Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/09/2024, 17:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05dfb9906cfe4cd84af4bcfe936864b0N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Behavioral task
behavioral2
Sample
05dfb9906cfe4cd84af4bcfe936864b0N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
05dfb9906cfe4cd84af4bcfe936864b0N.exe
-
Size
67KB
-
MD5
05dfb9906cfe4cd84af4bcfe936864b0
-
SHA1
6c1b8369cdc7759ec069eb919ef267f498d5db7a
-
SHA256
3fc775c0e6d123538c1c2806e0d55f5acfbabbc408761347bce336cc897e3873
-
SHA512
0d51a4c55e101e4bacad7c9446c8e5bb2f02129f8896fe47a737725530991a7876444c1320e6381dadd3d655f7daa627ef8c4d239fa52a46d6dd608188bf7396
-
SSDEEP
1536:CgxptZe0JorOYYMUG82TobziDnW1cgCe8uC:o0GSYYMOfYnWugCe8uC
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibipmiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkghgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpbcek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apppkekc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elkofg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haqnea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcoeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpabpcdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkdemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghibjjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdgipkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khohkamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqfbjhgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqmnjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehhdkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnkdnqhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagpdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpojkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehgjfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpdglhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iichjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agihgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffibceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjilgdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eihjolae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbclgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 05dfb9906cfe4cd84af4bcfe936864b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jijokbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cglalbbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hegpjaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iichjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdjglfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldiehbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmmpcfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onqkclni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bddbjhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfilffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmlhbbg.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Hohkmj32.exe 2772 Hfbcidmk.exe 2584 Hnnhngjf.exe 2664 Hegpjaac.exe 2608 Hiclkp32.exe 1204 Homdhjai.exe 3012 Hbkqdepm.exe 2648 Hejmpqop.exe 1208 Hkdemk32.exe 800 Haqnea32.exe 2860 Ikfbbjdj.exe 1856 Imgnjb32.exe 2952 Igmbgk32.exe 2264 Ifpcchai.exe 2740 Iphgln32.exe 2144 Ijnkifgp.exe 1864 Imlhebfc.exe 884 Iahceq32.exe 2140 Ibipmiek.exe 2236 Iichjc32.exe 1652 Imodkadq.exe 1744 Ifgicg32.exe 3008 Iejiodbl.exe 1612 Jelfdc32.exe 2780 Jhjbqo32.exe 2812 Jlfnangf.exe 2764 Jijokbfp.exe 2596 Jlhkgm32.exe 772 Jbbccgmp.exe 1688 Joidhh32.exe 1664 Jagpdd32.exe 2028 Jokqnhpa.exe 2068 Jajmjcoe.exe 320 Jfgebjnm.exe 2728 Jieaofmp.exe 2852 Kmqmod32.exe 1672 Kpojkp32.exe 2300 Kmcjedcg.exe 1600 Kdmban32.exe 1732 Kijkje32.exe 1668 Klhgfq32.exe 748 Kbbobkol.exe 2504 Khohkamc.exe 1240 Khohkamc.exe 2060 Kpfplo32.exe 1260 Koipglep.exe 1408 Kechdf32.exe 1736 Kindeddf.exe 1540 Kkpqlm32.exe 2848 Kajiigba.exe 2912 Ldheebad.exe 2544 Lhcafa32.exe 532 Lkbmbl32.exe 2112 Lonibk32.exe 584 Lnqjnhge.exe 1172 Laleof32.exe 1236 Ldjbkb32.exe 2116 Lgingm32.exe 1412 Lkdjglfo.exe 1964 Lopfhk32.exe 936 Lncfcgeb.exe 664 Lpabpcdf.exe 1680 Ldmopa32.exe 1948 Lhhkapeh.exe -
Loads dropped DLL 64 IoCs
pid Process 2384 05dfb9906cfe4cd84af4bcfe936864b0N.exe 2384 05dfb9906cfe4cd84af4bcfe936864b0N.exe 2700 Hohkmj32.exe 2700 Hohkmj32.exe 2772 Hfbcidmk.exe 2772 Hfbcidmk.exe 2584 Hnnhngjf.exe 2584 Hnnhngjf.exe 2664 Hegpjaac.exe 2664 Hegpjaac.exe 2608 Hiclkp32.exe 2608 Hiclkp32.exe 1204 Homdhjai.exe 1204 Homdhjai.exe 3012 Hbkqdepm.exe 3012 Hbkqdepm.exe 2648 Hejmpqop.exe 2648 Hejmpqop.exe 1208 Hkdemk32.exe 1208 Hkdemk32.exe 800 Haqnea32.exe 800 Haqnea32.exe 2860 Ikfbbjdj.exe 2860 Ikfbbjdj.exe 1856 Imgnjb32.exe 1856 Imgnjb32.exe 2952 Igmbgk32.exe 2952 Igmbgk32.exe 2264 Ifpcchai.exe 2264 Ifpcchai.exe 2740 Iphgln32.exe 2740 Iphgln32.exe 2144 Ijnkifgp.exe 2144 Ijnkifgp.exe 1864 Imlhebfc.exe 1864 Imlhebfc.exe 884 Iahceq32.exe 884 Iahceq32.exe 2140 Ibipmiek.exe 2140 Ibipmiek.exe 2236 Iichjc32.exe 2236 Iichjc32.exe 1652 Imodkadq.exe 1652 Imodkadq.exe 1744 Ifgicg32.exe 1744 Ifgicg32.exe 3008 Iejiodbl.exe 3008 Iejiodbl.exe 1612 Jelfdc32.exe 1612 Jelfdc32.exe 2780 Jhjbqo32.exe 2780 Jhjbqo32.exe 2812 Jlfnangf.exe 2812 Jlfnangf.exe 2764 Jijokbfp.exe 2764 Jijokbfp.exe 2596 Jlhkgm32.exe 2596 Jlhkgm32.exe 772 Jbbccgmp.exe 772 Jbbccgmp.exe 1688 Joidhh32.exe 1688 Joidhh32.exe 1664 Jagpdd32.exe 1664 Jagpdd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dgiaefgg.exe Difqji32.exe File opened for modification C:\Windows\SysWOW64\Eakhdj32.exe Eicpcm32.exe File created C:\Windows\SysWOW64\Lqapifjb.dll Fmfocnjg.exe File created C:\Windows\SysWOW64\Glbaei32.exe Gdkjdl32.exe File opened for modification C:\Windows\SysWOW64\Hqgddm32.exe Hjmlhbbg.exe File created C:\Windows\SysWOW64\Cqaiph32.exe Cncmcm32.exe File created C:\Windows\SysWOW64\Addfkeid.exe Aphjjf32.exe File created C:\Windows\SysWOW64\Hffibceh.exe Hgciff32.exe File opened for modification C:\Windows\SysWOW64\Kdbepm32.exe Kadica32.exe File created C:\Windows\SysWOW64\Lcdhgn32.exe Lpflkb32.exe File created C:\Windows\SysWOW64\Jhjbqo32.exe Jelfdc32.exe File opened for modification C:\Windows\SysWOW64\Kmcjedcg.exe Kpojkp32.exe File created C:\Windows\SysWOW64\Lngpog32.exe Ljldnhid.exe File created C:\Windows\SysWOW64\Hgeelf32.exe Hcjilgdb.exe File created C:\Windows\SysWOW64\Faphfl32.dll Ijaaae32.exe File created C:\Windows\SysWOW64\Diodocki.dll Ikqnlh32.exe File created C:\Windows\SysWOW64\Nakpkfka.dll Hohkmj32.exe File created C:\Windows\SysWOW64\Ijnkifgp.exe Iphgln32.exe File created C:\Windows\SysWOW64\Jlfnangf.exe Jhjbqo32.exe File created C:\Windows\SysWOW64\Nckkgp32.exe Nppofado.exe File created C:\Windows\SysWOW64\Inppon32.dll Bdhleh32.exe File opened for modification C:\Windows\SysWOW64\Cqaiph32.exe Cncmcm32.exe File opened for modification C:\Windows\SysWOW64\Cbjlhpkb.exe Ccgklc32.exe File created C:\Windows\SysWOW64\Ikjhki32.exe Imggplgm.exe File created C:\Windows\SysWOW64\Hejmpqop.exe Hbkqdepm.exe File created C:\Windows\SysWOW64\Kmnfciac.dll Jfcabd32.exe File created C:\Windows\SysWOW64\Oiahkhpo.dll Jikhnaao.exe File created C:\Windows\SysWOW64\Mmfejo32.dll Lpabpcdf.exe File created C:\Windows\SysWOW64\Nmflee32.exe Nijpdfhm.exe File opened for modification C:\Windows\SysWOW64\Addfkeid.exe Aphjjf32.exe File created C:\Windows\SysWOW64\Dgknkf32.exe Demaoj32.exe File created C:\Windows\SysWOW64\Fgjjad32.exe Fhgifgnb.exe File opened for modification C:\Windows\SysWOW64\Gpidki32.exe Ghbljk32.exe File created C:\Windows\SysWOW64\Kkmmlgik.exe Khnapkjg.exe File created C:\Windows\SysWOW64\Geoghd32.dll Igmbgk32.exe File created C:\Windows\SysWOW64\Elnfdpam.dll Cqfbjhgf.exe File created C:\Windows\SysWOW64\Dbabho32.exe Djjjga32.exe File opened for modification C:\Windows\SysWOW64\Eikfdl32.exe Efljhq32.exe File created C:\Windows\SysWOW64\Eogolc32.exe Elibpg32.exe File created C:\Windows\SysWOW64\Kfeaomqq.dll Gehiioaj.exe File created C:\Windows\SysWOW64\Ofnpnkgf.exe Npdhaq32.exe File created C:\Windows\SysWOW64\Qhilkege.exe Qejpoi32.exe File opened for modification C:\Windows\SysWOW64\Cmkfji32.exe Cjljnn32.exe File created C:\Windows\SysWOW64\Eihjolae.exe Efjmbaba.exe File created C:\Windows\SysWOW64\Gefmcp32.exe Gajqbakc.exe File opened for modification C:\Windows\SysWOW64\Gkgoff32.exe Ghibjjnk.exe File created C:\Windows\SysWOW64\Lgngbmjp.exe Ldokfakl.exe File created C:\Windows\SysWOW64\Kbbobkol.exe Klhgfq32.exe File opened for modification C:\Windows\SysWOW64\Lonibk32.exe Lkbmbl32.exe File opened for modification C:\Windows\SysWOW64\Bolcma32.exe Bkpglbaj.exe File created C:\Windows\SysWOW64\Gecpnp32.exe Ggapbcne.exe File opened for modification C:\Windows\SysWOW64\Iahceq32.exe Imlhebfc.exe File created C:\Windows\SysWOW64\Nldhfnkd.dll Pmhejhao.exe File created C:\Windows\SysWOW64\Kndkfpje.dll Ikldqile.exe File opened for modification C:\Windows\SysWOW64\Ohfcfb32.exe Oehgjfhi.exe File created C:\Windows\SysWOW64\Acfdii32.dll Oaogognm.exe File opened for modification C:\Windows\SysWOW64\Bhmaeg32.exe Bfoeil32.exe File opened for modification C:\Windows\SysWOW64\Dmmpolof.exe Djocbqpb.exe File created C:\Windows\SysWOW64\Glklejoo.exe Gmhkin32.exe File created C:\Windows\SysWOW64\Hjaeba32.exe Hffibceh.exe File created C:\Windows\SysWOW64\Dhmcaf32.dll Lkggmldl.exe File opened for modification C:\Windows\SysWOW64\Omhhke32.exe Oeaqig32.exe File opened for modification C:\Windows\SysWOW64\Pddjlb32.exe Pmjaohol.exe File created C:\Windows\SysWOW64\Okmjae32.dll Peefcjlg.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocgfhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngpog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbmlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmmbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpflkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdhaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaqig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafoikjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dppigchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anljck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehgjfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnhpglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcabd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khohkamc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdjglfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflchkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfohgepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqojfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqokpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boifga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcghkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famaimfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaohol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnlgajg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphgln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijkje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfafcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbemboof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhdgdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelfdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldokfakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioipf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodcmd32.dll" Eldiehbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icncgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" Kgcnahoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldhfnkd.dll" Pmhejhao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflcaaja.dll" Mphiqbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onqkclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgnjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkbmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfdii32.dll" Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgidfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cncmcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbbachm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdnfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnigm32.dll" Iahceq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boifga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmkid32.dll" Jpepkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpfplo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oecmogln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlqmdnof.dll" Bknjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefqdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcedad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gajqbakc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njeccjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkngi32.dll" Onlahm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll" Jikhnaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbclgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkmmlgik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbofa32.dll" Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibipmiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldokfakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adaiee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjleclph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnebcm32.dll" Fpbnjjkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkclikh.dll" Kindeddf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndcapd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll" Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll" Kjeglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmofdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndfnecgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjmif32.dll" Anjnnk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2700 2384 05dfb9906cfe4cd84af4bcfe936864b0N.exe 30 PID 2384 wrote to memory of 2700 2384 05dfb9906cfe4cd84af4bcfe936864b0N.exe 30 PID 2384 wrote to memory of 2700 2384 05dfb9906cfe4cd84af4bcfe936864b0N.exe 30 PID 2384 wrote to memory of 2700 2384 05dfb9906cfe4cd84af4bcfe936864b0N.exe 30 PID 2700 wrote to memory of 2772 2700 Hohkmj32.exe 31 PID 2700 wrote to memory of 2772 2700 Hohkmj32.exe 31 PID 2700 wrote to memory of 2772 2700 Hohkmj32.exe 31 PID 2700 wrote to memory of 2772 2700 Hohkmj32.exe 31 PID 2772 wrote to memory of 2584 2772 Hfbcidmk.exe 32 PID 2772 wrote to memory of 2584 2772 Hfbcidmk.exe 32 PID 2772 wrote to memory of 2584 2772 Hfbcidmk.exe 32 PID 2772 wrote to memory of 2584 2772 Hfbcidmk.exe 32 PID 2584 wrote to memory of 2664 2584 Hnnhngjf.exe 33 PID 2584 wrote to memory of 2664 2584 Hnnhngjf.exe 33 PID 2584 wrote to memory of 2664 2584 Hnnhngjf.exe 33 PID 2584 wrote to memory of 2664 2584 Hnnhngjf.exe 33 PID 2664 wrote to memory of 2608 2664 Hegpjaac.exe 34 PID 2664 wrote to memory of 2608 2664 Hegpjaac.exe 34 PID 2664 wrote to memory of 2608 2664 Hegpjaac.exe 34 PID 2664 wrote to memory of 2608 2664 Hegpjaac.exe 34 PID 2608 wrote to memory of 1204 2608 Hiclkp32.exe 35 PID 2608 wrote to memory of 1204 2608 Hiclkp32.exe 35 PID 2608 wrote to memory of 1204 2608 Hiclkp32.exe 35 PID 2608 wrote to memory of 1204 2608 Hiclkp32.exe 35 PID 1204 wrote to memory of 3012 1204 Homdhjai.exe 36 PID 1204 wrote to memory of 3012 1204 Homdhjai.exe 36 PID 1204 wrote to memory of 3012 1204 Homdhjai.exe 36 PID 1204 wrote to memory of 3012 1204 Homdhjai.exe 36 PID 3012 wrote to memory of 2648 3012 Hbkqdepm.exe 37 PID 3012 wrote to memory of 2648 3012 Hbkqdepm.exe 37 PID 3012 wrote to memory of 2648 3012 Hbkqdepm.exe 37 PID 3012 wrote to memory of 2648 3012 Hbkqdepm.exe 37 PID 2648 wrote to memory of 1208 2648 Hejmpqop.exe 38 PID 2648 wrote to memory of 1208 2648 Hejmpqop.exe 38 PID 2648 wrote to memory of 1208 2648 Hejmpqop.exe 38 PID 2648 wrote to memory of 1208 2648 Hejmpqop.exe 38 PID 1208 wrote to memory of 800 1208 Hkdemk32.exe 39 PID 1208 wrote to memory of 800 1208 Hkdemk32.exe 39 PID 1208 wrote to memory of 800 1208 Hkdemk32.exe 39 PID 1208 wrote to memory of 800 1208 Hkdemk32.exe 39 PID 800 wrote to memory of 2860 800 Haqnea32.exe 40 PID 800 wrote to memory of 2860 800 Haqnea32.exe 40 PID 800 wrote to memory of 2860 800 Haqnea32.exe 40 PID 800 wrote to memory of 2860 800 Haqnea32.exe 40 PID 2860 wrote to memory of 1856 2860 Ikfbbjdj.exe 41 PID 2860 wrote to memory of 1856 2860 Ikfbbjdj.exe 41 PID 2860 wrote to memory of 1856 2860 Ikfbbjdj.exe 41 PID 2860 wrote to memory of 1856 2860 Ikfbbjdj.exe 41 PID 1856 wrote to memory of 2952 1856 Imgnjb32.exe 42 PID 1856 wrote to memory of 2952 1856 Imgnjb32.exe 42 PID 1856 wrote to memory of 2952 1856 Imgnjb32.exe 42 PID 1856 wrote to memory of 2952 1856 Imgnjb32.exe 42 PID 2952 wrote to memory of 2264 2952 Igmbgk32.exe 43 PID 2952 wrote to memory of 2264 2952 Igmbgk32.exe 43 PID 2952 wrote to memory of 2264 2952 Igmbgk32.exe 43 PID 2952 wrote to memory of 2264 2952 Igmbgk32.exe 43 PID 2264 wrote to memory of 2740 2264 Ifpcchai.exe 44 PID 2264 wrote to memory of 2740 2264 Ifpcchai.exe 44 PID 2264 wrote to memory of 2740 2264 Ifpcchai.exe 44 PID 2264 wrote to memory of 2740 2264 Ifpcchai.exe 44 PID 2740 wrote to memory of 2144 2740 Iphgln32.exe 45 PID 2740 wrote to memory of 2144 2740 Iphgln32.exe 45 PID 2740 wrote to memory of 2144 2740 Iphgln32.exe 45 PID 2740 wrote to memory of 2144 2740 Iphgln32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\05dfb9906cfe4cd84af4bcfe936864b0N.exe"C:\Users\Admin\AppData\Local\Temp\05dfb9906cfe4cd84af4bcfe936864b0N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Hohkmj32.exeC:\Windows\system32\Hohkmj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2236 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe33⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe36⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe37⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe39⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe40⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Klhgfq32.exeC:\Windows\system32\Klhgfq32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe43⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe45⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe47⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe48⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe50⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe51⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe52⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe53⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe55⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe56⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Laleof32.exeC:\Windows\system32\Laleof32.exe57⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe59⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Windows\SysWOW64\Lopfhk32.exeC:\Windows\system32\Lopfhk32.exe61⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe62⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:664 -
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe65⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe66⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe67⤵PID:2556
-
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe68⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Lpcoeb32.exeC:\Windows\system32\Lpcoeb32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe71⤵PID:2796
-
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe72⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe74⤵PID:768
-
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe76⤵PID:2960
-
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Lfbdci32.exeC:\Windows\system32\Lfbdci32.exe78⤵PID:2260
-
C:\Windows\SysWOW64\Ljnqdhga.exeC:\Windows\system32\Ljnqdhga.exe79⤵PID:1224
-
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe81⤵
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe82⤵PID:2096
-
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe83⤵PID:2100
-
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe84⤵PID:2120
-
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe85⤵PID:2064
-
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe86⤵PID:2940
-
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe87⤵PID:1532
-
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe88⤵PID:1992
-
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe89⤵PID:1496
-
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe90⤵PID:1816
-
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe91⤵PID:2136
-
C:\Windows\SysWOW64\Mhhgpc32.exeC:\Windows\system32\Mhhgpc32.exe92⤵PID:2496
-
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe93⤵PID:1788
-
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe95⤵PID:3056
-
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe96⤵PID:1432
-
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe97⤵PID:2724
-
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe98⤵PID:1484
-
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\Mbchni32.exeC:\Windows\system32\Mbchni32.exe100⤵PID:1944
-
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe101⤵PID:864
-
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe102⤵PID:2152
-
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe103⤵PID:2128
-
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe105⤵
- Modifies registry class
PID:1296 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe107⤵PID:1708
-
C:\Windows\SysWOW64\Nnleiipc.exeC:\Windows\system32\Nnleiipc.exe108⤵PID:1536
-
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe109⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Ndfnecgp.exeC:\Windows\system32\Ndfnecgp.exe110⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe111⤵PID:2880
-
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe112⤵PID:2156
-
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe113⤵PID:944
-
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe114⤵PID:2420
-
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe116⤵
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe117⤵PID:2088
-
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe118⤵PID:2956
-
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe120⤵PID:3036
-
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2396
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-