Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
25-08-2024 15:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0740d2b160f8b3486e091d57df27610N.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
e0740d2b160f8b3486e091d57df27610N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
e0740d2b160f8b3486e091d57df27610N.exe
-
Size
55KB
-
MD5
e0740d2b160f8b3486e091d57df27610
-
SHA1
c24a7504fbc7d059c321fbc858c090a2d43dcdce
-
SHA256
699194faa36d42228969adcff804c0afb41bae2f4ae5e2b8629fcc7f6de8b8a0
-
SHA512
cc5c995219575e6f8ed6c7bc83c55d1891af7750334e32dff72b47687973dcf69b16f0cd9b03da17020530f5d955ba1febbf2122f9361a9a5f1d667c5bd6f342
-
SSDEEP
1536:ZiFOcxPnmVaSX1JjiUiVD0mJ5daoNSoNSd0A3shxD6:AkcxPnuFJjinoi5dFNXNW0A8hh
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcppidk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlbjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihfgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcpkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjpqpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgiepced.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helngnie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfonkfqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbniid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbbccgmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdbahpec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dohgomgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkmlmbcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbbdcgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphkbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmeoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmojnlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaqomeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngneph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnldjekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lboiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmlmbcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioliqbjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aidphq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenakoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifpcchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elajgpmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imjkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kindeddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inafbooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiecgjba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnmpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahbekjcf.exe -
Executes dropped EXE 64 IoCs
pid Process 2840 Dnjngk32.exe 2616 Dphjcf32.exe 1684 Dnlkmkpn.exe 2712 Dahgni32.exe 700 Dkpkfooh.exe 1100 Eckpkamb.exe 2024 Efjlgmlf.exe 1688 Epoqde32.exe 2928 Ejgemkbm.exe 2656 Eqamje32.exe 2920 Efnfbl32.exe 2932 Elhnof32.exe 1044 Ebefgm32.exe 2452 Ehoocgeb.exe 2272 Enlglnci.exe 1468 Edfpih32.exe 836 Fokdfajl.exe 1644 Fqmpni32.exe 764 Fgfhjcgg.exe 3036 Fnqqgm32.exe 1904 Fdjidgfa.exe 904 Fgiepced.exe 2504 Fncmmmma.exe 1292 Femeig32.exe 1720 Ffnbaojm.exe 3028 Fmhjni32.exe 2832 Fpffje32.exe 2852 Fcbbjcif.exe 2652 Fmjgcipg.exe 2316 Gjngmmnp.exe 580 Gfehan32.exe 2684 Gehhmkko.exe 2980 Gejebk32.exe 2148 Gppipc32.exe 2968 Gembhj32.exe 2816 Glgjednf.exe 1940 Gdboig32.exe 3056 Gligjd32.exe 532 Gmjcblbb.exe 2340 Hddlof32.exe 2156 Hmmphlpp.exe 1564 Hdfhdfgl.exe 1860 Hfedqagp.exe 1336 Hmomml32.exe 1484 Hbleeb32.exe 1680 Hifmbmda.exe 860 Hppfog32.exe 1796 Hdkape32.exe 2880 Hbnbkbja.exe 2860 Helngnie.exe 2876 Hihjhl32.exe 2844 Hpbbdfik.exe 776 Hbqoqbho.exe 1264 Heokmmgb.exe 1772 Ihmgiiff.exe 3016 Ipdojfgh.exe 2904 Ihpdoh32.exe 1972 Iknpkd32.exe 2236 Iahhgnkd.exe 2204 Ihbqdh32.exe 2168 Ioliqbjn.exe 2052 Iefamlak.exe 1676 Ikbifcpb.exe 1768 Inafbooe.exe -
Loads dropped DLL 64 IoCs
pid Process 2740 e0740d2b160f8b3486e091d57df27610N.exe 2740 e0740d2b160f8b3486e091d57df27610N.exe 2840 Dnjngk32.exe 2840 Dnjngk32.exe 2616 Dphjcf32.exe 2616 Dphjcf32.exe 1684 Dnlkmkpn.exe 1684 Dnlkmkpn.exe 2712 Dahgni32.exe 2712 Dahgni32.exe 700 Dkpkfooh.exe 700 Dkpkfooh.exe 1100 Eckpkamb.exe 1100 Eckpkamb.exe 2024 Efjlgmlf.exe 2024 Efjlgmlf.exe 1688 Epoqde32.exe 1688 Epoqde32.exe 2928 Ejgemkbm.exe 2928 Ejgemkbm.exe 2656 Eqamje32.exe 2656 Eqamje32.exe 2920 Efnfbl32.exe 2920 Efnfbl32.exe 2932 Elhnof32.exe 2932 Elhnof32.exe 1044 Ebefgm32.exe 1044 Ebefgm32.exe 2452 Ehoocgeb.exe 2452 Ehoocgeb.exe 2272 Enlglnci.exe 2272 Enlglnci.exe 1468 Edfpih32.exe 1468 Edfpih32.exe 836 Fokdfajl.exe 836 Fokdfajl.exe 1644 Fqmpni32.exe 1644 Fqmpni32.exe 764 Fgfhjcgg.exe 764 Fgfhjcgg.exe 3036 Fnqqgm32.exe 3036 Fnqqgm32.exe 1904 Fdjidgfa.exe 1904 Fdjidgfa.exe 904 Fgiepced.exe 904 Fgiepced.exe 2504 Fncmmmma.exe 2504 Fncmmmma.exe 1292 Femeig32.exe 1292 Femeig32.exe 1720 Ffnbaojm.exe 1720 Ffnbaojm.exe 3028 Fmhjni32.exe 3028 Fmhjni32.exe 2832 Fpffje32.exe 2832 Fpffje32.exe 2852 Fcbbjcif.exe 2852 Fcbbjcif.exe 2652 Fmjgcipg.exe 2652 Fmjgcipg.exe 2316 Gjngmmnp.exe 2316 Gjngmmnp.exe 580 Gfehan32.exe 580 Gfehan32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Opplolac.exe Oldpnn32.exe File opened for modification C:\Windows\SysWOW64\Aggpdnpj.exe Aidphq32.exe File opened for modification C:\Windows\SysWOW64\Ciaefa32.exe Cfcijf32.exe File created C:\Windows\SysWOW64\Ncmljjmf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Goiehm32.exe Fmkilb32.exe File created C:\Windows\SysWOW64\Jiepeo32.dll Hfcjdkpg.exe File created C:\Windows\SysWOW64\Ofkggbgh.dll Jfdhmk32.exe File opened for modification C:\Windows\SysWOW64\Mflgih32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Idadnd32.exe Iabhah32.exe File created C:\Windows\SysWOW64\Dlfgcl32.exe Ddpobo32.exe File opened for modification C:\Windows\SysWOW64\Eacljf32.exe Eoepnk32.exe File opened for modification C:\Windows\SysWOW64\Ahgofi32.exe Aficjnpm.exe File created C:\Windows\SysWOW64\Oehiknbl.dll Process not Found File created C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File opened for modification C:\Windows\SysWOW64\Cbppnbhm.exe Ccmpce32.exe File created C:\Windows\SysWOW64\Aaddfb32.dll Cbppnbhm.exe File created C:\Windows\SysWOW64\Cmedlk32.exe Cenljmgq.exe File created C:\Windows\SysWOW64\Foahmh32.exe Fhgppnan.exe File created C:\Windows\SysWOW64\Dkpnde32.dll Process not Found File created C:\Windows\SysWOW64\Aoohekal.exe Aggpdnpj.exe File created C:\Windows\SysWOW64\Kfnmpn32.exe Kgkleabc.exe File created C:\Windows\SysWOW64\Ncniim32.dll Lblcfnhj.exe File created C:\Windows\SysWOW64\Gpihdl32.dll Locjhqpa.exe File created C:\Windows\SysWOW64\Gdhdkn32.exe Gaihob32.exe File opened for modification C:\Windows\SysWOW64\Jhoklnkg.exe Jeqopcld.exe File created C:\Windows\SysWOW64\Eiilephi.dll Process not Found File created C:\Windows\SysWOW64\Pddjlb32.exe Process not Found File created C:\Windows\SysWOW64\Abkeba32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nidkmojn.exe Nplfdj32.exe File created C:\Windows\SysWOW64\Odchbe32.exe Opglafab.exe File created C:\Windows\SysWOW64\Jhjphfgi.exe Ielclkhe.exe File created C:\Windows\SysWOW64\Dgdfdnfj.dll Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Ejcmmp32.exe Process not Found File created C:\Windows\SysWOW64\Bfagpiam.exe Bccjdnbi.exe File created C:\Windows\SysWOW64\Jjnhhjjk.exe Jhoklnkg.exe File created C:\Windows\SysWOW64\Fdpcbceo.dll Process not Found File created C:\Windows\SysWOW64\Ncmflp32.dll Cbajkiof.exe File opened for modification C:\Windows\SysWOW64\Dllhhaep.exe Dinklffl.exe File created C:\Windows\SysWOW64\Bchqdi32.dll Bnldjekl.exe File opened for modification C:\Windows\SysWOW64\Lfmbek32.exe Lbafdlod.exe File created C:\Windows\SysWOW64\Hnoefj32.dll Neknki32.exe File created C:\Windows\SysWOW64\Bigkel32.exe Bjdkjpkb.exe File created C:\Windows\SysWOW64\Dncibp32.exe Process not Found File created C:\Windows\SysWOW64\Loeccoai.dll Process not Found File created C:\Windows\SysWOW64\Hbleeb32.exe Hmomml32.exe File created C:\Windows\SysWOW64\Ejkkfjkj.exe Egmojnlf.exe File created C:\Windows\SysWOW64\Fdmhbplb.exe Flfpabkp.exe File created C:\Windows\SysWOW64\Gcmoda32.exe Gmbfggdo.exe File opened for modification C:\Windows\SysWOW64\Eogmcjef.exe Elipgofb.exe File opened for modification C:\Windows\SysWOW64\Jbefcm32.exe Jpgjgboe.exe File created C:\Windows\SysWOW64\Mgcchb32.dll Nmfbpk32.exe File created C:\Windows\SysWOW64\Gekfnoog.exe Process not Found File created C:\Windows\SysWOW64\Ciohqa32.exe Cbepdhgc.exe File created C:\Windows\SysWOW64\Qoblpdnf.dll Adifpk32.exe File created C:\Windows\SysWOW64\Phklaacg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Makjho32.exe Ljabkeaf.exe File created C:\Windows\SysWOW64\Dhmhhmlm.exe Deollamj.exe File created C:\Windows\SysWOW64\Clojhf32.exe Cgcnghpl.exe File created C:\Windows\SysWOW64\Nnafnopi.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Oaoplfhc.dll Bniajoic.exe File created C:\Windows\SysWOW64\Cbehjc32.dll Dnpciaef.exe File created C:\Windows\SysWOW64\Lihcil32.dll Dnjngk32.exe File created C:\Windows\SysWOW64\Ooclji32.exe Opplolac.exe File opened for modification C:\Windows\SysWOW64\Cdgpnqpo.exe Caidaeak.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 632 5056 Process not Found 1337 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkofjijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcaonhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmcielb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeiheo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipdojfgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhoice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adifpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfonkfqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olophhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlmpfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idknoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padeldeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckajebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqcjlhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmifk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghlndfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgoboc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbohehoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapeic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peanbblf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfdhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqned32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeeolig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acekjjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baigca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bekmle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epecbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpalp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdnbbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pclhdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinklffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jepmgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekiphge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgoopkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agljom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbcpmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgihn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inafbooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncmmmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjngmmnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heokmmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkion32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heikgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkleabc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbnok32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggogki32.dll" Oioggmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgcnh32.dll" Dmdnbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihieggm.dll" Jgfcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfnoac.dll" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmffciep.dll" Bflbigdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmeon.dll" Kjokokha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehoocgeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeadap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnein32.dll" Cepfgdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncobd32.dll" Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egokonjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aakepajf.dll" Foafdoag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagojlib.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkgcab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdiefffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opglafab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beackp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefqie32.dll" Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhjni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikepamg.dll" Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnpioai.dll" Djiqdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmlem32.dll" Lldmleam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjdkjpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehoblpm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgkfh32.dll" Opplolac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkifdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnflke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Illbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgflflqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qojieb32.dll" Emagacdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coglpp32.dll" Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekhchoj.dll" Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieomef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbafdlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaihob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nidkmojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhhgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibhndp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peanbblf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdpkhqmc.dll" Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2740 wrote to memory of 2840 2740 e0740d2b160f8b3486e091d57df27610N.exe 30 PID 2740 wrote to memory of 2840 2740 e0740d2b160f8b3486e091d57df27610N.exe 30 PID 2740 wrote to memory of 2840 2740 e0740d2b160f8b3486e091d57df27610N.exe 30 PID 2740 wrote to memory of 2840 2740 e0740d2b160f8b3486e091d57df27610N.exe 30 PID 2840 wrote to memory of 2616 2840 Dnjngk32.exe 31 PID 2840 wrote to memory of 2616 2840 Dnjngk32.exe 31 PID 2840 wrote to memory of 2616 2840 Dnjngk32.exe 31 PID 2840 wrote to memory of 2616 2840 Dnjngk32.exe 31 PID 2616 wrote to memory of 1684 2616 Dphjcf32.exe 32 PID 2616 wrote to memory of 1684 2616 Dphjcf32.exe 32 PID 2616 wrote to memory of 1684 2616 Dphjcf32.exe 32 PID 2616 wrote to memory of 1684 2616 Dphjcf32.exe 32 PID 1684 wrote to memory of 2712 1684 Dnlkmkpn.exe 33 PID 1684 wrote to memory of 2712 1684 Dnlkmkpn.exe 33 PID 1684 wrote to memory of 2712 1684 Dnlkmkpn.exe 33 PID 1684 wrote to memory of 2712 1684 Dnlkmkpn.exe 33 PID 2712 wrote to memory of 700 2712 Dahgni32.exe 34 PID 2712 wrote to memory of 700 2712 Dahgni32.exe 34 PID 2712 wrote to memory of 700 2712 Dahgni32.exe 34 PID 2712 wrote to memory of 700 2712 Dahgni32.exe 34 PID 700 wrote to memory of 1100 700 Dkpkfooh.exe 35 PID 700 wrote to memory of 1100 700 Dkpkfooh.exe 35 PID 700 wrote to memory of 1100 700 Dkpkfooh.exe 35 PID 700 wrote to memory of 1100 700 Dkpkfooh.exe 35 PID 1100 wrote to memory of 2024 1100 Eckpkamb.exe 36 PID 1100 wrote to memory of 2024 1100 Eckpkamb.exe 36 PID 1100 wrote to memory of 2024 1100 Eckpkamb.exe 36 PID 1100 wrote to memory of 2024 1100 Eckpkamb.exe 36 PID 2024 wrote to memory of 1688 2024 Efjlgmlf.exe 37 PID 2024 wrote to memory of 1688 2024 Efjlgmlf.exe 37 PID 2024 wrote to memory of 1688 2024 Efjlgmlf.exe 37 PID 2024 wrote to memory of 1688 2024 Efjlgmlf.exe 37 PID 1688 wrote to memory of 2928 1688 Epoqde32.exe 38 PID 1688 wrote to memory of 2928 1688 Epoqde32.exe 38 PID 1688 wrote to memory of 2928 1688 Epoqde32.exe 38 PID 1688 wrote to memory of 2928 1688 Epoqde32.exe 38 PID 2928 wrote to memory of 2656 2928 Ejgemkbm.exe 39 PID 2928 wrote to memory of 2656 2928 Ejgemkbm.exe 39 PID 2928 wrote to memory of 2656 2928 Ejgemkbm.exe 39 PID 2928 wrote to memory of 2656 2928 Ejgemkbm.exe 39 PID 2656 wrote to memory of 2920 2656 Eqamje32.exe 40 PID 2656 wrote to memory of 2920 2656 Eqamje32.exe 40 PID 2656 wrote to memory of 2920 2656 Eqamje32.exe 40 PID 2656 wrote to memory of 2920 2656 Eqamje32.exe 40 PID 2920 wrote to memory of 2932 2920 Efnfbl32.exe 41 PID 2920 wrote to memory of 2932 2920 Efnfbl32.exe 41 PID 2920 wrote to memory of 2932 2920 Efnfbl32.exe 41 PID 2920 wrote to memory of 2932 2920 Efnfbl32.exe 41 PID 2932 wrote to memory of 1044 2932 Elhnof32.exe 42 PID 2932 wrote to memory of 1044 2932 Elhnof32.exe 42 PID 2932 wrote to memory of 1044 2932 Elhnof32.exe 42 PID 2932 wrote to memory of 1044 2932 Elhnof32.exe 42 PID 1044 wrote to memory of 2452 1044 Ebefgm32.exe 43 PID 1044 wrote to memory of 2452 1044 Ebefgm32.exe 43 PID 1044 wrote to memory of 2452 1044 Ebefgm32.exe 43 PID 1044 wrote to memory of 2452 1044 Ebefgm32.exe 43 PID 2452 wrote to memory of 2272 2452 Ehoocgeb.exe 44 PID 2452 wrote to memory of 2272 2452 Ehoocgeb.exe 44 PID 2452 wrote to memory of 2272 2452 Ehoocgeb.exe 44 PID 2452 wrote to memory of 2272 2452 Ehoocgeb.exe 44 PID 2272 wrote to memory of 1468 2272 Enlglnci.exe 45 PID 2272 wrote to memory of 1468 2272 Enlglnci.exe 45 PID 2272 wrote to memory of 1468 2272 Enlglnci.exe 45 PID 2272 wrote to memory of 1468 2272 Enlglnci.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0740d2b160f8b3486e091d57df27610N.exe"C:\Users\Admin\AppData\Local\Temp\e0740d2b160f8b3486e091d57df27610N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Fgfhjcgg.exeC:\Windows\system32\Fgfhjcgg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Gfehan32.exeC:\Windows\system32\Gfehan32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe33⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe34⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe35⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe36⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe37⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe38⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe39⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe40⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe41⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe42⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe43⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe44⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe46⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe47⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe48⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe49⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe50⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe52⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe53⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe54⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1264 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe56⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe58⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe59⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe60⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe61⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe63⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe64⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe68⤵PID:2500
-
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe70⤵PID:2612
-
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2660 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe72⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe73⤵PID:1604
-
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe74⤵PID:2028
-
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe75⤵PID:2824
-
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe76⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe77⤵PID:1432
-
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe78⤵PID:1996
-
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe79⤵PID:2276
-
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe80⤵PID:1804
-
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe81⤵PID:2144
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe82⤵PID:2992
-
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe83⤵PID:1908
-
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe84⤵PID:2376
-
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe85⤵PID:2748
-
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe86⤵PID:2280
-
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe87⤵PID:2620
-
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe88⤵PID:1028
-
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe89⤵PID:2076
-
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe90⤵PID:3004
-
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe91⤵PID:2112
-
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe92⤵PID:876
-
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe93⤵PID:3040
-
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe94⤵PID:812
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe95⤵PID:2100
-
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe96⤵PID:1936
-
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe97⤵PID:1616
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe98⤵PID:692
-
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe99⤵PID:2892
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe100⤵PID:2856
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe101⤵PID:1500
-
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe102⤵PID:2924
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe103⤵PID:2348
-
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe104⤵PID:2820
-
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe105⤵PID:1148
-
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe106⤵PID:2208
-
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe107⤵PID:2460
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe108⤵PID:3020
-
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe109⤵PID:1704
-
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe110⤵PID:1964
-
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe111⤵PID:828
-
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe112⤵PID:2252
-
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe113⤵PID:2360
-
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe114⤵PID:2072
-
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe115⤵PID:1596
-
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe116⤵PID:2256
-
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe117⤵PID:1952
-
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe118⤵PID:1976
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe119⤵PID:2240
-
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe120⤵PID:2524
-
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe121⤵PID:2936
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-