84⤵PID:2572
-
C:\Windows\SysWOW64\Jocefm32.exeC:\Windows\system32\Jocefm32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\SysWOW64\Jgkmgk32.exeC:\Windows\system32\Jgkmgk32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Windows\SysWOW64\Jiiicf32.exeC:\Windows\system32\Jiiicf32.exe87⤵PID:3812
-
C:\Windows\SysWOW64\Jmeede32.exeC:\Windows\system32\Jmeede32.exe88⤵PID:452
-
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe89⤵PID:432
-
C:\Windows\SysWOW64\Jcanll32.exeC:\Windows\system32\Jcanll32.exe90⤵PID:552
-
C:\Windows\SysWOW64\Jgmjmjnb.exeC:\Windows\system32\Jgmjmjnb.exe91⤵PID:2848
-
C:\Windows\SysWOW64\Jilfifme.exeC:\Windows\system32\Jilfifme.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Jngbjd32.exeC:\Windows\system32\Jngbjd32.exe93⤵PID:2960
-
C:\Windows\SysWOW64\Jpenfp32.exeC:\Windows\system32\Jpenfp32.exe94⤵PID:2948
-
C:\Windows\SysWOW64\Jcdjbk32.exeC:\Windows\system32\Jcdjbk32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5144 -
C:\Windows\SysWOW64\Jgpfbjlo.exeC:\Windows\system32\Jgpfbjlo.exe96⤵PID:5192
-
C:\Windows\SysWOW64\Jinboekc.exeC:\Windows\system32\Jinboekc.exe97⤵PID:5264
-
C:\Windows\SysWOW64\Jllokajf.exeC:\Windows\system32\Jllokajf.exe98⤵PID:5312
-
C:\Windows\SysWOW64\Jphkkpbp.exeC:\Windows\system32\Jphkkpbp.exe99⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Jcfggkac.exeC:\Windows\system32\Jcfggkac.exe100⤵
- Drops file in System32 directory
PID:5424 -
C:\Windows\SysWOW64\Jgbchj32.exeC:\Windows\system32\Jgbchj32.exe101⤵PID:5480
-
C:\Windows\SysWOW64\Jjpode32.exeC:\Windows\system32\Jjpode32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5552 -
C:\Windows\SysWOW64\Jlolpq32.exeC:\Windows\system32\Jlolpq32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5608 -
C:\Windows\SysWOW64\Komhll32.exeC:\Windows\system32\Komhll32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5652 -
C:\Windows\SysWOW64\Kegpifod.exeC:\Windows\system32\Kegpifod.exe105⤵PID:5696
-
C:\Windows\SysWOW64\Kjblje32.exeC:\Windows\system32\Kjblje32.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5744 -
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe107⤵PID:5792
-
C:\Windows\SysWOW64\Koodbl32.exeC:\Windows\system32\Koodbl32.exe108⤵PID:5848
-
C:\Windows\SysWOW64\Kckqbj32.exeC:\Windows\system32\Kckqbj32.exe109⤵PID:5892
-
C:\Windows\SysWOW64\Kgflcifg.exeC:\Windows\system32\Kgflcifg.exe110⤵PID:5936
-
C:\Windows\SysWOW64\Klcekpdo.exeC:\Windows\system32\Klcekpdo.exe111⤵PID:5980
-
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe112⤵PID:6024
-
C:\Windows\SysWOW64\Kgiiiidd.exeC:\Windows\system32\Kgiiiidd.exe113⤵
- System Location Discovery: System Language Discovery
PID:6068 -
C:\Windows\SysWOW64\Klfaapbl.exeC:\Windows\system32\Klfaapbl.exe114⤵PID:6112
-
C:\Windows\SysWOW64\Kgkfnh32.exeC:\Windows\system32\Kgkfnh32.exe115⤵PID:2380
-
C:\Windows\SysWOW64\Knenkbio.exeC:\Windows\system32\Knenkbio.exe116⤵PID:5252
-
C:\Windows\SysWOW64\Kpcjgnhb.exeC:\Windows\system32\Kpcjgnhb.exe117⤵PID:5320
-
C:\Windows\SysWOW64\Kgnbdh32.exeC:\Windows\system32\Kgnbdh32.exe118⤵PID:5412
-
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5508 -
C:\Windows\SysWOW64\Lpfgmnfp.exeC:\Windows\system32\Lpfgmnfp.exe120⤵PID:5596
-
C:\Windows\SysWOW64\Lgpoihnl.exeC:\Windows\system32\Lgpoihnl.exe121⤵PID:5668
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-