Analysis
  max time kernel: 38s
  max time network: 22s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 02/09/2024, 21:00

Static task: static1
Behavioral task: behavioral1
  Sample: d537d6c1b98f8eb0771a6011f4e019e0N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: d537d6c1b98f8eb0771a6011f4e019e0N.exe
  Resource: win10v2004-20240802-en

The signature results on this page correspond to behavioral1 (the Windows 7 x64 run named in the Analysis block above; the Wow6432Node registry paths and ControlSet001 are consistent with that image). The Windows 10 run (behavioral2) is not shown here.

General
  Target: d537d6c1b98f8eb0771a6011f4e019e0N.exe
  Size: 91KB
  MD5: d537d6c1b98f8eb0771a6011f4e019e0
  SHA1: e05c84184bc0517ac11bc88ebc8a7939ff15f69d
  SHA256: 44460d362dc648f8a6e889d09ae35b87c46023a53afb798915721b91359aff59
  SHA512: 7e21dcf79d660e29593b250bc00043d3df80fdd594ed7e72fa6bf66ee9b6983fdeabc68afd17373f44db808c066a0fbeafe39be40c939da3a7542964a32d3947
  SSDEEP: 1536:JS2X0XIx6joOuAXVd6NR7fCCsN0dUZgCXVXfYr/viVMi:Jh96joKz6HeCUYQrlvo/vOMi
Malware Config
  (section is empty in this report)

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) lists COM objects that Explorer.exe instantiates when the shell starts, so whatever DLL is registered as the InProcServer32 of the CLSID below runs inside Explorer at every logon. The sample and most processes in its chain re-create the key and re-set the same value, which is why a single persistence mechanism accounts for 64 IoCs.

Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value set (str): Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"

Key created by (36 processes):
  Llhocfnb.exe, Cdamao32.exe, Nhhominh.exe, Onkmfofg.exe, Pnfpjc32.exe, Abbhje32.exe, Bjiljf32.exe, Lkmldbcj.exe,
  Mcacochk.exe, Nokqidll.exe, Admgglep.exe, Qjgcecja.exe, Cdcjgnbc.exe, Kaggbihl.exe, Ladgkmlj.exe, Nanfqo32.exe,
  Bopknhjd.exe, Gbffjmmp.exe, Aicfgn32.exe, Ncdpdcfh.exe, Nkdndeon.exe, Bldpiifb.exe, Neblqoel.exe, Liblfl32.exe,
  Nikkkn32.exe, Nkaane32.exe, Ojndpqpq.exe, Gbjpem32.exe, Ljplkonl.exe, Jcleiclo.exe, Mkdbea32.exe, Qpaohjkk.exe,
  Hganjo32.exe, Ikapdqoc.exe, Hhlaiccm.exe, Jojloc32.exe

Value "Web Event Logger" set by (28 processes):
  Inplqlng.exe, Mpqjmh32.exe, Abdeoe32.exe, Caenkc32.exe, Anpooe32.exe, Mkdbea32.exe, Apfici32.exe, Mbdcepcm.exe,
  Qgfkchmp.exe, Onkmfofg.exe, d537d6c1b98f8eb0771a6011f4e019e0N.exe, Kigibh32.exe, Qanolm32.exe, Bldpiifb.exe,
  Nikkkn32.exe, Apclnj32.exe, Gidhbgag.exe, Odnobj32.exe, Nanfqo32.exe, Peeabm32.exe, Qfkgdd32.exe, Cdamao32.exe,
  Jegdgj32.exe, Nokqidll.exe, Gefolhja.exe, Hgfheodo.exe, Ccnddg32.exe, Cdcjgnbc.exe
Executes dropped EXE (64 IoCs)
Listed in execution order (pid, process). The list stops at 64 entries, but process names from later in the chain (Mkdbea32.exe, Nanfqo32.exe, Qanolm32.exe, Abbhje32.exe, Cdamao32.exe and others) appear in the registry and file sections of this report, so the chain is longer than any single list here shows.
  2920 Fdnlcakk.exe, 2732 Fjhdpk32.exe, 2708 Gbcien32.exe, 2884 Gminbfoh.exe,
  688 Gbffjmmp.exe, 2660 Gedbfimc.exe, 2408 Gpjfcali.exe, 288 Gefolhja.exe,
  2300 Glpgibbn.exe, 2100 Gbjpem32.exe, 2588 Gidhbgag.exe, 2328 Goapjnoo.exe,
  2188 Gdnibdmf.exe, 484 Hocmpm32.exe, 2356 Hhlaiccm.exe, 2340 Hkjnenbp.exe,
  1936 Hmijajbd.exe, 1628 Hganjo32.exe, 1540 Hnkffi32.exe, 1328 Hchoop32.exe,
  2492 Hibgkjee.exe, 3044 Hplphd32.exe, 1484 Hgfheodo.exe, 2468 Hjddaj32.exe,
  296 Hpnlndkp.exe, 752 Ijfqfj32.exe, 2804 Iaaekl32.exe, 2836 Ihlnhffh.exe,
  2720 Icabeo32.exe, 2240 Ilifndlo.exe, 680 Iohbjpkb.exe, 584 Idekbgji.exe,
  2544 Idghhf32.exe, 316 Ikapdqoc.exe, 3012 Inplqlng.exe, 2780 Jcleiclo.exe,
  2924 Jqpebg32.exe, 2344 Jcoanb32.exe, 2332 Jmgfgham.exe, 772 Jcandb32.exe,
  2204 Jqeomfgc.exe, 2276 Jcckibfg.exe, 2404 Jbfkeo32.exe, 1272 Jojloc32.exe,
  1624 Jcfgoadd.exe, 1556 Jfddkmch.exe, 3040 Jegdgj32.exe, 1788 Kkalcdao.exe,
  2296 Keiqlihp.exe, 2364 Kkciic32.exe, 1704 Knaeeo32.exe, 2736 Kigibh32.exe,
  2952 Kjhfjpdd.exe, 2896 Kcajceke.exe, 2652 Kaekljjo.exe, 2968 Kgocid32.exe,
  2052 Knikfnih.exe, 2500 Kaggbihl.exe, 644 Lcedne32.exe, 1804 Ljplkonl.exe,
  1248 Liblfl32.exe, 2208 Lpldcfmd.exe, 2576 Lffmpp32.exe, 1432 Lidilk32.exe
Loads dropped DLL (64 IoCs)
Each of the 32 processes below appears twice in the report's list (pid, process):
  2688 d537d6c1b98f8eb0771a6011f4e019e0N.exe, 2920 Fdnlcakk.exe, 2732 Fjhdpk32.exe, 2708 Gbcien32.exe,
  2884 Gminbfoh.exe, 688 Gbffjmmp.exe, 2660 Gedbfimc.exe, 2408 Gpjfcali.exe,
  288 Gefolhja.exe, 2300 Glpgibbn.exe, 2100 Gbjpem32.exe, 2588 Gidhbgag.exe,
  2328 Goapjnoo.exe, 2188 Gdnibdmf.exe, 484 Hocmpm32.exe, 2356 Hhlaiccm.exe,
  2340 Hkjnenbp.exe, 1936 Hmijajbd.exe, 1628 Hganjo32.exe, 1540 Hnkffi32.exe,
  1328 Hchoop32.exe, 2492 Hibgkjee.exe, 3044 Hplphd32.exe, 1484 Hgfheodo.exe,
  2468 Hjddaj32.exe, 296 Hpnlndkp.exe, 752 Ijfqfj32.exe, 2804 Iaaekl32.exe,
  2836 Ihlnhffh.exe, 2720 Icabeo32.exe, 2240 Ilifndlo.exe, 680 Iohbjpkb.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64, the 32-bit system directory on this x64 image. Each stage drops the next .exe of the chain (Fdnlcakk.exe by the sample, Fjhdpk32.exe by Fdnlcakk.exe, Gefolhja.exe by Gpjfcali.exe, Goapjnoo.exe by Gidhbgag.exe, matching the execution order above) plus a companion .dll with the same eight-character naming scheme.

File created (file <- creating process), 41 entries:
  Mkaeob32.exe <- Mhcicf32.exe
  Beggec32.exe <- Bgdfjfmi.exe
  Peapkpkj.dll <- Bopknhjd.exe
  Mpgoaiep.dll <- Cdamao32.exe
  Dkmbap32.dll <- Knaeeo32.exe
  Egqcce32.dll <- Liibgkoo.exe
  Nhqhmj32.exe <- Neblqoel.exe
  Bfmqigba.exe <- Bdodmlcm.exe
  Jhmdfm32.dll <- Glpgibbn.exe
  Lnkmkbpj.dll <- Nkaane32.exe
  Kegmaomi.dll <- Oqepgk32.exe
  Kgkpck32.dll <- Pijgbl32.exe
  Gefolhja.exe <- Gpjfcali.exe
  Jqeomfgc.exe <- Jcandb32.exe
  Ibfmgg32.dll <- Kkciic32.exe
  Bdkcbpni.dll <- Qfkgdd32.exe
  Oeficpoq.dll <- Aebakp32.exe
  Ecipfpcm.dll <- d537d6c1b98f8eb0771a6011f4e019e0N.exe
  Goapjnoo.exe <- Gidhbgag.exe
  Mpqijqhf.dll <- Inplqlng.exe
  Pokkfdac.dll <- Nnbjpqoa.exe
  Bgdfjfmi.exe <- Bpjnmlel.exe
  Jcckibfg.exe <- Jqeomfgc.exe
  Nkdndeon.exe <- Ndjfgkha.exe
  Comjjjlc.dll <- Ajdcofop.exe
  Aimbbpmc.dll <- Nkdndeon.exe
  Ogohdeam.exe <- Occlcg32.exe
  Ikicmc32.dll <- Pecelm32.exe
  Qpaohjkk.exe <- Qanolm32.exe
  Fdnlcakk.exe <- d537d6c1b98f8eb0771a6011f4e019e0N.exe
  Kkciic32.exe <- Keiqlihp.exe
  Onkmfofg.exe <- Ofdeeb32.exe
  Fjhdpk32.exe <- Fdnlcakk.exe
  Odfhpd32.dll <- Icabeo32.exe
  Knikfnih.exe <- Kgocid32.exe
  Jmnpoagb.dll <- Mbdcepcm.exe
  Aiqjao32.exe <- Afbnec32.exe
  Doclpb32.dll <- Fjhdpk32.exe
  Loimal32.dll <- Hnkffi32.exe
  Peeabm32.exe <- Pnkiebib.exe
  Lnfbic32.dll <- Qnpcpa32.exe

File opened for modification (file <- process), 23 entries:
  Pbpoebgc.exe <- Pcmoie32.exe
  Qanolm32.exe <- Qnpcpa32.exe
  Cdamao32.exe <- Cabaec32.exe
  Jcckibfg.exe <- Jqeomfgc.exe
  Aejglo32.exe <- Anpooe32.exe
  Lekjal32.exe <- Lbmnea32.exe
  Ocfiif32.exe <- Oqgmmk32.exe
  Omqjgl32.exe <- Ogdaod32.exe
  Aicfgn32.exe <- Abinjdad.exe
  Ogdaod32.exe <- Oqjibkek.exe
  Bdcnhk32.exe <- Baealp32.exe
  Baealp32.exe <- Bmjekahk.exe
  Bopknhjd.exe <- Bmnofp32.exe
  Fjhdpk32.exe <- Fdnlcakk.exe
  Ijfqfj32.exe <- Hpnlndkp.exe
  Ikapdqoc.exe <- Idghhf32.exe
  Pgodcich.exe <- Pfnhkq32.exe
  Pgaahh32.exe <- Pecelm32.exe
  Cofaog32.exe <- Chmibmlo.exe
  Nokqidll.exe <- Nhqhmj32.exe
  Pegnglnm.exe <- Pmqffonj.exe
  Bmnofp32.exe <- Beggec32.exe
  Hpnlndkp.exe <- Hjddaj32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Every stage of the chain performs the same check.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Opened by (64 processes):
  Pnkiebib.exe, Gpjfcali.exe, Ilifndlo.exe, Jcckibfg.exe, Jcfgoadd.exe, Mkohjbah.exe, Nikkkn32.exe, Nnbjpqoa.exe,
  Abdeoe32.exe, Knikfnih.exe, Lhoohgdg.exe, Lkmldbcj.exe, Cdamao32.exe, Mpcgbhig.exe, Anpooe32.exe, Kgocid32.exe,
  Pecelm32.exe, Pgcnnh32.exe, Hchoop32.exe, Lbmnea32.exe, Ollqllod.exe, Ogdaod32.exe, Hhlaiccm.exe, Lidilk32.exe,
  Ojndpqpq.exe, Bgdfjfmi.exe, Hnkffi32.exe, Hjddaj32.exe, Jojloc32.exe, Oqepgk32.exe, Aphehidc.exe, Kkciic32.exe,
  Pmecbkgj.exe, Nhqhmj32.exe, Beggec32.exe, Ihlnhffh.exe, Ajipkb32.exe, Idekbgji.exe, Jqeomfgc.exe, Qaqlbmbn.exe,
  Aebakp32.exe, Ciglaa32.exe, Clfhml32.exe, Gefolhja.exe, Goapjnoo.exe, Ljplkonl.exe, Pjbjjc32.exe, Qanolm32.exe,
  Bdcnhk32.exe, Lffmpp32.exe, Nkdndeon.exe, Hplphd32.exe, Noagjc32.exe, Bmjekahk.exe, Mkdbea32.exe, Fjhdpk32.exe,
  Hganjo32.exe, Hpnlndkp.exe, Gidhbgag.exe, Ofiopaap.exe, Qjgcecja.exe, Hocmpm32.exe, Mcacochk.exe, Pgaahh32.exe
Modifies registry class (64 IoCs)
This is the other half of the SSODL persistence above: the CLSID named by the "Web Event Logger" value is given an InProcServer32 key whose default value points at a DLL the chain has just dropped into SysWow64, with ThreadingModel = "Apartment". Where a DLL appears both here and under "Drops file in System32 directory" (Bdkcbpni.dll by Qfkgdd32.exe, Loimal32.dll by Hnkffi32.exe), it is registered by the same process that created it, so each stage repoints the CLSID at its own copy. The sample itself only sets ThreadingModel in this list.

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32

Key created by (24 processes):
  Hhlaiccm.exe, Jcckibfg.exe, Malmllfb.exe, Pmecbkgj.exe, Gpjfcali.exe, Pgcnnh32.exe, Ajdcofop.exe, Codeih32.exe,
  Pfnhkq32.exe, Bopknhjd.exe, Iaaekl32.exe, Qnpcpa32.exe, Gminbfoh.exe, Hganjo32.exe, Kaekljjo.exe, Baqhapdj.exe,
  Mebpakbq.exe, Lidilk32.exe, Pcmoie32.exe, Pgodcich.exe, Pjbjjc32.exe, Apfici32.exe, Liblfl32.exe, Nanfqo32.exe

ThreadingModel = "Apartment" set by (21 processes):
  Apfici32.exe, Mpqjmh32.exe, Mebpakbq.exe, Ndjfgkha.exe, Noagjc32.exe, Pgcnnh32.exe, Jcandb32.exe, Nnbjpqoa.exe,
  Bfbjdf32.exe, Hjddaj32.exe, Knikfnih.exe, Ocfiif32.exe, Aicfgn32.exe, d537d6c1b98f8eb0771a6011f4e019e0N.exe,
  Pijgbl32.exe, Oapcfo32.exe, Admgglep.exe, Jcfgoadd.exe, Mhcicf32.exe, Clclhmin.exe, Nkaane32.exe

Default value set to a dropped DLL (19 entries, DLL <- process):
  C:\Windows\SysWow64\Idlmjnop.dll <- Idghhf32.exe
  C:\Windows\SysWow64\Opdnpmio.dll <- Ogdaod32.exe
  C:\Windows\SysWow64\Knoegqbp.dll <- Bfbjdf32.exe
  C:\Windows\SysWow64\Nhjpkq32.dll <- Qpaohjkk.exe
  C:\Windows\SysWow64\Bdkcbpni.dll <- Qfkgdd32.exe
  C:\Windows\SysWow64\Dbidpo32.dll <- Ajipkb32.exe
  C:\Windows\SysWow64\Fbflbd32.dll <- Bhmmcjjd.exe
  C:\Windows\SysWow64\Kkggemii.dll <- Qaqlbmbn.exe
  C:\Windows\SysWow64\Odjgna32.dll <- Jegdgj32.exe
  C:\Windows\SysWow64\Hgioeh32.dll <- Admgglep.exe
  C:\Windows\SysWow64\Ckobac32.dll <- Hkjnenbp.exe
  C:\Windows\SysWow64\Acdodo32.dll <- Abbhje32.exe
  C:\Windows\SysWow64\Cnkbeloa.dll <- Mpcgbhig.exe
  C:\Windows\SysWow64\Eobohl32.dll <- Aejglo32.exe
  C:\Windows\SysWow64\Okfimp32.dll <- Qanolm32.exe
  C:\Windows\SysWow64\Loimal32.dll <- Hnkffi32.exe
  C:\Windows\SysWow64\Diggcodj.dll <- Nanfqo32.exe
  C:\Windows\SysWow64\Ofmlooqi.dll <- Pgodcich.exe
  C:\Windows\SysWow64\Mqmojc32.dll <- Hmijajbd.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry gives the process tree depth, the PID, the image path and the command line as recorded in the sandbox, followed by the signatures that fired for that process. Every process spawns the next one in the list.

Depth 1, PID 2688: C:\Users\Admin\AppData\Local\Temp\d537d6c1b98f8eb0771a6011f4e019e0N.exe (command line "C:\Users\Admin\AppData\Local\Temp\d537d6c1b98f8eb0771a6011f4e019e0N.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 2, PID 2920: C:\Windows\SysWOW64\Fdnlcakk.exe (command line C:\Windows\system32\Fdnlcakk.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 3, PID 2732: C:\Windows\SysWOW64\Fjhdpk32.exe (command line C:\Windows\system32\Fjhdpk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 4, PID 2708: C:\Windows\SysWOW64\Gbcien32.exe (command line C:\Windows\system32\Gbcien32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 5, PID 2884: C:\Windows\SysWOW64\Gminbfoh.exe (command line C:\Windows\system32\Gminbfoh.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 6, PID 688: C:\Windows\SysWOW64\Gbffjmmp.exe (command line C:\Windows\system32\Gbffjmmp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 7, PID 2660: C:\Windows\SysWOW64\Gedbfimc.exe (command line C:\Windows\system32\Gedbfimc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 8, PID 2408: C:\Windows\SysWOW64\Gpjfcali.exe (command line C:\Windows\system32\Gpjfcali.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 9, PID 288: C:\Windows\SysWOW64\Gefolhja.exe (command line C:\Windows\system32\Gefolhja.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 10, PID 2300: C:\Windows\SysWOW64\Glpgibbn.exe (command line C:\Windows\system32\Glpgibbn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 11, PID 2100: C:\Windows\SysWOW64\Gbjpem32.exe (command line C:\Windows\system32\Gbjpem32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 12, PID 2588: C:\Windows\SysWOW64\Gidhbgag.exe (command line C:\Windows\system32\Gidhbgag.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 13, PID 2328: C:\Windows\SysWOW64\Goapjnoo.exe (command line C:\Windows\system32\Goapjnoo.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 14, PID 2188: C:\Windows\SysWOW64\Gdnibdmf.exe (command line C:\Windows\system32\Gdnibdmf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 15, PID 484: C:\Windows\SysWOW64\Hocmpm32.exe (command line C:\Windows\system32\Hocmpm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Depth 16, PID 2356: C:\Windows\SysWOW64\Hhlaiccm.exe (command line C:\Windows\system32\Hhlaiccm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 17, PID 2340: C:\Windows\SysWOW64\Hkjnenbp.exe (command line C:\Windows\system32\Hkjnenbp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

Depth 18, PID 1936: C:\Windows\SysWOW64\Hmijajbd.exe (command line C:\Windows\system32\Hmijajbd.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

Depth 19, PID 1628: C:\Windows\SysWOW64\Hganjo32.exe (command line C:\Windows\system32\Hganjo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 20, PID 1540: C:\Windows\SysWOW64\Hnkffi32.exe (command line C:\Windows\system32\Hnkffi32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 21, PID 1328: C:\Windows\SysWOW64\Hchoop32.exe (command line C:\Windows\system32\Hchoop32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

Depth 22, PID 2492: C:\Windows\SysWOW64\Hibgkjee.exe (command line C:\Windows\system32\Hibgkjee.exe)
- Executes dropped EXE
- Loads dropped DLL

Depth 23, PID 3044: C:\Windows\SysWOW64\Hplphd32.exe (command line C:\Windows\system32\Hplphd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

Depth 24, PID 1484: C:\Windows\SysWOW64\Hgfheodo.exe (command line C:\Windows\system32\Hgfheodo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

Depth 25, PID 2468: C:\Windows\SysWOW64\Hjddaj32.exe (command line C:\Windows\system32\Hjddaj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 26, PID 296: C:\Windows\SysWOW64\Hpnlndkp.exe (command line C:\Windows\system32\Hpnlndkp.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 27, PID 752: C:\Windows\SysWOW64\Ijfqfj32.exe (command line C:\Windows\system32\Ijfqfj32.exe)
- Executes dropped EXE
- Loads dropped DLL

Depth 28, PID 2804: C:\Windows\SysWOW64\Iaaekl32.exe (command line C:\Windows\system32\Iaaekl32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

Depth 29, PID 2836: C:\Windows\SysWOW64\Ihlnhffh.exe (command line C:\Windows\system32\Ihlnhffh.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

Depth 30, PID 2720: C:\Windows\SysWOW64\Icabeo32.exe (command line C:\Windows\system32\Icabeo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

Depth 31, PID 2240: C:\Windows\SysWOW64\Ilifndlo.exe (command line C:\Windows\system32\Ilifndlo.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

Depth 32, PID 680: C:\Windows\SysWOW64\Iohbjpkb.exe (command line C:\Windows\system32\Iohbjpkb.exe)
- Executes dropped EXE
- Loads dropped DLL

Depth 33, PID 584: C:\Windows\SysWOW64\Idekbgji.exe (command line C:\Windows\system32\Idekbgji.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 34, PID 2544: C:\Windows\SysWOW64\Idghhf32.exe (command line C:\Windows\system32\Idghhf32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

Depth 35, PID 316: C:\Windows\SysWOW64\Ikapdqoc.exe (command line C:\Windows\system32\Ikapdqoc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 36, PID 3012: C:\Windows\SysWOW64\Inplqlng.exe (command line C:\Windows\system32\Inplqlng.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

Depth 37, PID 2780: C:\Windows\SysWOW64\Jcleiclo.exe (command line C:\Windows\system32\Jcleiclo.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 38, PID 2924: C:\Windows\SysWOW64\Jqpebg32.exe (command line C:\Windows\system32\Jqpebg32.exe)
- Executes dropped EXE

Depth 39, PID 2344: C:\Windows\SysWOW64\Jcoanb32.exe (command line C:\Windows\system32\Jcoanb32.exe)
- Executes dropped EXE

Depth 40, PID 2332: C:\Windows\SysWOW64\Jmgfgham.exe (command line C:\Windows\system32\Jmgfgham.exe)
- Executes dropped EXE

Depth 41, PID 772: C:\Windows\SysWOW64\Jcandb32.exe (command line C:\Windows\system32\Jcandb32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

Depth 42, PID 2204: C:\Windows\SysWOW64\Jqeomfgc.exe (command line C:\Windows\system32\Jqeomfgc.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 43, PID 2276: C:\Windows\SysWOW64\Jcckibfg.exe (command line C:\Windows\system32\Jcckibfg.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 44, PID 2404: C:\Windows\SysWOW64\Jbfkeo32.exe (command line C:\Windows\system32\Jbfkeo32.exe)
- Executes dropped EXE

Depth 45, PID 1272: C:\Windows\SysWOW64\Jojloc32.exe (command line C:\Windows\system32\Jojloc32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 46, PID 1624: C:\Windows\SysWOW64\Jcfgoadd.exe (command line C:\Windows\system32\Jcfgoadd.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 47, PID 1556: C:\Windows\SysWOW64\Jfddkmch.exe (command line C:\Windows\system32\Jfddkmch.exe)
- Executes dropped EXE

Depth 48, PID 3040: C:\Windows\SysWOW64\Jegdgj32.exe (command line C:\Windows\system32\Jegdgj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

Depth 49, PID 1788: C:\Windows\SysWOW64\Kkalcdao.exe (command line C:\Windows\system32\Kkalcdao.exe)
- Executes dropped EXE

Depth 50, PID 2296: C:\Windows\SysWOW64\Keiqlihp.exe (command line C:\Windows\system32\Keiqlihp.exe)
- Executes dropped EXE
- Drops file in System32 directory

Depth 51, PID 2364: C:\Windows\SysWOW64\Kkciic32.exe (command line C:\Windows\system32\Kkciic32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 52, PID 1704: C:\Windows\SysWOW64\Knaeeo32.exe (command line C:\Windows\system32\Knaeeo32.exe)
- Executes dropped EXE
- Drops file in System32 directory

Depth 53, PID 2736: C:\Windows\SysWOW64\Kigibh32.exe (command line C:\Windows\system32\Kigibh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 54, PID 2952: C:\Windows\SysWOW64\Kjhfjpdd.exe (command line C:\Windows\system32\Kjhfjpdd.exe)
- Executes dropped EXE

Depth 55, PID 2896: C:\Windows\SysWOW64\Kcajceke.exe (command line C:\Windows\system32\Kcajceke.exe)
- Executes dropped EXE

Depth 56, PID 2652: C:\Windows\SysWOW64\Kaekljjo.exe (command line C:\Windows\system32\Kaekljjo.exe)
- Executes dropped EXE
- Modifies registry class

Depth 57, PID 2968: C:\Windows\SysWOW64\Kgocid32.exe (command line C:\Windows\system32\Kgocid32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 58, PID 2052: C:\Windows\SysWOW64\Knikfnih.exe (command line C:\Windows\system32\Knikfnih.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 59, PID 2500: C:\Windows\SysWOW64\Kaggbihl.exe (command line C:\Windows\system32\Kaggbihl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

Depth 60, PID 644: C:\Windows\SysWOW64\Lcedne32.exe (command line C:\Windows\system32\Lcedne32.exe)
- Executes dropped EXE

Depth 61, PID 1804: C:\Windows\SysWOW64\Ljplkonl.exe (command line C:\Windows\system32\Ljplkonl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 62, PID 1248: C:\Windows\SysWOW64\Liblfl32.exe (command line C:\Windows\system32\Liblfl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class

Depth 63, PID 2208: C:\Windows\SysWOW64\Lpldcfmd.exe (command line C:\Windows\system32\Lpldcfmd.exe)
- Executes dropped EXE

Depth 64, PID 2576: C:\Windows\SysWOW64\Lffmpp32.exe (command line C:\Windows\system32\Lffmpp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

Depth 65, PID 1432: C:\Windows\SysWOW64\Lidilk32.exe (command line C:\Windows\system32\Lidilk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 66, PID 2392: C:\Windows\SysWOW64\Llcehg32.exe (command line C:\Windows\system32\Llcehg32.exe)

Depth 67, PID 2064: C:\Windows\SysWOW64\Lbmnea32.exe (command line C:\Windows\system32\Lbmnea32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 68, PID 1176: C:\Windows\SysWOW64\Lekjal32.exe (command line C:\Windows\system32\Lekjal32.exe)

Depth 69, PID 1604: C:\Windows\SysWOW64\Llebnfpe.exe (command line C:\Windows\system32\Llebnfpe.exe)

Depth 70, PID 1600: C:\Windows\SysWOW64\Lbojjq32.exe (command line C:\Windows\system32\Lbojjq32.exe)

Depth 71, PID 2744: C:\Windows\SysWOW64\Liibgkoo.exe (command line C:\Windows\system32\Liibgkoo.exe)
- Drops file in System32 directory

Depth 72, PID 3004: C:\Windows\SysWOW64\Llhocfnb.exe (command line C:\Windows\system32\Llhocfnb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 73, PID 2772: C:\Windows\SysWOW64\Lbagpp32.exe (command line C:\Windows\system32\Lbagpp32.exe)

Depth 74, PID 448: C:\Windows\SysWOW64\Ladgkmlj.exe (command line C:\Windows\system32\Ladgkmlj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 75, PID 1152: C:\Windows\SysWOW64\Lhoohgdg.exe (command line C:\Windows\system32\Lhoohgdg.exe)
- System Location Discovery: System Language Discovery

Depth 76, PID 2584: C:\Windows\SysWOW64\Lkmldbcj.exe (command line C:\Windows\system32\Lkmldbcj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

Depth 77, PID 2940: C:\Windows\SysWOW64\Mbdcepcm.exe (command line C:\Windows\system32\Mbdcepcm.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

Depth 78, PID 2096: C:\Windows\SysWOW64\Mebpakbq.exe (command line C:\Windows\system32\Mebpakbq.exe)
- Modifies registry class

Depth 79, PID 1956: C:\Windows\SysWOW64\Mkohjbah.exe (command line C:\Windows\system32\Mkohjbah.exe)
- System Location Discovery: System Language Discovery

Depth 80, PID 864: C:\Windows\SysWOW64\Mmndfnpl.exe (command line C:\Windows\system32\Mmndfnpl.exe)

Depth 81, PID 1792: C:\Windows\SysWOW64\Mhcicf32.exe (command line C:\Windows\system32\Mhcicf32.exe)
- Drops file in System32 directory
- Modifies registry class

Depth 82, PID 1660: C:\Windows\SysWOW64\Mkaeob32.exe (command line C:\Windows\system32\Mkaeob32.exe)

Depth 83, PID 2984: C:\Windows\SysWOW64\Malmllfb.exe (command line C:\Windows\system32\Malmllfb.exe)
- Modifies registry class

Depth 84, PID 2508: C:\Windows\SysWOW64\Mdjihgef.exe (command line C:\Windows\system32\Mdjihgef.exe)

Depth 85, PID 2292: C:\Windows\SysWOW64\Mkdbea32.exe (command line C:\Windows\system32\Mkdbea32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

Depth 86, PID 1692: C:\Windows\SysWOW64\Mpqjmh32.exe (command line C:\Windows\system32\Mpqjmh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

Depth 87, PID 2816: C:\Windows\SysWOW64\Mgkbjb32.exe (command line C:\Windows\system32\Mgkbjb32.exe)

Depth 88, PID 2676: C:\Windows\SysWOW64\Mmdkfmjc.exe (command line C:\Windows\system32\Mmdkfmjc.exe)

Depth 89, PID 1048: C:\Windows\SysWOW64\Mpcgbhig.exe (command line C:\Windows\system32\Mpcgbhig.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 90, PID 804: C:\Windows\SysWOW64\Mcacochk.exe (command line C:\Windows\system32\Mcacochk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

Depth 91, PID 2840: C:\Windows\SysWOW64\Nikkkn32.exe (command line C:\Windows\system32\Nikkkn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

Depth 92, PID 2088: C:\Windows\SysWOW64\Nljhhi32.exe (command line C:\Windows\system32\Nljhhi32.exe)

Depth 93, PID 2068: C:\Windows\SysWOW64\Ncdpdcfh.exe (command line C:\Windows\system32\Ncdpdcfh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 94, PID 1148: C:\Windows\SysWOW64\Neblqoel.exe (command line C:\Windows\system32\Neblqoel.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

Depth 95, PID 812: C:\Windows\SysWOW64\Nhqhmj32.exe (command line C:\Windows\system32\Nhqhmj32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 96, PID 1668: C:\Windows\SysWOW64\Nokqidll.exe (command line C:\Windows\system32\Nokqidll.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 97, PID 1000: C:\Windows\SysWOW64\Nedifo32.exe (command line C:\Windows\system32\Nedifo32.exe)

Depth 98, PID 2036: C:\Windows\SysWOW64\Nhcebj32.exe (command line C:\Windows\system32\Nhcebj32.exe)

Depth 99, PID 3032: C:\Windows\SysWOW64\Nkaane32.exe (command line C:\Windows\system32\Nkaane32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

Depth 100, PID 2072: C:\Windows\SysWOW64\Nakikpin.exe (command line C:\Windows\system32\Nakikpin.exe)

Depth 101, PID 2988: C:\Windows\SysWOW64\Ndjfgkha.exe (command line C:\Windows\system32\Ndjfgkha.exe)
- Drops file in System32 directory
- Modifies registry class

Depth 102, PID 2632: C:\Windows\SysWOW64\Nkdndeon.exe (command line C:\Windows\system32\Nkdndeon.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 103, PID 3068: C:\Windows\SysWOW64\Nnbjpqoa.exe (command line C:\Windows\system32\Nnbjpqoa.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 104, PID 1008: C:\Windows\SysWOW64\Nanfqo32.exe (command line C:\Windows\system32\Nanfqo32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

Depth 105, PID 1800: C:\Windows\SysWOW64\Nhhominh.exe (command line C:\Windows\system32\Nhhominh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 106, PID 1824: C:\Windows\SysWOW64\Noagjc32.exe (command line C:\Windows\system32\Noagjc32.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 107, PID 344: C:\Windows\SysWOW64\Oapcfo32.exe (command line C:\Windows\system32\Oapcfo32.exe)
- Modifies registry class

Depth 108, PID 2352: C:\Windows\SysWOW64\Odnobj32.exe (command line C:\Windows\system32\Odnobj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 109, PID 300: C:\Windows\SysWOW64\Ongckp32.exe (command line C:\Windows\system32\Ongckp32.exe)

Depth 110, PID 1700: C:\Windows\SysWOW64\Oqepgk32.exe (command line C:\Windows\system32\Oqepgk32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

Depth 111, PID 2452: C:\Windows\SysWOW64\Occlcg32.exe (command line C:\Windows\system32\Occlcg32.exe)
- Drops file in System32 directory

Depth 112, PID 1576: C:\Windows\SysWOW64\Ogohdeam.exe (command line C:\Windows\system32\Ogohdeam.exe)

Depth 113, PID 2776: C:\Windows\SysWOW64\Ojndpqpq.exe (command line C:\Windows\system32\Ojndpqpq.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery

Depth 114, PID 1912: C:\Windows\SysWOW64\Ollqllod.exe (command line C:\Windows\system32\Ollqllod.exe)
- System Location Discovery: System Language Discovery

Depth 115, PID 2200: C:\Windows\SysWOW64\Oqgmmk32.exe (command line C:\Windows\system32\Oqgmmk32.exe)
- Drops file in System32 directory

Depth 116, PID 2856: C:\Windows\SysWOW64\Ocfiif32.exe (command line C:\Windows\system32\Ocfiif32.exe)
- Modifies registry class

Depth 117, PID 2360: C:\Windows\SysWOW64\Ofdeeb32.exe (command line C:\Windows\system32\Ofdeeb32.exe)
- Drops file in System32 directory

Depth 118, PID 2236: C:\Windows\SysWOW64\Onkmfofg.exe (command line C:\Windows\system32\Onkmfofg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup

Depth 119, PID 1780: C:\Windows\SysWOW64\Oqjibkek.exe (command line C:\Windows\system32\Oqjibkek.exe)
- Drops file in System32 directory

Depth 120, PID 2308: C:\Windows\SysWOW64\Ogdaod32.exe (command line C:\Windows\system32\Ogdaod32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class

Depth 121, PID 2044: C:\Windows\SysWOW64\Omqjgl32.exe (command line C:\Windows\system32\Omqjgl32.exe)

Depth 122, PID 2252: C:\Windows\SysWOW64\Oqlfhjch.exe (command line C:\Windows\system32\Oqlfhjch.exe)