Analysis
-
max time kernel
69s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25-08-2024 12:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0f2e3f315723f295ef850dd8564cad90N.exe
Resource
win7-20240729-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
0f2e3f315723f295ef850dd8564cad90N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
0f2e3f315723f295ef850dd8564cad90N.exe
-
Size
77KB
-
MD5
0f2e3f315723f295ef850dd8564cad90
-
SHA1
233adf9b6b50897dc908a37099cb6f6c35e2f895
-
SHA256
ace52d6bd972c404dc7a9378faf78ce25697423c8e6e90d4554904543c855b7a
-
SHA512
e6e5bcb637fc83b15270ddaf57a229f0189f888780a27dafbbd663c75a6ecfba9e28f6c1159a049863961c08515cc4208d0100c8ed4de4b0c64650304d35f921
-
SSDEEP
1536:q7DU/8RjvrbDPFsYfYZDSZ3Ba072Lt+0wfi+TjRC/D:q7DU/8RDXpvYJu+Q0wf1TjYD
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmfpabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpjgdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqmmhdka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjjdijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfingaaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmohcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llomhllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbneekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmgeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjbpoeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dplbpaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aagfffbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnjqifb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcankb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnagbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoegoqng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpphipbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmgoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knodnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmjgkpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cancif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpagbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mekanbol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlpadaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbckagm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nilpmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbnckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkocfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Higiih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmdql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pceqfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmjaadjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpjchicb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhieo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiglfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajaagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ampncd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecodfogg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofpmegpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moahdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkcdigpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcapckod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdngl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfedlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1832 Jcnmme32.exe 2820 Jdpidm32.exe 2948 Jeofnpke.exe 2836 Jgpbfh32.exe 2716 Jnjjcbiq.exe 2676 Jddbpmpm.exe 3044 Kknklg32.exe 2272 Kahciaog.exe 1728 Kgelahmn.exe 1044 Knodnb32.exe 2920 Kpmpjm32.exe 1516 Kfjibdbf.exe 340 Kldaon32.exe 2040 Kobmkj32.exe 2780 Khkadoog.exe 2332 Klfndn32.exe 2152 Kjjnnbfj.exe 1672 Khmnio32.exe 2276 Kccbgh32.exe 2940 Lfaocc32.exe 2952 Lkngkj32.exe 708 Lnmcge32.exe 1512 Lhbhdnio.exe 1288 Lkqdajhc.exe 2324 Lqmliqfj.exe 2712 Lhddjngm.exe 2880 Lbmicc32.exe 2728 Lgiakjld.exe 2788 Lmfjcajl.exe 2776 Ldnbeokn.exe 2768 Lfonlg32.exe 1444 Ljjjmeie.exe 2260 Mqdbjp32.exe 2456 Mfakbf32.exe 2588 Mmkcoq32.exe 2496 Mcekkkmc.exe 1020 Mibdcakk.exe 1524 Mkpppmko.exe 1648 Mpllpl32.exe 2556 Meidib32.exe 1580 Mpnifkae.exe 1012 Mbmebgpi.exe 1964 Mekanbol.exe 2080 Mbobgfnf.exe 1340 Memncbmj.exe 3036 Nlgfqldf.exe 1656 Nadoiccn.exe 3060 Nhngem32.exe 2320 Nljcflbd.exe 2760 Nmkpnd32.exe 2640 Nafknbqk.exe 2608 Ndehjnpo.exe 1040 Nfcdfiob.exe 2308 Nnjlhg32.exe 2252 Naihdb32.exe 2900 Ndgdpn32.exe 2248 Ndgdpn32.exe 2256 Nfeqli32.exe 1768 Njammhei.exe 2192 Nidmhd32.exe 620 Nmpiicdm.exe 2436 Npneeocq.exe 2112 Nblaajbd.exe 1724 Odlnkmjg.exe -
Loads dropped DLL 64 IoCs
pid Process 2544 0f2e3f315723f295ef850dd8564cad90N.exe 2544 0f2e3f315723f295ef850dd8564cad90N.exe 1832 Jcnmme32.exe 1832 Jcnmme32.exe 2820 Jdpidm32.exe 2820 Jdpidm32.exe 2948 Jeofnpke.exe 2948 Jeofnpke.exe 2836 Jgpbfh32.exe 2836 Jgpbfh32.exe 2716 Jnjjcbiq.exe 2716 Jnjjcbiq.exe 2676 Jddbpmpm.exe 2676 Jddbpmpm.exe 3044 Kknklg32.exe 3044 Kknklg32.exe 2272 Kahciaog.exe 2272 Kahciaog.exe 1728 Kgelahmn.exe 1728 Kgelahmn.exe 1044 Knodnb32.exe 1044 Knodnb32.exe 2920 Kpmpjm32.exe 2920 Kpmpjm32.exe 1516 Kfjibdbf.exe 1516 Kfjibdbf.exe 340 Kldaon32.exe 340 Kldaon32.exe 2040 Kobmkj32.exe 2040 Kobmkj32.exe 2780 Khkadoog.exe 2780 Khkadoog.exe 2332 Klfndn32.exe 2332 Klfndn32.exe 2152 Kjjnnbfj.exe 2152 Kjjnnbfj.exe 1672 Khmnio32.exe 1672 Khmnio32.exe 2276 Kccbgh32.exe 2276 Kccbgh32.exe 2940 Lfaocc32.exe 2940 Lfaocc32.exe 2952 Lkngkj32.exe 2952 Lkngkj32.exe 708 Lnmcge32.exe 708 Lnmcge32.exe 1512 Lhbhdnio.exe 1512 Lhbhdnio.exe 1288 Lkqdajhc.exe 1288 Lkqdajhc.exe 2324 Lqmliqfj.exe 2324 Lqmliqfj.exe 2712 Lhddjngm.exe 2712 Lhddjngm.exe 2880 Lbmicc32.exe 2880 Lbmicc32.exe 2728 Lgiakjld.exe 2728 Lgiakjld.exe 2788 Lmfjcajl.exe 2788 Lmfjcajl.exe 2776 Ldnbeokn.exe 2776 Ldnbeokn.exe 2768 Lfonlg32.exe 2768 Lfonlg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cnjbfhqa.exe Cjngej32.exe File created C:\Windows\SysWOW64\Amhigkdj.dll Onhnjclg.exe File created C:\Windows\SysWOW64\Iemlfm32.dll 0f2e3f315723f295ef850dd8564cad90N.exe File created C:\Windows\SysWOW64\Gopnca32.exe Gqmmhdka.exe File created C:\Windows\SysWOW64\Lhhmle32.exe Process not Found File created C:\Windows\SysWOW64\Bnfodojp.exe Process not Found File created C:\Windows\SysWOW64\Kccbgh32.exe Khmnio32.exe File created C:\Windows\SysWOW64\Ahdkhp32.exe Abjcleqm.exe File opened for modification C:\Windows\SysWOW64\Elbkbh32.exe Process not Found File created C:\Windows\SysWOW64\Nqakim32.exe Nmeohnil.exe File opened for modification C:\Windows\SysWOW64\Mgodjico.exe Mdahnmck.exe File created C:\Windows\SysWOW64\Faopib32.exe Process not Found File created C:\Windows\SysWOW64\Bgbcfflb.dll Elcpdeam.exe File created C:\Windows\SysWOW64\Djcdmp32.dll Cappnf32.exe File created C:\Windows\SysWOW64\Jimcoh32.dll Mqgahh32.exe File created C:\Windows\SysWOW64\Pmdalo32.exe Pfjiod32.exe File created C:\Windows\SysWOW64\Hkidclbb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jilmkffb.exe Process not Found File created C:\Windows\SysWOW64\Pamnnemo.exe Pkcfak32.exe File created C:\Windows\SysWOW64\Begjnj32.dll Ollncgjq.exe File opened for modification C:\Windows\SysWOW64\Mffgfo32.exe Mchjjc32.exe File created C:\Windows\SysWOW64\Nqijmkfm.exe Nmnoll32.exe File opened for modification C:\Windows\SysWOW64\Giikkehc.exe Ggkoojip.exe File created C:\Windows\SysWOW64\Ppogok32.exe Phhonn32.exe File created C:\Windows\SysWOW64\Dmllgo32.exe Dippfplg.exe File created C:\Windows\SysWOW64\Pojfinhh.dll Process not Found File created C:\Windows\SysWOW64\Pcjmikpa.dll Jddbpmpm.exe File created C:\Windows\SysWOW64\Lfhednad.dll Higiih32.exe File created C:\Windows\SysWOW64\Khqahnpk.dll Dijjgegh.exe File created C:\Windows\SysWOW64\Meafpibb.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njjbjk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eagbnh32.exe Eipjmk32.exe File opened for modification C:\Windows\SysWOW64\Mbmebgpi.exe Mpnifkae.exe File created C:\Windows\SysWOW64\Phhcnnel.dll Eibgbj32.exe File opened for modification C:\Windows\SysWOW64\Fmjkbfnh.exe Feccqime.exe File created C:\Windows\SysWOW64\Kcindbjd.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kccbgh32.exe Khmnio32.exe File opened for modification C:\Windows\SysWOW64\Fhdlbd32.exe Fialggcl.exe File created C:\Windows\SysWOW64\Idmele32.dll Lpjiik32.exe File created C:\Windows\SysWOW64\Bfcnfh32.exe Bgpnjkgi.exe File created C:\Windows\SysWOW64\Klbfbg32.exe Kidjfl32.exe File opened for modification C:\Windows\SysWOW64\Kpnbcfkc.exe Klbfbg32.exe File opened for modification C:\Windows\SysWOW64\Papmlmbp.exe Pmdalo32.exe File opened for modification C:\Windows\SysWOW64\Gcdmikma.exe Gljdlq32.exe File created C:\Windows\SysWOW64\Bdmklico.exe Process not Found File created C:\Windows\SysWOW64\Ckebbgoj.exe Process not Found File created C:\Windows\SysWOW64\Ohbmppia.exe Oedqcdim.exe File opened for modification C:\Windows\SysWOW64\Bdmhcp32.exe Bbolge32.exe File opened for modification C:\Windows\SysWOW64\Onmgeb32.exe Ojakdd32.exe File created C:\Windows\SysWOW64\Affdii32.dll Bhljlnma.exe File created C:\Windows\SysWOW64\Kfnmnojj.exe Process not Found File created C:\Windows\SysWOW64\Oocqlibj.dll Hcajjf32.exe File created C:\Windows\SysWOW64\Lmolkg32.exe Process not Found File created C:\Windows\SysWOW64\Hphiggmf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Aecdpmbm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hngppgae.exe Process not Found File created C:\Windows\SysWOW64\Empphi32.exe Eeiggk32.exe File opened for modification C:\Windows\SysWOW64\Pfjiod32.exe Phhhchlp.exe File opened for modification C:\Windows\SysWOW64\Feppqc32.exe Faedpdcc.exe File created C:\Windows\SysWOW64\Lindbn32.dll Process not Found File created C:\Windows\SysWOW64\Bqngjcje.exe Bigohejb.exe File created C:\Windows\SysWOW64\Obnnchia.dll Icbldbgi.exe File created C:\Windows\SysWOW64\Neoejnjj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kkigfdjo.exe Khjkiikl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3112 1096 Process not Found 1418 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdjddf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcqcoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcajn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijenpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfphmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgphke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johlpoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncejcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmpnpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofklpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcdcjpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndgdpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbhmlkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difplf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhppo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcohh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabfqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkoojip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhgbibgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhbljko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gofajcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbhgolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiphmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljnmkoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfklolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkeol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdplmflg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmfpabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkdgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnaekil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglmifca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnplgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbckagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnaokn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdmohmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faljqcmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obopobhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danaqbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpbfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnhfhoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deimaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hggeeo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhopcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emceag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbamc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eajhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fialggcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljjjmeie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomdncho.dll" Omoehf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licidced.dll" Bnemlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eijffhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlacoca.dll" Feccqime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allben32.dll" Hbhmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemoffml.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnbic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lppkgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcckbeha.dll" Fmnakege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfjibdbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abdpngjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfkbhae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohopjjqj.dll" Fpkdca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggeiooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbobgfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfdccf32.dll" Nloedjin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqciha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfdpa32.dll" Moloidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glclampi.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mflgkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhlmifm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kanfgofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll" Ndnplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbmcd32.dll" Fdjfmolo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpaood32.dll" Lckbkfbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcqdidim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeijpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjldp32.dll" Kbjbibli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edbminqj.dll" Dippfplg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnkjca32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jadpkf32.dll" Gfdcbmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbpfpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdbhcfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpbpemn.dll" Opkndldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enckek32.dll" Flmecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phgfko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adncoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfbbghh.dll" Ecodfogg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghqchi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkgqpjch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bblpae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkkaem32.dll" Hdapggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbekip32.dll" Ljhppo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eenabkfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlmiojla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khebqq32.dll" Oddmokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffdlkng.dll" Ljpqlqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqmliqfj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 1832 2544 0f2e3f315723f295ef850dd8564cad90N.exe 29 PID 2544 wrote to memory of 1832 2544 0f2e3f315723f295ef850dd8564cad90N.exe 29 PID 2544 wrote to memory of 1832 2544 0f2e3f315723f295ef850dd8564cad90N.exe 29 PID 2544 wrote to memory of 1832 2544 0f2e3f315723f295ef850dd8564cad90N.exe 29 PID 1832 wrote to memory of 2820 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2820 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2820 1832 Jcnmme32.exe 30 PID 1832 wrote to memory of 2820 1832 Jcnmme32.exe 30 PID 2820 wrote to memory of 2948 2820 Jdpidm32.exe 31 PID 2820 wrote to memory of 2948 2820 Jdpidm32.exe 31 PID 2820 wrote to memory of 2948 2820 Jdpidm32.exe 31 PID 2820 wrote to memory of 2948 2820 Jdpidm32.exe 31 PID 2948 wrote to memory of 2836 2948 Jeofnpke.exe 32 PID 2948 wrote to memory of 2836 2948 Jeofnpke.exe 32 PID 2948 wrote to memory of 2836 2948 Jeofnpke.exe 32 PID 2948 wrote to memory of 2836 2948 Jeofnpke.exe 32 PID 2836 wrote to memory of 2716 2836 Jgpbfh32.exe 33 PID 2836 wrote to memory of 2716 2836 Jgpbfh32.exe 33 PID 2836 wrote to memory of 2716 2836 Jgpbfh32.exe 33 PID 2836 wrote to memory of 2716 2836 Jgpbfh32.exe 33 PID 2716 wrote to memory of 2676 2716 Jnjjcbiq.exe 34 PID 2716 wrote to memory of 2676 2716 Jnjjcbiq.exe 34 PID 2716 wrote to memory of 2676 2716 Jnjjcbiq.exe 34 PID 2716 wrote to memory of 2676 2716 Jnjjcbiq.exe 34 PID 2676 wrote to memory of 3044 2676 Jddbpmpm.exe 35 PID 2676 wrote to memory of 3044 2676 Jddbpmpm.exe 35 PID 2676 wrote to memory of 3044 2676 Jddbpmpm.exe 35 PID 2676 wrote to memory of 3044 2676 Jddbpmpm.exe 35 PID 3044 wrote to memory of 2272 3044 Kknklg32.exe 36 PID 3044 wrote to memory of 2272 3044 Kknklg32.exe 36 PID 3044 wrote to memory of 2272 3044 Kknklg32.exe 36 PID 3044 wrote to memory of 2272 3044 Kknklg32.exe 36 PID 2272 wrote to memory of 1728 2272 Kahciaog.exe 37 PID 2272 wrote to memory of 1728 2272 Kahciaog.exe 37 PID 2272 wrote to memory of 1728 2272 Kahciaog.exe 37 PID 2272 wrote to memory of 1728 2272 Kahciaog.exe 37 PID 1728 wrote to memory of 1044 1728 Kgelahmn.exe 38 PID 1728 wrote to memory of 1044 1728 Kgelahmn.exe 38 PID 1728 wrote to memory of 1044 1728 Kgelahmn.exe 38 PID 1728 wrote to memory of 1044 1728 Kgelahmn.exe 38 PID 1044 wrote to memory of 2920 1044 Knodnb32.exe 39 PID 1044 wrote to memory of 2920 1044 Knodnb32.exe 39 PID 1044 wrote to memory of 2920 1044 Knodnb32.exe 39 PID 1044 wrote to memory of 2920 1044 Knodnb32.exe 39 PID 2920 wrote to memory of 1516 2920 Kpmpjm32.exe 40 PID 2920 wrote to memory of 1516 2920 Kpmpjm32.exe 40 PID 2920 wrote to memory of 1516 2920 Kpmpjm32.exe 40 PID 2920 wrote to memory of 1516 2920 Kpmpjm32.exe 40 PID 1516 wrote to memory of 340 1516 Kfjibdbf.exe 41 PID 1516 wrote to memory of 340 1516 Kfjibdbf.exe 41 PID 1516 wrote to memory of 340 1516 Kfjibdbf.exe 41 PID 1516 wrote to memory of 340 1516 Kfjibdbf.exe 41 PID 340 wrote to memory of 2040 340 Kldaon32.exe 42 PID 340 wrote to memory of 2040 340 Kldaon32.exe 42 PID 340 wrote to memory of 2040 340 Kldaon32.exe 42 PID 340 wrote to memory of 2040 340 Kldaon32.exe 42 PID 2040 wrote to memory of 2780 2040 Kobmkj32.exe 43 PID 2040 wrote to memory of 2780 2040 Kobmkj32.exe 43 PID 2040 wrote to memory of 2780 2040 Kobmkj32.exe 43 PID 2040 wrote to memory of 2780 2040 Kobmkj32.exe 43 PID 2780 wrote to memory of 2332 2780 Khkadoog.exe 44 PID 2780 wrote to memory of 2332 2780 Khkadoog.exe 44 PID 2780 wrote to memory of 2332 2780 Khkadoog.exe 44 PID 2780 wrote to memory of 2332 2780 Khkadoog.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f2e3f315723f295ef850dd8564cad90N.exe"C:\Users\Admin\AppData\Local\Temp\0f2e3f315723f295ef850dd8564cad90N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Jgpbfh32.exeC:\Windows\system32\Jgpbfh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Jddbpmpm.exeC:\Windows\system32\Jddbpmpm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kknklg32.exeC:\Windows\system32\Kknklg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Knodnb32.exeC:\Windows\system32\Knodnb32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Kfjibdbf.exeC:\Windows\system32\Kfjibdbf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\Kobmkj32.exeC:\Windows\system32\Kobmkj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Klfndn32.exeC:\Windows\system32\Klfndn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Kccbgh32.exeC:\Windows\system32\Kccbgh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Lhddjngm.exeC:\Windows\system32\Lhddjngm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Lmfjcajl.exeC:\Windows\system32\Lmfjcajl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Ldnbeokn.exeC:\Windows\system32\Ldnbeokn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Mqdbjp32.exeC:\Windows\system32\Mqdbjp32.exe34⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Mfakbf32.exeC:\Windows\system32\Mfakbf32.exe35⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe36⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe37⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe38⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Mkpppmko.exeC:\Windows\system32\Mkpppmko.exe39⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Mpllpl32.exeC:\Windows\system32\Mpllpl32.exe40⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe41⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Mpnifkae.exeC:\Windows\system32\Mpnifkae.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe43⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Memncbmj.exeC:\Windows\system32\Memncbmj.exe46⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe47⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Nadoiccn.exeC:\Windows\system32\Nadoiccn.exe48⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe49⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Nljcflbd.exeC:\Windows\system32\Nljcflbd.exe50⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe51⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe52⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe53⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe54⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Nnjlhg32.exeC:\Windows\system32\Nnjlhg32.exe55⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe56⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe57⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe59⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe60⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe61⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Nmpiicdm.exeC:\Windows\system32\Nmpiicdm.exe62⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe63⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe64⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe65⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Obonfj32.exeC:\Windows\system32\Obonfj32.exe66⤵PID:1532
-
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe67⤵PID:3012
-
C:\Windows\SysWOW64\Omdbdb32.exeC:\Windows\system32\Omdbdb32.exe68⤵PID:572
-
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe69⤵PID:2612
-
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe70⤵PID:2652
-
C:\Windows\SysWOW64\Oikcicfl.exeC:\Windows\system32\Oikcicfl.exe71⤵PID:1640
-
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe72⤵PID:2104
-
C:\Windows\SysWOW64\Opekenmh.exeC:\Windows\system32\Opekenmh.exe73⤵PID:2448
-
C:\Windows\SysWOW64\Obcgaill.exeC:\Windows\system32\Obcgaill.exe74⤵PID:316
-
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe75⤵PID:2416
-
C:\Windows\SysWOW64\Ohppjpkc.exeC:\Windows\system32\Ohppjpkc.exe76⤵PID:1272
-
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe77⤵PID:2976
-
C:\Windows\SysWOW64\Obfdgiji.exeC:\Windows\system32\Obfdgiji.exe78⤵PID:2216
-
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe79⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Ohbmppia.exeC:\Windows\system32\Ohbmppia.exe80⤵PID:2056
-
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe81⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe82⤵PID:1748
-
C:\Windows\SysWOW64\Odimdqne.exeC:\Windows\system32\Odimdqne.exe83⤵PID:2464
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe84⤵PID:2944
-
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe85⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe86⤵PID:3016
-
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe87⤵PID:2064
-
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe88⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe89⤵PID:580
-
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe90⤵PID:3040
-
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe91⤵PID:2440
-
C:\Windows\SysWOW64\Pdngpp32.exeC:\Windows\system32\Pdngpp32.exe92⤵PID:1920
-
C:\Windows\SysWOW64\Pglclk32.exeC:\Windows\system32\Pglclk32.exe93⤵PID:1744
-
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe94⤵PID:1988
-
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe95⤵PID:2432
-
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe96⤵PID:1668
-
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe97⤵PID:2812
-
C:\Windows\SysWOW64\Pnihneon.exeC:\Windows\system32\Pnihneon.exe98⤵PID:1628
-
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe99⤵PID:1708
-
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2536 -
C:\Windows\SysWOW64\Pedmbg32.exeC:\Windows\system32\Pedmbg32.exe101⤵PID:1100
-
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe102⤵PID:2204
-
C:\Windows\SysWOW64\Polakmbi.exeC:\Windows\system32\Polakmbi.exe103⤵PID:2096
-
C:\Windows\SysWOW64\Qchmll32.exeC:\Windows\system32\Qchmll32.exe104⤵PID:904
-
C:\Windows\SysWOW64\Qefihg32.exeC:\Windows\system32\Qefihg32.exe105⤵PID:1508
-
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe106⤵PID:2404
-
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:236 -
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe108⤵PID:540
-
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe109⤵PID:2800
-
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe110⤵PID:2668
-
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe111⤵
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Andkbien.exeC:\Windows\system32\Andkbien.exe112⤵PID:2060
-
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe113⤵
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe114⤵PID:2172
-
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe115⤵PID:488
-
C:\Windows\SysWOW64\Adppdckh.exeC:\Windows\system32\Adppdckh.exe116⤵PID:1860
-
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe117⤵PID:2852
-
C:\Windows\SysWOW64\Abdpngjb.exeC:\Windows\system32\Abdpngjb.exe118⤵
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe119⤵PID:2372
-
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe120⤵PID:2704
-
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe121⤵PID:2964
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-