Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18/08/2024, 03:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe
-
Size
512KB
-
MD5
cf22a3e5b2f2dd682f11d8409a394eef
-
SHA1
301ce368805add8882318075725f5b0780981070
-
SHA256
adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71
-
SHA512
6192783dc64570ad7ce4ce1277f9f74d0d18693c29b43334f1d8d5b8c6d7f9a775f1964237c3953c1ce08ed118ab246f73e654c01d5321eb268cf66ffb5105ab
-
SSDEEP
6144:fqS1+B0UZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:RAJUG5t1sI5yl48pArv8o4L
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpqkad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijcahd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjnmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpiljh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olckbd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefgbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnddgjbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lflgmqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olckbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjodjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diccgfpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfipef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcjiff32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcinna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Badanigc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agdcpkll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbjelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcikgacl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgiiiidd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnkcekm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nclbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkclgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cibmlmeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnfjbdmk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inainbcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahpfc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qohpkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbmdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkaopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifnhpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkfnh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaplqh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkabjbih.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfppabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aednci32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijnep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcldb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngmpcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiejmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbalopbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpbed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oepifi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjjocap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjchaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmalne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbabigfj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeeobbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqdoem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piphgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknifq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phonha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpojead.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahpfc32.exe -
Executes dropped EXE 64 IoCs
pid Process 3536 Ealadnik.exe 776 Egijmegb.exe 344 Edmjfifl.exe 3152 Ekgbccni.exe 2220 Emeoooml.exe 1108 Ehkclgmb.exe 3792 Emhldnkj.exe 1736 Fdbdah32.exe 1504 Foghnabl.exe 4992 Fddqghpd.exe 4752 Fnmepn32.exe 948 Fhbimf32.exe 1816 Fajnfl32.exe 368 Fhdfbfdh.exe 2256 Fdkggg32.exe 4820 Fgjccb32.exe 1056 Gdncmghi.exe 3296 Ghipne32.exe 2016 Ggnlobej.exe 4924 Gdbmhf32.exe 2972 Gkleeplq.exe 1416 Gddinf32.exe 4564 Ggcfja32.exe 4116 Gnmnfkia.exe 4304 Gahjgj32.exe 5056 Gdgfce32.exe 4432 Ggeboaob.exe 4796 Gkaopp32.exe 2840 Goljqnpd.exe 4872 Hakgmjoh.exe 4388 Hffcmh32.exe 3092 Hdicienl.exe 1276 Hghoeqmp.exe 396 Hkckeo32.exe 4524 Hoogfnnb.exe 2276 Hnagak32.exe 2200 Hfipbh32.exe 3504 Hdlpneli.exe 2616 Hhgloc32.exe 3876 Hkehkocf.exe 4404 Hoadkn32.exe 2876 Hnddgjbj.exe 4824 Hfklhhcl.exe 1616 Hdnldd32.exe 4352 Hhihdcbp.exe 4944 Hkhdqoac.exe 8 Hocqam32.exe 3840 Hbbmmi32.exe 4856 Hfningai.exe 2680 Hhlejcpm.exe 1940 Hkjafn32.exe 1440 Hninbj32.exe 4604 Hbdjchgn.exe 3172 Hfpecg32.exe 3636 Hdbfodfa.exe 936 Hgabkoee.exe 3300 Hkmnln32.exe 2004 Inkjhi32.exe 4400 Ibffhhek.exe 404 Idebdcdo.exe 3544 Iokgal32.exe 4276 Iickkbje.exe 2296 Ikaggmii.exe 3820 Inpccihl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fdbdah32.exe Emhldnkj.exe File created C:\Windows\SysWOW64\Ikaggmii.exe Iickkbje.exe File opened for modification C:\Windows\SysWOW64\Oblmdhdo.exe Ooqqdi32.exe File opened for modification C:\Windows\SysWOW64\Injmcmej.exe Iinqbn32.exe File opened for modification C:\Windows\SysWOW64\Badanigc.exe Bkjiao32.exe File opened for modification C:\Windows\SysWOW64\Bheplb32.exe Bffcpg32.exe File created C:\Windows\SysWOW64\Bocbindj.dll Gdncmghi.exe File created C:\Windows\SysWOW64\Koijai32.dll Hoadkn32.exe File created C:\Windows\SysWOW64\Cigddnif.dll Hbbmmi32.exe File opened for modification C:\Windows\SysWOW64\Mockmala.exe Mpqkad32.exe File created C:\Windows\SysWOW64\Dpgeee32.exe Djklmo32.exe File created C:\Windows\SysWOW64\Qhjibgnp.dll Hfipbh32.exe File opened for modification C:\Windows\SysWOW64\Lehaho32.exe Lbjelc32.exe File created C:\Windows\SysWOW64\Mpieqeko.exe Mhbmphjm.exe File created C:\Windows\SysWOW64\Mkohaj32.exe Meepdp32.exe File created C:\Windows\SysWOW64\Aknbkjfh.exe Afbgkl32.exe File created C:\Windows\SysWOW64\Inkjhi32.exe Hkmnln32.exe File created C:\Windows\SysWOW64\Jfpojead.exe Jnifigpa.exe File opened for modification C:\Windows\SysWOW64\Epjajeqo.exe Djmibn32.exe File created C:\Windows\SysWOW64\Jbdlop32.exe Jjmcnbdm.exe File created C:\Windows\SysWOW64\Jhpqaiji.exe Jqiipljg.exe File created C:\Windows\SysWOW64\Jkimho32.exe Jcbdgb32.exe File created C:\Windows\SysWOW64\Jhepna32.dll Hfningai.exe File opened for modification C:\Windows\SysWOW64\Pjpobg32.exe Pedbahod.exe File created C:\Windows\SysWOW64\Jipegn32.dll Epmmqheb.exe File created C:\Windows\SysWOW64\Qoifflkg.exe Qqffjo32.exe File created C:\Windows\SysWOW64\Cofecami.exe Cimmggfl.exe File opened for modification C:\Windows\SysWOW64\Jlfpdh32.exe Jjgchm32.exe File opened for modification C:\Windows\SysWOW64\Iphioh32.exe Injmcmej.exe File opened for modification C:\Windows\SysWOW64\Dbbffdlq.exe Dkhnjk32.exe File created C:\Windows\SysWOW64\Hmdlmg32.exe Hfjdqmng.exe File created C:\Windows\SysWOW64\Ibcaknbi.exe Ipeeobbe.exe File created C:\Windows\SysWOW64\Inainbcn.exe Idieem32.exe File created C:\Windows\SysWOW64\Hcblpdgg.exe Hpcodihc.exe File opened for modification C:\Windows\SysWOW64\Ingpmmgm.exe Hkicaahi.exe File opened for modification C:\Windows\SysWOW64\Lhijijbg.exe Lejnmncd.exe File opened for modification C:\Windows\SysWOW64\Fpodlbng.exe Fielph32.exe File created C:\Windows\SysWOW64\Apjkcadp.exe Amlogfel.exe File opened for modification C:\Windows\SysWOW64\Mcqjon32.exe Lmgabcge.exe File created C:\Windows\SysWOW64\Fadggj32.dll Anmfbl32.exe File opened for modification C:\Windows\SysWOW64\Klcekpdo.exe Kjeiodek.exe File created C:\Windows\SysWOW64\Nedjjj32.exe Ngaionfl.exe File created C:\Windows\SysWOW64\Jnfcia32.exe Jglklggl.exe File created C:\Windows\SysWOW64\Piiqdm32.dll Djhimica.exe File created C:\Windows\SysWOW64\Efjbcakl.exe Ebnfbcbc.exe File created C:\Windows\SysWOW64\Imnbiq32.dll Mogcihaj.exe File created C:\Windows\SysWOW64\Mkfepj32.dll Amaqjp32.exe File opened for modification C:\Windows\SysWOW64\Hjedffig.exe Hgghjjid.exe File created C:\Windows\SysWOW64\Ljeffhcd.dll Hmechmip.exe File opened for modification C:\Windows\SysWOW64\Gjdaodja.exe Gdjibj32.exe File created C:\Windows\SysWOW64\Ecpfpo32.dll Process not Found File created C:\Windows\SysWOW64\Knhebpni.dll Pahpfc32.exe File created C:\Windows\SysWOW64\Jecampmk.dll Ccgjopal.exe File opened for modification C:\Windows\SysWOW64\Eidlnd32.exe Efepbi32.exe File created C:\Windows\SysWOW64\Kjjiej32.exe Kglmio32.exe File created C:\Windows\SysWOW64\Plkpcfal.exe Pddhbipj.exe File opened for modification C:\Windows\SysWOW64\Gkaopp32.exe Ggeboaob.exe File created C:\Windows\SysWOW64\Jnifigpa.exe Jgonlm32.exe File created C:\Windows\SysWOW64\Ophjiaql.exe Ohqbhdpj.exe File opened for modification C:\Windows\SysWOW64\Hkckeo32.exe Hghoeqmp.exe File created C:\Windows\SysWOW64\Micgbemj.dll Clgbmp32.exe File created C:\Windows\SysWOW64\Dafipibl.dll Jjoiil32.exe File opened for modification C:\Windows\SysWOW64\Mmkdcm32.exe Mjlhgaqp.exe File created C:\Windows\SysWOW64\Eobkhf32.dll Ahdged32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7960 17944 Process not Found 1173 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpecg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medqcmki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkchelci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnangaoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgbccni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qohpkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmfjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgobel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbognp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phjenbhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkeaqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goljqnpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnoplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnfohmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojajin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkckeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahchda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giqkkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkqpkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbchdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hocqam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqfdnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqilgmdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkicaahi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbbqpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnlobej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flfkkhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcliikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofecami.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjkaabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahpfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaniq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifigpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljaccjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mblcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfipbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpdfb32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gahjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cncijina.dll" Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocbnhog.dll" Mjaabq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ephccnmj.dll" Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlbcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkhcegh.dll" Gdgfce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoqoo32.dll" Lhijijbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmokmkpo.dll" Kkeldnpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Demnop32.dll" Gdbmhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqkiok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjeljhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokgal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbplbf32.dll" Mehjol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhmqp32.dll" Ffclcgfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bddjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaplqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodapf32.dll" Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inojnf32.dll" Lhfmdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgccinoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gghpel32.dll" Qhlkilba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqcnc32.dll" Gncchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekoglqie.dll" Klfaapbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aboiil32.dll" Ibffhhek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mibijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opeemh32.dll" Edhjqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phedhmhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlihle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bciehh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecakqg32.dll" Poimpapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdnhmdp.dll" Ocamjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpnbd32.dll" Aednci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kelkaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmnmgnoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agdcpkll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iokgal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldcjeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egijmegb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mefmimif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohokaph.dll" Qepkbpak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccgjopal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdbjhbbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfjpgfm.dll" Emehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipebnafj.dll" Mekgdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfnaicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgmfg32.dll" Lcnmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnangaoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofecami.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3244 wrote to memory of 3536 3244 adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe 84 PID 3244 wrote to memory of 3536 3244 adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe 84 PID 3244 wrote to memory of 3536 3244 adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe 84 PID 3536 wrote to memory of 776 3536 Ealadnik.exe 85 PID 3536 wrote to memory of 776 3536 Ealadnik.exe 85 PID 3536 wrote to memory of 776 3536 Ealadnik.exe 85 PID 776 wrote to memory of 344 776 Egijmegb.exe 86 PID 776 wrote to memory of 344 776 Egijmegb.exe 86 PID 776 wrote to memory of 344 776 Egijmegb.exe 86 PID 344 wrote to memory of 3152 344 Edmjfifl.exe 87 PID 344 wrote to memory of 3152 344 Edmjfifl.exe 87 PID 344 wrote to memory of 3152 344 Edmjfifl.exe 87 PID 3152 wrote to memory of 2220 3152 Ekgbccni.exe 88 PID 3152 wrote to memory of 2220 3152 Ekgbccni.exe 88 PID 3152 wrote to memory of 2220 3152 Ekgbccni.exe 88 PID 2220 wrote to memory of 1108 2220 Emeoooml.exe 90 PID 2220 wrote to memory of 1108 2220 Emeoooml.exe 90 PID 2220 wrote to memory of 1108 2220 Emeoooml.exe 90 PID 1108 wrote to memory of 3792 1108 Ehkclgmb.exe 91 PID 1108 wrote to memory of 3792 1108 Ehkclgmb.exe 91 PID 1108 wrote to memory of 3792 1108 Ehkclgmb.exe 91 PID 3792 wrote to memory of 1736 3792 Emhldnkj.exe 92 PID 3792 wrote to memory of 1736 3792 Emhldnkj.exe 92 PID 3792 wrote to memory of 1736 3792 Emhldnkj.exe 92 PID 1736 wrote to memory of 1504 1736 Fdbdah32.exe 93 PID 1736 wrote to memory of 1504 1736 Fdbdah32.exe 93 PID 1736 wrote to memory of 1504 1736 Fdbdah32.exe 93 PID 1504 wrote to memory of 4992 1504 Foghnabl.exe 95 PID 1504 wrote to memory of 4992 1504 Foghnabl.exe 95 PID 1504 wrote to memory of 4992 1504 Foghnabl.exe 95 PID 4992 wrote to memory of 4752 4992 Fddqghpd.exe 96 PID 4992 wrote to memory of 4752 4992 Fddqghpd.exe 96 PID 4992 wrote to memory of 4752 4992 Fddqghpd.exe 96 PID 4752 wrote to memory of 948 4752 Fnmepn32.exe 97 PID 4752 wrote to memory of 948 4752 Fnmepn32.exe 97 PID 4752 wrote to memory of 948 4752 Fnmepn32.exe 97 PID 948 wrote to memory of 1816 948 Fhbimf32.exe 99 PID 948 wrote to memory of 1816 948 Fhbimf32.exe 99 PID 948 wrote to memory of 1816 948 Fhbimf32.exe 99 PID 1816 wrote to memory of 368 1816 Fajnfl32.exe 100 PID 1816 wrote to memory of 368 1816 Fajnfl32.exe 100 PID 1816 wrote to memory of 368 1816 Fajnfl32.exe 100 PID 368 wrote to memory of 2256 368 Fhdfbfdh.exe 101 PID 368 wrote to memory of 2256 368 Fhdfbfdh.exe 101 PID 368 wrote to memory of 2256 368 Fhdfbfdh.exe 101 PID 2256 wrote to memory of 4820 2256 Fdkggg32.exe 102 PID 2256 wrote to memory of 4820 2256 Fdkggg32.exe 102 PID 2256 wrote to memory of 4820 2256 Fdkggg32.exe 102 PID 4820 wrote to memory of 1056 4820 Fgjccb32.exe 103 PID 4820 wrote to memory of 1056 4820 Fgjccb32.exe 103 PID 4820 wrote to memory of 1056 4820 Fgjccb32.exe 103 PID 1056 wrote to memory of 3296 1056 Gdncmghi.exe 104 PID 1056 wrote to memory of 3296 1056 Gdncmghi.exe 104 PID 1056 wrote to memory of 3296 1056 Gdncmghi.exe 104 PID 3296 wrote to memory of 2016 3296 Ghipne32.exe 105 PID 3296 wrote to memory of 2016 3296 Ghipne32.exe 105 PID 3296 wrote to memory of 2016 3296 Ghipne32.exe 105 PID 2016 wrote to memory of 4924 2016 Ggnlobej.exe 106 PID 2016 wrote to memory of 4924 2016 Ggnlobej.exe 106 PID 2016 wrote to memory of 4924 2016 Ggnlobej.exe 106 PID 4924 wrote to memory of 2972 4924 Gdbmhf32.exe 107 PID 4924 wrote to memory of 2972 4924 Gdbmhf32.exe 107 PID 4924 wrote to memory of 2972 4924 Gdbmhf32.exe 107 PID 2972 wrote to memory of 1416 2972 Gkleeplq.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe"C:\Users\Admin\AppData\Local\Temp\adbbbf091ac3a6217491a5d9c27ed8102d0d1863430cf5cc65739c82989dbc71.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Egijmegb.exeC:\Windows\system32\Egijmegb.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Edmjfifl.exeC:\Windows\system32\Edmjfifl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Ekgbccni.exeC:\Windows\system32\Ekgbccni.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Emhldnkj.exeC:\Windows\system32\Emhldnkj.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\Fdbdah32.exeC:\Windows\system32\Fdbdah32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Foghnabl.exeC:\Windows\system32\Foghnabl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Fhbimf32.exeC:\Windows\system32\Fhbimf32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Fajnfl32.exeC:\Windows\system32\Fajnfl32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Fdkggg32.exeC:\Windows\system32\Fdkggg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Fgjccb32.exeC:\Windows\system32\Fgjccb32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SysWOW64\Gdncmghi.exeC:\Windows\system32\Gdncmghi.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Ggnlobej.exeC:\Windows\system32\Ggnlobej.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Gddinf32.exeC:\Windows\system32\Gddinf32.exe23⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Ggcfja32.exeC:\Windows\system32\Ggcfja32.exe24⤵
- Executes dropped EXE
PID:4564 -
C:\Windows\SysWOW64\Gnmnfkia.exeC:\Windows\system32\Gnmnfkia.exe25⤵
- Executes dropped EXE
PID:4116 -
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:4304 -
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Ggeboaob.exeC:\Windows\system32\Ggeboaob.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4796 -
C:\Windows\SysWOW64\Goljqnpd.exeC:\Windows\system32\Goljqnpd.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Hakgmjoh.exeC:\Windows\system32\Hakgmjoh.exe31⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe32⤵
- Executes dropped EXE
PID:4388 -
C:\Windows\SysWOW64\Hdicienl.exeC:\Windows\system32\Hdicienl.exe33⤵
- Executes dropped EXE
PID:3092 -
C:\Windows\SysWOW64\Hghoeqmp.exeC:\Windows\system32\Hghoeqmp.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Hkckeo32.exeC:\Windows\system32\Hkckeo32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe36⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Hnagak32.exeC:\Windows\system32\Hnagak32.exe37⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Hdlpneli.exeC:\Windows\system32\Hdlpneli.exe39⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe40⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Hkehkocf.exeC:\Windows\system32\Hkehkocf.exe41⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Hoadkn32.exeC:\Windows\system32\Hoadkn32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4404 -
C:\Windows\SysWOW64\Hnddgjbj.exeC:\Windows\system32\Hnddgjbj.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Hfklhhcl.exeC:\Windows\system32\Hfklhhcl.exe44⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Hhihdcbp.exeC:\Windows\system32\Hhihdcbp.exe46⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Hkhdqoac.exeC:\Windows\system32\Hkhdqoac.exe47⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Hocqam32.exeC:\Windows\system32\Hocqam32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8 -
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3840 -
C:\Windows\SysWOW64\Hfningai.exeC:\Windows\system32\Hfningai.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4856 -
C:\Windows\SysWOW64\Hhlejcpm.exeC:\Windows\system32\Hhlejcpm.exe51⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Hkjafn32.exeC:\Windows\system32\Hkjafn32.exe52⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe53⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe54⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Hfpecg32.exeC:\Windows\system32\Hfpecg32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3172 -
C:\Windows\SysWOW64\Hdbfodfa.exeC:\Windows\system32\Hdbfodfa.exe56⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\Hgabkoee.exeC:\Windows\system32\Hgabkoee.exe57⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3300 -
C:\Windows\SysWOW64\Inkjhi32.exeC:\Windows\system32\Inkjhi32.exe59⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ibffhhek.exeC:\Windows\system32\Ibffhhek.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:4400 -
C:\Windows\SysWOW64\Idebdcdo.exeC:\Windows\system32\Idebdcdo.exe61⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\Iokgal32.exeC:\Windows\system32\Iokgal32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3544 -
C:\Windows\SysWOW64\Iickkbje.exeC:\Windows\system32\Iickkbje.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4276 -
C:\Windows\SysWOW64\Ikaggmii.exeC:\Windows\system32\Ikaggmii.exe64⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Inpccihl.exeC:\Windows\system32\Inpccihl.exe65⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe66⤵PID:3144
-
C:\Windows\SysWOW64\Ighhln32.exeC:\Windows\system32\Ighhln32.exe67⤵PID:1436
-
C:\Windows\SysWOW64\Inbqhhfj.exeC:\Windows\system32\Inbqhhfj.exe68⤵PID:4124
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe69⤵PID:4348
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe70⤵PID:4008
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe71⤵PID:1396
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe72⤵PID:3000
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe73⤵PID:2468
-
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe74⤵PID:2968
-
C:\Windows\SysWOW64\Jbbfdfkn.exeC:\Windows\system32\Jbbfdfkn.exe75⤵PID:4128
-
C:\Windows\SysWOW64\Jeqbpb32.exeC:\Windows\system32\Jeqbpb32.exe76⤵PID:2000
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe77⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3696 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe80⤵PID:532
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe81⤵PID:2924
-
C:\Windows\SysWOW64\Jnkcogno.exeC:\Windows\system32\Jnkcogno.exe82⤵PID:3048
-
C:\Windows\SysWOW64\Jbgoof32.exeC:\Windows\system32\Jbgoof32.exe83⤵PID:3480
-
C:\Windows\SysWOW64\Jpkphjeb.exeC:\Windows\system32\Jpkphjeb.exe84⤵PID:2792
-
C:\Windows\SysWOW64\Jbileede.exeC:\Windows\system32\Jbileede.exe85⤵PID:3756
-
C:\Windows\SysWOW64\Jehhaaci.exeC:\Windows\system32\Jehhaaci.exe86⤵PID:2152
-
C:\Windows\SysWOW64\Jkaqnk32.exeC:\Windows\system32\Jkaqnk32.exe87⤵PID:4464
-
C:\Windows\SysWOW64\Jnpmjf32.exeC:\Windows\system32\Jnpmjf32.exe88⤵PID:4192
-
C:\Windows\SysWOW64\Jejefqaf.exeC:\Windows\system32\Jejefqaf.exe89⤵PID:4264
-
C:\Windows\SysWOW64\Jghabl32.exeC:\Windows\system32\Jghabl32.exe90⤵PID:3852
-
C:\Windows\SysWOW64\Knbiofhg.exeC:\Windows\system32\Knbiofhg.exe91⤵PID:3156
-
C:\Windows\SysWOW64\Kfjapcii.exeC:\Windows\system32\Kfjapcii.exe92⤵PID:3272
-
C:\Windows\SysWOW64\Kihnmohm.exeC:\Windows\system32\Kihnmohm.exe93⤵PID:4140
-
C:\Windows\SysWOW64\Klfjijgq.exeC:\Windows\system32\Klfjijgq.exe94⤵PID:4328
-
C:\Windows\SysWOW64\Knefeffd.exeC:\Windows\system32\Knefeffd.exe95⤵PID:5132
-
C:\Windows\SysWOW64\Kbpbed32.exeC:\Windows\system32\Kbpbed32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176 -
C:\Windows\SysWOW64\Kijjbofj.exeC:\Windows\system32\Kijjbofj.exe97⤵PID:5220
-
C:\Windows\SysWOW64\Kpdboimg.exeC:\Windows\system32\Kpdboimg.exe98⤵PID:5268
-
C:\Windows\SysWOW64\Kfnkkb32.exeC:\Windows\system32\Kfnkkb32.exe99⤵PID:5312
-
C:\Windows\SysWOW64\Kimghn32.exeC:\Windows\system32\Kimghn32.exe100⤵PID:5356
-
C:\Windows\SysWOW64\Klkcdj32.exeC:\Windows\system32\Klkcdj32.exe101⤵PID:5400
-
C:\Windows\SysWOW64\Kpgodhkd.exeC:\Windows\system32\Kpgodhkd.exe102⤵PID:5444
-
C:\Windows\SysWOW64\Kbekqdjh.exeC:\Windows\system32\Kbekqdjh.exe103⤵PID:5488
-
C:\Windows\SysWOW64\Kechmoil.exeC:\Windows\system32\Kechmoil.exe104⤵PID:5536
-
C:\Windows\SysWOW64\Kiodmn32.exeC:\Windows\system32\Kiodmn32.exe105⤵PID:5580
-
C:\Windows\SysWOW64\Klmpiiai.exeC:\Windows\system32\Klmpiiai.exe106⤵PID:5620
-
C:\Windows\SysWOW64\Kpiljh32.exeC:\Windows\system32\Kpiljh32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5660 -
C:\Windows\SysWOW64\Kbghfc32.exeC:\Windows\system32\Kbghfc32.exe108⤵PID:5700
-
C:\Windows\SysWOW64\Kfcdfbqo.exeC:\Windows\system32\Kfcdfbqo.exe109⤵PID:5740
-
C:\Windows\SysWOW64\Kiaqcnpb.exeC:\Windows\system32\Kiaqcnpb.exe110⤵PID:5780
-
C:\Windows\SysWOW64\Lpkiph32.exeC:\Windows\system32\Lpkiph32.exe111⤵PID:5820
-
C:\Windows\SysWOW64\Lbjelc32.exeC:\Windows\system32\Lbjelc32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5864 -
C:\Windows\SysWOW64\Lehaho32.exeC:\Windows\system32\Lehaho32.exe113⤵PID:5904
-
C:\Windows\SysWOW64\Lhfmdj32.exeC:\Windows\system32\Lhfmdj32.exe114⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Lpneegel.exeC:\Windows\system32\Lpneegel.exe115⤵PID:5984
-
C:\Windows\SysWOW64\Lnqeqd32.exeC:\Windows\system32\Lnqeqd32.exe116⤵PID:6024
-
C:\Windows\SysWOW64\Lejnmncd.exeC:\Windows\system32\Lejnmncd.exe117⤵
- Drops file in System32 directory
PID:6064 -
C:\Windows\SysWOW64\Lhijijbg.exeC:\Windows\system32\Lhijijbg.exe118⤵
- Modifies registry class
PID:6112 -
C:\Windows\SysWOW64\Lppbkgcj.exeC:\Windows\system32\Lppbkgcj.exe119⤵PID:3264
-
C:\Windows\SysWOW64\Lbnngbbn.exeC:\Windows\system32\Lbnngbbn.exe120⤵PID:5164
-
C:\Windows\SysWOW64\Lemkcnaa.exeC:\Windows\system32\Lemkcnaa.exe121⤵PID:5264
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-