Analysis
max time kernel: 125s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 20-09-2024 23:21
Static task: static1
Behavioral task: behavioral1
Sample: e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe
Resource: win10v2004-20240802-en
General
Target: e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe
Size: 75KB
MD5: db3a7f577f7b8a8ab140712a1a5609b5
SHA1: f28f406d62e69ad9e70effd342dd4c7fb3df2821
SHA256: e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c
SHA512: aacf90e7c79dd7f23df4a1d32ec6001f25d7b6925914d8f302eac6d6619476262c835c8b67111fb9fddbb930f9acb420e9ef5be6fadc5931cb1f0361c4b965d3
SSDEEP: 768:npmfwAqDqu2SL+alqit8fyTDc5xr892YzsB7q+1DuDH3dqPYR/1H5PXdnh0M+3qv:npmpC2ATtOyvs80YHHpbO53q52IrFH
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 5428, pid_target 5784, Process WerFault.exe, procid_target 831
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikicnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkkifegd.dll" Jgigibfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdcjic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Negcqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocimajkm.dll" Fpnkbema.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lilpjiad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldeoan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjhlank.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbhc32.dll" Eamnekbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kebhhldk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dedmof32.dll" Ooiceeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iennhkdg.dll" Babmme32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pghplnql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjeqjc.dll" Ibamjjih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohebhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fblpck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqfdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Degdkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmfdkic.dll" Cohiodjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdlbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmbjaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Badibd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emefdblg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiiaon32.dll" Lmfhhgfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Cjfoleaa.dll" Alggflkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjlkoifj.dll" Kcgnnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmkf32.dll" Lkecke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeehgodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpofmji.dll" Jhpggmid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgffgfo.dll" Lgjgjfld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmhlfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keghmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcjibgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epdaoo32.dll" Endnmggb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Babmme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbijgmio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iajpod32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkhljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhlcm32.dll" Efgcml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdiphnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocelbfl.dll" Pmhldk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afnedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mppbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glpdho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mknofm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plhcjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekiohlp.dll" Pmmeojmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpamol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhcbgb32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aohphg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elekga32.dll" Oeblbo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfnea32.dll" Ncjdihld.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflnbdgo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhaihc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjbfgm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gamjhmlp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejjlipeb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnlbpk32.dll" Kjccql32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloafele.dll" Lmdlbg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfaaqelp.dll" Mnadnhce.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddbfnc32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpgobm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebacf32.dll" Holjmo32.exe
-
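The registry IoCs above describe one persistence chain: the "Adds autorun key" records bind the name Web Event Logger under ShellServiceObjectDelayLoad to CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and the "Modifies registry class" records repeatedly rewrite that CLSID's InProcServer32 default value to a freshly dropped DLL in SysWow64, so Explorer.exe loads whichever DLL was written last. The following is an added triage helper, not part of the sandbox report or of the sample; it parses a handful of the flattened records (constructed here from the lines above), links each SSODL entry to the DLLs its CLSID resolves to, and flags entries that were rebound by several processes. The six-letters-plus-32.dll filename heuristic is an assumption tuned to this report, not a general rule.

```python
import re
from collections import defaultdict

# Constructed sample: six of the flattened registry IoC records from the report
# ("Adds autorun key ..." and "Modifies registry class"), one record per line.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igjlgale.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lflnbdgo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elekga32.dll" Oeblbo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfnea32.dll" Ncjdihld.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhaihc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebacf32.dll" Holjmo32.exe
"""

SET_RE = re.compile(r'^Set value \(\w+\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$')
# Assumption tuned to this report, not a general rule: dropped DLLs are six letters + "32.dll".
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]{6}32\.dll$')


def parse_ioc(line):
    """Split one flattened record into op / key / value name / data / writing process."""
    m = SET_RE.match(line)
    if m:
        key, _, name = m.group("path").rpartition("\\")   # trailing "\" means the default value
        data = m.group("data").replace("\\\\", "\\")       # the report double-escapes backslashes
        return {"op": "set", "key": key, "name": name, "data": data, "proc": m.group("proc")}
    m = KEY_RE.match(line)
    if m:
        return {"op": "create", "key": m.group("path"), "name": None, "data": None,
                "proc": m.group("proc")}
    return None


def resolve_ssodl(lines):
    """Map each ShellServiceObjectDelayLoad entry to the DLL(s) its CLSID loads in-process."""
    records = [r for r in (parse_ioc(l.strip()) for l in lines) if r]
    servers = defaultdict(set)   # CLSID -> InProcServer32 default values seen
    writers = defaultdict(set)   # CLSID -> processes that touched the InProcServer32 key
    for r in records:
        m = CLSID_RE.search(r["key"])
        if not m:
            continue
        clsid = m.group(1).upper()
        writers[clsid].add(r["proc"])
        if r["op"] == "set" and r["name"] == "":
            servers[clsid].add(r["data"])
    findings = {}
    for r in records:
        if r["op"] == "set" and r["key"].upper().endswith("\\SHELLSERVICEOBJECTDELAYLOAD"):
            clsid = r["data"].upper()
            findings[r["name"]] = {
                "clsid": clsid,
                "dlls": sorted(servers.get(clsid, set())),
                "writers": sorted(writers.get(clsid, set()) | {r["proc"]}),
            }
    return findings


def is_suspicious(finding):
    """Flag an SSODL entry whose CLSID was rebound, by several processes, to random-looking DLLs."""
    dlls = finding["dlls"]
    rebound = len(dlls) > 1 or len(finding["writers"]) > 1
    random_names = all(RANDOM_NAME_RE.match(d.rsplit("\\", 1)[-1]) for d in dlls)
    return bool(dlls) and rebound and random_names


if __name__ == "__main__":
    for name, f in resolve_ssodl(SAMPLE_IOCS.splitlines()).items():
        print(name, f["clsid"], "SUSPICIOUS" if is_suspicious(f) else "ok", f["dlls"])
```

On a live host the same two lookups (the SSODL value, then HKCR\CLSID\{...}\InProcServer32 under the WOW6432Node view) are what to run before trusting an entry; a CLSID whose server DLL sits in SysWow64 under a name not present in a clean image is the artefact to pull.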
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4496 wrote to memory of 1452 | 4496 | e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe | 89
PID 4496 wrote to memory of 1452 | 4496 | e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe | 89
PID 4496 wrote to memory of 1452 | 4496 | e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe | 89
PID 1452 wrote to memory of 2104 | 1452 | Lpeifp32.exe | 90
PID 1452 wrote to memory of 2104 | 1452 | Lpeifp32.exe | 90
PID 1452 wrote to memory of 2104 | 1452 | Lpeifp32.exe | 90
PID 2104 wrote to memory of 1488 | 2104 | Leabng32.exe | 91
PID 2104 wrote to memory of 1488 | 2104 | Leabng32.exe | 91
PID 2104 wrote to memory of 1488 | 2104 | Leabng32.exe | 91
PID 1488 wrote to memory of 1140 | 1488 | Lbebgkol.exe | 92
PID 1488 wrote to memory of 1140 | 1488 | Lbebgkol.exe | 92
PID 1488 wrote to memory of 1140 | 1488 | Lbebgkol.exe | 92
PID 1140 wrote to memory of 2988 | 1140 | Lmkfddnb.exe | 93
PID 1140 wrote to memory of 2988 | 1140 | Lmkfddnb.exe | 93
PID 1140 wrote to memory of 2988 | 1140 | Lmkfddnb.exe | 93
PID 2988 wrote to memory of 1144 | 2988 | Ldeoan32.exe | 94
PID 2988 wrote to memory of 1144 | 2988 | Ldeoan32.exe | 94
PID 2988 wrote to memory of 1144 | 2988 | Ldeoan32.exe | 94
PID 1144 wrote to memory of 4872 | 1144 | Lefkiflm.exe | 95
PID 1144 wrote to memory of 4872 | 1144 | Lefkiflm.exe | 95
PID 1144 wrote to memory of 4872 | 1144 | Lefkiflm.exe | 95
PID 4872 wrote to memory of 232 | 4872 | Lplpfo32.exe | 96
PID 4872 wrote to memory of 232 | 4872 | Lplpfo32.exe | 96
PID 4872 wrote to memory of 232 | 4872 | Lplpfo32.exe | 96
PID 232 wrote to memory of 2376 | 232 | Lehhof32.exe | 97
PID 232 wrote to memory of 2376 | 232 | Lehhof32.exe | 97
PID 232 wrote to memory of 2376 | 232 | Lehhof32.exe | 97
PID 2376 wrote to memory of 1532 | 2376 | Mpnllo32.exe | 98
PID 2376 wrote to memory of 1532 | 2376 | Mpnllo32.exe | 98
PID 2376 wrote to memory of 1532 | 2376 | Mpnllo32.exe | 98
PID 1532 wrote to memory of 5052 | 1532 | Mekdde32.exe | 99
PID 1532 wrote to memory of 5052 | 1532 | Mekdde32.exe | 99
PID 1532 wrote to memory of 5052 | 1532 | Mekdde32.exe | 99
PID 5052 wrote to memory of 1868 | 5052 | Mdlebm32.exe | 100
PID 5052 wrote to memory of 1868 | 5052 | Mdlebm32.exe | 100
PID 5052 wrote to memory of 1868 | 5052 | Mdlebm32.exe | 100
PID 1868 wrote to memory of 3776 | 1868 | Memajeee.exe | 101
PID 1868 wrote to memory of 3776 | 1868 | Memajeee.exe | 101
PID 1868 wrote to memory of 3776 | 1868 | Memajeee.exe | 101
PID 3776 wrote to memory of 3684 | 3776 | Mlgjfo32.exe | 102
PID 3776 wrote to memory of 3684 | 3776 | Mlgjfo32.exe | 102
PID 3776 wrote to memory of 3684 | 3776 | Mlgjfo32.exe | 102
PID 3684 wrote to memory of 2888 | 3684 | Mmgfqbdd.exe | 103
PID 3684 wrote to memory of 2888 | 3684 | Mmgfqbdd.exe | 103
PID 3684 wrote to memory of 2888 | 3684 | Mmgfqbdd.exe | 103
PID 2888 wrote to memory of 4372 | 2888 | Mdqnml32.exe | 104
PID 2888 wrote to memory of 4372 | 2888 | Mdqnml32.exe | 104
PID 2888 wrote to memory of 4372 | 2888 | Mdqnml32.exe | 104
PID 4372 wrote to memory of 3920 | 4372 | Mebked32.exe | 105
PID 4372 wrote to memory of 3920 | 4372 | Mebked32.exe | 105
PID 4372 wrote to memory of 3920 | 4372 | Mebked32.exe | 105
PID 3920 wrote to memory of 4920 | 3920 | Mpgobm32.exe | 106
PID 3920 wrote to memory of 4920 | 3920 | Mpgobm32.exe | 106
PID 3920 wrote to memory of 4920 | 3920 | Mpgobm32.exe | 106
PID 4920 wrote to memory of 1572 | 4920 | Mcfkni32.exe | 107
PID 4920 wrote to memory of 1572 | 4920 | Mcfkni32.exe | 107
PID 4920 wrote to memory of 1572 | 4920 | Mcfkni32.exe | 107
PID 1572 wrote to memory of 2584 | 1572 | Medgjd32.exe | 108
PID 1572 wrote to memory of 2584 | 1572 | Medgjd32.exe | 108
PID 1572 wrote to memory of 2584 | 1572 | Medgjd32.exe | 108
PID 2584 wrote to memory of 2320 | 2584 | Nlnpgngj.exe | 109
PID 2584 wrote to memory of 2320 | 2584 | Nlnpgngj.exe | 109
PID 2584 wrote to memory of 2320 | 2584 | Nlnpgngj.exe | 109
PID 2320 wrote to memory of 5096 | 2320 | Ngdddg32.exe | 110
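The WriteProcessMemory IoCs form a strict relay: each process writes into exactly one child, always three times, and that child is the next link. The helper below is an added example for turning such flattened records into a lineage check; it is not part of the report or of the sample's code. It parses the records in the one-per-line form the sandbox emits (a constructed excerpt of the first five hops above), rebuilds parent-to-child edges from the PIDs, walks the chain from the only root, and flags the straight-line pattern. The minimum hop count of 4 is an assumption chosen for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first five hops of the "Suspicious use of WriteProcessMemory"
# IoCs, in the flattened form the sandbox emits:
#   "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
SAMPLE_WPM = """
PID 4496 wrote to memory of 1452 4496 e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe 89
PID 4496 wrote to memory of 1452 4496 e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe 89
PID 4496 wrote to memory of 1452 4496 e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe 89
PID 1452 wrote to memory of 2104 1452 Lpeifp32.exe 90
PID 1452 wrote to memory of 2104 1452 Lpeifp32.exe 90
PID 1452 wrote to memory of 2104 1452 Lpeifp32.exe 90
PID 2104 wrote to memory of 1488 2104 Leabng32.exe 91
PID 2104 wrote to memory of 1488 2104 Leabng32.exe 91
PID 2104 wrote to memory of 1488 2104 Leabng32.exe 91
PID 1488 wrote to memory of 1140 1488 Lbebgkol.exe 92
PID 1488 wrote to memory of 1140 1488 Lbebgkol.exe 92
PID 1488 wrote to memory of 1140 1488 Lbebgkol.exe 92
PID 1140 wrote to memory of 2988 1140 Lmkfddnb.exe 93
PID 1140 wrote to memory of 2988 1140 Lmkfddnb.exe 93
PID 1140 wrote to memory of 2988 1140 Lmkfddnb.exe 93
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return (src_pid, dst_pid, image, procid_target) per record; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m and m.group(1) == m.group(3):          # description and pid column must agree
            events.append((int(m.group(1)), int(m.group(2)), m.group(4), int(m.group(5))))
    return events


def relay_chain(events):
    """Follow src -> dst writes from the single root; return images along the chain and writes per hop."""
    children = defaultdict(set)
    names = {}
    hops = Counter()
    for src, dst, image, _ in events:
        children[src].add(dst)
        names[src] = image                       # the image column names the writer, not the target
        hops[(src, dst)] += 1
    roots = set(children) - {d for kids in children.values() for d in kids}
    if len(roots) != 1:
        return {"chain": [], "writes_per_hop": [], "single_child": False}
    pid = roots.pop()
    chain, writes, single_child = [pid], [], True
    while children.get(pid):
        kids = children[pid]
        single_child = single_child and len(kids) == 1
        nxt = min(kids)                          # deterministic pick if a node has several children
        writes.append(hops[(pid, nxt)])
        chain.append(nxt)
        pid = nxt
    return {"chain": [names.get(p, f"<pid {p}>") for p in chain],
            "writes_per_hop": writes, "single_child": single_child}


def is_relay_pattern(result, min_hops=4):
    """Straight line of processes, each writing into exactly one child, same write count every hop."""
    w = result["writes_per_hop"]
    return result["single_child"] and len(w) >= min_hops and len(set(w)) == 1


if __name__ == "__main__":
    r = relay_chain(parse_wpm(SAMPLE_WPM))
    print(" -> ".join(r["chain"]), r["writes_per_hop"], is_relay_pattern(r))
```

The last link is reported by PID only, because the sandbox names the writer in each record and the final child never writes. Fed the full 64 records, the walk covers all 22 hops from the submitted sample down to procid_target 110.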
Processes
-
One process per line: depth in the tree, image path, command line as launched, PID, signatures. Every dropped stage is launched with a C:\Windows\system32\ path but runs from C:\Windows\SysWOW64\, which is WOW64 file system redirection for a 32-bit process.
1  C:\Users\Admin\AppData\Local\Temp\e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe  "C:\Users\Admin\AppData\Local\Temp\e6c47083854a8498a6d0351a23313e4e744ec488defbf72048240e8b59db066c.exe"  PID 4496  System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
2  C:\Windows\SysWOW64\Lpeifp32.exe  C:\Windows\system32\Lpeifp32.exe  PID 1452  Executes dropped EXE; Suspicious use of WriteProcessMemory
3  C:\Windows\SysWOW64\Leabng32.exe  C:\Windows\system32\Leabng32.exe  PID 2104  Executes dropped EXE; Suspicious use of WriteProcessMemory
4  C:\Windows\SysWOW64\Lbebgkol.exe  C:\Windows\system32\Lbebgkol.exe  PID 1488  Executes dropped EXE; Suspicious use of WriteProcessMemory
5  C:\Windows\SysWOW64\Lmkfddnb.exe  C:\Windows\system32\Lmkfddnb.exe  PID 1140  Executes dropped EXE; Suspicious use of WriteProcessMemory
6  C:\Windows\SysWOW64\Ldeoan32.exe  C:\Windows\system32\Ldeoan32.exe  PID 2988  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
7  C:\Windows\SysWOW64\Lefkiflm.exe  C:\Windows\system32\Lefkiflm.exe  PID 1144  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
8  C:\Windows\SysWOW64\Lplpfo32.exe  C:\Windows\system32\Lplpfo32.exe  PID 4872  Executes dropped EXE; Suspicious use of WriteProcessMemory
9  C:\Windows\SysWOW64\Lehhof32.exe  C:\Windows\system32\Lehhof32.exe  PID 232  Executes dropped EXE; Suspicious use of WriteProcessMemory
10  C:\Windows\SysWOW64\Mpnllo32.exe  C:\Windows\system32\Mpnllo32.exe  PID 2376  Executes dropped EXE; Suspicious use of WriteProcessMemory
11  C:\Windows\SysWOW64\Mekdde32.exe  C:\Windows\system32\Mekdde32.exe  PID 1532  Executes dropped EXE; Suspicious use of WriteProcessMemory
12  C:\Windows\SysWOW64\Mdlebm32.exe  C:\Windows\system32\Mdlebm32.exe  PID 5052  Executes dropped EXE; Suspicious use of WriteProcessMemory
13  C:\Windows\SysWOW64\Memajeee.exe  C:\Windows\system32\Memajeee.exe  PID 1868  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
14  C:\Windows\SysWOW64\Mlgjfo32.exe  C:\Windows\system32\Mlgjfo32.exe  PID 3776  Executes dropped EXE; Suspicious use of WriteProcessMemory
15  C:\Windows\SysWOW64\Mmgfqbdd.exe  C:\Windows\system32\Mmgfqbdd.exe  PID 3684  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16  C:\Windows\SysWOW64\Mdqnml32.exe  C:\Windows\system32\Mdqnml32.exe  PID 2888  Executes dropped EXE; Suspicious use of WriteProcessMemory
17  C:\Windows\SysWOW64\Mebked32.exe  C:\Windows\system32\Mebked32.exe  PID 4372  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
18  C:\Windows\SysWOW64\Mpgobm32.exe  C:\Windows\system32\Mpgobm32.exe  PID 3920  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
19  C:\Windows\SysWOW64\Mcfkni32.exe  C:\Windows\system32\Mcfkni32.exe  PID 4920  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
20  C:\Windows\SysWOW64\Medgjd32.exe  C:\Windows\system32\Medgjd32.exe  PID 1572  Executes dropped EXE; Suspicious use of WriteProcessMemory
21  C:\Windows\SysWOW64\Nlnpgngj.exe  C:\Windows\system32\Nlnpgngj.exe  PID 2584  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Suspicious use of WriteProcessMemory
22  C:\Windows\SysWOW64\Ngdddg32.exe  C:\Windows\system32\Ngdddg32.exe  PID 2320  Executes dropped EXE; Suspicious use of WriteProcessMemory
23  C:\Windows\SysWOW64\Nnnlaanl.exe  C:\Windows\system32\Nnnlaanl.exe  PID 5096  Executes dropped EXE; System Location Discovery: System Language Discovery
24  C:\Windows\SysWOW64\Ncjdihld.exe  C:\Windows\system32\Ncjdihld.exe  PID 4616  Executes dropped EXE; Modifies registry class
25  C:\Windows\SysWOW64\Nnpifalj.exe  C:\Windows\system32\Nnpifalj.exe  PID 1056  Executes dropped EXE
26  C:\Windows\SysWOW64\Neknkcie.exe  C:\Windows\system32\Neknkcie.exe  PID 3140  Executes dropped EXE
27  C:\Windows\SysWOW64\Ncondg32.exe  C:\Windows\system32\Ncondg32.exe  PID 4756  Executes dropped EXE
28  C:\Windows\SysWOW64\Nfpgfb32.exe  C:\Windows\system32\Nfpgfb32.exe  PID 4072  Executes dropped EXE
29  C:\Windows\SysWOW64\Ojnpla32.exe  C:\Windows\system32\Ojnpla32.exe  PID 432  Executes dropped EXE
30  C:\Windows\SysWOW64\Ocfdefbf.exe  C:\Windows\system32\Ocfdefbf.exe  PID 5016  Executes dropped EXE; System Location Discovery: System Language Discovery
31  C:\Windows\SysWOW64\Ojplbq32.exe  C:\Windows\system32\Ojplbq32.exe  PID 4940  Executes dropped EXE
32  C:\Windows\SysWOW64\Olaeclgd.exe  C:\Windows\system32\Olaeclgd.exe  PID 700  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
33  C:\Windows\SysWOW64\Ojefmpen.exe  C:\Windows\system32\Ojefmpen.exe  PID 1152  Executes dropped EXE
34  C:\Windows\SysWOW64\Pjgbbp32.exe  C:\Windows\system32\Pjgbbp32.exe  PID 4504  Executes dropped EXE
35  C:\Windows\SysWOW64\Pgkclc32.exe  C:\Windows\system32\Pgkclc32.exe  PID 220  Executes dropped EXE
36  C:\Windows\SysWOW64\Pmhldk32.exe  C:\Windows\system32\Pmhldk32.exe  PID 4804  Executes dropped EXE; Modifies registry class
37  C:\Windows\SysWOW64\Pfppmp32.exe  C:\Windows\system32\Pfppmp32.exe  PID 396  Executes dropped EXE
38  C:\Windows\SysWOW64\Pqfdji32.exe  C:\Windows\system32\Pqfdji32.exe  PID 1644  Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class
39  C:\Windows\SysWOW64\Pfbmbp32.exe  C:\Windows\system32\Pfbmbp32.exe  PID 4584  Executes dropped EXE
40  C:\Windows\SysWOW64\Pmmeojmg.exe  C:\Windows\system32\Pmmeojmg.exe  PID 3624  Executes dropped EXE; Modifies registry class
41  C:\Windows\SysWOW64\Pqhaph32.exe  C:\Windows\system32\Pqhaph32.exe  PID 376  Executes dropped EXE
42  C:\Windows\SysWOW64\Pgbimb32.exe  C:\Windows\system32\Pgbimb32.exe  PID 1660  Executes dropped EXE
43  C:\Windows\SysWOW64\Pjqein32.exe  C:\Windows\system32\Pjqein32.exe  PID 4824  Executes dropped EXE
44  C:\Windows\SysWOW64\Pqknehcn.exe  C:\Windows\system32\Pqknehcn.exe  PID 4972  Executes dropped EXE
45  C:\Windows\SysWOW64\Qgdfbb32.exe  C:\Windows\system32\Qgdfbb32.exe  PID 4012  Executes dropped EXE
46  C:\Windows\SysWOW64\Qmanji32.exe  C:\Windows\system32\Qmanji32.exe  PID 4184  Executes dropped EXE
47  C:\Windows\SysWOW64\Qdhfkf32.exe  C:\Windows\system32\Qdhfkf32.exe  PID 4140  Executes dropped EXE
48  C:\Windows\SysWOW64\Qnakdl32.exe  C:\Windows\system32\Qnakdl32.exe  PID 3632  Executes dropped EXE
49  C:\Windows\SysWOW64\Acncmc32.exe  C:\Windows\system32\Acncmc32.exe  PID 4928  Executes dropped EXE
50  C:\Windows\SysWOW64\Aempffeo.exe  C:\Windows\system32\Aempffeo.exe  PID 1368  Executes dropped EXE
51  C:\Windows\SysWOW64\Acbmhbjf.exe  C:\Windows\system32\Acbmhbjf.exe  PID 4264  Adds autorun key to be loaded by Explorer.exe on startup; System Location Discovery: System Language Discovery
52  C:\Windows\SysWOW64\Agniha32.exe  C:\Windows\system32\Agniha32.exe  PID 4816  Executes dropped EXE
53  C:\Windows\SysWOW64\Amkaqh32.exe  C:\Windows\system32\Amkaqh32.exe  PID 5020  Executes dropped EXE
54  C:\Windows\SysWOW64\Afcfimgg.exe  C:\Windows\system32\Afcfimgg.exe  PID 2348  Executes dropped EXE
55  C:\Windows\SysWOW64\Aaijgf32.exe  C:\Windows\system32\Aaijgf32.exe  PID 1632  Executes dropped EXE
56  C:\Windows\SysWOW64\Afebom32.exe  C:\Windows\system32\Afebom32.exe  PID 2408  Executes dropped EXE
57  C:\Windows\SysWOW64\Amoklgla.exe  C:\Windows\system32\Amoklgla.exe  PID 4800  Executes dropped EXE; System Location Discovery: System Language Discovery
58  C:\Windows\SysWOW64\Bgeoiplh.exe  C:\Windows\system32\Bgeoiplh.exe  PID 4980  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
59  C:\Windows\SysWOW64\Bjckekkk.exe  C:\Windows\system32\Bjckekkk.exe  PID 1540  Executes dropped EXE
60  C:\Windows\SysWOW64\Bamcbebh.exe  C:\Windows\system32\Bamcbebh.exe  PID 4960  Executes dropped EXE
61  C:\Windows\SysWOW64\Bfjljlap.exe  C:\Windows\system32\Bfjljlap.exe  PID 4856  Executes dropped EXE; Drops file in System32 directory
62  C:\Windows\SysWOW64\Bcnlcqpi.exe  C:\Windows\system32\Bcnlcqpi.exe  PID 4484  Executes dropped EXE
63  C:\Windows\SysWOW64\Bncqqioo.exe  C:\Windows\system32\Bncqqioo.exe  PID 1480  Executes dropped EXE
64  C:\Windows\SysWOW64\Babmme32.exe  C:\Windows\system32\Babmme32.exe  PID 3248  Executes dropped EXE; Modifies registry class
65  C:\Windows\SysWOW64\Bfoeel32.exe  C:\Windows\system32\Bfoeel32.exe  PID 2108  Executes dropped EXE
66  C:\Windows\SysWOW64\Bjjafjec.exe  C:\Windows\system32\Bjjafjec.exe  PID 216  Executes dropped EXE
67  C:\Windows\SysWOW64\Badibd32.exe  C:\Windows\system32\Badibd32.exe  PID 2328  Modifies registry class
68  C:\Windows\SysWOW64\Bjmnkjcq.exe  C:\Windows\system32\Bjmnkjcq.exe  PID 4368
69  C:\Windows\SysWOW64\Bmkjgebd.exe  C:\Windows\system32\Bmkjgebd.exe  PID 4984
70  C:\Windows\SysWOW64\Chqnen32.exe  C:\Windows\system32\Chqnen32.exe  PID 1764
71  C:\Windows\SysWOW64\Cjokaj32.exe  C:\Windows\system32\Cjokaj32.exe  PID 5040
72  C:\Windows\SysWOW64\Cnkfahig.exe  C:\Windows\system32\Cnkfahig.exe  PID 1824
73  C:\Windows\SysWOW64\Chckjn32.exe  C:\Windows\system32\Chckjn32.exe  PID 1684  Drops file in System32 directory
74  C:\Windows\SysWOW64\Cffkfkfb.exe  C:\Windows\system32\Cffkfkfb.exe  PID 952
75  C:\Windows\SysWOW64\Cnmcghgd.exe  C:\Windows\system32\Cnmcghgd.exe  PID 5132  Adds autorun key to be loaded by Explorer.exe on startup
76  C:\Windows\SysWOW64\Cakpccfh.exe  C:\Windows\system32\Cakpccfh.exe  PID 5180
77  C:\Windows\SysWOW64\Chehpnne.exe  C:\Windows\system32\Chehpnne.exe  PID 5248  Adds autorun key to be loaded by Explorer.exe on startup
78  C:\Windows\SysWOW64\Cjddlimi.exe  C:\Windows\system32\Cjddlimi.exe  PID 5292  Drops file in System32 directory
79  C:\Windows\SysWOW64\Capinc32.exe  C:\Windows\system32\Capinc32.exe  PID 5336
80  C:\Windows\SysWOW64\Dabfdbpp.exe  C:\Windows\system32\Dabfdbpp.exe  PID 5376
81  C:\Windows\SysWOW64\Ddcoenma.exe  C:\Windows\system32\Ddcoenma.exe  PID 5420  Drops file in System32 directory
82  C:\Windows\SysWOW64\Dagoob32.exe  C:\Windows\system32\Dagoob32.exe  PID 5460
83  C:\Windows\SysWOW64\Dfdggi32.exe  C:\Windows\system32\Dfdggi32.exe  PID 5504
84  C:\Windows\SysWOW64\Dhcdalae.exe  C:\Windows\system32\Dhcdalae.exe  PID 5556
85  C:\Windows\SysWOW64\Degdkp32.exe  C:\Windows\system32\Degdkp32.exe  PID 5600  Modifies registry class
86  C:\Windows\SysWOW64\Dkdmcg32.exe  C:\Windows\system32\Dkdmcg32.exe  PID 5644
87  C:\Windows\SysWOW64\Ehhmlk32.exe  C:\Windows\system32\Ehhmlk32.exe  PID 5688
88  C:\Windows\SysWOW64\Emefdblg.exe  C:\Windows\system32\Emefdblg.exe  PID 5740  Drops file in System32 directory; Modifies registry class
89  C:\Windows\SysWOW64\Eodboe32.exe  C:\Windows\system32\Eodboe32.exe  PID 5784
90  C:\Windows\SysWOW64\Eacokp32.exe  C:\Windows\system32\Eacokp32.exe  PID 5828
91  C:\Windows\SysWOW64\Eaekpppk.exe  C:\Windows\system32\Eaekpppk.exe  PID 5872  Adds autorun key to be loaded by Explorer.exe on startup
92  C:\Windows\SysWOW64\Emllea32.exe  C:\Windows\system32\Emllea32.exe  PID 5916
93  C:\Windows\SysWOW64\Eecdfn32.exe  C:\Windows\system32\Eecdfn32.exe  PID 5960  Adds autorun key to be loaded by Explorer.exe on startup
94  C:\Windows\SysWOW64\Ehapbj32.exe  C:\Windows\system32\Ehapbj32.exe  PID 6000
95  C:\Windows\SysWOW64\Fnnikq32.exe  C:\Windows\system32\Fnnikq32.exe  PID 6048
96  C:\Windows\SysWOW64\Feeqlndo.exe  C:\Windows\system32\Feeqlndo.exe  PID 6092
97  C:\Windows\SysWOW64\Foneec32.exe  C:\Windows\system32\Foneec32.exe  PID 6136
98  C:\Windows\SysWOW64\Fhfjniap.exe  C:\Windows\system32\Fhfjniap.exe  PID 5164  Drops file in System32 directory
99  C:\Windows\SysWOW64\Fkdfjdqc.exe  C:\Windows\system32\Fkdfjdqc.exe  PID 5268
100  C:\Windows\SysWOW64\Fejjgmpi.exe  C:\Windows\system32\Fejjgmpi.exe  PID 5332
101  C:\Windows\SysWOW64\Fdmjbj32.exe  C:\Windows\system32\Fdmjbj32.exe  PID 5408  Drops file in System32 directory
102  C:\Windows\SysWOW64\Fneokp32.exe  C:\Windows\system32\Fneokp32.exe  PID 5472  System Location Discovery: System Language Discovery
103  C:\Windows\SysWOW64\Felgmm32.exe  C:\Windows\system32\Felgmm32.exe  PID 5548
104  C:\Windows\SysWOW64\Fkioed32.exe  C:\Windows\system32\Fkioed32.exe  PID 5632  Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
105  C:\Windows\SysWOW64\Facgandk.exe  C:\Windows\system32\Facgandk.exe  PID 5684
106  C:\Windows\SysWOW64\Fgppje32.exe  C:\Windows\system32\Fgppje32.exe  PID 4256
107  C:\Windows\SysWOW64\Gnjhfoio.exe  C:\Windows\system32\Gnjhfoio.exe  PID 5820  System Location Discovery: System Language Discovery
108  C:\Windows\SysWOW64\Gaedgn32.exe  C:\Windows\system32\Gaedgn32.exe  PID 5892
109  C:\Windows\SysWOW64\Geaphlja.exe  C:\Windows\system32\Geaphlja.exe  PID 5948
110  C:\Windows\SysWOW64\Gnlelogl.exe  C:\Windows\system32\Gnlelogl.exe  PID 6040
111  C:\Windows\SysWOW64\Ghbiiggb.exe  C:\Windows\system32\Ghbiiggb.exe  PID 6104
112  C:\Windows\SysWOW64\Golafaoo.exe  C:\Windows\system32\Golafaoo.exe  PID 2396
113  C:\Windows\SysWOW64\Gajnbmnc.exe  C:\Windows\system32\Gajnbmnc.exe  PID 5308
114  C:\Windows\SysWOW64\Ghdfog32.exe  C:\Windows\system32\Ghdfog32.exe  PID 5412
115  C:\Windows\SysWOW64\Gonnlaml.exe  C:\Windows\system32\Gonnlaml.exe  PID 5720
116  C:\Windows\SysWOW64\Gamjhmlp.exe  C:\Windows\system32\Gamjhmlp.exe  PID 5728  Modifies registry class
117  C:\Windows\SysWOW64\Goqkaa32.exe  C:\Windows\system32\Goqkaa32.exe  PID 5836
118  C:\Windows\SysWOW64\Gaogml32.exe  C:\Windows\system32\Gaogml32.exe  PID 5940
119  C:\Windows\SysWOW64\Gdmcih32.exe  C:\Windows\system32\Gdmcih32.exe  PID 6056
120  C:\Windows\SysWOW64\Hnfhbmoa.exe  C:\Windows\system32\Hnfhbmoa.exe  PID 5140
121  C:\Windows\SysWOW64\Hfmpckpd.exe  C:\Windows\system32\Hfmpckpd.exe  PID 5360
122  C:\Windows\SysWOW64\Hkjhlank.exe  C:\Windows\system32\Hkjhlank.exe  PID 5552  Modifies registry class