Analysis
- max time kernel: 145s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 29-08-2024 01:03

Static task
- static1

Behavioral task
- behavioral1
  - Sample: 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe
  - Resource: win7-20240708-en

Behavioral task
- behavioral2
  - Sample: 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe
  - Resource: win10v2004-20240802-en

General
- Target: 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe
- Size: 461KB
- MD5: b32d90ba22553cfa0537e760b0d1dde0
- SHA1: 26aa46fa04886c2d4a107530e412cd8e3eff227c
- SHA256: 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949
- SHA512: 0e7d711ccc1dcce93f75e94d29a33a11940544445010201b26292212c824ae96937102c551b87c7586e930a82a5dce1dae94c35b6a9f7aaec11816fd962bcf0c
- SSDEEP: 6144:/E5laGD8NQDVi3ULUgNQPi3UPUgNQViEUjUgN:GYiUJ
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

  Every write lands in the WOW64-redirected ShellServiceObjectDelayLoad (SSODL) key, so the sample runs as a 32-bit process. explorer.exe instantiates each CLSID listed under SSODL when the shell starts, so the value "Web Event Logger" = {79FEACFF-FFCE-815E-A900-316290B5B738} is the persistence hook; the "Modifies registry class" signature further down is where that same CLSID's InProcServer32 is pointed at the dropped DLLs. All 64 rows use one key path, abbreviated below:

  SSODL = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  "Set value (str)" rows all set SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

  description | ioc | Process
  Key created | SSODL | Aiaoclgl.exe
  Key created | SSODL | Akpkmo32.exe
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Cohkpj32.exe
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Pdmnam32.exe
  Set value (str) | SSODL\Web Event Logger | Ckmnbg32.exe
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Hndlem32.exe
  Key created | SSODL | Gqdefddb.exe
  Set value (str) | SSODL\Web Event Logger | Iimfld32.exe
  Set value (str) | SSODL\Web Event Logger | Mhonngce.exe
  Set value (str) | SSODL\Web Event Logger | Imgnjb32.exe
  Key created | SSODL | Oaogognm.exe
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Key created | SSODL | Process not Found
  Key created | SSODL | Process not Found
  Key created | SSODL | Process not Found
  Key created | SSODL | Process not Found
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Key created | SSODL | Ddiibc32.exe
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Key created | SSODL | Process not Found
  Key created | SSODL | Process not Found
  Key created | SSODL | Agdmdg32.exe
  Key created | SSODL | Process not Found
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Cfcijf32.exe
  Key created | SSODL | Kofcbl32.exe
  Set value (str) | SSODL\Web Event Logger | Cidddj32.exe
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Fpjofl32.exe
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Key created | SSODL | Bnihdemo.exe
  Set value (str) | SSODL\Web Event Logger | Kekiphge.exe
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Bcmfmlen.exe
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Ajjfkh32.exe
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Jhlmmfef.exe
  Key created | SSODL | Process not Found
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Jdaqmg32.exe
  Key created | SSODL | Aakjdo32.exe
  Key created | SSODL | Gfnjne32.exe
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Process not Found
  Set value (str) | SSODL\Web Event Logger | Mjkndb32.exe
  Key created | SSODL | Mfmndn32.exe
  Set value (str) | SSODL\Web Event Logger | Elcpbigl.exe
  Key created | SSODL | Dpnladjl.exe
  Key created | SSODL | Process not Found
  Set value (str) | SSODL\Web Event Logger | Foojop32.exe
- Executes dropped EXE (64 IoCs)

  pid | Process
  2532 | Lnlnlc32.exe
  2940 | Mbhjlbbh.exe
  2760 | Mmakmp32.exe
  2908 | Mhgoji32.exe
  2648 | Mfjoeeeh.exe
  2780 | Mdbiji32.exe
  2684 | Medeaaej.exe
  1620 | Nhdocl32.exe
  2008 | Noogpfjh.exe
  2872 | Nocpkf32.exe
  1892 | Nemhhpmp.exe
  376 | Opifnm32.exe
  2284 | Ommfga32.exe
  2592 | Opplolac.exe
  2180 | Oihqgbhd.exe
  2340 | Peanbblf.exe
  936 | Pgckjk32.exe
  1664 | Phbgcnig.exe
  1652 | Pggdejno.exe
  336 | Pjfpafmb.exe
  2464 | Qqbecp32.exe
  1776 | Afajafoa.exe
  896 | Aipfmane.exe
  1916 | Abhkfg32.exe
  2412 | Aollokco.exe
  2260 | Abmdafpp.exe
  2912 | Aekqmbod.exe
  2964 | Agjmim32.exe
  2804 | Ajjfkh32.exe
  1956 | Bgnfdm32.exe
  1732 | Bjmbqhif.exe
  2808 | Baigca32.exe
  1112 | Bcgdom32.exe
  1476 | Bbonei32.exe
  2508 | Cemjae32.exe
  1280 | Clgbno32.exe
  2572 | Cljodo32.exe
  2460 | Cohkpj32.exe
  2944 | Cafgle32.exe
  2596 | Ckolek32.exe
  768 | Cmmhaf32.exe
  836 | Cdgpnqpo.exe
  1104 | Ckahkk32.exe
  2056 | Comdkipe.exe
  276 | Cmbalfem.exe
  2576 | Dpqnhadq.exe
  2444 | Ddliip32.exe
  2264 | Dbojdmcd.exe
  112 | Diibag32.exe
  2796 | Dpcjnabn.exe
  2516 | Dbafjlaa.exe
  2764 | Dgmbkk32.exe
  2924 | Dohgomgf.exe
  2644 | Dhplhc32.exe
  1992 | Dojddmec.exe
  2724 | Dedlag32.exe
  1248 | Dlndnacm.exe
  2840 | Ddiibc32.exe
  1792 | Elqaca32.exe
  2424 | Eoompl32.exe
  1752 | Enbnkigh.exe
  1908 | Edlfhc32.exe
  844 | Ehgbhbgn.exe
  1940 | Eoajel32.exe
- Loads dropped DLL (64 IoCs)

  The report lists every pid twice; the "rows" column carries that count.

  pid | Process | rows
  3016 | 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe | 2
  2532 | Lnlnlc32.exe | 2
  2940 | Mbhjlbbh.exe | 2
  2760 | Mmakmp32.exe | 2
  2908 | Mhgoji32.exe | 2
  2648 | Mfjoeeeh.exe | 2
  2780 | Mdbiji32.exe | 2
  2684 | Medeaaej.exe | 2
  1620 | Nhdocl32.exe | 2
  2008 | Noogpfjh.exe | 2
  2872 | Nocpkf32.exe | 2
  1892 | Nemhhpmp.exe | 2
  376 | Opifnm32.exe | 2
  2284 | Ommfga32.exe | 2
  2592 | Opplolac.exe | 2
  2180 | Oihqgbhd.exe | 2
  2340 | Peanbblf.exe | 2
  936 | Pgckjk32.exe | 2
  1664 | Phbgcnig.exe | 2
  1652 | Pggdejno.exe | 2
  336 | Pjfpafmb.exe | 2
  2464 | Qqbecp32.exe | 2
  1776 | Afajafoa.exe | 2
  896 | Aipfmane.exe | 2
  1916 | Abhkfg32.exe | 2
  2412 | Aollokco.exe | 2
  2260 | Abmdafpp.exe | 2
  2912 | Aekqmbod.exe | 2
  2964 | Agjmim32.exe | 2
  2804 | Ajjfkh32.exe | 2
  1956 | Bgnfdm32.exe | 2
  1732 | Bjmbqhif.exe | 2
- Drops file in System32 directory (64 IoCs)

  Every path is under C:\Windows\SysWOW64, the 32-bit system directory a 32-bit process sees as System32 under WOW64 file-system redirection.

  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\Bkklhjnk.exe | Bimoloog.exe
  File created | C:\Windows\SysWOW64\Qppkfhlc.exe | Pleofj32.exe
  File opened for modification | C:\Windows\SysWOW64\Nohaklfk.exe | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Pdmnam32.exe | Pejmfqan.exe
  File opened for modification | C:\Windows\SysWOW64\Gfejjgli.exe | Gcgnnlle.exe
  File created | C:\Windows\SysWOW64\Oiflajhd.dll | Process not Found
  File created | C:\Windows\SysWOW64\Hiepfnbn.dll | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Jkopndcb.exe | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Nbmaon32.exe | Njfjnpgp.exe
  File created | C:\Windows\SysWOW64\Hefnockl.dll | Process not Found
  File created | C:\Windows\SysWOW64\Jokqnhpa.exe | Jhahanie.exe
  File created | C:\Windows\SysWOW64\Eeebpcpj.dll | Ppkjac32.exe
  File opened for modification | C:\Windows\SysWOW64\Emaijk32.exe | Ejcmmp32.exe
  File created | C:\Windows\SysWOW64\Fkcilc32.exe | Fdiqpigl.exe
  File created | C:\Windows\SysWOW64\Ijcngenj.exe | Process not Found
  File created | C:\Windows\SysWOW64\Ngoleb32.exe | Process not Found
  File created | C:\Windows\SysWOW64\Ainmlomf.exe | Process not Found
  File created | C:\Windows\SysWOW64\Ibfaopoi.exe | Idcacc32.exe
  File created | C:\Windows\SysWOW64\Nnoiio32.exe | Ngealejo.exe
  File opened for modification | C:\Windows\SysWOW64\Makkcc32.exe | Process not Found
  File created | C:\Windows\SysWOW64\Djpjjl32.dll | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Fnadkjlc.exe | Process not Found
  File created | C:\Windows\SysWOW64\Inbnhihl.exe | Imaapa32.exe
  File created | C:\Windows\SysWOW64\Dbhbaq32.dll | Afliclij.exe
  File created | C:\Windows\SysWOW64\Fpbnjjkm.exe | Faonom32.exe
  File created | C:\Windows\SysWOW64\Apilcoho.exe | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Mhgoji32.exe | Mmakmp32.exe
  File opened for modification | C:\Windows\SysWOW64\Fmegncpp.exe | Ffkoai32.exe
  File opened for modification | C:\Windows\SysWOW64\Cgfkmgnj.exe | Ccjoli32.exe
  File created | C:\Windows\SysWOW64\Aeoijidl.exe | Qmhahkdj.exe
  File created | C:\Windows\SysWOW64\Pndalkgf.exe | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Ligfakaa.exe | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Fbdlkj32.exe | Fnipkkdl.exe
  File opened for modification | C:\Windows\SysWOW64\Gjbmelgm.exe | Ggcaiqhj.exe
  File created | C:\Windows\SysWOW64\Cihifg32.dll | Ihglhp32.exe
  File opened for modification | C:\Windows\SysWOW64\Pleofj32.exe | Pifbjn32.exe
  File created | C:\Windows\SysWOW64\Chpenm32.dll | Hfepod32.exe
  File created | C:\Windows\SysWOW64\Joidhh32.exe | Jhoklnkg.exe
  File created | C:\Windows\SysWOW64\Comdkipe.exe | Ckahkk32.exe
  File created | C:\Windows\SysWOW64\Fllmhajo.dll | Ohfqmi32.exe
  File created | C:\Windows\SysWOW64\Mfmndn32.exe | Mobfgdcl.exe
  File created | C:\Windows\SysWOW64\Olqhfa32.dll | Process not Found
  File created | C:\Windows\SysWOW64\Gpccle32.dll | Process not Found
  File created | C:\Windows\SysWOW64\Mmjomogn.exe | Process not Found
  File created | C:\Windows\SysWOW64\Kdhdfgep.dll | Jieaofmp.exe
  File created | C:\Windows\SysWOW64\Kcnhjgln.dll | Process not Found
  File created | C:\Windows\SysWOW64\Kmjgaeke.dll | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Ogohdeam.exe | Process not Found
  File created | C:\Windows\SysWOW64\Ojbapc32.dll | Phbgcnig.exe
  File created | C:\Windows\SysWOW64\Biliep32.dll | Cmbalfem.exe
  File created | C:\Windows\SysWOW64\Hpkompgg.exe | Hnjbeh32.exe
  File created | C:\Windows\SysWOW64\Jjmeignj.dll | Adnpkjde.exe
  File created | C:\Windows\SysWOW64\Agflga32.dll | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Maiqfl32.exe | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Cbkgog32.exe | Process not Found
  File created | C:\Windows\SysWOW64\Ekjgpm32.exe | Egokonjc.exe
  File created | C:\Windows\SysWOW64\Mhhigm32.dll | Bammlq32.exe
  File opened for modification | C:\Windows\SysWOW64\Phqmgg32.exe | Pafdjmkq.exe
  File created | C:\Windows\SysWOW64\Nijjkf32.dll | Oioipf32.exe
  File created | C:\Windows\SysWOW64\Qnqjkh32.exe | Process not Found
  File created | C:\Windows\SysWOW64\Ibkhgp32.dll | Process not Found
  File opened for modification | C:\Windows\SysWOW64\Fncpef32.exe | Fjhcegll.exe
  File created | C:\Windows\SysWOW64\Eoobfoke.dll | Adlcfjgh.exe
  File created | C:\Windows\SysWOW64\Akdafn32.exe | Process not Found
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

  Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  All 64 rows are "Key opened" on the same key:
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

  Process column, in report order:
  Cidddj32.exe, Accqnc32.exe, Process not Found, Ibhndp32.exe, Abegfa32.exe, Ldbofgme.exe, Oekjjl32.exe, Bgllgedi.exe,
  Cjakccop.exe, Process not Found, Process not Found, Ggfnopfg.exe, Kgkleabc.exe, Elajgpmj.exe, Jliaac32.exe, Gnnlocgk.exe,
  Emdeok32.exe, Process not Found, Process not Found, Egmojnlf.exe, Process not Found, Process not Found, Process not Found, Hokhbj32.exe,
  Hgkfal32.exe, Edfbaabj.exe, Allefimb.exe, Lgkkmm32.exe, Process not Found, Process not Found, Hidcef32.exe, Dkqnoh32.exe,
  Process not Found, Hlccdboi.exe, Process not Found, Process not Found, Pfnmmn32.exe, Process not Found, Baojapfj.exe, Jbpfnh32.exe,
  Process not Found, Njfjnpgp.exe, Ncnngfna.exe, Feddombd.exe, Process not Found, Fmkilb32.exe, Feiddbbj.exe, Bhkeohhn.exe,
  Mnomjl32.exe, Fpoolael.exe, Process not Found, Mnbpjb32.exe, Process not Found, Process not Found, Nlnpgd32.exe, Njgpij32.exe,
  Process not Found, Process not Found, Hfhcoj32.exe, Piabdiep.exe, Dddimn32.exe, Gbohehoj.exe, Process not Found, Process not Found
- Modifies registry class (64 IoCs)

  All 64 rows touch the InProcServer32 subkey of the same CLSID that the SSODL signature registers, in the Wow6432Node view of HKLM\SOFTWARE\Classes. The "(Default)" rows (shown on the page as "InProcServer32\ =") are the in-process server path, i.e. the DLL explorer.exe loads for that CLSID; each generation of the chain rewrites it to a different DLL under SysWow64, so whichever path is current at the next logon is the one that runs. Abbreviations:

  IPS = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32

  description | ioc | Process
  Key created | IPS | Oefjdgjk.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Key created | IPS | Process not Found
  Key created | IPS | Mkdffoij.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Key created | IPS | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Ildnklen.dll" | Filgbdfd.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Pcbncfjd.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Ekkjheja.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Pipfnehe.dll" | Process not Found
  Key created | IPS | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Cbamip32.dll" | Process not Found
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Hfdoodan.dll" | Jfofol32.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Qkdhopfa.dll" | Jondnnbk.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Glcgij32.dll" | Ejcmmp32.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Kpicle32.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Kddomchg.exe
  Key created | IPS | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Kllnhg32.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Ccgibpac.dll" | Lokgcf32.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Kfmmfimm.dll" | Fnacpffh.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Loqmba32.exe
  Key created | IPS | Process not Found
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Hjhlmfio.dll" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Fffefjmi.exe
  Key created | IPS | Mfihkoal.exe
  Key created | IPS | Aobnniji.exe
  Key created | IPS | Process not Found
  Key created | IPS | Bknjfb32.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Key created | IPS | Lfpeeqig.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Gegfanil.dll" | Fdiogq32.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Acfgdc32.dll" | Bfabnl32.exe
  Key created | IPS | Process not Found
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Mfjkbmim.dll" | Process not Found
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Lppjddce.dll" | Ehgbhbgn.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Ahbakd32.dll" | Nbniid32.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Nlkaaf32.dll" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Cmmcpi32.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Ikeaokpb.dll" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Gegabegc.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Hcdnhoac.exe
  Key created | IPS | Bgoime32.exe
  Key created | IPS | Dpklkgoj.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Process not Found
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Gcmfdqgf.dll" | Process not Found
  Set value (str) | IPS\ThreadingModel = "Apartment" | Hldlga32.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Jhjikp32.dll" | Lncfcgeb.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Ngdjaofc.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Bodmepdn.dll" | Akcomepg.exe
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Jlnfak32.dll" | Lanbdf32.exe
  Key created | IPS | Process not Found
  Key created | IPS | Process not Found
  Set value (str) | IPS\(Default) = "C:\Windows\SysWow64\Djiiddfd.dll" | Process not Found
  Key created | IPS | Cicalakk.exe
  Set value (str) | IPS\ThreadingModel = "Apartment" | Eacljf32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3016 wrote to memory of 2532 | 3016 | 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe | 30
PID 3016 wrote to memory of 2532 | 3016 | 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe | 30
PID 3016 wrote to memory of 2532 | 3016 | 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe | 30
PID 3016 wrote to memory of 2532 | 3016 | 091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe | 30
PID 2532 wrote to memory of 2940 | 2532 | Lnlnlc32.exe | 31
PID 2532 wrote to memory of 2940 | 2532 | Lnlnlc32.exe | 31
PID 2532 wrote to memory of 2940 | 2532 | Lnlnlc32.exe | 31
PID 2532 wrote to memory of 2940 | 2532 | Lnlnlc32.exe | 31
PID 2940 wrote to memory of 2760 | 2940 | Mbhjlbbh.exe | 32
PID 2940 wrote to memory of 2760 | 2940 | Mbhjlbbh.exe | 32
PID 2940 wrote to memory of 2760 | 2940 | Mbhjlbbh.exe | 32
PID 2940 wrote to memory of 2760 | 2940 | Mbhjlbbh.exe | 32
PID 2760 wrote to memory of 2908 | 2760 | Mmakmp32.exe | 33
PID 2760 wrote to memory of 2908 | 2760 | Mmakmp32.exe | 33
PID 2760 wrote to memory of 2908 | 2760 | Mmakmp32.exe | 33
PID 2760 wrote to memory of 2908 | 2760 | Mmakmp32.exe | 33
PID 2908 wrote to memory of 2648 | 2908 | Mhgoji32.exe | 34
PID 2908 wrote to memory of 2648 | 2908 | Mhgoji32.exe | 34
PID 2908 wrote to memory of 2648 | 2908 | Mhgoji32.exe | 34
PID 2908 wrote to memory of 2648 | 2908 | Mhgoji32.exe | 34
PID 2648 wrote to memory of 2780 | 2648 | Mfjoeeeh.exe | 35
PID 2648 wrote to memory of 2780 | 2648 | Mfjoeeeh.exe | 35
PID 2648 wrote to memory of 2780 | 2648 | Mfjoeeeh.exe | 35
PID 2648 wrote to memory of 2780 | 2648 | Mfjoeeeh.exe | 35
PID 2780 wrote to memory of 2684 | 2780 | Mdbiji32.exe | 36
PID 2780 wrote to memory of 2684 | 2780 | Mdbiji32.exe | 36
PID 2780 wrote to memory of 2684 | 2780 | Mdbiji32.exe | 36
PID 2780 wrote to memory of 2684 | 2780 | Mdbiji32.exe | 36
PID 2684 wrote to memory of 1620 | 2684 | Medeaaej.exe | 37
PID 2684 wrote to memory of 1620 | 2684 | Medeaaej.exe | 37
PID 2684 wrote to memory of 1620 | 2684 | Medeaaej.exe | 37
PID 2684 wrote to memory of 1620 | 2684 | Medeaaej.exe | 37
PID 1620 wrote to memory of 2008 | 1620 | Nhdocl32.exe | 38
PID 1620 wrote to memory of 2008 | 1620 | Nhdocl32.exe | 38
PID 1620 wrote to memory of 2008 | 1620 | Nhdocl32.exe | 38
PID 1620 wrote to memory of 2008 | 1620 | Nhdocl32.exe | 38
PID 2008 wrote to memory of 2872 | 2008 | Noogpfjh.exe | 39
PID 2008 wrote to memory of 2872 | 2008 | Noogpfjh.exe | 39
PID 2008 wrote to memory of 2872 | 2008 | Noogpfjh.exe | 39
PID 2008 wrote to memory of 2872 | 2008 | Noogpfjh.exe | 39
PID 2872 wrote to memory of 1892 | 2872 | Nocpkf32.exe | 40
PID 2872 wrote to memory of 1892 | 2872 | Nocpkf32.exe | 40
PID 2872 wrote to memory of 1892 | 2872 | Nocpkf32.exe | 40
PID 2872 wrote to memory of 1892 | 2872 | Nocpkf32.exe | 40
PID 1892 wrote to memory of 376 | 1892 | Nemhhpmp.exe | 41
PID 1892 wrote to memory of 376 | 1892 | Nemhhpmp.exe | 41
PID 1892 wrote to memory of 376 | 1892 | Nemhhpmp.exe | 41
PID 1892 wrote to memory of 376 | 1892 | Nemhhpmp.exe | 41
PID 376 wrote to memory of 2284 | 376 | Opifnm32.exe | 42
PID 376 wrote to memory of 2284 | 376 | Opifnm32.exe | 42
PID 376 wrote to memory of 2284 | 376 | Opifnm32.exe | 42
PID 376 wrote to memory of 2284 | 376 | Opifnm32.exe | 42
PID 2284 wrote to memory of 2592 | 2284 | Ommfga32.exe | 43
PID 2284 wrote to memory of 2592 | 2284 | Ommfga32.exe | 43
PID 2284 wrote to memory of 2592 | 2284 | Ommfga32.exe | 43
PID 2284 wrote to memory of 2592 | 2284 | Ommfga32.exe | 43
PID 2592 wrote to memory of 2180 | 2592 | Opplolac.exe | 44
PID 2592 wrote to memory of 2180 | 2592 | Opplolac.exe | 44
PID 2592 wrote to memory of 2180 | 2592 | Opplolac.exe | 44
PID 2592 wrote to memory of 2180 | 2592 | Opplolac.exe | 44
PID 2180 wrote to memory of 2340 | 2180 | Oihqgbhd.exe | 45
PID 2180 wrote to memory of 2340 | 2180 | Oihqgbhd.exe | 45
PID 2180 wrote to memory of 2340 | 2180 | Oihqgbhd.exe | 45
PID 2180 wrote to memory of 2340 | 2180 | Oihqgbhd.exe | 45
Processes

1. C:\Users\Admin\AppData\Local\Temp\091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\091c813ff42443a6e87ba6778c636302021612b88fa5b2f59d33e3e11e6d1949.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016

2. C:\Windows\SysWOW64\Lnlnlc32.exe  (command line: C:\Windows\system32\Lnlnlc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532

3. C:\Windows\SysWOW64\Mbhjlbbh.exe  (command line: C:\Windows\system32\Mbhjlbbh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940

4. C:\Windows\SysWOW64\Mmakmp32.exe  (command line: C:\Windows\system32\Mmakmp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760

5. C:\Windows\SysWOW64\Mhgoji32.exe  (command line: C:\Windows\system32\Mhgoji32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908

6. C:\Windows\SysWOW64\Mfjoeeeh.exe  (command line: C:\Windows\system32\Mfjoeeeh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648

7. C:\Windows\SysWOW64\Mdbiji32.exe  (command line: C:\Windows\system32\Mdbiji32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780

8. C:\Windows\SysWOW64\Medeaaej.exe  (command line: C:\Windows\system32\Medeaaej.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684

9. C:\Windows\SysWOW64\Nhdocl32.exe  (command line: C:\Windows\system32\Nhdocl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620

10. C:\Windows\SysWOW64\Noogpfjh.exe  (command line: C:\Windows\system32\Noogpfjh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

11. C:\Windows\SysWOW64\Nocpkf32.exe  (command line: C:\Windows\system32\Nocpkf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872

12. C:\Windows\SysWOW64\Nemhhpmp.exe  (command line: C:\Windows\system32\Nemhhpmp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892

13. C:\Windows\SysWOW64\Opifnm32.exe  (command line: C:\Windows\system32\Opifnm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:376

14. C:\Windows\SysWOW64\Ommfga32.exe  (command line: C:\Windows\system32\Ommfga32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284

15. C:\Windows\SysWOW64\Opplolac.exe  (command line: C:\Windows\system32\Opplolac.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592

16. C:\Windows\SysWOW64\Oihqgbhd.exe  (command line: C:\Windows\system32\Oihqgbhd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
17. C:\Windows\SysWOW64\Peanbblf.exe  (command line: C:\Windows\system32\Peanbblf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2340

18. C:\Windows\SysWOW64\Pgckjk32.exe  (command line: C:\Windows\system32\Pgckjk32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:936

19. C:\Windows\SysWOW64\Phbgcnig.exe  (command line: C:\Windows\system32\Phbgcnig.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1664

20. C:\Windows\SysWOW64\Pggdejno.exe  (command line: C:\Windows\system32\Pggdejno.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1652

21. C:\Windows\SysWOW64\Pjfpafmb.exe  (command line: C:\Windows\system32\Pjfpafmb.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:336

22. C:\Windows\SysWOW64\Qqbecp32.exe  (command line: C:\Windows\system32\Qqbecp32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2464

23. C:\Windows\SysWOW64\Afajafoa.exe  (command line: C:\Windows\system32\Afajafoa.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1776

24. C:\Windows\SysWOW64\Aipfmane.exe  (command line: C:\Windows\system32\Aipfmane.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:896

25. C:\Windows\SysWOW64\Abhkfg32.exe  (command line: C:\Windows\system32\Abhkfg32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1916

26. C:\Windows\SysWOW64\Aollokco.exe  (command line: C:\Windows\system32\Aollokco.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2412

27. C:\Windows\SysWOW64\Abmdafpp.exe  (command line: C:\Windows\system32\Abmdafpp.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2260

28. C:\Windows\SysWOW64\Aekqmbod.exe  (command line: C:\Windows\system32\Aekqmbod.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2912

29. C:\Windows\SysWOW64\Agjmim32.exe  (command line: C:\Windows\system32\Agjmim32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2964

30. C:\Windows\SysWOW64\Ajjfkh32.exe  (command line: C:\Windows\system32\Ajjfkh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2804

31. C:\Windows\SysWOW64\Bgnfdm32.exe  (command line: C:\Windows\system32\Bgnfdm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1956

32. C:\Windows\SysWOW64\Bjmbqhif.exe  (command line: C:\Windows\system32\Bjmbqhif.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1732

33. C:\Windows\SysWOW64\Baigca32.exe  (command line: C:\Windows\system32\Baigca32.exe)
- Executes dropped EXE
PID:2808

34. C:\Windows\SysWOW64\Bcgdom32.exe  (command line: C:\Windows\system32\Bcgdom32.exe)
- Executes dropped EXE
PID:1112

35. C:\Windows\SysWOW64\Bbonei32.exe  (command line: C:\Windows\system32\Bbonei32.exe)
- Executes dropped EXE
PID:1476

36. C:\Windows\SysWOW64\Cemjae32.exe  (command line: C:\Windows\system32\Cemjae32.exe)
- Executes dropped EXE
PID:2508

37. C:\Windows\SysWOW64\Clgbno32.exe  (command line: C:\Windows\system32\Clgbno32.exe)
- Executes dropped EXE
PID:1280

38. C:\Windows\SysWOW64\Cljodo32.exe  (command line: C:\Windows\system32\Cljodo32.exe)
- Executes dropped EXE
PID:2572

39. C:\Windows\SysWOW64\Cohkpj32.exe  (command line: C:\Windows\system32\Cohkpj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2460

40. C:\Windows\SysWOW64\Cafgle32.exe  (command line: C:\Windows\system32\Cafgle32.exe)
- Executes dropped EXE
PID:2944

41. C:\Windows\SysWOW64\Ckolek32.exe  (command line: C:\Windows\system32\Ckolek32.exe)
- Executes dropped EXE
PID:2596

42. C:\Windows\SysWOW64\Cmmhaf32.exe  (command line: C:\Windows\system32\Cmmhaf32.exe)
- Executes dropped EXE
PID:768
43. C:\Windows\SysWOW64\Cdgpnqpo.exe  (command line: C:\Windows\system32\Cdgpnqpo.exe)
- Executes dropped EXE
PID:836

44. C:\Windows\SysWOW64\Ckahkk32.exe  (command line: C:\Windows\system32\Ckahkk32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1104

45. C:\Windows\SysWOW64\Comdkipe.exe  (command line: C:\Windows\system32\Comdkipe.exe)
- Executes dropped EXE
PID:2056

46. C:\Windows\SysWOW64\Cmbalfem.exe  (command line: C:\Windows\system32\Cmbalfem.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:276

47. C:\Windows\SysWOW64\Dpqnhadq.exe  (command line: C:\Windows\system32\Dpqnhadq.exe)
- Executes dropped EXE
PID:2576

48. C:\Windows\SysWOW64\Ddliip32.exe  (command line: C:\Windows\system32\Ddliip32.exe)
- Executes dropped EXE
PID:2444

49. C:\Windows\SysWOW64\Dbojdmcd.exe  (command line: C:\Windows\system32\Dbojdmcd.exe)
- Executes dropped EXE
PID:2264

50. C:\Windows\SysWOW64\Diibag32.exe  (command line: C:\Windows\system32\Diibag32.exe)
- Executes dropped EXE
PID:112

51. C:\Windows\SysWOW64\Dpcjnabn.exe  (command line: C:\Windows\system32\Dpcjnabn.exe)
- Executes dropped EXE
PID:2796

52. C:\Windows\SysWOW64\Dbafjlaa.exe  (command line: C:\Windows\system32\Dbafjlaa.exe)
- Executes dropped EXE
PID:2516

53. C:\Windows\SysWOW64\Dgmbkk32.exe  (command line: C:\Windows\system32\Dgmbkk32.exe)
- Executes dropped EXE
PID:2764

54. C:\Windows\SysWOW64\Dohgomgf.exe  (command line: C:\Windows\system32\Dohgomgf.exe)
- Executes dropped EXE
PID:2924

55. C:\Windows\SysWOW64\Dhplhc32.exe  (command line: C:\Windows\system32\Dhplhc32.exe)
- Executes dropped EXE
PID:2644

56. C:\Windows\SysWOW64\Dojddmec.exe  (command line: C:\Windows\system32\Dojddmec.exe)
- Executes dropped EXE
PID:1992

57. C:\Windows\SysWOW64\Dedlag32.exe  (command line: C:\Windows\system32\Dedlag32.exe)
- Executes dropped EXE
PID:2724

58. C:\Windows\SysWOW64\Dlndnacm.exe  (command line: C:\Windows\system32\Dlndnacm.exe)
- Executes dropped EXE
PID:1248

59. C:\Windows\SysWOW64\Ddiibc32.exe  (command line: C:\Windows\system32\Ddiibc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840

60. C:\Windows\SysWOW64\Elqaca32.exe  (command line: C:\Windows\system32\Elqaca32.exe)
- Executes dropped EXE
PID:1792

61. C:\Windows\SysWOW64\Eoompl32.exe  (command line: C:\Windows\system32\Eoompl32.exe)
- Executes dropped EXE
PID:2424

62. C:\Windows\SysWOW64\Enbnkigh.exe  (command line: C:\Windows\system32\Enbnkigh.exe)
- Executes dropped EXE
PID:1752

63. C:\Windows\SysWOW64\Edlfhc32.exe  (command line: C:\Windows\system32\Edlfhc32.exe)
- Executes dropped EXE
PID:1908

64. C:\Windows\SysWOW64\Ehgbhbgn.exe  (command line: C:\Windows\system32\Ehgbhbgn.exe)
- Executes dropped EXE
- Modifies registry class
PID:844

65. C:\Windows\SysWOW64\Eoajel32.exe  (command line: C:\Windows\system32\Eoajel32.exe)
- Executes dropped EXE
PID:1940

66. C:\Windows\SysWOW64\Eapfagno.exe  (command line: C:\Windows\system32\Eapfagno.exe)
PID:1400

67. C:\Windows\SysWOW64\Ehjona32.exe  (command line: C:\Windows\system32\Ehjona32.exe)
PID:968

68. C:\Windows\SysWOW64\Egmojnlf.exe  (command line: C:\Windows\system32\Egmojnlf.exe)
- System Location Discovery: System Language Discovery
PID:1656

69. C:\Windows\SysWOW64\Enfgfh32.exe  (command line: C:\Windows\system32\Enfgfh32.exe)
PID:2108

70. C:\Windows\SysWOW64\Epecbd32.exe  (command line: C:\Windows\system32\Epecbd32.exe)
PID:1672

71. C:\Windows\SysWOW64\Egokonjc.exe  (command line: C:\Windows\system32\Egokonjc.exe)
- Drops file in System32 directory
PID:1644

72. C:\Windows\SysWOW64\Ekjgpm32.exe  (command line: C:\Windows\system32\Ekjgpm32.exe)
PID:992

73. C:\Windows\SysWOW64\Elldgehk.exe  (command line: C:\Windows\system32\Elldgehk.exe)
PID:888

74. C:\Windows\SysWOW64\Epgphcqd.exe  (command line: C:\Windows\system32\Epgphcqd.exe)
PID:2396

75. C:\Windows\SysWOW64\Ecfldoph.exe  (command line: C:\Windows\system32\Ecfldoph.exe)
PID:1848

76. C:\Windows\SysWOW64\Efdhpjok.exe  (command line: C:\Windows\system32\Efdhpjok.exe)
PID:1700

77. C:\Windows\SysWOW64\Eqjmncna.exe  (command line: C:\Windows\system32\Eqjmncna.exe)
PID:1836

78. C:\Windows\SysWOW64\Eolmip32.exe  (command line: C:\Windows\system32\Eolmip32.exe)
PID:2388
79. C:\Windows\SysWOW64\Fchijone.exe  (command line: C:\Windows\system32\Fchijone.exe)
PID:1820

80. C:\Windows\SysWOW64\Fgcejm32.exe  (command line: C:\Windows\system32\Fgcejm32.exe)
PID:2344

81. C:\Windows\SysWOW64\Fffefjmi.exe  (command line: C:\Windows\system32\Fffefjmi.exe)
- Modifies registry class
PID:2980

82. C:\Windows\SysWOW64\Fheabelm.exe  (command line: C:\Windows\system32\Fheabelm.exe)
PID:2828

83. C:\Windows\SysWOW64\Foojop32.exe  (command line: C:\Windows\system32\Foojop32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556

84. C:\Windows\SysWOW64\Fbmfkkbm.exe  (command line: C:\Windows\system32\Fbmfkkbm.exe)
PID:1608

85. C:\Windows\SysWOW64\Fjdnlhco.exe  (command line: C:\Windows\system32\Fjdnlhco.exe)
PID:1148

86. C:\Windows\SysWOW64\Fmcjhdbc.exe  (command line: C:\Windows\system32\Fmcjhdbc.exe)
PID:2016

87. C:\Windows\SysWOW64\Fcmben32.exe  (command line: C:\Windows\system32\Fcmben32.exe)
PID:1972

88. C:\Windows\SysWOW64\Ffkoai32.exe  (command line: C:\Windows\system32\Ffkoai32.exe)
- Drops file in System32 directory
PID:820

89. C:\Windows\SysWOW64\Fmegncpp.exe  (command line: C:\Windows\system32\Fmegncpp.exe)
PID:760

90. C:\Windows\SysWOW64\Fkhgip32.exe  (command line: C:\Windows\system32\Fkhgip32.exe)
PID:440

91. C:\Windows\SysWOW64\Fdpkbf32.exe  (command line: C:\Windows\system32\Fdpkbf32.exe)
PID:396

92. C:\Windows\SysWOW64\Filgbdfd.exe  (command line: C:\Windows\system32\Filgbdfd.exe)
- Modifies registry class
PID:1044

93. C:\Windows\SysWOW64\Fnipkkdl.exe  (command line: C:\Windows\system32\Fnipkkdl.exe)
- Drops file in System32 directory
PID:1660

94. C:\Windows\SysWOW64\Fbdlkj32.exe  (command line: C:\Windows\system32\Fbdlkj32.exe)
PID:2368

95. C:\Windows\SysWOW64\Findhdcb.exe  (command line: C:\Windows\system32\Findhdcb.exe)
PID:308

96. C:\Windows\SysWOW64\Fgadda32.exe  (command line: C:\Windows\system32\Fgadda32.exe)
PID:880

97. C:\Windows\SysWOW64\Gnkmqkbi.exe  (command line: C:\Windows\system32\Gnkmqkbi.exe)
PID:2696

98. C:\Windows\SysWOW64\Gbfiaj32.exe  (command line: C:\Windows\system32\Gbfiaj32.exe)
PID:1272

99. C:\Windows\SysWOW64\Gcheib32.exe  (command line: C:\Windows\system32\Gcheib32.exe)
PID:2768

100. C:\Windows\SysWOW64\Ggcaiqhj.exe  (command line: C:\Windows\system32\Ggcaiqhj.exe)
- Drops file in System32 directory
PID:2888

101. C:\Windows\SysWOW64\Gjbmelgm.exe  (command line: C:\Windows\system32\Gjbmelgm.exe)
PID:2884

102. C:\Windows\SysWOW64\Gnmifk32.exe  (command line: C:\Windows\system32\Gnmifk32.exe)
PID:3052

103. C:\Windows\SysWOW64\Gegabegc.exe  (command line: C:\Windows\system32\Gegabegc.exe)
- Modifies registry class
PID:1668

104. C:\Windows\SysWOW64\Ggfnopfg.exe  (command line: C:\Windows\system32\Ggfnopfg.exe)
- System Location Discovery: System Language Discovery
PID:1284

105. C:\Windows\SysWOW64\Gnpflj32.exe  (command line: C:\Windows\system32\Gnpflj32.exe)
PID:1980

106. C:\Windows\SysWOW64\Gqnbhf32.exe  (command line: C:\Windows\system32\Gqnbhf32.exe)
PID:636

107. C:\Windows\SysWOW64\Gcmoda32.exe  (command line: C:\Windows\system32\Gcmoda32.exe)
PID:2500

108. C:\Windows\SysWOW64\Gghkdp32.exe  (command line: C:\Windows\system32\Gghkdp32.exe)
PID:952

109. C:\Windows\SysWOW64\Giiglhjb.exe  (command line: C:\Windows\system32\Giiglhjb.exe)
PID:1632

110. C:\Windows\SysWOW64\Gmecmg32.exe  (command line: C:\Windows\system32\Gmecmg32.exe)
PID:1532

111. C:\Windows\SysWOW64\Gcokiaji.exe  (command line: C:\Windows\system32\Gcokiaji.exe)
PID:784

112. C:\Windows\SysWOW64\Gfmgelil.exe  (command line: C:\Windows\system32\Gfmgelil.exe)
PID:2380

113. C:\Windows\SysWOW64\Gildahhp.exe  (command line: C:\Windows\system32\Gildahhp.exe)
PID:2316

114. C:\Windows\SysWOW64\Gmgpbf32.exe  (command line: C:\Windows\system32\Gmgpbf32.exe)
PID:2404

115. C:\Windows\SysWOW64\Gcahoqhf.exe  (command line: C:\Windows\system32\Gcahoqhf.exe)
PID:2348

116. C:\Windows\SysWOW64\Gbdhjm32.exe  (command line: C:\Windows\system32\Gbdhjm32.exe)
PID:2704

117. C:\Windows\SysWOW64\Hinqgg32.exe  (command line: C:\Windows\system32\Hinqgg32.exe)
PID:2756

118. C:\Windows\SysWOW64\Hllmcc32.exe  (command line: C:\Windows\system32\Hllmcc32.exe)
PID:2676

119. C:\Windows\SysWOW64\Hnkion32.exe  (command line: C:\Windows\system32\Hnkion32.exe)
PID:1048

120. C:\Windows\SysWOW64\Hbfepmmn.exe  (command line: C:\Windows\system32\Hbfepmmn.exe)
PID:1324

121. C:\Windows\SysWOW64\Hipmmg32.exe  (command line: C:\Windows\system32\Hipmmg32.exe)
PID:2960

122. C:\Windows\SysWOW64\Hhcmhdke.exe  (command line: C:\Windows\system32\Hhcmhdke.exe)
PID:1680