Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07/08/2024, 05:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e.exe
-
Size
123KB
-
MD5
fc2f1ec9b26732228322bbc96e4549e1
-
SHA1
b81f77768fb429ca644fbcefc465a67012ba700b
-
SHA256
fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e
-
SHA512
ad3f0ede0f7b0fd43f00604b21e6489d92b522e058176f71e3d47db2e8cfa19bf8ddbbad9219259fcbdf1d6d81dfafaff0d57d43d073bf78d90ae0af3e34477b
-
SSDEEP
3072:6q/fYDUUejCq3ue3ENvxuNfKHRYSa9rR85DEn5k7r8:vTKH4rQD85k/8
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffmfadl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcldb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Johnamkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfmno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhhhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Embddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikkpgafg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kclgmq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmoag32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehngkcg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmpiiai.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiemobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnmjjdb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bokehc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkafmd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgeaifia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djhpgofm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oepifi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnebd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbpdblmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnicid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdbdcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnckpmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igcoqocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epagkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iddljmpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfngdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkdliame.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljaoeini.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdecgbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kldmckic.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moaogand.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcpjnjii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bclang32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlkge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opeiadfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lldfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pomgjn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogcgj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjcbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glgcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Poodpmca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpbdopck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqafhl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aflaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glldgljg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccqkigkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmlfl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehcfaboo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohiemobf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpihcgoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fligqhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmfplibd.exe -
Executes dropped EXE 64 IoCs
pid Process 2588 Fnckpmql.exe 384 Gekcaj32.exe 2388 Gglpibgm.exe 3644 Gnfhfl32.exe 1424 Ghklce32.exe 2864 Gkjhoq32.exe 3068 Gepmlimi.exe 3704 Ghniielm.exe 3764 Gohaeo32.exe 4092 Gfbibikg.exe 3496 Ghpendjj.exe 4696 Gkobjpin.exe 904 Gahjgj32.exe 2148 Gfdfgiid.exe 700 Ghbbcd32.exe 4748 Hkckeo32.exe 4148 Hdlpneli.exe 1296 Hgjljpkm.exe 2780 Hoadkn32.exe 3184 Hocqam32.exe 5072 Hdpiid32.exe 1984 Hhlejcpm.exe 3172 Hofmfmhj.exe 4916 Hninbj32.exe 116 Hhnbpb32.exe 3532 Hkmnln32.exe 4580 Ibffhhek.exe 1968 Igcoqocb.exe 2756 Inmgmijo.exe 2512 Iickkbje.exe 3620 Inpccihl.exe 2840 Ifgldfio.exe 2224 Ioopml32.exe 1488 Inbqhhfj.exe 3176 Iigdfa32.exe 3016 Ioambknl.exe 3584 Igmagnkg.exe 2688 Jkhngl32.exe 2280 Jeqbpb32.exe 4932 Jilnqqbj.exe 5060 Jkkjmlan.exe 1560 Jfpojead.exe 1232 Jkmgblok.exe 4212 Jfbkpd32.exe 4936 Jgdhgmep.exe 1672 Jnnpdg32.exe 3456 Jicdap32.exe 3120 Jnpmjf32.exe 320 Jejefqaf.exe 3572 Kldmckic.exe 4392 Kgknhl32.exe 1028 Kpbfii32.exe 2836 Kbbokdlk.exe 4976 Klkcdj32.exe 1508 Kbekqdjh.exe 3548 Klmpiiai.exe 1748 Kefdbo32.exe 3780 Lhdqnj32.exe 4300 Lnnikdnj.exe 4636 Lidmhmnp.exe 4964 Lpneegel.exe 3368 Lblaabdp.exe 220 Lldfjh32.exe 4080 Lppbkgcj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jgdhgmep.exe Jfbkpd32.exe File created C:\Windows\SysWOW64\Eiobodkp.dll Acnemi32.exe File opened for modification C:\Windows\SysWOW64\Bfqkddfd.exe Bogcgj32.exe File created C:\Windows\SysWOW64\Jnfcia32.exe Jkhgmf32.exe File opened for modification C:\Windows\SysWOW64\Fmcjpl32.exe Felbnn32.exe File created C:\Windows\SysWOW64\Bddcenpi.exe Baegibae.exe File opened for modification C:\Windows\SysWOW64\Caojpaij.exe Coqncejg.exe File created C:\Windows\SysWOW64\Ilccmqen.dll Fnckpmql.exe File created C:\Windows\SysWOW64\Lflbkcll.exe Lobjni32.exe File created C:\Windows\SysWOW64\Leopnglc.exe Lbpdblmo.exe File created C:\Windows\SysWOW64\Cppnfc32.dll Gdmmbq32.exe File created C:\Windows\SysWOW64\Nkddkljd.dll Mhfppabl.exe File created C:\Windows\SysWOW64\Pojcjh32.exe Ohpkmn32.exe File created C:\Windows\SysWOW64\Qepkbpak.exe Qofcff32.exe File created C:\Windows\SysWOW64\Idahjg32.exe Iljpij32.exe File created C:\Windows\SysWOW64\Pfnmog32.dll Gejopl32.exe File created C:\Windows\SysWOW64\Qikoka32.dll Gmimai32.exe File created C:\Windows\SysWOW64\Plcdiabk.exe Phhhhc32.exe File created C:\Windows\SysWOW64\Ncqlkemc.exe Nmfcok32.exe File opened for modification C:\Windows\SysWOW64\Nhbolp32.exe Niooqcad.exe File created C:\Windows\SysWOW64\Dpdaepai.exe Dikihe32.exe File opened for modification C:\Windows\SysWOW64\Hildmn32.exe Hgmgqc32.exe File created C:\Windows\SysWOW64\Eokqkh32.exe Emmdom32.exe File opened for modification C:\Windows\SysWOW64\Efgemb32.exe Enpmld32.exe File created C:\Windows\SysWOW64\Iakiia32.exe Ikqqlgem.exe File created C:\Windows\SysWOW64\Dfggbllc.dll Pomgjn32.exe File opened for modification C:\Windows\SysWOW64\Pgflqkdd.exe Poodpmca.exe File created C:\Windows\SysWOW64\Knghil32.dll Eibfck32.exe File created C:\Windows\SysWOW64\Dckdjomg.exe Dkdliame.exe File created C:\Windows\SysWOW64\Kamhmbej.dll Dpdaepai.exe File created C:\Windows\SysWOW64\Bcflijmh.dll Lmbhgd32.exe File created C:\Windows\SysWOW64\Obnbpa32.dll Mgobel32.exe File created C:\Windows\SysWOW64\Jknfplei.dll Gnfhfl32.exe File created C:\Windows\SysWOW64\Gaeaha32.dll Ljbfpo32.exe File opened for modification C:\Windows\SysWOW64\Oehlkc32.exe Objpoh32.exe File opened for modification C:\Windows\SysWOW64\Qlggjk32.exe Piijno32.exe File created C:\Windows\SysWOW64\Fmpqfq32.exe Fjadje32.exe File created C:\Windows\SysWOW64\Aefjii32.exe Anobgl32.exe File created C:\Windows\SysWOW64\Khblgpag.dll Dnmhpg32.exe File opened for modification C:\Windows\SysWOW64\Komhll32.exe Jlolpq32.exe File created C:\Windows\SysWOW64\Ocaikjof.dll Hnodaecc.exe File opened for modification C:\Windows\SysWOW64\Oaifpi32.exe Onkidm32.exe File created C:\Windows\SysWOW64\Ombcji32.exe Ojdgnn32.exe File created C:\Windows\SysWOW64\Cjceejee.dll Pmnbfhal.exe File created C:\Windows\SysWOW64\Kbqceofn.dll Bgkiaj32.exe File opened for modification C:\Windows\SysWOW64\Nceefd32.exe Nagiji32.exe File created C:\Windows\SysWOW64\Oahlhhel.dll Jejefqaf.exe File created C:\Windows\SysWOW64\Facdchai.dll Hdmein32.exe File created C:\Windows\SysWOW64\Gfheof32.exe Gpnmbl32.exe File created C:\Windows\SysWOW64\Gmfplibd.exe Gflhoo32.exe File created C:\Windows\SysWOW64\Mgnlkfal.exe Mogcihaj.exe File created C:\Windows\SysWOW64\Nnahhegq.dll Oaplqh32.exe File created C:\Windows\SysWOW64\Mhghfqcd.dll Jfpojead.exe File created C:\Windows\SysWOW64\Eplnpeol.exe Eibfck32.exe File created C:\Windows\SysWOW64\Fdmfqg32.dll Najceeoo.exe File opened for modification C:\Windows\SysWOW64\Elnoopdj.exe Eiobceef.exe File opened for modification C:\Windows\SysWOW64\Kkconn32.exe Kclgmq32.exe File created C:\Windows\SysWOW64\Paelfmaf.exe Oogpjbbb.exe File opened for modification C:\Windows\SysWOW64\Knnhjcog.exe Kegpifod.exe File created C:\Windows\SysWOW64\Pfiddm32.exe Pdjgha32.exe File opened for modification C:\Windows\SysWOW64\Cfadkb32.exe Ccchof32.exe File opened for modification C:\Windows\SysWOW64\Niniei32.exe Nlihle32.exe File opened for modification C:\Windows\SysWOW64\Fjmkoeqi.exe Fbfcmhpg.exe File created C:\Windows\SysWOW64\Hdokdg32.exe Hmechmip.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 16724 16616 WerFault.exe 1066 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepmlimi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cflkpblf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhgmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bopocbcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eleepoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efblbbqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijchhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifljdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qofcff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojiiafp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokdnjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcmpodi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaajed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiknlagg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqpoakco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgeedch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdnabjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkgbcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqilgmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibfck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ealkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnphmkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdjomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfiddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollnhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojomm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giinpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnlme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdphngfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgifbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfhfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqdlnde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knhakh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombcji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmfeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onapdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkobjpin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejalcgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cggimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bahdob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podmkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgaeolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflbkcll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahofoogd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megljppl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkgmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllbaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflfac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofmfmhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpfhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkmal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpiid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdcpkll.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqnpfi32.dll" Nghekkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leifdf32.dll" Anobgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbohpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfkblnn.dll" Hkpheidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpomcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obonfmck.dll" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olgncmim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moehgcil.dll" Aefjii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegaehem.dll" Bhbcfbjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhkbjd32.dll" Ekkkoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkqgckn.dll" Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqbhbo32.dll" Hdlpneli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhkikq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnhpfjhc.dll" Obcceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flqdlnde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afjeceml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfjpfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdehni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lddgmbpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hninbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afgacokc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illddp32.dll" Lggldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lflbkcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llodgnja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfpjcbmh.dll" Lpekef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mefiblfk.dll" Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" Mchppmij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckjbhmad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjbkgfej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iggaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll" Lcjcnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqglioac.dll" Nnbnhedj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngqagcag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pplobcpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll" Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilqdd32.dll" Ollnhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apoigbgj.dll" Injmcmej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Geaepk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcpel32.dll" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdmdnadc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkconn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pecellgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enpmld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfiddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejoomhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpgeee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iqklon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahobhgo.dll" Oeaoab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohpkmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doaneiop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmbhoeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll" Nncccnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkpool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbighjdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll" Nnicid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baegibae.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3180 wrote to memory of 2588 3180 fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e.exe 83 PID 3180 wrote to memory of 2588 3180 fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e.exe 83 PID 3180 wrote to memory of 2588 3180 fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e.exe 83 PID 2588 wrote to memory of 384 2588 Fnckpmql.exe 84 PID 2588 wrote to memory of 384 2588 Fnckpmql.exe 84 PID 2588 wrote to memory of 384 2588 Fnckpmql.exe 84 PID 384 wrote to memory of 2388 384 Gekcaj32.exe 85 PID 384 wrote to memory of 2388 384 Gekcaj32.exe 85 PID 384 wrote to memory of 2388 384 Gekcaj32.exe 85 PID 2388 wrote to memory of 3644 2388 Gglpibgm.exe 87 PID 2388 wrote to memory of 3644 2388 Gglpibgm.exe 87 PID 2388 wrote to memory of 3644 2388 Gglpibgm.exe 87 PID 3644 wrote to memory of 1424 3644 Gnfhfl32.exe 88 PID 3644 wrote to memory of 1424 3644 Gnfhfl32.exe 88 PID 3644 wrote to memory of 1424 3644 Gnfhfl32.exe 88 PID 1424 wrote to memory of 2864 1424 Ghklce32.exe 89 PID 1424 wrote to memory of 2864 1424 Ghklce32.exe 89 PID 1424 wrote to memory of 2864 1424 Ghklce32.exe 89 PID 2864 wrote to memory of 3068 2864 Gkjhoq32.exe 90 PID 2864 wrote to memory of 3068 2864 Gkjhoq32.exe 90 PID 2864 wrote to memory of 3068 2864 Gkjhoq32.exe 90 PID 3068 wrote to memory of 3704 3068 Gepmlimi.exe 92 PID 3068 wrote to memory of 3704 3068 Gepmlimi.exe 92 PID 3068 wrote to memory of 3704 3068 Gepmlimi.exe 92 PID 3704 wrote to memory of 3764 3704 Ghniielm.exe 93 PID 3704 wrote to memory of 3764 3704 Ghniielm.exe 93 PID 3704 wrote to memory of 3764 3704 Ghniielm.exe 93 PID 3764 wrote to memory of 4092 3764 Gohaeo32.exe 94 PID 3764 wrote to memory of 4092 3764 Gohaeo32.exe 94 PID 3764 wrote to memory of 4092 3764 Gohaeo32.exe 94 PID 4092 wrote to memory of 3496 4092 Gfbibikg.exe 95 PID 4092 wrote to memory of 3496 4092 Gfbibikg.exe 95 PID 4092 wrote to memory of 3496 4092 Gfbibikg.exe 95 PID 3496 wrote to memory of 4696 3496 Ghpendjj.exe 96 PID 3496 wrote to memory of 4696 3496 Ghpendjj.exe 96 PID 3496 wrote to memory of 4696 3496 Ghpendjj.exe 96 PID 4696 wrote to memory of 904 4696 Gkobjpin.exe 97 PID 4696 wrote to memory of 904 4696 Gkobjpin.exe 97 PID 4696 wrote to memory of 904 4696 Gkobjpin.exe 97 PID 904 wrote to memory of 2148 904 Gahjgj32.exe 98 PID 904 wrote to memory of 2148 904 Gahjgj32.exe 98 PID 904 wrote to memory of 2148 904 Gahjgj32.exe 98 PID 2148 wrote to memory of 700 2148 Gfdfgiid.exe 100 PID 2148 wrote to memory of 700 2148 Gfdfgiid.exe 100 PID 2148 wrote to memory of 700 2148 Gfdfgiid.exe 100 PID 700 wrote to memory of 4748 700 Ghbbcd32.exe 101 PID 700 wrote to memory of 4748 700 Ghbbcd32.exe 101 PID 700 wrote to memory of 4748 700 Ghbbcd32.exe 101 PID 4748 wrote to memory of 4148 4748 Hkckeo32.exe 102 PID 4748 wrote to memory of 4148 4748 Hkckeo32.exe 102 PID 4748 wrote to memory of 4148 4748 Hkckeo32.exe 102 PID 4148 wrote to memory of 1296 4148 Hdlpneli.exe 103 PID 4148 wrote to memory of 1296 4148 Hdlpneli.exe 103 PID 4148 wrote to memory of 1296 4148 Hdlpneli.exe 103 PID 1296 wrote to memory of 2780 1296 Hgjljpkm.exe 104 PID 1296 wrote to memory of 2780 1296 Hgjljpkm.exe 104 PID 1296 wrote to memory of 2780 1296 Hgjljpkm.exe 104 PID 2780 wrote to memory of 3184 2780 Hoadkn32.exe 105 PID 2780 wrote to memory of 3184 2780 Hoadkn32.exe 105 PID 2780 wrote to memory of 3184 2780 Hoadkn32.exe 105 PID 3184 wrote to memory of 5072 3184 Hocqam32.exe 106 PID 3184 wrote to memory of 5072 3184 Hocqam32.exe 106 PID 3184 wrote to memory of 5072 3184 Hocqam32.exe 106 PID 5072 wrote to memory of 1984 5072 Hdpiid32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e.exe"C:\Users\Admin\AppData\Local\Temp\fda5eabf5bb7421e608ae14aa778eea8855409050bf979b3f2e778e4b7bd9a5e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\Fnckpmql.exeC:\Windows\system32\Fnckpmql.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\Gglpibgm.exeC:\Windows\system32\Gglpibgm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Gkjhoq32.exeC:\Windows\system32\Gkjhoq32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Gepmlimi.exeC:\Windows\system32\Gepmlimi.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\SysWOW64\Gohaeo32.exeC:\Windows\system32\Gohaeo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\SysWOW64\Gfbibikg.exeC:\Windows\system32\Gfbibikg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Gfdfgiid.exeC:\Windows\system32\Gfdfgiid.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Ghbbcd32.exeC:\Windows\system32\Ghbbcd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Hgjljpkm.exeC:\Windows\system32\Hgjljpkm.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\Hdpiid32.exeC:\Windows\system32\Hdpiid32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe23⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hofmfmhj.exeC:\Windows\system32\Hofmfmhj.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3172 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:4916 -
C:\Windows\SysWOW64\Hhnbpb32.exeC:\Windows\system32\Hhnbpb32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe27⤵
- Executes dropped EXE
PID:3532 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe28⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Inmgmijo.exeC:\Windows\system32\Inmgmijo.exe30⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe31⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe32⤵
- Executes dropped EXE
PID:3620 -
C:\Windows\SysWOW64\Ifgldfio.exeC:\Windows\system32\Ifgldfio.exe33⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ioopml32.exeC:\Windows\system32\Ioopml32.exe34⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe35⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe36⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe37⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Igmagnkg.exeC:\Windows\system32\Igmagnkg.exe38⤵
- Executes dropped EXE
PID:3584 -
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe39⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe40⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Jilnqqbj.exeC:\Windows\system32\Jilnqqbj.exe41⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe42⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe44⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4212 -
C:\Windows\SysWOW64\Jgdhgmep.exeC:\Windows\system32\Jgdhgmep.exe46⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Jnnpdg32.exeC:\Windows\system32\Jnnpdg32.exe47⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Jicdap32.exeC:\Windows\system32\Jicdap32.exe48⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3120 -
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Kldmckic.exeC:\Windows\system32\Kldmckic.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Kgknhl32.exeC:\Windows\system32\Kgknhl32.exe52⤵
- Executes dropped EXE
PID:4392 -
C:\Windows\SysWOW64\Kpbfii32.exeC:\Windows\system32\Kpbfii32.exe53⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Kbbokdlk.exeC:\Windows\system32\Kbbokdlk.exe54⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe55⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe56⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Kefdbo32.exeC:\Windows\system32\Kefdbo32.exe58⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Lhdqnj32.exeC:\Windows\system32\Lhdqnj32.exe59⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Lnnikdnj.exeC:\Windows\system32\Lnnikdnj.exe60⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\Lidmhmnp.exeC:\Windows\system32\Lidmhmnp.exe61⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe62⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\Lblaabdp.exeC:\Windows\system32\Lblaabdp.exe63⤵
- Executes dropped EXE
PID:3368 -
C:\Windows\SysWOW64\Lldfjh32.exeC:\Windows\system32\Lldfjh32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:220 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe65⤵
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe66⤵PID:1776
-
C:\Windows\SysWOW64\Lhkgoiqe.exeC:\Windows\system32\Lhkgoiqe.exe67⤵PID:4072
-
C:\Windows\SysWOW64\Likcilhh.exeC:\Windows\system32\Likcilhh.exe68⤵PID:4344
-
C:\Windows\SysWOW64\Lpekef32.exeC:\Windows\system32\Lpekef32.exe69⤵
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Lbchba32.exeC:\Windows\system32\Lbchba32.exe70⤵PID:2776
-
C:\Windows\SysWOW64\Leadnm32.exeC:\Windows\system32\Leadnm32.exe71⤵PID:2712
-
C:\Windows\SysWOW64\Mlklkgei.exeC:\Windows\system32\Mlklkgei.exe72⤵PID:1848
-
C:\Windows\SysWOW64\Mbedga32.exeC:\Windows\system32\Mbedga32.exe73⤵PID:4640
-
C:\Windows\SysWOW64\Miomdk32.exeC:\Windows\system32\Miomdk32.exe74⤵PID:3328
-
C:\Windows\SysWOW64\Mpieqeko.exeC:\Windows\system32\Mpieqeko.exe75⤵PID:3708
-
C:\Windows\SysWOW64\Mbhamajc.exeC:\Windows\system32\Mbhamajc.exe76⤵PID:3684
-
C:\Windows\SysWOW64\Mibijk32.exeC:\Windows\system32\Mibijk32.exe77⤵PID:3656
-
C:\Windows\SysWOW64\Moobbb32.exeC:\Windows\system32\Moobbb32.exe78⤵PID:2060
-
C:\Windows\SysWOW64\Mbjnbqhp.exeC:\Windows\system32\Mbjnbqhp.exe79⤵PID:4188
-
C:\Windows\SysWOW64\Mhgfkg32.exeC:\Windows\system32\Mhgfkg32.exe80⤵PID:4876
-
C:\Windows\SysWOW64\Moaogand.exeC:\Windows\system32\Moaogand.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4496 -
C:\Windows\SysWOW64\Mifcejnj.exeC:\Windows\system32\Mifcejnj.exe82⤵PID:4340
-
C:\Windows\SysWOW64\Mockmala.exeC:\Windows\system32\Mockmala.exe83⤵PID:2504
-
C:\Windows\SysWOW64\Niipjj32.exeC:\Windows\system32\Niipjj32.exe84⤵PID:1208
-
C:\Windows\SysWOW64\Nlglfe32.exeC:\Windows\system32\Nlglfe32.exe85⤵PID:1148
-
C:\Windows\SysWOW64\Neppokal.exeC:\Windows\system32\Neppokal.exe86⤵PID:2016
-
C:\Windows\SysWOW64\Nlihle32.exeC:\Windows\system32\Nlihle32.exe87⤵
- Drops file in System32 directory
PID:5052 -
C:\Windows\SysWOW64\Niniei32.exeC:\Windows\system32\Niniei32.exe88⤵PID:940
-
C:\Windows\SysWOW64\Npgabc32.exeC:\Windows\system32\Npgabc32.exe89⤵PID:3256
-
C:\Windows\SysWOW64\Ncfmno32.exeC:\Windows\system32\Ncfmno32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:64 -
C:\Windows\SysWOW64\Nedjjj32.exeC:\Windows\system32\Nedjjj32.exe91⤵PID:1144
-
C:\Windows\SysWOW64\Olgemcli.exeC:\Windows\system32\Olgemcli.exe92⤵PID:2128
-
C:\Windows\SysWOW64\Ocamjm32.exeC:\Windows\system32\Ocamjm32.exe93⤵PID:1088
-
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3916 -
C:\Windows\SysWOW64\Ohnebd32.exeC:\Windows\system32\Ohnebd32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4700 -
C:\Windows\SysWOW64\Opemca32.exeC:\Windows\system32\Opemca32.exe96⤵PID:4488
-
C:\Windows\SysWOW64\Ocdjpmac.exeC:\Windows\system32\Ocdjpmac.exe97⤵PID:2828
-
C:\Windows\SysWOW64\Ojnblg32.exeC:\Windows\system32\Ojnblg32.exe98⤵PID:624
-
C:\Windows\SysWOW64\Ollnhb32.exeC:\Windows\system32\Ollnhb32.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe100⤵PID:4796
-
C:\Windows\SysWOW64\Pedbahod.exeC:\Windows\system32\Pedbahod.exe101⤵PID:3592
-
C:\Windows\SysWOW64\Phcomcng.exeC:\Windows\system32\Phcomcng.exe102⤵PID:440
-
C:\Windows\SysWOW64\Pomgjn32.exeC:\Windows\system32\Pomgjn32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe104⤵PID:808
-
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe105⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Plagcbdn.exeC:\Windows\system32\Plagcbdn.exe106⤵PID:2376
-
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4564 -
C:\Windows\SysWOW64\Pgflqkdd.exeC:\Windows\system32\Pgflqkdd.exe108⤵PID:5148
-
C:\Windows\SysWOW64\Phhhhc32.exeC:\Windows\system32\Phhhhc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5192 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe110⤵PID:5236
-
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe112⤵PID:5324
-
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe113⤵PID:5368
-
C:\Windows\SysWOW64\Podmkm32.exeC:\Windows\system32\Podmkm32.exe114⤵
- System Location Discovery: System Language Discovery
PID:5412 -
C:\Windows\SysWOW64\Pgkelj32.exeC:\Windows\system32\Pgkelj32.exe115⤵PID:5456
-
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe116⤵PID:5500
-
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe117⤵PID:5544
-
C:\Windows\SysWOW64\Pofjpl32.exeC:\Windows\system32\Pofjpl32.exe118⤵PID:5588
-
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe119⤵PID:5632
-
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe120⤵PID:5676
-
C:\Windows\SysWOW64\Qoifflkg.exeC:\Windows\system32\Qoifflkg.exe121⤵PID:5720
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-