Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/11/2024, 12:37
Static task
static1
Behavioral task
behavioral1
Sample
60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe
Resource
win10v2004-20241007-en
General
-
Target
60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe
-
Size
96KB
-
MD5
688a0415a45cd18806bbd430d3a74220
-
SHA1
c422f098c18c80303d3d3f1781bf9318d6adbc4a
-
SHA256
60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590ca
-
SHA512
c7228f995400cda8300787e2891e4c11f14f14bb367d7a9e075791a4392995654cea9c3e4038ee78749cbddc7d98c40b279a197fd08ca5618121a5bf7e3331fe
-
SSDEEP
1536:+AS1OqY36IknNNynDrUJtaCmnfl0mxiqTgX41qeto/YtMimFOM6bOLXi8PmCofGy:pSCKIknNNynDrSUCmnfCm04AetXSJFDk
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbgjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfkapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opkccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cffljlpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbdee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejjbbkpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hddlof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnjjbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkacpihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kohnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accnekon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liklhmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfbaql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipbocjlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhoice32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcpie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cemjae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmljgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbdallnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idfdcijh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamdkfnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaiibg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpnkbpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odbeilbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgjebg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbqdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2776 Nkbalifo.exe 3068 Ndjfeo32.exe 2632 Nmbknddp.exe 2392 Nodgel32.exe 500 Niikceid.exe 1656 Npccpo32.exe 2336 Nadpgggp.exe 2604 Nilhhdga.exe 2608 Nhohda32.exe 2976 Oebimf32.exe 1976 Ookmfk32.exe 2044 Oaiibg32.exe 1940 Olonpp32.exe 1544 Oomjlk32.exe 2224 Ohendqhd.exe 768 Oopfakpa.exe 648 Oqacic32.exe 3032 Ogkkfmml.exe 968 Ojigbhlp.exe 1560 Oappcfmb.exe 1980 Odoloalf.exe 936 Pjldghjm.exe 1812 Pngphgbf.exe 2520 Pdaheq32.exe 1064 Pjnamh32.exe 2808 Pmlmic32.exe 2652 Pfdabino.exe 2324 Pqjfoa32.exe 988 Pomfkndo.exe 576 Pjbjhgde.exe 2056 Pmagdbci.exe 3024 Pbnoliap.exe 1072 Pkfceo32.exe 2968 Pndpajgd.exe 1308 Qbplbi32.exe 1832 Qijdocfj.exe 1888 Qbbhgi32.exe 1948 Qkkmqnck.exe 2484 Qjnmlk32.exe 1112 Abeemhkh.exe 1552 Aaheie32.exe 3044 Aganeoip.exe 692 Ajpjakhc.exe 2020 Aeenochi.exe 376 Achojp32.exe 2432 Afgkfl32.exe 2152 Annbhi32.exe 2340 Apoooa32.exe 2996 Afiglkle.exe 2640 Aigchgkh.exe 1556 Amcpie32.exe 952 Apalea32.exe 1748 Abphal32.exe 2136 Aijpnfif.exe 2944 Amelne32.exe 2516 Abbeflpf.exe 1444 Afnagk32.exe 1936 Bilmcf32.exe 2232 Blkioa32.exe 2456 Bpfeppop.exe 3048 Bbdallnd.exe 1744 Becnhgmg.exe 916 Biojif32.exe 2116 Bphbeplm.exe -
Loads dropped DLL 64 IoCs
pid Process 2856 60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe 2856 60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe 2776 Nkbalifo.exe 2776 Nkbalifo.exe 3068 Ndjfeo32.exe 3068 Ndjfeo32.exe 2632 Nmbknddp.exe 2632 Nmbknddp.exe 2392 Nodgel32.exe 2392 Nodgel32.exe 500 Niikceid.exe 500 Niikceid.exe 1656 Npccpo32.exe 1656 Npccpo32.exe 2336 Nadpgggp.exe 2336 Nadpgggp.exe 2604 Nilhhdga.exe 2604 Nilhhdga.exe 2608 Nhohda32.exe 2608 Nhohda32.exe 2976 Oebimf32.exe 2976 Oebimf32.exe 1976 Ookmfk32.exe 1976 Ookmfk32.exe 2044 Oaiibg32.exe 2044 Oaiibg32.exe 1940 Olonpp32.exe 1940 Olonpp32.exe 1544 Oomjlk32.exe 1544 Oomjlk32.exe 2224 Ohendqhd.exe 2224 Ohendqhd.exe 768 Oopfakpa.exe 768 Oopfakpa.exe 648 Oqacic32.exe 648 Oqacic32.exe 3032 Ogkkfmml.exe 3032 Ogkkfmml.exe 968 Ojigbhlp.exe 968 Ojigbhlp.exe 1560 Oappcfmb.exe 1560 Oappcfmb.exe 1980 Odoloalf.exe 1980 Odoloalf.exe 936 Pjldghjm.exe 936 Pjldghjm.exe 1812 Pngphgbf.exe 1812 Pngphgbf.exe 2520 Pdaheq32.exe 2520 Pdaheq32.exe 1064 Pjnamh32.exe 1064 Pjnamh32.exe 2808 Pmlmic32.exe 2808 Pmlmic32.exe 2652 Pfdabino.exe 2652 Pfdabino.exe 2324 Pqjfoa32.exe 2324 Pqjfoa32.exe 988 Pomfkndo.exe 988 Pomfkndo.exe 576 Pjbjhgde.exe 576 Pjbjhgde.exe 2056 Pmagdbci.exe 2056 Pmagdbci.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Enkpahon.exe Ejpdai32.exe File created C:\Windows\SysWOW64\Lfoojj32.exe Process not Found File created C:\Windows\SysWOW64\Ibagdh32.dll Process not Found File created C:\Windows\SysWOW64\Qdfmchqk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ooclji32.exe Oldpnn32.exe File created C:\Windows\SysWOW64\Lqejbiim.exe Lngnfnji.exe File opened for modification C:\Windows\SysWOW64\Oioggmmc.exe Oagoep32.exe File created C:\Windows\SysWOW64\Modlbmmn.exe Process not Found File created C:\Windows\SysWOW64\Fkgfqf32.dll Process not Found File created C:\Windows\SysWOW64\Nedamakn.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dgiaefgg.exe Process not Found File created C:\Windows\SysWOW64\Mabanhgg.dll Cdoajb32.exe File created C:\Windows\SysWOW64\Ejecol32.dll Hhjcic32.exe File created C:\Windows\SysWOW64\Klehgh32.exe Kjglkm32.exe File opened for modification C:\Windows\SysWOW64\Nidmfh32.exe Process not Found File created C:\Windows\SysWOW64\Cpfmmf32.exe Process not Found File created C:\Windows\SysWOW64\Aodcbn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Igceej32.exe Process not Found File created C:\Windows\SysWOW64\Gpggei32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Naalga32.exe Nocpkf32.exe File created C:\Windows\SysWOW64\Nihqegkl.dll Ajqljc32.exe File opened for modification C:\Windows\SysWOW64\Aqonbm32.exe Amcbankf.exe File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Process not Found File created C:\Windows\SysWOW64\Fniamd32.dll Process not Found File created C:\Windows\SysWOW64\Ddaglffo.dll Process not Found File created C:\Windows\SysWOW64\Ghibjjnk.exe Process not Found File created C:\Windows\SysWOW64\Jlpdoo32.dll Eogjka32.exe File created C:\Windows\SysWOW64\Dhbggodl.dll Process not Found File created C:\Windows\SysWOW64\Fhgppnan.exe Process not Found File created C:\Windows\SysWOW64\Fijjok32.dll Process not Found File created C:\Windows\SysWOW64\Hqnapb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Addfkeid.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fjjpjgjj.exe Fgldnkkf.exe File created C:\Windows\SysWOW64\Gdhclbka.dll Jialfgcc.exe File created C:\Windows\SysWOW64\Abnhjmjc.dll Process not Found File created C:\Windows\SysWOW64\Djehli32.dll Kglcogeo.exe File created C:\Windows\SysWOW64\Nfdkoc32.exe Necogkbo.exe File created C:\Windows\SysWOW64\Eioigi32.dll Process not Found File created C:\Windows\SysWOW64\Gfcdmgon.dll Dgjfek32.exe File created C:\Windows\SysWOW64\Ldikdp32.dll Dldkmlhl.exe File created C:\Windows\SysWOW64\Jfofol32.exe Jdpjba32.exe File created C:\Windows\SysWOW64\Ajaclncd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ckpckece.exe Process not Found File created C:\Windows\SysWOW64\Oqacic32.exe Oopfakpa.exe File created C:\Windows\SysWOW64\Nfdgghho.dll Process not Found File created C:\Windows\SysWOW64\Kjaiehik.dll Process not Found File created C:\Windows\SysWOW64\Jjmfenoo.dll Process not Found File created C:\Windows\SysWOW64\Ehieciqq.dll Bphbeplm.exe File created C:\Windows\SysWOW64\Bcebdq32.dll Dbojdmcd.exe File created C:\Windows\SysWOW64\Pkjjaebl.dll Fgldnkkf.exe File created C:\Windows\SysWOW64\Ggknna32.dll Process not Found File created C:\Windows\SysWOW64\Dgmbkk32.exe Dbafjlaa.exe File created C:\Windows\SysWOW64\Gdgqdaoh.dll Process not Found File created C:\Windows\SysWOW64\Jmndgq32.dll Process not Found File created C:\Windows\SysWOW64\Ijnkifgp.exe Process not Found File created C:\Windows\SysWOW64\Lbijlpke.dll Gjfgqk32.exe File created C:\Windows\SysWOW64\Qpmcjc32.dll Dhkkbmnp.exe File created C:\Windows\SysWOW64\Ihniaa32.exe Iikifegp.exe File created C:\Windows\SysWOW64\Ehlmljkm.exe Process not Found File created C:\Windows\SysWOW64\Hjohmbpd.exe Process not Found File created C:\Windows\SysWOW64\Ifbgfk32.dll Pjldghjm.exe File opened for modification C:\Windows\SysWOW64\Ldbofgme.exe Process not Found File created C:\Windows\SysWOW64\Dbabho32.exe Process not Found File created C:\Windows\SysWOW64\Pmhejhao.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 5932 7164 Process not Found 1780 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaiibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhgnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekqmbod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdbiji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocllehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knjegqif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihgfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgoopkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjlaplk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgkfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhgcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcqaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobgihgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egikjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnhoag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkioa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjomgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilofhffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjqqap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmdmmalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dohgomgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppcmncq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbeiiqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbcdh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlocjifl.dll" Ejjbbkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ledibnco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaemgpd.dll" Fnfcel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagina32.dll" Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggkqmoma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecbbbh32.dll" Cnckjddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjfigdn.dll" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Behjbjcf.dll" Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibafdk32.dll" Npccpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bphbeplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpqain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdjpfaqc.dll" Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nijnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgblmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgffkh32.dll" Dkpkfooh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Liklhmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poeofkoh.dll" Jkmeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkpbdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minbnnfl.dll" Lgmeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihhlp32.dll" Opkccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foibdham.dll" Eggndi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibeghl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqomci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghnaplj.dll" Kfeikcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkgnjmo.dll" Qgjqjjll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egokonjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpemp32.dll" Nmejllia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moeinj32.dll" Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afgkfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll" Bajomhbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nblpfepo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcemimp.dll" Gpelnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkcebll.dll" Jenpajfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aekqmbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgcnh32.dll" Dlgnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dogpdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnaaeim.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpodcba.dll" Degiggjm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2856 wrote to memory of 2776 2856 60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe 30 PID 2856 wrote to memory of 2776 2856 60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe 30 PID 2856 wrote to memory of 2776 2856 60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe 30 PID 2856 wrote to memory of 2776 2856 60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe 30 PID 2776 wrote to memory of 3068 2776 Nkbalifo.exe 31 PID 2776 wrote to memory of 3068 2776 Nkbalifo.exe 31 PID 2776 wrote to memory of 3068 2776 Nkbalifo.exe 31 PID 2776 wrote to memory of 3068 2776 Nkbalifo.exe 31 PID 3068 wrote to memory of 2632 3068 Ndjfeo32.exe 32 PID 3068 wrote to memory of 2632 3068 Ndjfeo32.exe 32 PID 3068 wrote to memory of 2632 3068 Ndjfeo32.exe 32 PID 3068 wrote to memory of 2632 3068 Ndjfeo32.exe 32 PID 2632 wrote to memory of 2392 2632 Nmbknddp.exe 33 PID 2632 wrote to memory of 2392 2632 Nmbknddp.exe 33 PID 2632 wrote to memory of 2392 2632 Nmbknddp.exe 33 PID 2632 wrote to memory of 2392 2632 Nmbknddp.exe 33 PID 2392 wrote to memory of 500 2392 Nodgel32.exe 34 PID 2392 wrote to memory of 500 2392 Nodgel32.exe 34 PID 2392 wrote to memory of 500 2392 Nodgel32.exe 34 PID 2392 wrote to memory of 500 2392 Nodgel32.exe 34 PID 500 wrote to memory of 1656 500 Niikceid.exe 35 PID 500 wrote to memory of 1656 500 Niikceid.exe 35 PID 500 wrote to memory of 1656 500 Niikceid.exe 35 PID 500 wrote to memory of 1656 500 Niikceid.exe 35 PID 1656 wrote to memory of 2336 1656 Npccpo32.exe 36 PID 1656 wrote to memory of 2336 1656 Npccpo32.exe 36 PID 1656 wrote to memory of 2336 1656 Npccpo32.exe 36 PID 1656 wrote to memory of 2336 1656 Npccpo32.exe 36 PID 2336 wrote to memory of 2604 2336 Nadpgggp.exe 37 PID 2336 wrote to memory of 2604 2336 Nadpgggp.exe 37 PID 2336 wrote to memory of 2604 2336 Nadpgggp.exe 37 PID 2336 wrote to memory of 2604 2336 Nadpgggp.exe 37 PID 2604 wrote to memory of 2608 2604 Nilhhdga.exe 38 PID 2604 wrote to memory of 2608 2604 Nilhhdga.exe 38 PID 2604 wrote to memory of 2608 2604 Nilhhdga.exe 38 PID 2604 wrote to memory of 2608 2604 Nilhhdga.exe 38 PID 2608 wrote to memory of 2976 2608 Nhohda32.exe 39 PID 2608 wrote to memory of 2976 2608 Nhohda32.exe 39 PID 2608 wrote to memory of 2976 2608 Nhohda32.exe 39 PID 2608 wrote to memory of 2976 2608 Nhohda32.exe 39 PID 2976 wrote to memory of 1976 2976 Oebimf32.exe 40 PID 2976 wrote to memory of 1976 2976 Oebimf32.exe 40 PID 2976 wrote to memory of 1976 2976 Oebimf32.exe 40 PID 2976 wrote to memory of 1976 2976 Oebimf32.exe 40 PID 1976 wrote to memory of 2044 1976 Ookmfk32.exe 41 PID 1976 wrote to memory of 2044 1976 Ookmfk32.exe 41 PID 1976 wrote to memory of 2044 1976 Ookmfk32.exe 41 PID 1976 wrote to memory of 2044 1976 Ookmfk32.exe 41 PID 2044 wrote to memory of 1940 2044 Oaiibg32.exe 42 PID 2044 wrote to memory of 1940 2044 Oaiibg32.exe 42 PID 2044 wrote to memory of 1940 2044 Oaiibg32.exe 42 PID 2044 wrote to memory of 1940 2044 Oaiibg32.exe 42 PID 1940 wrote to memory of 1544 1940 Olonpp32.exe 43 PID 1940 wrote to memory of 1544 1940 Olonpp32.exe 43 PID 1940 wrote to memory of 1544 1940 Olonpp32.exe 43 PID 1940 wrote to memory of 1544 1940 Olonpp32.exe 43 PID 1544 wrote to memory of 2224 1544 Oomjlk32.exe 44 PID 1544 wrote to memory of 2224 1544 Oomjlk32.exe 44 PID 1544 wrote to memory of 2224 1544 Oomjlk32.exe 44 PID 1544 wrote to memory of 2224 1544 Oomjlk32.exe 44 PID 2224 wrote to memory of 768 2224 Ohendqhd.exe 45 PID 2224 wrote to memory of 768 2224 Ohendqhd.exe 45 PID 2224 wrote to memory of 768 2224 Ohendqhd.exe 45 PID 2224 wrote to memory of 768 2224 Ohendqhd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe"C:\Users\Admin\AppData\Local\Temp\60fb112f5ae41caad05a489862e48248a97b0cab99f59125536de5a345e590caN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Nkbalifo.exeC:\Windows\system32\Nkbalifo.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Oopfakpa.exeC:\Windows\system32\Oopfakpa.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:768 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:648 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Pdaheq32.exeC:\Windows\system32\Pdaheq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Pfdabino.exeC:\Windows\system32\Pfdabino.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe33⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe34⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe35⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Qbplbi32.exeC:\Windows\system32\Qbplbi32.exe36⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe37⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe38⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe39⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe40⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Abeemhkh.exeC:\Windows\system32\Abeemhkh.exe41⤵
- Executes dropped EXE
PID:1112 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe42⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe43⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe44⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe45⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe48⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe49⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe50⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe51⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe53⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe54⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe55⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe56⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Abbeflpf.exeC:\Windows\system32\Abbeflpf.exe57⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe58⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe59⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe61⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe63⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe64⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe66⤵PID:2404
-
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe67⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe68⤵PID:1828
-
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe69⤵PID:292
-
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe70⤵PID:572
-
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe71⤵PID:2108
-
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe72⤵PID:2924
-
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe73⤵PID:1764
-
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe74⤵PID:2084
-
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe75⤵PID:2252
-
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe76⤵PID:2060
-
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe77⤵PID:2488
-
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe78⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe79⤵PID:2272
-
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe80⤵PID:1568
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe81⤵PID:2180
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe82⤵PID:2908
-
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe83⤵PID:2624
-
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe84⤵PID:2664
-
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe85⤵PID:1504
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe86⤵PID:2100
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe87⤵PID:2956
-
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe88⤵PID:2244
-
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe89⤵PID:2492
-
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe90⤵PID:2460
-
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe91⤵PID:1652
-
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe92⤵PID:2584
-
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe93⤵PID:892
-
C:\Windows\SysWOW64\Candgk32.exeC:\Windows\system32\Candgk32.exe94⤵PID:2544
-
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe95⤵PID:2784
-
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe96⤵PID:1992
-
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe97⤵PID:1204
-
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe98⤵PID:3020
-
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe99⤵PID:1952
-
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe100⤵PID:2360
-
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe101⤵PID:2112
-
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe102⤵PID:2304
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe103⤵PID:1044
-
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe104⤵PID:3064
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe105⤵PID:588
-
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe107⤵PID:2696
-
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe108⤵PID:2620
-
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe109⤵PID:2952
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe111⤵PID:1232
-
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe112⤵PID:1440
-
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe113⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Djclbl32.exeC:\Windows\system32\Djclbl32.exe114⤵PID:904
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe115⤵PID:1740
-
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe116⤵PID:2676
-
C:\Windows\SysWOW64\Efjlgmlf.exeC:\Windows\system32\Efjlgmlf.exe117⤵PID:536
-
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe118⤵PID:2072
-
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe119⤵PID:1880
-
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe120⤵PID:640
-
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe121⤵PID:1492
-
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe122⤵PID:2096
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-