Analysis

max time kernel: 92s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-10-2024 06:01

Behavioral task behavioral1
Sample: 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
Resource: win10v2004-20240802-en

The signatures recorded below come from the behavioral2 run (platform windows10-2004_x64); the WOW6432Node registry paths and the SysWOW64 file paths in them are what a 32-bit sample leaves behind on that 64-bit image.

General

Target: 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
Size: 128KB
MD5: adf8527fd0cd380fb7f55d9eaa214700
SHA1: bd2fd5691bfcdfb5a7b46b7972c6c6569bdb7208
SHA256: 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152
SHA512: c1dbf8ac06fb7ab0f8783c8535847711d1c5eaa2b558b496b24cf918c02e1a50f582967b53a74c28af5f5c2a7f7cbb893b7e41dadd4d5a6d725db88ac1f462a3
SSDEEP: 3072:+LCGvY2v2lSs2Mymz7E5AtiUF78NPBYBoBd9B9pax3FQo7fnEBctcp:+LtjvESs2My2uAti+wNZYBoBd9B9paxK
Malware Config

Extracted family: berbew

C2 URLs (reproduced exactly as the config extractor reported them, including the host component "f"):
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

The third entry is a printf-style template (%s, %i, %09u, %02d) that the bot fills in at runtime, so the literal string will not appear on the wire; match on the path prefix /piplog.php? and the colon-separated query shape rather than on the whole string.
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

All 64 rows touch the same key, so they are grouped by action. Every "Key created" row references

\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

and every "Set value (str)" row writes

\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"

Key created (33 processes): Blmafnhb.exe, Hdepkg32.exe, Jbncfi32.exe, Cdlhki32.exe, Mdqncffd.exe, Odfqecdl.exe, Dmpmpm32.exe, Kbcehe32.exe, Opmakd32.exe, Dffdcccb.exe, Qfolehep.exe, Bagfooep.exe, Hmjlfecl.exe, Foholc32.exe, Afebeg32.exe, Bnhjbcfl.exe, Kmdqjo32.exe, Dkpjih32.exe, Nlhbdgia.exe, Ahffjq32.exe, Pdoclbla.exe, Pjcbeh32.exe, Aqfmhacc.exe, Odcdpd32.exe, Pgdfim32.exe, Ifbifh32.exe, Jmaknb32.exe, Jbqplhkf.exe, Llbpbjlj.exe, Bfoelf32.exe, Cakpjn32.exe, Cehbdcmp.exe, Aedfnoii.exe

Set value (str) (31 processes): Ddfbln32.exe, Kmogopcb.exe, Kblphgai.exe, Ekljdf32.exe, Nidmml32.exe, Bhckqh32.exe, Gkffacpo.exe, Qqadmagh.exe, Bbbphh32.exe, Hooncplh.exe, Ncakqaqo.exe, Ofijckhg.exe, Cabfjmkc.exe, Eeoalp32.exe, Aejfce32.exe, Boiamiih.exe, Ledojqhb.exe, Lbhocegl.exe, Npcodf32.exe, Ffmnmnle.exe, Bmimhpoj.exe, Ddklgmeg.exe, Qfolehep.exe, Hkaemafa.exe, Hbknjkno.exe, Aqdqbaee.exe, Dkbpda32.exe, Kmadepao.exe, Pfcmij32.exe, Kemhia32.exe, Npoeif32.exe
Executes dropped EXE (64 IoCs)

pid   Process
2844  Anmaakce.exe
4520  Aegine32.exe
1512  Ahffjq32.exe
4128  Anpnfkac.exe
4760  Aejfce32.exe
4332  Ahhbpp32.exe
2264  Anbklj32.exe
5116  Bdocda32.exe
3956  Bjikaked.exe
1124  Bbpcbiff.exe
4556  Bdapja32.exe
2524  Bbbphh32.exe
3048  Bhohpo32.exe
404   Boiamiih.exe
3000  Bdfiephp.exe
3432  Blmafnhb.exe
1256  Bajjodfi.exe
3540  Bhdbkonf.exe
620   Bonjhi32.exe
5000  Cehbdcmp.exe
4364  Clakam32.exe
3900  Copgnh32.exe
696   Caocjd32.exe
5024  Cdmofoag.exe
4384  Ckghbi32.exe
2944  Cellpb32.exe
2508  Cdolkope.exe
3160  Ckidhi32.exe
4744  Cacmecno.exe
1708  Cdaiaonb.exe
512   Cklanieo.exe
1184  Cogmng32.exe
1752  Clkngl32.exe
3508  Decbqabb.exe
1012  Ddfbln32.exe
3016  Dkpjih32.exe
684   Dajbebhf.exe
3212  Defofa32.exe
1788  Dhdkbl32.exe
4312  Dkbgnh32.exe
2616  Damokbfd.exe
3236  Ddklgmeg.exe
5048  Dhfhhl32.exe
4888  Dkeddgmd.exe
1408  Daolqa32.exe
3216  Ddmhmm32.exe
4656  Dkgqigka.exe
3328  Docmjf32.exe
1916  Daaifa32.exe
2520  Dhkackjk.exe
1328  Dkjmogio.exe
2420  Eoeipeah.exe
408   Eeoalp32.exe
4020  Ekljdf32.exe
3528  Eccbed32.exe
392   Eddomlmm.exe
816   Ehpjnk32.exe
3632  Edgkcl32.exe
3500  Ekqcpfbg.exe
4308  Eolopd32.exe
400   Eakllp32.exe
3104  Ehddijaq.exe
1036  Ekcpeeqd.exe
368   Eamhbp32.exe
Drops file in System32 directory (64 IoCs)

description                   ioc                               Process
File created                  C:\Windows\SysWOW64\Aqdqbaee.exe  Anedfffb.exe
File created                  C:\Windows\SysWOW64\Kemhia32.exe  Kbolmf32.exe
File created                  C:\Windows\SysWOW64\Mchhjbii.exe  Mpjlngje.exe
File created                  C:\Windows\SysWOW64\Nfpgmmpb.exe  Ncakqaqo.exe
File created                  C:\Windows\SysWOW64\Opmakd32.exe  Onneoi32.exe
File created                  C:\Windows\SysWOW64\Mlibenih.dll  Cdlhki32.exe
File created                  C:\Windows\SysWOW64\Fqehlmla.dll  Ckghbi32.exe
File created                  C:\Windows\SysWOW64\Danefkqe.exe  Dopijpab.exe
File opened for modification  C:\Windows\SysWOW64\Jeolhdjj.exe  Jbqplhkf.exe
File opened for modification  C:\Windows\SysWOW64\Bjhdgeai.exe  Bgjhkjbe.exe
File opened for modification  C:\Windows\SysWOW64\Qqadmagh.exe  Qncgqf32.exe
File opened for modification  C:\Windows\SysWOW64\Anedfffb.exe  Qfolehep.exe
File created                  C:\Windows\SysWOW64\Cfhdmdld.dll  Anedfffb.exe
File opened for modification  C:\Windows\SysWOW64\Ifbifh32.exe  Ipiajndn.exe
File created                  C:\Windows\SysWOW64\Jmcgcamo.exe  Jempbd32.exe
File opened for modification  C:\Windows\SysWOW64\Kmadepao.exe  Kekldbpm.exe
File created                  C:\Windows\SysWOW64\Kbolmf32.exe  Kdllaihl.exe
File opened for modification  C:\Windows\SysWOW64\Lipkkp32.exe  Ledojqhb.exe
File created                  C:\Windows\SysWOW64\Iajphd32.dll  Onekoh32.exe
File created                  C:\Windows\SysWOW64\Aemgbbfa.dll  Pfqpcj32.exe
File created                  C:\Windows\SysWOW64\Acfpbg32.dll  Ipiajndn.exe
File opened for modification  C:\Windows\SysWOW64\Hbiadl32.exe  Hokdhp32.exe
File opened for modification  C:\Windows\SysWOW64\Jmaknb32.exe  Ifgbahhe.exe
File created                  C:\Windows\SysWOW64\Ecpakh32.dll  Ampkbagd.exe
File created                  C:\Windows\SysWOW64\Ajcklf32.exe  Ageopj32.exe
File created                  C:\Windows\SysWOW64\Aeioio32.exe  Ambgha32.exe
File created                  C:\Windows\SysWOW64\Bmfqcqql.exe  Bjhdgeai.exe
File created                  C:\Windows\SysWOW64\Flgfjh32.exe  Fhljjiki.exe
File created                  C:\Windows\SysWOW64\Hlncijdi.dll  Kemhia32.exe
File created                  C:\Windows\SysWOW64\Qncgqf32.exe  Qflpoi32.exe
File opened for modification  C:\Windows\SysWOW64\Bmddma32.exe  Bjfhae32.exe
File created                  C:\Windows\SysWOW64\Dkeddgmd.exe  Dhfhhl32.exe
File opened for modification  C:\Windows\SysWOW64\Ekljdf32.exe  Eeoalp32.exe
File opened for modification  C:\Windows\SysWOW64\Fleidhfd.exe  Fekahn32.exe
File created                  C:\Windows\SysWOW64\Nngonjqd.exe  Nfpgmmpb.exe
File created                  C:\Windows\SysWOW64\Fikqmk32.dll  Dkjmogio.exe
File opened for modification  C:\Windows\SysWOW64\Fclelb32.exe  Ekemke32.exe
File created                  C:\Windows\SysWOW64\Cndekieb.dll  Hmjlfecl.exe
File created                  C:\Windows\SysWOW64\Icimdkmp.dll  Ifeflh32.exe
File opened for modification  C:\Windows\SysWOW64\Ipmjen32.exe  Imonhb32.exe
File created                  C:\Windows\SysWOW64\Qqoggb32.exe  Pnakkf32.exe
File created                  C:\Windows\SysWOW64\Gdphjm32.dll  Ekqcpfbg.exe
File created                  C:\Windows\SysWOW64\Bagfooep.exe  Bnhjbcfl.exe
File created                  C:\Windows\SysWOW64\Okhbpe32.dll  Ekemke32.exe
File created                  C:\Windows\SysWOW64\Gedikbhp.dll  Hcmgin32.exe
File created                  C:\Windows\SysWOW64\Finkejjm.dll  Jpgmkl32.exe
File opened for modification  C:\Windows\SysWOW64\Gomhgbmn.exe  Flnlkgnj.exe
File created                  C:\Windows\SysWOW64\Qhbncj32.dll  Ngpcgp32.exe
File created                  C:\Windows\SysWOW64\Kggeihia.dll  Olcbpe32.exe
File created                  C:\Windows\SysWOW64\Ocmjlpfa.exe  Odjjqc32.exe
File opened for modification  C:\Windows\SysWOW64\Anhaledo.exe  Acbmnmdi.exe
File created                  C:\Windows\SysWOW64\Dhfhhl32.exe  Ddklgmeg.exe
File created                  C:\Windows\SysWOW64\Jdeikd32.dll  Ofncnkcb.exe
File created                  C:\Windows\SysWOW64\Cakpjn32.exe  Cnmcnb32.exe
File created                  C:\Windows\SysWOW64\Cdlhki32.exe  Cmbpoofo.exe
File created                  C:\Windows\SysWOW64\Kngnfp32.dll  Dfakhc32.exe
File opened for modification  C:\Windows\SysWOW64\Fllpegpl.exe  Fdegdj32.exe
File created                  C:\Windows\SysWOW64\Akfdeb32.dll  Mmgfgl32.exe
File opened for modification  C:\Windows\SysWOW64\Gkjomb32.exe  Gmgoaeeo.exe
File created                  C:\Windows\SysWOW64\Jfcbmfnh.exe  Jececc32.exe
File created                  C:\Windows\SysWOW64\Dkgqigka.exe  Ddmhmm32.exe
File created                  C:\Windows\SysWOW64\Flnlkgnj.exe  Fcfhba32.exe
File created                  C:\Windows\SysWOW64\Cjfqhcei.exe  Cdlhki32.exe
File created                  C:\Windows\SysWOW64\Pkgfhh32.dll  Blmafnhb.exe
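Every drop above lands in C:\Windows\SysWOW64 under a fresh 8-letter name, so a filename list is useless as an indicator the next day. The hunt a responder actually wants is "which PE files appeared in System32 or SysWOW64 recently that Windows did not sign". The script below is an added example written for this page; it is not part of the sandbox report or of the Berbew sample. It assumes a Windows host with PowerShell 3 or later; the 48-hour window, the two directories and the choice to treat an empty CompanyName as a secondary signal are assumptions to tune for your estate.

```powershell
# Added example (not from the sandbox report or the Berbew sample): list executables and
# DLLs created recently under System32 and SysWOW64 whose Authenticode or catalog
# signature does not verify. Window and directories are assumptions, not report data.
param(
    [int]$Hours = 48,
    [string[]]$Dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
)

$since = (Get-Date).ToUniversalTime().AddHours(-$Hours)

$hits = foreach ($dir in $Dirs) {
    # Wildcard path so -Include applies without -Recurse; subdirectories are skipped on purpose.
    Get-ChildItem -Path "$dir\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTimeUtc -ge $since } |
        ForEach-Object {
            # On Windows 8 and later Get-AuthenticodeSignature also verifies catalog-signed
            # Microsoft binaries (Status = Valid), so anything else deserves a look.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Created   = $_.CreationTimeUtc
                Path      = $_.FullName
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Company   = $_.VersionInfo.CompanyName
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# An unverifiable signature is the primary signal; a missing CompanyName is a weaker,
# secondary one and is an assumption of this example rather than something the report shows.
$suspect = $hits | Where-Object {
    $_.SigStatus -ne 'Valid' -or [string]::IsNullOrEmpty($_.Company)
}

$suspect | Sort-Object Created | Format-Table Created, SigStatus, Company, Path -AutoSize
```

Run it elevated so that every file in the two directories is readable. Hashes in the output are what you compare against the SHA256 at the top of this report and against the dropped-file hashes your EDR recorded; a hit with SigStatus NotSigned and no CompanyName in SysWOW64 on a machine that also has the ShellServiceObjectDelayLoad value from this report is strong corroboration, but an unsigned file on its own is a lead, not a verdict.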
Program crash (1 IoC)

pid   pid_target  Process       procid_target
8944  9204        WerFault.exe  436
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of the victim host in order to infer its geographical location.

All 64 rows are the same read, Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, performed by each of the following 64 processes:

Hbiadl32.exe, Ngpcgp32.exe, Agbbjkhm.exe, Cnopcb32.exe, Bjikaked.exe, Daaifa32.exe, Ekqcpfbg.exe, Fleidhfd.exe, Dfakhc32.exe, Dkeddgmd.exe, Ieapgf32.exe, Leabdaje.exe, Bfoelf32.exe, Ammnmbig.exe, Ekcpeeqd.exe, Hoakioje.exe, Jempbd32.exe, Pfcmij32.exe, Ccjlfi32.exe, Docmjf32.exe, Jfqegfpj.exe, Kdgbfj32.exe, Qfolehep.exe, Hchmno32.exe, Liddfolf.exe, Npcodf32.exe, Adplbp32.exe, Bcqipk32.exe, Cmifon32.exe, Ddjemgal.exe, Blmafnhb.exe, Lipkkp32.exe, Mpcenhpn.exe, Ajcklf32.exe, Dhagbfnj.exe, Aegine32.exe, Edkdnkge.exe, Ipiajndn.exe, Kbcehe32.exe, Hcmgin32.exe, Ifeflh32.exe, Lffhjcmb.exe, Mpgoig32.exe, Dhfhhl32.exe, Fojlabop.exe, Gbdgildf.exe, Hdepkg32.exe, Cdlhki32.exe, Dkdmia32.exe, Nidmml32.exe, Pfjcji32.exe, Acbmnmdi.exe, Bnhjbcfl.exe, Nngonjqd.exe, Cffkleae.exe, Djpcnbmn.exe, Clkngl32.exe, Ddfbln32.exe, Ifbifh32.exe, Jpgmkl32.exe, Nlefngkd.exe, Pmanaccd.exe, Cjkjcb32.exe, Dopijpab.exe

This key is read by many legitimate programs during locale initialisation; on its own it carries no weight. Its value here is that every generation of the dropped chain performs the same read, which ties the 64 processes together.
Modifies registry class (64 IoCs)

All 64 rows are under the COM registration for the CLSID that the ShellServiceObjectDelayLoad signature above writes, and they fall into three actions.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 (20 processes): Gfpcjk32.exe, Gcmnbpaa.exe, Odcdpd32.exe, Fadobo32.exe, Pnlapgnl.exe, Cjddbcgk.exe, Lghdockp.exe, Cmifon32.exe, Dmpmpm32.exe, Aegine32.exe, Kdllaihl.exe, Kbcehe32.exe, Jlfhon32.exe, Mdqncffd.exe, Bfoelf32.exe, Fojlabop.exe, Imekbc32.exe, Odmgfb32.exe, Bccfej32.exe, Mebkko32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" (18 processes): Ipmjen32.exe, Oloidfcj.exe, Odfqecdl.exe, Opmakd32.exe, Gfkjolpe.exe, Jliden32.exe, Fdegdj32.exe, Jmfdiakl.exe, Gbdgildf.exe, Ddmhmm32.exe, Jmcgcamo.exe, Cnopcb32.exe, Ocmjlpfa.exe, Copgnh32.exe, Llpcljnl.exe, Lffhjcmb.exe, Hmlhle32.exe, Dopijpab.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = path of the DLL Explorer.exe will load (26 rows; each process registers a different DLL name):

Process       (default) value
Cdaiaonb.exe  "C:\\Windows\\SysWow64\\Kogfbg32.dll"
Hmlhle32.exe  "C:\\Windows\\SysWow64\\Kemcdk32.dll"
Jbncfi32.exe  "C:\\Windows\\SysWow64\\Jkcgqaog.dll"
Deckfkof.exe  "C:\\Windows\\SysWow64\\Cnfclkak.dll"
Pfjcji32.exe  "C:\\Windows\\SysWow64\\Jlfciocm.dll"
Njnpck32.exe  "C:\\Windows\\SysWow64\\Eqjdll32.dll"
Pckfnn32.exe  "C:\\Windows\\SysWow64\\Qjahhilp.dll"
Cogmng32.exe  "C:\\Windows\\SysWow64\\Hklijm32.dll"
Flnlkgnj.exe  "C:\\Windows\\SysWow64\\Lemmfe32.dll"
Qfolehep.exe  "C:\\Windows\\SysWow64\\Kbheqgmg.dll"
Cjfqhcei.exe  "C:\\Windows\\SysWow64\\Pafndn32.dll"
Fojlabop.exe  "C:\\Windows\\SysWow64\\Hbaofa32.dll"
Mebkko32.exe  "C:\\Windows\\SysWow64\\Kblfkanb.dll"
Ogkcbn32.exe  "C:\\Windows\\SysWow64\\Eanlej32.dll"
Aefbcogf.exe  "C:\\Windows\\SysWow64\\Gkibbp32.dll"
Baicdncn.exe  "C:\\Windows\\SysWow64\\Fdkhpc32.dll"
Bhohpo32.exe  "C:\\Windows\\SysWow64\\Gecqkjag.dll"
Edkdnkge.exe  "C:\\Windows\\SysWow64\\Qlncnbnn.dll"
Lipkkp32.exe  "C:\\Windows\\SysWow64\\Ongbko32.dll"
Ekcpeeqd.exe  "C:\\Windows\\SysWow64\\Oolbbjep.dll"
Ghgiegak.exe  "C:\\Windows\\SysWow64\\Emkhjjld.dll"
Fklckdhj.exe  "C:\\Windows\\SysWow64\\Bqahee32.dll"
Iecmledg.exe  "C:\\Windows\\SysWow64\\Khfbdodj.dll"
Mpjlngje.exe  "C:\\Windows\\SysWow64\\Ohneobmn.dll"
Gbdgildf.exe  "C:\\Windows\\SysWow64\\Fppfio32.dll"
Kmadepao.exe  "C:\\Windows\\SysWow64\\Lkjllg32.dll"

Taken together with the ShellServiceObjectDelayLoad value, this is the full persistence mechanism: Explorer.exe reads the SSODL value name "Web Event Logger", gets CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, looks up that CLSID's InProcServer32, and loads whichever of these DLLs was registered last, in-process, at logon. The value name and CLSID are stable across the run; the DLL name is not.
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4840 wrote to memory of 2844 4840 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe 81
PID 4840 wrote to memory of 2844 4840 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe 81
PID 4840 wrote to memory of 2844 4840 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe 81
PID 2844 wrote to memory of 4520 2844 Anmaakce.exe 82
PID 2844 wrote to memory of 4520 2844 Anmaakce.exe 82
PID 2844 wrote to memory of 4520 2844 Anmaakce.exe 82
PID 4520 wrote to memory of 1512 4520 Aegine32.exe 83
PID 4520 wrote to memory of 1512 4520 Aegine32.exe 83
PID 4520 wrote to memory of 1512 4520 Aegine32.exe 83
PID 1512 wrote to memory of 4128 1512 Ahffjq32.exe 84
PID 1512 wrote to memory of 4128 1512 Ahffjq32.exe 84
PID 1512 wrote to memory of 4128 1512 Ahffjq32.exe 84
PID 4128 wrote to memory of 4760 4128 Anpnfkac.exe 85
PID 4128 wrote to memory of 4760 4128 Anpnfkac.exe 85
PID 4128 wrote to memory of 4760 4128 Anpnfkac.exe 85
PID 4760 wrote to memory of 4332 4760 Aejfce32.exe 86
PID 4760 wrote to memory of 4332 4760 Aejfce32.exe 86
PID 4760 wrote to memory of 4332 4760 Aejfce32.exe 86
PID 4332 wrote to memory of 2264 4332 Ahhbpp32.exe 87
PID 4332 wrote to memory of 2264 4332 Ahhbpp32.exe 87
PID 4332 wrote to memory of 2264 4332 Ahhbpp32.exe 87
PID 2264 wrote to memory of 5116 2264 Anbklj32.exe 88
PID 2264 wrote to memory of 5116 2264 Anbklj32.exe 88
PID 2264 wrote to memory of 5116 2264 Anbklj32.exe 88
PID 5116 wrote to memory of 3956 5116 Bdocda32.exe 89
PID 5116 wrote to memory of 3956 5116 Bdocda32.exe 89
PID 5116 wrote to memory of 3956 5116 Bdocda32.exe 89
PID 3956 wrote to memory of 1124 3956 Bjikaked.exe 90
PID 3956 wrote to memory of 1124 3956 Bjikaked.exe 90
PID 3956 wrote to memory of 1124 3956 Bjikaked.exe 90
PID 1124 wrote to memory of 4556 1124 Bbpcbiff.exe 91
PID 1124 wrote to memory of 4556 1124 Bbpcbiff.exe 91
PID 1124 wrote to memory of 4556 1124 Bbpcbiff.exe 91
PID 4556 wrote to memory of 2524 4556 Bdapja32.exe 92
PID 4556 wrote to memory of 2524 4556 Bdapja32.exe 92
PID 4556 wrote to memory of 2524 4556 Bdapja32.exe 92
PID 2524 wrote to memory of 3048 2524 Bbbphh32.exe 93
PID 2524 wrote to memory of 3048 2524 Bbbphh32.exe 93
PID 2524 wrote to memory of 3048 2524 Bbbphh32.exe 93
PID 3048 wrote to memory of 404 3048 Bhohpo32.exe 94
PID 3048 wrote to memory of 404 3048 Bhohpo32.exe 94
PID 3048 wrote to memory of 404 3048 Bhohpo32.exe 94
PID 404 wrote to memory of 3000 404 Boiamiih.exe 95
PID 404 wrote to memory of 3000 404 Boiamiih.exe 95
PID 404 wrote to memory of 3000 404 Boiamiih.exe 95
PID 3000 wrote to memory of 3432 3000 Bdfiephp.exe 96
PID 3000 wrote to memory of 3432 3000 Bdfiephp.exe 96
PID 3000 wrote to memory of 3432 3000 Bdfiephp.exe 96
PID 3432 wrote to memory of 1256 3432 Blmafnhb.exe 97
PID 3432 wrote to memory of 1256 3432 Blmafnhb.exe 97
PID 3432 wrote to memory of 1256 3432 Blmafnhb.exe 97
PID 1256 wrote to memory of 3540 1256 Bajjodfi.exe 98
PID 1256 wrote to memory of 3540 1256 Bajjodfi.exe 98
PID 1256 wrote to memory of 3540 1256 Bajjodfi.exe 98
PID 3540 wrote to memory of 620 3540 Bhdbkonf.exe 99
PID 3540 wrote to memory of 620 3540 Bhdbkonf.exe 99
PID 3540 wrote to memory of 620 3540 Bhdbkonf.exe 99
PID 620 wrote to memory of 5000 620 Bonjhi32.exe 100
PID 620 wrote to memory of 5000 620 Bonjhi32.exe 100
PID 620 wrote to memory of 5000 620 Bonjhi32.exe 100
PID 5000 wrote to memory of 4364 5000 Cehbdcmp.exe 101
PID 5000 wrote to memory of 4364 5000 Cehbdcmp.exe 101
PID 5000 wrote to memory of 4364 5000 Cehbdcmp.exe 101
PID 4364 wrote to memory of 3900 4364 Clakam32.exe 102
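The two IoC tables above carry the whole story of this sample in flat rows: the WriteProcessMemory rows give the spawn chain (each dropped copy writes into the next one it starts, and the sandbox prints every spawn three times), and the registry rows give the persistence in two halves that only make sense together, a ShellServiceObjectDelayLoad value naming a CLSID, and that CLSID's InProcServer32 default value naming a dropped DLL under SysWOW64, which Explorer then loads at every logon. The following is an added example, not part of the sandbox report or of any vendor tooling: a small Python parser for both row formats that collapses the triplicated spawn rows into a chain and joins the SSODL name to the DLL it resolves to. The column layout it assumes ("description pid Process procid_target", and "Key created" / "Set value (str)" rows ending in the acting process name) is taken from the headers shown on this page; the sample rows are copied from the tables above and embedded as constructed input so the script runs offline.

```python
import re
from collections import OrderedDict

# Constructed input: rows copied from the report's WriteProcessMemory table above.
# The sandbox prints each spawn three times; the duplicates are kept so the parser has to cope.
WRITE_MEM_SAMPLE = """
PID 4840 wrote to memory of 2844 4840 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe 81
PID 4840 wrote to memory of 2844 4840 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe 81
PID 4840 wrote to memory of 2844 4840 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe 81
PID 2844 wrote to memory of 4520 2844 Anmaakce.exe 82
PID 2844 wrote to memory of 4520 2844 Anmaakce.exe 82
PID 4520 wrote to memory of 1512 4520 Aegine32.exe 83
"""

# Constructed input: registry rows copied from the report (raw string, so the doubled
# backslashes the report prints inside the quoted DLL path survive exactly as shown).
REGISTRY_SAMPLE = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fojlabop.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Copgnh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohneobmn.dll" Mpjlngje.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddfbln32.exe
"""

# Row layouts assumed from the report's column headers (an assumption of this example).
WRITE_MEM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
KEY_CREATED_RE = re.compile(r"^Key created (.+) (\S+\.exe)$")
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+\.exe)$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_write_memory(text):
    """Return (writer_pid, writer_image, target_pid, target_procid) per row, duplicates kept."""
    rows = []
    for line in text.splitlines():
        m = WRITE_MEM_RE.match(line.strip())
        if not m:
            continue
        wpid, tpid, wpid_again, image, target = m.groups()
        if wpid != wpid_again:  # the report repeats the writer pid; a mismatch means a mangled row
            raise ValueError(f"pid columns disagree: {line!r}")
        rows.append((int(wpid), image, int(tpid), int(target)))
    return rows


def spawn_chain(rows):
    """Collapse the triplicated rows into writer_pid -> [(writer_image, target_pid), ...]."""
    chain = OrderedDict()
    for wpid, image, tpid, _ in rows:
        edges = chain.setdefault(wpid, [])
        if (image, tpid) not in edges:
            edges.append((image, tpid))
    return chain


def walk_chain(chain, root_pid):
    """Follow first-child edges from root_pid; a pid's image is only known once it writes to a child."""
    out, pid, seen = [], root_pid, set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        edges = chain.get(pid, [])
        out.append((pid, edges[0][0] if edges else None))
        pid = edges[0][1] if edges else None
    return out


def parse_registry(text):
    """Return one dict per registry row: op, type, key, value (None for key creation), process."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        m = SET_VALUE_RE.match(line)
        if m:
            vtype, key, value, proc = m.groups()
            recs.append({"op": "set", "type": vtype, "key": key, "value": value, "process": proc})
            continue
        m = KEY_CREATED_RE.match(line)
        if m:
            key, proc = m.groups()
            recs.append({"op": "create", "type": None, "key": key, "value": None, "process": proc})
    return recs


def resolve_persistence(recs):
    """Join the two halves of the SSODL persistence: value name -> CLSID -> InProcServer32 DLL."""
    ssodl, inproc = {}, {}
    for r in recs:
        if r["op"] != "set":
            continue
        key = r["key"]
        if "\\ShellServiceObjectDelayLoad\\" in key:
            ssodl[key.rsplit("\\", 1)[1]] = r["value"].upper()
        elif key.endswith("\\InProcServer32\\"):  # trailing backslash: the key's (Default) value
            m = CLSID_RE.search(key)
            if m:
                inproc[m.group(0).upper()] = r["value"].replace("\\\\", "\\")
    return {name: (clsid, inproc.get(clsid)) for name, clsid in ssodl.items()}


if __name__ == "__main__":
    chain = spawn_chain(parse_write_memory(WRITE_MEM_SAMPLE))
    print(" -> ".join(f"{pid}:{img or '?'}" for pid, img in walk_chain(chain, 4840)))
    for name, (clsid, dll) in resolve_persistence(parse_registry(REGISTRY_SAMPLE)).items():
        print(f"SSODL {name!r} -> {clsid} -> {dll}")
```

Run against the full tables on this page, the chain walk reproduces the depth-numbered process tree below, and the persistence join is the part worth keeping as a hunt: the SSODL value name ("Web Event Logger"), the CLSID it points at, and whichever SysWOW64 DLL the InProcServer32 default was last set to (the report shows three different DLL names written to that one key, so the last writer wins and the earlier drops are decoys or leftovers).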
Processes
-
C:\Users\Admin\AppData\Local\Temp\19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe"C:\Users\Admin\AppData\Local\Temp\19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Anmaakce.exeC:\Windows\system32\Anmaakce.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Aegine32.exeC:\Windows\system32\Aegine32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Windows\SysWOW64\Ahffjq32.exeC:\Windows\system32\Ahffjq32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Anpnfkac.exeC:\Windows\system32\Anpnfkac.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Aejfce32.exeC:\Windows\system32\Aejfce32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\Ahhbpp32.exeC:\Windows\system32\Ahhbpp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\Anbklj32.exeC:\Windows\system32\Anbklj32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Bdocda32.exeC:\Windows\system32\Bdocda32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\Bjikaked.exeC:\Windows\system32\Bjikaked.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\Bbpcbiff.exeC:\Windows\system32\Bbpcbiff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Bdapja32.exeC:\Windows\system32\Bdapja32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Bbbphh32.exeC:\Windows\system32\Bbbphh32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Bhohpo32.exeC:\Windows\system32\Bhohpo32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Boiamiih.exeC:\Windows\system32\Boiamiih.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Bdfiephp.exeC:\Windows\system32\Bdfiephp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Blmafnhb.exeC:\Windows\system32\Blmafnhb.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\SysWOW64\Bajjodfi.exeC:\Windows\system32\Bajjodfi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Bhdbkonf.exeC:\Windows\system32\Bhdbkonf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Bonjhi32.exeC:\Windows\system32\Bonjhi32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Cehbdcmp.exeC:\Windows\system32\Cehbdcmp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\SysWOW64\Clakam32.exeC:\Windows\system32\Clakam32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Copgnh32.exeC:\Windows\system32\Copgnh32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Caocjd32.exeC:\Windows\system32\Caocjd32.exe24⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Cdmofoag.exeC:\Windows\system32\Cdmofoag.exe25⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Ckghbi32.exeC:\Windows\system32\Ckghbi32.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Cellpb32.exeC:\Windows\system32\Cellpb32.exe27⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cdolkope.exeC:\Windows\system32\Cdolkope.exe28⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ckidhi32.exeC:\Windows\system32\Ckidhi32.exe29⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Cacmecno.exeC:\Windows\system32\Cacmecno.exe30⤵
- Executes dropped EXE
PID:4744 -
C:\Windows\SysWOW64\Cdaiaonb.exeC:\Windows\system32\Cdaiaonb.exe31⤵
- Executes dropped EXE
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Cklanieo.exeC:\Windows\system32\Cklanieo.exe32⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Cogmng32.exeC:\Windows\system32\Cogmng32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1184 -
C:\Windows\SysWOW64\Clkngl32.exeC:\Windows\system32\Clkngl32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Decbqabb.exeC:\Windows\system32\Decbqabb.exe35⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Ddfbln32.exeC:\Windows\system32\Ddfbln32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Dkpjih32.exeC:\Windows\system32\Dkpjih32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Dajbebhf.exeC:\Windows\system32\Dajbebhf.exe38⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Defofa32.exeC:\Windows\system32\Defofa32.exe39⤵
- Executes dropped EXE
PID:3212 -
C:\Windows\SysWOW64\Dhdkbl32.exeC:\Windows\system32\Dhdkbl32.exe40⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Dkbgnh32.exeC:\Windows\system32\Dkbgnh32.exe41⤵
- Executes dropped EXE
PID:4312 -
C:\Windows\SysWOW64\Damokbfd.exeC:\Windows\system32\Damokbfd.exe42⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ddklgmeg.exeC:\Windows\system32\Ddklgmeg.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3236 -
C:\Windows\SysWOW64\Dhfhhl32.exeC:\Windows\system32\Dhfhhl32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Windows\SysWOW64\Dkeddgmd.exeC:\Windows\system32\Dkeddgmd.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4888 -
C:\Windows\SysWOW64\Daolqa32.exeC:\Windows\system32\Daolqa32.exe46⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Ddmhmm32.exeC:\Windows\system32\Ddmhmm32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3216 -
C:\Windows\SysWOW64\Dkgqigka.exeC:\Windows\system32\Dkgqigka.exe48⤵
- Executes dropped EXE
PID:4656 -
C:\Windows\SysWOW64\Docmjf32.exeC:\Windows\system32\Docmjf32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3328 -
C:\Windows\SysWOW64\Daaifa32.exeC:\Windows\system32\Daaifa32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Dhkackjk.exeC:\Windows\system32\Dhkackjk.exe51⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Dkjmogio.exeC:\Windows\system32\Dkjmogio.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Eoeipeah.exeC:\Windows\system32\Eoeipeah.exe53⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Eeoalp32.exeC:\Windows\system32\Eeoalp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Ekljdf32.exeC:\Windows\system32\Ekljdf32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Eccbed32.exeC:\Windows\system32\Eccbed32.exe56⤵
- Executes dropped EXE
PID:3528 -
C:\Windows\SysWOW64\Eddomlmm.exeC:\Windows\system32\Eddomlmm.exe57⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Ehpjnk32.exeC:\Windows\system32\Ehpjnk32.exe58⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Edgkcl32.exeC:\Windows\system32\Edgkcl32.exe59⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\SysWOW64\Ekqcpfbg.exeC:\Windows\system32\Ekqcpfbg.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Windows\SysWOW64\Eolopd32.exeC:\Windows\system32\Eolopd32.exe61⤵
- Executes dropped EXE
PID:4308 -
C:\Windows\SysWOW64\Eakllp32.exeC:\Windows\system32\Eakllp32.exe62⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Ehddijaq.exeC:\Windows\system32\Ehddijaq.exe63⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Ekcpeeqd.exeC:\Windows\system32\Ekcpeeqd.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Eamhbp32.exeC:\Windows\system32\Eamhbp32.exe65⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Edkdnkge.exeC:\Windows\system32\Edkdnkge.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Ekemke32.exeC:\Windows\system32\Ekemke32.exe67⤵
- Drops file in System32 directory
PID:3452 -
C:\Windows\SysWOW64\Fclelb32.exeC:\Windows\system32\Fclelb32.exe68⤵PID:1992
-
C:\Windows\SysWOW64\Fekahn32.exeC:\Windows\system32\Fekahn32.exe69⤵
- Drops file in System32 directory
PID:4488 -
C:\Windows\SysWOW64\Fleidhfd.exeC:\Windows\system32\Fleidhfd.exe70⤵
- System Location Discovery: System Language Discovery
PID:4088 -
C:\Windows\SysWOW64\Fcoaab32.exeC:\Windows\system32\Fcoaab32.exe71⤵PID:4788
-
C:\Windows\SysWOW64\Ffmnmnle.exeC:\Windows\system32\Ffmnmnle.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Fhljjiki.exeC:\Windows\system32\Fhljjiki.exe73⤵
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Flgfjh32.exeC:\Windows\system32\Flgfjh32.exe74⤵PID:1748
-
C:\Windows\SysWOW64\Foebfc32.exeC:\Windows\system32\Foebfc32.exe75⤵PID:3312
-
C:\Windows\SysWOW64\Fadobo32.exeC:\Windows\system32\Fadobo32.exe76⤵
- Modifies registry class
PID:5112 -
C:\Windows\SysWOW64\Fdbkoj32.exeC:\Windows\system32\Fdbkoj32.exe77⤵PID:3772
-
C:\Windows\SysWOW64\Fklckdhj.exeC:\Windows\system32\Fklckdhj.exe78⤵
- Modifies registry class
PID:4424 -
C:\Windows\SysWOW64\Foholc32.exeC:\Windows\system32\Foholc32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Fdegdj32.exeC:\Windows\system32\Fdegdj32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:4792 -
C:\Windows\SysWOW64\Fllpegpl.exeC:\Windows\system32\Fllpegpl.exe81⤵PID:3480
-
C:\Windows\SysWOW64\Fojlabop.exeC:\Windows\system32\Fojlabop.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4484 -
C:\Windows\SysWOW64\Fcfhba32.exeC:\Windows\system32\Fcfhba32.exe83⤵
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Flnlkgnj.exeC:\Windows\system32\Flnlkgnj.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Gomhgbmn.exeC:\Windows\system32\Gomhgbmn.exe85⤵PID:3604
-
C:\Windows\SysWOW64\Gdiaoike.exeC:\Windows\system32\Gdiaoike.exe86⤵PID:4232
-
C:\Windows\SysWOW64\Glqipf32.exeC:\Windows\system32\Glqipf32.exe87⤵PID:4496
-
C:\Windows\SysWOW64\Gooemb32.exeC:\Windows\system32\Gooemb32.exe88⤵PID:1936
-
C:\Windows\SysWOW64\Gcjamqcd.exeC:\Windows\system32\Gcjamqcd.exe89⤵PID:820
-
C:\Windows\SysWOW64\Gfimilbh.exeC:\Windows\system32\Gfimilbh.exe90⤵PID:3860
-
C:\Windows\SysWOW64\Ghgiegak.exeC:\Windows\system32\Ghgiegak.exe91⤵
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Gkffacpo.exeC:\Windows\system32\Gkffacpo.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4876 -
C:\Windows\SysWOW64\Gcmnbpaa.exeC:\Windows\system32\Gcmnbpaa.exe93⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Gfkjolpe.exeC:\Windows\system32\Gfkjolpe.exe94⤵
- Modifies registry class
PID:5012 -
C:\Windows\SysWOW64\Gmebkf32.exeC:\Windows\system32\Gmebkf32.exe95⤵PID:928
-
C:\Windows\SysWOW64\Gocohafe.exeC:\Windows\system32\Gocohafe.exe96⤵PID:2304
-
C:\Windows\SysWOW64\Gbbkdmfi.exeC:\Windows\system32\Gbbkdmfi.exe97⤵PID:1756
-
C:\Windows\SysWOW64\Gdqgphem.exeC:\Windows\system32\Gdqgphem.exe98⤵PID:3120
-
C:\Windows\SysWOW64\Gmgoaeeo.exeC:\Windows\system32\Gmgoaeeo.exe99⤵
- Drops file in System32 directory
PID:4288 -
C:\Windows\SysWOW64\Gkjomb32.exeC:\Windows\system32\Gkjomb32.exe100⤵PID:1892
-
C:\Windows\SysWOW64\Gbdgildf.exeC:\Windows\system32\Gbdgildf.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4376 -
C:\Windows\SysWOW64\Gfpcjk32.exeC:\Windows\system32\Gfpcjk32.exe102⤵
- Modifies registry class
PID:3516 -
C:\Windows\SysWOW64\Hmjlfecl.exeC:\Windows\system32\Hmjlfecl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5040 -
C:\Windows\SysWOW64\Hohhbq32.exeC:\Windows\system32\Hohhbq32.exe104⤵PID:2468
-
C:\Windows\SysWOW64\Hcddcoki.exeC:\Windows\system32\Hcddcoki.exe105⤵PID:3612
-
C:\Windows\SysWOW64\Hbgdol32.exeC:\Windows\system32\Hbgdol32.exe106⤵PID:3968
-
C:\Windows\SysWOW64\Hdepkg32.exeC:\Windows\system32\Hdepkg32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\SysWOW64\Hmlhle32.exeC:\Windows\system32\Hmlhle32.exe108⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Hokdhp32.exeC:\Windows\system32\Hokdhp32.exe109⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Hbiadl32.exeC:\Windows\system32\Hbiadl32.exe110⤵
- System Location Discovery: System Language Discovery
PID:784 -
C:\Windows\SysWOW64\Hfdmejhj.exeC:\Windows\system32\Hfdmejhj.exe111⤵PID:2488
-
C:\Windows\SysWOW64\Hiciafgn.exeC:\Windows\system32\Hiciafgn.exe112⤵PID:2256
-
C:\Windows\SysWOW64\Hkaemafa.exeC:\Windows\system32\Hkaemafa.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4832 -
C:\Windows\SysWOW64\Hchmno32.exeC:\Windows\system32\Hchmno32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Hbknjkno.exeC:\Windows\system32\Hbknjkno.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Hiefge32.exeC:\Windows\system32\Hiefge32.exe116⤵PID:2012
-
C:\Windows\SysWOW64\Hkdbca32.exeC:\Windows\system32\Hkdbca32.exe117⤵PID:1844
-
C:\Windows\SysWOW64\Hooncplh.exeC:\Windows\system32\Hooncplh.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Hbnjpkll.exeC:\Windows\system32\Hbnjpkll.exe119⤵PID:5176
-
C:\Windows\SysWOW64\Helflfkp.exeC:\Windows\system32\Helflfkp.exe120⤵PID:5220
-
C:\Windows\SysWOW64\Hmcomdkb.exeC:\Windows\system32\Hmcomdkb.exe121⤵PID:5264
-
C:\Windows\SysWOW64\Hoakioje.exeC:\Windows\system32\Hoakioje.exe122⤵
- System Location Discovery: System Language Discovery
PID:5308