Analysis
-
max time kernel
104s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/08/2024, 08:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d8715b119994af477aa53a702ed7a700N.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
d8715b119994af477aa53a702ed7a700N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
d8715b119994af477aa53a702ed7a700N.exe
-
Size
1.5MB
-
MD5
d8715b119994af477aa53a702ed7a700
-
SHA1
fdb2e3b0b3db429855a1cb502108d3438854f1b9
-
SHA256
f00ce9350aba64d71f3d68b92b7f17165d91aa10926eb547ad6abef07f15b374
-
SHA512
391cf2aacd8d916e4df2a19b89509a3e258fdf8817ae55f63f884738976f3019ef3da95f09d015b2cb7ce8adf4d7ee787daac74d12a5b659c69d4a2457e1ec51
-
SSDEEP
12288:s0mdPbWGRdA6sQxuEuZH8WF50+OJ3BHCXwpnsKvNA+XTvZHWuEo3oWB+:xmzecI50+YNpsKv2EvZHp3oWB+
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdoof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchppmij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknlbhhe.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnnljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qapnmopa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enopghee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgdejd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfgdpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fglnkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmalne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknmla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbemgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biiobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmlddqem.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fligqhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocgkan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbanq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcekfnkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodiqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oihagaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefabkej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmdnbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doccpcja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiockdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlghoa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abcgjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqkondfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flqdlnde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpajgmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lomjicei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legben32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjocbhbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfkceca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpqnneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpcodihc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhakh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbnmke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkfcqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekimjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmcpoedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domdjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onapdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpedeiff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibaeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbnpnme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdemd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnhajba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmaciefp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edaaccbj.exe -
Executes dropped EXE 64 IoCs
pid Process 4848 Mjpbam32.exe 2052 Mjbogmdb.exe 4472 Mlbkap32.exe 4236 Naaqofgj.exe 2316 Nlfelogp.exe 2656 Nbqmiinl.exe 3028 Nafjjf32.exe 4244 Niooqcad.exe 1708 Ohghgodi.exe 3268 Oihagaji.exe 1372 Olgncmim.exe 2576 Obafpg32.exe 3580 Ohnohn32.exe 1984 Phbhcmjl.exe 3664 Pchlpfjb.exe 2704 Poajkgnc.exe 3300 Pkhjph32.exe 4308 Qlggjk32.exe 4480 Qcaofebg.exe 1280 Ajpqnneo.exe 1400 Aomifecf.exe 4412 Ackbmcjl.exe 2876 Akffafgg.exe 2240 Abponp32.exe 4476 Boflmdkk.exe 3164 Bjlpjm32.exe 4420 Bfendmoc.exe 4332 Bckkca32.exe 3296 Cbphdn32.exe 4832 Cfnqklgh.exe 4040 Cofecami.exe 3244 Ckmehb32.exe 1856 Cmmbbejp.exe 3732 Ccgjopal.exe 3220 Dfefkkqp.exe 452 Dblgpl32.exe 4688 Dmalne32.exe 2864 Dfjpfj32.exe 220 Dlghoa32.exe 4904 Dikihe32.exe 4124 Djjebh32.exe 1928 Ebejfk32.exe 2120 Eiobceef.exe 1452 Eiaoid32.exe 3084 Efepbi32.exe 2388 Epndknin.exe 900 Eifhdd32.exe 4956 Eclmamod.exe 4780 Eiieicml.exe 4600 Fpbmfn32.exe 4988 Fjhacf32.exe 4560 Fbcfhibj.exe 3956 Fjjnifbl.exe 4732 Fllkqn32.exe 4960 Ffaong32.exe 2300 Fmkgkapm.exe 2420 Fbhpch32.exe 4368 Fibhpbea.exe 752 Flqdlnde.exe 4596 Fdglmkeg.exe 396 Fjadje32.exe 3692 Gbmingjo.exe 4500 Gigaka32.exe 1352 Gdlfhj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fkccgodj.dll Ffqhcq32.exe File created C:\Windows\SysWOW64\Binlfp32.dll Nmfcok32.exe File created C:\Windows\SysWOW64\Bbdcakkc.dll Fkofga32.exe File created C:\Windows\SysWOW64\Afappe32.exe Acccdj32.exe File created C:\Windows\SysWOW64\Jcggmk32.dll Fbfkceca.exe File created C:\Windows\SysWOW64\Knknhqjn.dll Dikihe32.exe File created C:\Windows\SysWOW64\Fooclapd.exe Ekajec32.exe File created C:\Windows\SysWOW64\Oqklkbbi.exe Ojqcnhkl.exe File opened for modification C:\Windows\SysWOW64\Neqopnhb.exe Nmigoagp.exe File opened for modification C:\Windows\SysWOW64\Mmmqhl32.exe Mfchlbfd.exe File opened for modification C:\Windows\SysWOW64\Nmkmjjaa.exe Nfaemp32.exe File created C:\Windows\SysWOW64\Nnndji32.dll Ojqcnhkl.exe File created C:\Windows\SysWOW64\Jfdnfdoa.dll Ndflak32.exe File created C:\Windows\SysWOW64\Fjmfmh32.exe Fkjfakng.exe File created C:\Windows\SysWOW64\Fbhpch32.exe Fmkgkapm.exe File opened for modification C:\Windows\SysWOW64\Ekodjiol.exe Eeelnp32.exe File opened for modification C:\Windows\SysWOW64\Gbchdp32.exe Glipgf32.exe File created C:\Windows\SysWOW64\Ekfjcc32.dll Iikmbh32.exe File opened for modification C:\Windows\SysWOW64\Kadpdp32.exe Kpccmhdg.exe File opened for modification C:\Windows\SysWOW64\Kmaopfjm.exe Kjccdkki.exe File created C:\Windows\SysWOW64\Kjamidgd.dll Ahofoogd.exe File created C:\Windows\SysWOW64\Cdpcal32.exe Ckgohf32.exe File created C:\Windows\SysWOW64\Lojmcdgl.exe Lllagh32.exe File created C:\Windows\SysWOW64\Nobkpkdh.dll Dkfadkgf.exe File opened for modification C:\Windows\SysWOW64\Ckhecmcf.exe Chiigadc.exe File created C:\Windows\SysWOW64\Iefeek32.dll Iefgbh32.exe File created C:\Windows\SysWOW64\Mapppn32.exe Loacdc32.exe File created C:\Windows\SysWOW64\Dahfkimd.exe Dgbanq32.exe File created C:\Windows\SysWOW64\Ikfbpdlg.dll Ddfbgelh.exe File created C:\Windows\SysWOW64\Ilafiihp.exe Iloidijb.exe File created C:\Windows\SysWOW64\Bgqoll32.dll Lfgipd32.exe File created C:\Windows\SysWOW64\Bnoddcef.exe Bdfpkm32.exe File created C:\Windows\SysWOW64\Gcmjja32.dll Jldbpl32.exe File created C:\Windows\SysWOW64\Lhnhajba.exe Kadpdp32.exe File created C:\Windows\SysWOW64\Domdjj32.exe Ddgplado.exe File opened for modification C:\Windows\SysWOW64\Fggdpnkf.exe Edihdb32.exe File created C:\Windows\SysWOW64\Bdkohe32.dll Mcqjon32.exe File created C:\Windows\SysWOW64\Eopjfnlo.dll Pjkmomfn.exe File created C:\Windows\SysWOW64\Afpjel32.exe Qpeahb32.exe File created C:\Windows\SysWOW64\Amjbbfgo.exe Afpjel32.exe File created C:\Windows\SysWOW64\Eemeqinf.dll Dgdncplk.exe File created C:\Windows\SysWOW64\Kjeqge32.dll Mmbanbmg.exe File opened for modification C:\Windows\SysWOW64\Bdgged32.exe Bnmoijje.exe File opened for modification C:\Windows\SysWOW64\Coadnlnb.exe Chglab32.exe File opened for modification C:\Windows\SysWOW64\Hbhboolf.exe Hmkigh32.exe File created C:\Windows\SysWOW64\Iknmmg32.dll Mfchlbfd.exe File created C:\Windows\SysWOW64\Bdgged32.exe Bnmoijje.exe File created C:\Windows\SysWOW64\Hmkigh32.exe Hedafk32.exe File opened for modification C:\Windows\SysWOW64\Baegibae.exe Bklomh32.exe File created C:\Windows\SysWOW64\Cbgpnkdm.dll Naaqofgj.exe File created C:\Windows\SysWOW64\Lhffmd32.dll Nhmofj32.exe File created C:\Windows\SysWOW64\Hfhgkmpj.exe Hlbcnd32.exe File opened for modification C:\Windows\SysWOW64\Klpakj32.exe Kefiopki.exe File created C:\Windows\SysWOW64\Qjhbfd32.exe Qbajeg32.exe File created C:\Windows\SysWOW64\Ohcegi32.exe Nnkpnclp.exe File created C:\Windows\SysWOW64\Anqlll32.dll Oldjcg32.exe File opened for modification C:\Windows\SysWOW64\Chnbbqpn.exe Cbdjeg32.exe File created C:\Windows\SysWOW64\Ipihpkkd.exe Ieccbbkn.exe File opened for modification C:\Windows\SysWOW64\Jblmgf32.exe Jlbejloe.exe File opened for modification C:\Windows\SysWOW64\Jgkdbacp.exe Jpaleglc.exe File opened for modification C:\Windows\SysWOW64\Mjpbam32.exe d8715b119994af477aa53a702ed7a700N.exe File opened for modification C:\Windows\SysWOW64\Eiieicml.exe Eclmamod.exe File opened for modification C:\Windows\SysWOW64\Kpcjgnhb.exe Kjjbjd32.exe File created C:\Windows\SysWOW64\Bdlgcp32.dll Ohlqcagj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 13172 4940 WerFault.exe 731 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlqqcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjbhmad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncchae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiqjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeldnpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcihgaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcecjmkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjadje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigaka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmdbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkofga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekqckmfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abponp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffceip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihpkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblmgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmcgcmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekimjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblimcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpajgmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiipmhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnhjcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiogf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodiqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpfqcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmolepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolabf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgihop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkalplel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahmfpap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihagaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccfdmmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkdek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokfja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbqbae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcneeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchlpfjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpfbjlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjmdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpcal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaaccbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdlfhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohbhmfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodnmkap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafmjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidlqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackbmcjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aafemk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmenca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmoijje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpcodihc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfefkkqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlgpod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhaggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeqinf.dll" Dgdncplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camgolnm.dll" Enemaimp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binnimfj.dll" Dmalne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbchdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhldbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpiaimfg.dll" Ibqnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll" Enopghee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll" Fjocbhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipehcj32.dll" Dlghoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobbbd32.dll" Igpdfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lojmcdgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll" Djgdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll" Aabkbono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeofeib.dll" Onnmdcjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbphg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihiic32.dll" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbajeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fealin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Locfbi32.dll" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicakqhn.dll" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" Paiogf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlbejloe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebejfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jncoikmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgeghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgdncplk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnjoi32.dll" Fmhdkknd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njedbjej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll" Fbfkceca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baegibae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll" Djegekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adbofa32.dll" Fjhmbihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgmoc32.dll" Ackbmcjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggikgqe.dll" Njljch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddgplado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkceokii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filclgic.dll" Geaepk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkofga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll" Ocnabm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nabfjpak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmkgk32.dll" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hejqldci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmaciefp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbaclegm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpedeiff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll" Fligqhga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifomll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeifdjo.dll" Fbgbnkfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmaopfjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqphic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Melmcj32.dll" Niooqcad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Popbpqjh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3264 wrote to memory of 4848 3264 d8715b119994af477aa53a702ed7a700N.exe 87 PID 3264 wrote to memory of 4848 3264 d8715b119994af477aa53a702ed7a700N.exe 87 PID 3264 wrote to memory of 4848 3264 d8715b119994af477aa53a702ed7a700N.exe 87 PID 4848 wrote to memory of 2052 4848 Mjpbam32.exe 88 PID 4848 wrote to memory of 2052 4848 Mjpbam32.exe 88 PID 4848 wrote to memory of 2052 4848 Mjpbam32.exe 88 PID 2052 wrote to memory of 4472 2052 Mjbogmdb.exe 89 PID 2052 wrote to memory of 4472 2052 Mjbogmdb.exe 89 PID 2052 wrote to memory of 4472 2052 Mjbogmdb.exe 89 PID 4472 wrote to memory of 4236 4472 Mlbkap32.exe 92 PID 4472 wrote to memory of 4236 4472 Mlbkap32.exe 92 PID 4472 wrote to memory of 4236 4472 Mlbkap32.exe 92 PID 4236 wrote to memory of 2316 4236 Naaqofgj.exe 93 PID 4236 wrote to memory of 2316 4236 Naaqofgj.exe 93 PID 4236 wrote to memory of 2316 4236 Naaqofgj.exe 93 PID 2316 wrote to memory of 2656 2316 Nlfelogp.exe 94 PID 2316 wrote to memory of 2656 2316 Nlfelogp.exe 94 PID 2316 wrote to memory of 2656 2316 Nlfelogp.exe 94 PID 2656 wrote to memory of 3028 2656 Nbqmiinl.exe 96 PID 2656 wrote to memory of 3028 2656 Nbqmiinl.exe 96 PID 2656 wrote to memory of 3028 2656 Nbqmiinl.exe 96 PID 3028 wrote to memory of 4244 3028 Nafjjf32.exe 97 PID 3028 wrote to memory of 4244 3028 Nafjjf32.exe 97 PID 3028 wrote to memory of 4244 3028 Nafjjf32.exe 97 PID 4244 wrote to memory of 1708 4244 Niooqcad.exe 98 PID 4244 wrote to memory of 1708 4244 Niooqcad.exe 98 PID 4244 wrote to memory of 1708 4244 Niooqcad.exe 98 PID 1708 wrote to memory of 3268 1708 Ohghgodi.exe 99 PID 1708 wrote to memory of 3268 1708 Ohghgodi.exe 99 PID 1708 wrote to memory of 3268 1708 Ohghgodi.exe 99 PID 3268 wrote to memory of 1372 3268 Oihagaji.exe 100 PID 3268 wrote to memory of 1372 3268 Oihagaji.exe 100 PID 3268 wrote to memory of 1372 3268 Oihagaji.exe 100 PID 1372 wrote to memory of 2576 1372 Olgncmim.exe 101 PID 1372 wrote to memory of 2576 1372 Olgncmim.exe 101 PID 1372 wrote to memory of 2576 1372 Olgncmim.exe 101 PID 2576 wrote to memory of 3580 2576 Obafpg32.exe 102 PID 2576 wrote to memory of 3580 2576 Obafpg32.exe 102 PID 2576 wrote to memory of 3580 2576 Obafpg32.exe 102 PID 3580 wrote to memory of 1984 3580 Ohnohn32.exe 103 PID 3580 wrote to memory of 1984 3580 Ohnohn32.exe 103 PID 3580 wrote to memory of 1984 3580 Ohnohn32.exe 103 PID 1984 wrote to memory of 3664 1984 Phbhcmjl.exe 104 PID 1984 wrote to memory of 3664 1984 Phbhcmjl.exe 104 PID 1984 wrote to memory of 3664 1984 Phbhcmjl.exe 104 PID 3664 wrote to memory of 2704 3664 Pchlpfjb.exe 105 PID 3664 wrote to memory of 2704 3664 Pchlpfjb.exe 105 PID 3664 wrote to memory of 2704 3664 Pchlpfjb.exe 105 PID 2704 wrote to memory of 3300 2704 Poajkgnc.exe 106 PID 2704 wrote to memory of 3300 2704 Poajkgnc.exe 106 PID 2704 wrote to memory of 3300 2704 Poajkgnc.exe 106 PID 3300 wrote to memory of 4308 3300 Pkhjph32.exe 107 PID 3300 wrote to memory of 4308 3300 Pkhjph32.exe 107 PID 3300 wrote to memory of 4308 3300 Pkhjph32.exe 107 PID 4308 wrote to memory of 4480 4308 Qlggjk32.exe 108 PID 4308 wrote to memory of 4480 4308 Qlggjk32.exe 108 PID 4308 wrote to memory of 4480 4308 Qlggjk32.exe 108 PID 4480 wrote to memory of 1280 4480 Qcaofebg.exe 109 PID 4480 wrote to memory of 1280 4480 Qcaofebg.exe 109 PID 4480 wrote to memory of 1280 4480 Qcaofebg.exe 109 PID 1280 wrote to memory of 1400 1280 Ajpqnneo.exe 110 PID 1280 wrote to memory of 1400 1280 Ajpqnneo.exe 110 PID 1280 wrote to memory of 1400 1280 Ajpqnneo.exe 110 PID 1400 wrote to memory of 4412 1400 Aomifecf.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8715b119994af477aa53a702ed7a700N.exe"C:\Users\Admin\AppData\Local\Temp\d8715b119994af477aa53a702ed7a700N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\Ohghgodi.exeC:\Windows\system32\Ohghgodi.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4412 -
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe24⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Boflmdkk.exeC:\Windows\system32\Boflmdkk.exe26⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3164 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe28⤵
- Executes dropped EXE
PID:4420 -
C:\Windows\SysWOW64\Bckkca32.exeC:\Windows\system32\Bckkca32.exe29⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe30⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe31⤵
- Executes dropped EXE
PID:4832 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe32⤵
- Executes dropped EXE
PID:4040 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe33⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe34⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe35⤵
- Executes dropped EXE
PID:3732 -
C:\Windows\SysWOW64\Dfefkkqp.exeC:\Windows\system32\Dfefkkqp.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3220 -
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe37⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Dmalne32.exeC:\Windows\system32\Dmalne32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4688 -
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe39⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\Dikihe32.exeC:\Windows\system32\Dikihe32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4904 -
C:\Windows\SysWOW64\Djjebh32.exeC:\Windows\system32\Djjebh32.exe42⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Ebejfk32.exeC:\Windows\system32\Ebejfk32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Eiaoid32.exeC:\Windows\system32\Eiaoid32.exe45⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe46⤵
- Executes dropped EXE
PID:3084 -
C:\Windows\SysWOW64\Epndknin.exeC:\Windows\system32\Epndknin.exe47⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe48⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4956 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe50⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4600 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4988 -
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe53⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe54⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe55⤵
- Executes dropped EXE
PID:4732 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe56⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe58⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe59⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe61⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe63⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4500 -
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe66⤵PID:4008
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe67⤵PID:4056
-
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe68⤵PID:760
-
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4636 -
C:\Windows\SysWOW64\Gingkqkd.exeC:\Windows\system32\Gingkqkd.exe70⤵PID:4312
-
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe71⤵PID:3460
-
C:\Windows\SysWOW64\Hpjmnjqn.exeC:\Windows\system32\Hpjmnjqn.exe72⤵PID:1260
-
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4880 -
C:\Windows\SysWOW64\Hibafp32.exeC:\Windows\system32\Hibafp32.exe74⤵PID:3104
-
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe75⤵PID:112
-
C:\Windows\SysWOW64\Hienlpel.exeC:\Windows\system32\Hienlpel.exe76⤵PID:3684
-
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe77⤵PID:4632
-
C:\Windows\SysWOW64\Hcmbee32.exeC:\Windows\system32\Hcmbee32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4080 -
C:\Windows\SysWOW64\Hmbfbn32.exeC:\Windows\system32\Hmbfbn32.exe79⤵PID:3952
-
C:\Windows\SysWOW64\Hgkkkcbc.exeC:\Windows\system32\Hgkkkcbc.exe80⤵PID:1836
-
C:\Windows\SysWOW64\Hpcodihc.exeC:\Windows\system32\Hpcodihc.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:456 -
C:\Windows\SysWOW64\Iljpij32.exeC:\Windows\system32\Iljpij32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1516 -
C:\Windows\SysWOW64\Igpdfb32.exeC:\Windows\system32\Igpdfb32.exe83⤵
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe84⤵PID:1584
-
C:\Windows\SysWOW64\Iphioh32.exeC:\Windows\system32\Iphioh32.exe85⤵PID:4804
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Ilafiihp.exeC:\Windows\system32\Ilafiihp.exe88⤵PID:5176
-
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe89⤵PID:5224
-
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe90⤵PID:5268
-
C:\Windows\SysWOW64\Igigla32.exeC:\Windows\system32\Igigla32.exe91⤵PID:5312
-
C:\Windows\SysWOW64\Jncoikmp.exeC:\Windows\system32\Jncoikmp.exe92⤵
- Modifies registry class
PID:5356 -
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe93⤵
- Drops file in System32 directory
PID:5400 -
C:\Windows\SysWOW64\Jgkdbacp.exeC:\Windows\system32\Jgkdbacp.exe94⤵PID:5444
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe95⤵PID:5488
-
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe96⤵
- System Location Discovery: System Language Discovery
PID:5536 -
C:\Windows\SysWOW64\Jgnqgqan.exeC:\Windows\system32\Jgnqgqan.exe97⤵PID:5580
-
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe98⤵PID:5624
-
C:\Windows\SysWOW64\Jcdala32.exeC:\Windows\system32\Jcdala32.exe99⤵PID:5668
-
C:\Windows\SysWOW64\Jqhafffk.exeC:\Windows\system32\Jqhafffk.exe100⤵PID:5712
-
C:\Windows\SysWOW64\Jgbjbp32.exeC:\Windows\system32\Jgbjbp32.exe101⤵PID:5756
-
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe102⤵PID:5800
-
C:\Windows\SysWOW64\Jqknkedi.exeC:\Windows\system32\Jqknkedi.exe103⤵PID:5844
-
C:\Windows\SysWOW64\Jgeghp32.exeC:\Windows\system32\Jgeghp32.exe104⤵
- Modifies registry class
PID:5888 -
C:\Windows\SysWOW64\Kjccdkki.exeC:\Windows\system32\Kjccdkki.exe105⤵
- Drops file in System32 directory
PID:5932 -
C:\Windows\SysWOW64\Kmaopfjm.exeC:\Windows\system32\Kmaopfjm.exe106⤵
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Kclgmq32.exeC:\Windows\system32\Kclgmq32.exe107⤵PID:6028
-
C:\Windows\SysWOW64\Kqphfe32.exeC:\Windows\system32\Kqphfe32.exe108⤵PID:6088
-
C:\Windows\SysWOW64\Kkeldnpi.exeC:\Windows\system32\Kkeldnpi.exe109⤵
- System Location Discovery: System Language Discovery
PID:3940 -
C:\Windows\SysWOW64\Kqbdldnq.exeC:\Windows\system32\Kqbdldnq.exe110⤵PID:5172
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe111⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Kqdaadln.exeC:\Windows\system32\Kqdaadln.exe112⤵PID:5304
-
C:\Windows\SysWOW64\Kkjeomld.exeC:\Windows\system32\Kkjeomld.exe113⤵PID:5384
-
C:\Windows\SysWOW64\Knhakh32.exeC:\Windows\system32\Knhakh32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5452 -
C:\Windows\SysWOW64\Kdbjhbbd.exeC:\Windows\system32\Kdbjhbbd.exe115⤵PID:5524
-
C:\Windows\SysWOW64\Lmmolepp.exeC:\Windows\system32\Lmmolepp.exe116⤵
- System Location Discovery: System Language Discovery
PID:5592 -
C:\Windows\SysWOW64\Lddgmbpb.exeC:\Windows\system32\Lddgmbpb.exe117⤵PID:5656
-
C:\Windows\SysWOW64\Lnmkfh32.exeC:\Windows\system32\Lnmkfh32.exe118⤵PID:5724
-
C:\Windows\SysWOW64\Lqkgbcff.exeC:\Windows\system32\Lqkgbcff.exe119⤵PID:5796
-
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe120⤵
- System Location Discovery: System Language Discovery
PID:5872 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe121⤵PID:5940
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-